SQLite

Check-in [0f850a25d6]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Prevent unsigned 32-bit integer overflow from leading to a buffer overread inside of an assert(). The problem fixed here is no reachable in production code.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 0f850a25d67a752fe1e9059c0c3f78e00c222113e556a7605fd3c50817b573cb
User & Date: drh 2019-01-12 21:30:26.399
Context
2019-01-13
00:58
Move a local variable declaration into the outermost scope in which it is used. This fixes an ASAN warning. (check-in: ac3b6021d9 user: drh tags: trunk)
2019-01-12
21:30
Prevent unsigned 32-bit integer overflow from leading to a buffer overread inside of an assert(). The problem fixed here is no reachable in production code. (check-in: 0f850a25d6 user: drh tags: trunk)
20:55
Fix another problem with handling corrupt records in fts5_decode(). (check-in: 726e398b9d user: dan tags: trunk)
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/vdbeaux.c.
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894

    /* Verify that there is enough key space remaining to avoid
    ** a buffer overread.  The "d1+serial_type1+2" subexpression will
    ** always be greater than or equal to the amount of required key space.
    ** Use that approximation to avoid the more expensive call to
    ** sqlite3VdbeSerialTypeLen() in the common case.
    */
    if( d1+serial_type1+2>(u32)nKey1
     && d1+sqlite3VdbeSerialTypeLen(serial_type1)>(u32)nKey1 
    ){
      break;
    }

    /* Extract the values to be compared.
    */
    d1 += sqlite3VdbeSerialGet(&aKey1[d1], serial_type1, &mem1);







|
|







3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894

    /* Verify that there is enough key space remaining to avoid
    ** a buffer overread.  The "d1+serial_type1+2" subexpression will
    ** always be greater than or equal to the amount of required key space.
    ** Use that approximation to avoid the more expensive call to
    ** sqlite3VdbeSerialTypeLen() in the common case.
    */
    if( d1+(u64)serial_type1+2>(u64)nKey1
     && d1+(u64)sqlite3VdbeSerialTypeLen(serial_type1)>(u64)nKey1 
    ){
      break;
    }

    /* Extract the values to be compared.
    */
    d1 += sqlite3VdbeSerialGet(&aKey1[d1], serial_type1, &mem1);