/ Check-in [160b1e31]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:When saving the position of a cursor at the b-tree layer, allocate a few extra bytes at the end of the buffer used to save the key. Otherwise, if the key is corrupt, the code that restores the cursor position may overread the buffer by a little.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256:160b1e31c0f27257c06c2987af9ec3a64abfacb2150325b72e8ccd3d217b5baa
User & Date: dan 2018-12-14 13:18:35
References
2019-01-21
16:01
Make sure the extra bytes allocated for the saved cursor position by check-in [160b1e31c0f27257] are initialized to zero. check-in: 27375649 user: drh tags: trunk
Context
2018-12-14
13:35
Expand the size of the temporary page used during btree rebalancing by a few bytes, to avoid problems with small buffer overreads that can occur on corrupted database files. check-in: 32754ca6 user: drh tags: trunk
13:18
When saving the position of a cursor at the b-tree layer, allocate a few extra bytes at the end of the buffer used to save the key. Otherwise, if the key is corrupt, the code that restores the cursor position may overread the buffer by a little. check-in: 160b1e31 user: dan tags: trunk
11:16
Fix a problem with bytecode generation when a query involves two or more indexes on expressions connected by OR. Ticket [d96eba87698a428c1ddd0790ea04] check-in: 7e4ed8b5 user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/btree.c.

656
657
658
659
660
661
662
663





664
665
666
667
668
669
670
671
672
673
  assert( 0==pCur->pKey );
  assert( cursorHoldsMutex(pCur) );

  if( pCur->curIntKey ){
    /* Only the rowid is required for a table btree */
    pCur->nKey = sqlite3BtreeIntegerKey(pCur);
  }else{
    /* For an index btree, save the complete key content */





    void *pKey;
    pCur->nKey = sqlite3BtreePayloadSize(pCur);
    pKey = sqlite3Malloc( pCur->nKey );
    if( pKey ){
      rc = sqlite3BtreePayload(pCur, 0, (int)pCur->nKey, pKey);
      if( rc==SQLITE_OK ){
        pCur->pKey = pKey;
      }else{
        sqlite3_free(pKey);
      }







|
>
>
>
>
>


|







656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
  assert( 0==pCur->pKey );
  assert( cursorHoldsMutex(pCur) );

  if( pCur->curIntKey ){
    /* Only the rowid is required for a table btree */
    pCur->nKey = sqlite3BtreeIntegerKey(pCur);
  }else{
    /* For an index btree, save the complete key content. It is possible
    ** that the current key is corrupt. In that case, it is possible that
    ** the sqlite3VdbeRecordUnpack() function may overread the buffer by
    ** up to the size of 1 varint plus 1 8-byte value when the cursor 
    ** position is restored. Hence the 17 bytes of padding allocated 
    ** below. */
    void *pKey;
    pCur->nKey = sqlite3BtreePayloadSize(pCur);
    pKey = sqlite3Malloc( pCur->nKey + 9 + 8 );
    if( pKey ){
      rc = sqlite3BtreePayload(pCur, 0, (int)pCur->nKey, pKey);
      if( rc==SQLITE_OK ){
        pCur->pKey = pKey;
      }else{
        sqlite3_free(pKey);
      }

Changes to test/dbfuzz001.test.

265
266
267
268
269
270
271



















































































272
    |    480: 74 0a 06 02 07 40 18 00 00 00 00 00 00 0a 05 02   t....@..........
    |    496: 07 40 18 00 04 02 01 04 03 03 02 01 04 03 02 02   .@..............
    | end x/c03.db
  }]
  catchsql {INSERT INTO t3 SELECT * FROM t2;}
} {1 {database disk image is malformed}}




















































































finish_test







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
    |    480: 74 0a 06 02 07 40 18 00 00 00 00 00 00 0a 05 02   t....@..........
    |    496: 07 40 18 00 04 02 01 04 03 03 02 01 04 03 02 02   .@..............
    | end x/c03.db
  }]
  catchsql {INSERT INTO t3 SELECT * FROM t2;}
} {1 {database disk image is malformed}}


do_test dbfuzz001-110 {
  sqlite3 db {}
  db deserialize [decode_hexdb {
| size 3584 pagesize 512 filename x/c02.db
| page 1 offset 0
|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
|     16: 02 00 01 01 00 40 20 20 00 00 00 0c 00 00 00 07   .....@  ........
|     32: 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 04   ................
|     48: 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 00   ................
|     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c   ................
|     96: 00 2e 2c 50 0d 00 00 00 06 01 06 00 01 da 01 b0   ..,P............
|    112: 01 56 01 86 01 2a 01 06 00 00 00 00 00 00 00 00   .V...*..........
|    256: 00 00 00 00 00 00 22 07 06 17 11 11 01 31 74 61   ......"......1ta
|    272: 62 6c 65 74 34 74 34 07 43 52 45 41 54 45 20 54   blet4t4.CREATE T
|    288: 41 42 4c 45 20 74 34 28 78 29 2a 06 06 17 13 11   ABLE t4(x)*.....
|    304: 01 3f 69 6e 64 65 78 74 33 78 74 33 05 43 52 45   .?indext3xt3.CRE
|    320: 41 54 45 20 49 4e 44 45 58 20 74 33 78 20 4f 4e   ATE INDEX t3x ON
|    336: 20 74 33 28 78 29 2e 04 06 17 15 11 01 45 69 6e    t3(x).......Ein
|    352: 64 65 78 74 32 63 64 74 32 05 43 52 45 41 54 45   dext2cdt2.CREATE
|    368: 20 49 4e 44 45 58 20 74 32 63 64 20 4f 4e 20 74    INDEX t2cd ON t
|    384: 32 28 63 2c 64 29 28 05 06 17 11 11 01 3d 74 61   2(c,d)(......=ta
|    400: 62 6c 65 74 33 74 33 07 43 52 45 41 54 45 20 54   blet3t3.CREATE T
|    416: 41 42 4c 45 20 74 33 28 63 2c 78 2c 65 2c 66 29   ABLE t3(c,x,e,f)
|    432: 28 02 06 17 11 11 01 3d 74 61 74 65 6c 03 62 74   (......=tatel.bt
|    448: 32 32 43 52 45 41 54 45 20 54 41 42 4c 45 20 74   22CREATE TABLE t
|    464: 32 28 63 2c 64 2c 65 2c 66 29 24 01 06 17 11 11   2(c,d,e,f)$.....
|    480: 01 35 74 61 62 6c 65 74 31 74 31 02 43 52 45 41   .5tablet1t1.CREA
|    496: 54 45 20 54 41 42 4c 45 20 74 31 28 61 2c 62 29   TE TABLE t1(a,b)
| page 2 offset 512
|      0: 0d 00 00 00 04 01 cf 00 01 fa 01 f3 01 de 01 cf   ................
|    160: 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00   .. .............
|    448: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d   ................
|    464: 04 03 17 17 73 65 76 65 6e 65 69 67 68 74 13 03   ....seveneight..
|    480: 03 07 07 40 14 00 00 00 00 00 00 40 18 00 00 00   ...@.......@....
|    496: 00 00 00 05 02 03 01 01 03 04 04 01 03 09 01 02   ................
| page 3 offset 1024
|      0: 0d 00 00 00 08 01 54 00 01 f7 01 ec 01 c5 01 aa   ......T.........
|     16: 01 a1 01 96 01 6f 01 54 00 00 00 00 00 00 00 00   .....o.T........
|    112: 00 00 dd 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
|    336: 00 00 00 00 19 08 05 17 17 17 17 65 69 67 68 74   ...........eight
|    352: 65 69 67 68 74 73 65 76 65 6e 73 65 76 65 6e 25   eightsevenseven%
|    368: 07 05 07 07 07 07 40 18 00 00 00 00 00 00 40 18   ......@.......@.
|    384: 00 00 00 00 00 00 40 14 00 00 00 00 00 00 40 14   ......@.......@.
|    400: 00 00 00 00 00 00 09 06 05 01 01 01 01 04 04 03   ................
|    416: 03 07 05 05 01 01 09 09 02 02 19 04 05 17 17 17   ................
|    432: 17 73 65 76 65 6e 65 69 67 68 74 65 69 67 68 74   .seveneighteight
|    448: 73 65 76 65 6e 25 03 05 07 07 07 07 40 14 00 00   seven%......@...
|    464: 00 00 00 00 40 18 00 00 00 00 00 00 40 18 00 00   ....@.......@...
|    480: 00 00 00 00 40 14 00 00 00 00 00 00 09 02 05 01   ....@...........
|    496: 01 01 01 03 04 04 03 07 01 05 09 01 01 09 02 02   ................
| page 4 offset 1536
|      0: 0d 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00   ................
|    192: 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 00   ................
|    208: 00 e5 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
| page 5 offset 2048
|      0: 0a 00 00 00 08 01 96 00 01 fa 01 c4 01 f2 01 bc   ................
|     16: 01 dc 01 a6 01 96 01 cc 00 00 00 00 00 00 00 00   ................
|    240: 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00   ................
|    400: 00 00 00 00 00 00 0f 04 17 07 01 65 69 67 68 74   ...........eight
|    416: 65 69 67 68 74 08 15 04 07 07 01 40 18 00 00 00   eight......@....
|    432: 00 00 00 40 18 00 00 00 00 00 00 07 07 04 01 01   ...@............
|    448: 01 04 04 06 07 04 01 01 01 02 02 05 0f 04 17 17   ................
|    464: 01 73 65 76 65 6e 65 69 67 68 74 04 15 04 07 07   .seveneight.....
|    480: 01 40 14 00 00 00 00 00 00 40 18 00 00 00 00 00   .@.......@......
|    496: 00 03 07 04 01 01 01 03 04 02 05 04 09 01 09 02   ................
| page 6 offset 2560
|      0: 0a 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00   ................
|    464: 00 00 00 00 00 00 00 00 00 00 7f 00 00 00 00 00   ................
| page 7 offset 3072
|      0: 0d 00 00 00 08 01 c2 00 01 fb 01 f6 01 f1 01 ec   ................
|     16: 01 e0 01 d4 01 cb 01 c2 00 00 00 00 00 00 00 00   ................
|    448: 00 00 07 08 02 17 65 69 67 68 74 07 07 02 17 65   ......eight....e
|    464: 69 67 68 74 0a 06 02 07 40 18 00 00 00 00 00 00   ight....@.......
|    480: 0a 05 02 07 40 18 00 00 00 00 00 00 03 04 02 01   ....@...........
|    496: 04 03 03 02 01 04 03 02 02 01 02 03 01 02 01 02   ................
| end x/c02.db
  }]
  execsql {
    DELETE FROM t3 WHERE x IN (SELECT x FROM t4);
  }
} {}

finish_test