Comment: | When saving the position of a cursor at the b-tree layer, allocate a few extra bytes at the end of the buffer used to save the key. Otherwise, if the key is corrupt, the code that restores the cursor position may overread the buffer by a little. |
SHA3-256: |
160b1e31c0f27257c06c2987af9ec3a6 |
User & Date: | dan 2018-12-14 13:18:35.216 |
References
2019-01-21
16:01 | Make sure the extra bytes allocated for the saved cursor position by check-in [160b1e31c0f27257] are initialized to zero. (check-in: 2737564929 user: drh tags: trunk) | |
Changes
Changes to src/btree.c.
︙ | ︙ | |||
656 657 658 659 660 661 662 | assert( 0==pCur->pKey ); assert( cursorHoldsMutex(pCur) ); if( pCur->curIntKey ){ /* Only the rowid is required for a table btree */ pCur->nKey = sqlite3BtreeIntegerKey(pCur); }else{ | | > > > > > | | 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 | assert( 0==pCur->pKey ); assert( cursorHoldsMutex(pCur) ); if( pCur->curIntKey ){ /* Only the rowid is required for a table btree */ pCur->nKey = sqlite3BtreeIntegerKey(pCur); }else{ /* For an index btree, save the complete key content. It is possible ** that the current key is corrupt. In that case, it is possible that ** the sqlite3VdbeRecordUnpack() function may overread the buffer by ** up to the size of 1 varint plus 1 8-byte value when the cursor ** position is restored. Hence the 17 bytes of padding allocated ** below. */ void *pKey; pCur->nKey = sqlite3BtreePayloadSize(pCur); pKey = sqlite3Malloc( pCur->nKey + 9 + 8 ); if( pKey ){ rc = sqlite3BtreePayload(pCur, 0, (int)pCur->nKey, pKey); if( rc==SQLITE_OK ){ pCur->pKey = pKey; }else{ sqlite3_free(pKey); } |
︙ | ︙ |
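Review bot: The 17 padding bytes obtained by `sqlite3Malloc( pCur->nKey + 9 + 8 )` are never written: sqlite3BtreePayload() copies only `pCur->nKey` bytes, so when sqlite3VdbeRecordUnpack() overreads a corrupt key at restore time it now reads indeterminate heap bytes instead of out-of-bounds ones, and assuming sqlite3Malloc behaves like malloc and does not zero its result that is still a use of uninitialized memory (MemorySanitizer/valgrind will flag it, and the decoded tail depends on stale heap contents). Zeroing the tail once the payload copy has succeeded closes that, e.g. `memset((char*)pKey + pCur->nKey, 0, 9+8);` placed just before `pCur->pKey = pKey;`, which also makes the bounded overread deterministic rather than data-dependent. A later check-in in this repository's References list appears to do exactly this, so readers of this revision should treat the padding as unreliable until then. The enclosing function starts before and continues after the hunk, so the error path and the caller's use of pKey are not visible here.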
Changes to test/dbfuzz001.test.
︙ | ︙ | |||
265 266 267 268 269 270 271 272 | | 480: 74 0a 06 02 07 40 18 00 00 00 00 00 00 0a 05 02 t....@.......... | 496: 07 40 18 00 04 02 01 04 03 03 02 01 04 03 02 02 .@.............. | end x/c03.db }] catchsql {INSERT INTO t3 SELECT * FROM t2;} } {1 {database disk image is malformed}} finish_test | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 | | 480: 74 0a 06 02 07 40 18 00 00 00 00 00 00 0a 05 02 t....@.......... | 496: 07 40 18 00 04 02 01 04 03 03 02 01 04 03 02 02 .@.............. | end x/c03.db }] catchsql {INSERT INTO t3 SELECT * FROM t2;} } {1 {database disk image is malformed}} do_test dbfuzz001-110 { sqlite3 db {} db deserialize [decode_hexdb { | size 3584 pagesize 512 filename x/c02.db | page 1 offset 0 | 0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 SQLite format 3. | 16: 02 00 01 01 00 40 20 20 00 00 00 0c 00 00 00 07 .....@ ........ | 32: 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 04 ................ | 48: 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 00 ................ | 80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c ................ | 96: 00 2e 2c 50 0d 00 00 00 06 01 06 00 01 da 01 b0 ..,P............ | 112: 01 56 01 86 01 2a 01 06 00 00 00 00 00 00 00 00 .V...*.......... | 256: 00 00 00 00 00 00 22 07 06 17 11 11 01 31 74 61 ......"......1ta | 272: 62 6c 65 74 34 74 34 07 43 52 45 41 54 45 20 54 blet4t4.CREATE T | 288: 41 42 4c 45 20 74 34 28 78 29 2a 06 06 17 13 11 ABLE t4(x)*..... 
| 304: 01 3f 69 6e 64 65 78 74 33 78 74 33 05 43 52 45 .?indext3xt3.CRE | 320: 41 54 45 20 49 4e 44 45 58 20 74 33 78 20 4f 4e ATE INDEX t3x ON | 336: 20 74 33 28 78 29 2e 04 06 17 15 11 01 45 69 6e t3(x).......Ein | 352: 64 65 78 74 32 63 64 74 32 05 43 52 45 41 54 45 dext2cdt2.CREATE | 368: 20 49 4e 44 45 58 20 74 32 63 64 20 4f 4e 20 74 INDEX t2cd ON t | 384: 32 28 63 2c 64 29 28 05 06 17 11 11 01 3d 74 61 2(c,d)(......=ta | 400: 62 6c 65 74 33 74 33 07 43 52 45 41 54 45 20 54 blet3t3.CREATE T | 416: 41 42 4c 45 20 74 33 28 63 2c 78 2c 65 2c 66 29 ABLE t3(c,x,e,f) | 432: 28 02 06 17 11 11 01 3d 74 61 74 65 6c 03 62 74 (......=tatel.bt | 448: 32 32 43 52 45 41 54 45 20 54 41 42 4c 45 20 74 22CREATE TABLE t | 464: 32 28 63 2c 64 2c 65 2c 66 29 24 01 06 17 11 11 2(c,d,e,f)$..... | 480: 01 35 74 61 62 6c 65 74 31 74 31 02 43 52 45 41 .5tablet1t1.CREA | 496: 54 45 20 54 41 42 4c 45 20 74 31 28 61 2c 62 29 TE TABLE t1(a,b) | page 2 offset 512 | 0: 0d 00 00 00 04 01 cf 00 01 fa 01 f3 01 de 01 cf ................ | 160: 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 .. ............. | 448: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d ................ | 464: 04 03 17 17 73 65 76 65 6e 65 69 67 68 74 13 03 ....seveneight.. | 480: 03 07 07 40 14 00 00 00 00 00 00 40 18 00 00 00 ...@.......@.... | 496: 00 00 00 05 02 03 01 01 03 04 04 01 03 09 01 02 ................ | page 3 offset 1024 | 0: 0d 00 00 00 08 01 54 00 01 f7 01 ec 01 c5 01 aa ......T......... | 16: 01 a1 01 96 01 6f 01 54 00 00 00 00 00 00 00 00 .....o.T........ | 112: 00 00 dd 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | 336: 00 00 00 00 19 08 05 17 17 17 17 65 69 67 68 74 ...........eight | 352: 65 69 67 68 74 73 65 76 65 6e 73 65 76 65 6e 25 eightsevenseven% | 368: 07 05 07 07 07 07 40 18 00 00 00 00 00 00 40 18 ......@.......@. | 384: 00 00 00 00 00 00 40 14 00 00 00 00 00 00 40 14 ......@.......@. | 400: 00 00 00 00 00 00 09 06 05 01 01 01 01 04 04 03 ................ 
| 416: 03 07 05 05 01 01 09 09 02 02 19 04 05 17 17 17 ................ | 432: 17 73 65 76 65 6e 65 69 67 68 74 65 69 67 68 74 .seveneighteight | 448: 73 65 76 65 6e 25 03 05 07 07 07 07 40 14 00 00 seven%......@... | 464: 00 00 00 00 40 18 00 00 00 00 00 00 40 18 00 00 ....@.......@... | 480: 00 00 00 00 40 14 00 00 00 00 00 00 09 02 05 01 ....@........... | 496: 01 01 01 03 04 04 03 07 01 05 09 01 01 09 02 02 ................ | page 4 offset 1536 | 0: 0d 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 ................ | 192: 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 00 ................ | 208: 00 e5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | page 5 offset 2048 | 0: 0a 00 00 00 08 01 96 00 01 fa 01 c4 01 f2 01 bc ................ | 16: 01 dc 01 a6 01 96 01 cc 00 00 00 00 00 00 00 00 ................ | 240: 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 ................ | 400: 00 00 00 00 00 00 0f 04 17 07 01 65 69 67 68 74 ...........eight | 416: 65 69 67 68 74 08 15 04 07 07 01 40 18 00 00 00 eight......@.... | 432: 00 00 00 40 18 00 00 00 00 00 00 07 07 04 01 01 ...@............ | 448: 01 04 04 06 07 04 01 01 01 02 02 05 0f 04 17 17 ................ | 464: 01 73 65 76 65 6e 65 69 67 68 74 04 15 04 07 07 .seveneight..... | 480: 01 40 14 00 00 00 00 00 00 40 18 00 00 00 00 00 .@.......@...... | 496: 00 03 07 04 01 01 01 03 04 02 05 04 09 01 09 02 ................ | page 6 offset 2560 | 0: 0a 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 ................ | 464: 00 00 00 00 00 00 00 00 00 00 7f 00 00 00 00 00 ................ | page 7 offset 3072 | 0: 0d 00 00 00 08 01 c2 00 01 fb 01 f6 01 f1 01 ec ................ | 16: 01 e0 01 d4 01 cb 01 c2 00 00 00 00 00 00 00 00 ................ | 448: 00 00 07 08 02 17 65 69 67 68 74 07 07 02 17 65 ......eight....e | 464: 69 67 68 74 0a 06 02 07 40 18 00 00 00 00 00 00 ight....@....... | 480: 0a 05 02 07 40 18 00 00 00 00 00 00 03 04 02 01 ....@........... 
| 496: 04 03 03 02 01 04 03 02 02 01 02 03 01 02 01 02 ................ | end x/c02.db }] execsql { DELETE FROM t3 WHERE x IN (SELECT x FROM t4); } } {} finish_test |
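Review bot: The new test dbfuzz001-110 does not say what in the deserialized image is corrupt or why the expected result of the DELETE is `{}` rather than a "database disk image is malformed" error, so a reader cannot tell whether a future change that starts reporting corruption here would be a regression or an improvement. A comment above `do_test dbfuzz001-110` along the lines of `# Corrupt index image: DELETE ... WHERE x IN (SELECT ...) saves and restores a cursor position on the corrupt key; this used to overread the saved-key buffer. No error is expected - the test guards against the overread.` would tie the case to the fix. I am inferring that connection from the commit message, so confirm which page actually carries the corruption before writing the comment.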