SQLite

Check-in [28ddecff04]

Overview
Comment: Earlier detection of corruption in sqlite3VdbeRecordCompare() in order to avoid a potential buffer overread.
SHA1: 28ddecff044dbc2dff50a7d8406ab67dfe06587f
User & Date: drh 2014-03-26 14:51:07.017
References
2014-03-26
15:14
Add an extra test case for the potential buffer overread patched by [28ddecff04]. (check-in: f585f5d7a0 user: dan tags: trunk)
Context
2014-03-26
16:22
Fix a potential buffer overread that could have occurred when searching a corrupt database file. (check-in: db2935473e user: drh tags: branch-3.8.4)
15:05
Add a test case to verify that the previous change avoids excess buffer overread in sqlite3VdbeRecordCompare(). (check-in: 2b28e8d582 user: drh tags: trunk)
14:51
Earlier detection of corruption in sqlite3VdbeRecordCompare() in order to avoid a potential buffer overread. (check-in: 28ddecff04 user: drh tags: trunk)
12:02
Add an assert() and a comment to clarify the operation of the vdbeRecordCompareInt() routine. (check-in: 851abdb8fd user: drh tags: trunk)
Changes
Changes to src/vdbeaux.c.
Before this check-in (src/vdbeaux.c lines 3430-3443):
    szHdr1 = aKey1[0];
    d1 = szHdr1 + sqlite3VdbeSerialTypeLen(s1);
    i = 1;
    pRhs++;
  }else{
    idx1 = getVarint32(aKey1, szHdr1);
    d1 = szHdr1;

    i = 0;
  }

  VVA_ONLY( mem1.zMalloc = 0; ) /* Only needed by assert() statements */
  assert( pPKey2->pKeyInfo->nField+pPKey2->pKeyInfo->nXField>=pPKey2->nField 
       || CORRUPT_DB );
  assert( pPKey2->pKeyInfo->aSortOrder!=0 );

After this check-in (src/vdbeaux.c lines 3430-3444):
    szHdr1 = aKey1[0];
    d1 = szHdr1 + sqlite3VdbeSerialTypeLen(s1);
    i = 1;
    pRhs++;
  }else{
    idx1 = getVarint32(aKey1, szHdr1);
    d1 = szHdr1;
    if( d1>(unsigned)nKey1 ) return 1;  /* Corruption */
    i = 0;
  }

  VVA_ONLY( mem1.zMalloc = 0; ) /* Only needed by assert() statements */
  assert( pPKey2->pKeyInfo->nField+pPKey2->pKeyInfo->nXField>=pPKey2->nField 
       || CORRUPT_DB );
  assert( pPKey2->pKeyInfo->aSortOrder!=0 );
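Review bot: the new guard `if( d1>(unsigned)nKey1 ) return 1;  /* Corruption */` covers only the else branch; the branch just above it also derives d1 from a header byte read out of the record (`szHdr1 = aKey1[0]; d1 = szHdr1 + sqlite3VdbeSerialTypeLen(s1);`) and gets no bound check against nKey1, so either add the same guard there or add a comment stating that the caller has already validated the header on that path. The `/* Corruption */` comment should also say that a corrupt key is reported as "greater than" (return 1) rather than as an error, since callers of sqlite3VdbeRecordCompare() cannot distinguish this from a legitimate compare result and that choice is what the accompanying test change relies on.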
Changes to test/corruptI.test.
Before this check-in (test/corruptI.test lines 36-52):
} {}
db close

do_test 1.2 {
  set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
  set off [expr 2*1024 + $offset + 1]
  hexio_write test.db $off FF06

  breakpoint

  sqlite3 db test.db
  catchsql { SELECT * FROM t1 WHERE a = 10 }
} {1 {database disk image is malformed}}


finish_test


After this check-in (test/corruptI.test lines 36-48):
} {}
db close

do_test 1.2 {
  set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
  set off [expr 2*1024 + $offset + 1]
  hexio_write test.db $off FF06



  sqlite3 db test.db
  catchsql { SELECT * FROM t1 WHERE a = 10 }
} {0 {}}


finish_test
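Review bot: the expected result of test 1.2 changes from `{1 {database disk image is malformed}}` to `{0 {}}` with no comment explaining why a query against the deliberately corrupted file is now expected to succeed with no rows instead of reporting corruption; add a comment in the test tying this to the record compare routine returning 1 on a bad header size, otherwise a later reader will take the silent empty result for a regression. The `hexio_write test.db $off FF06` line would also benefit from a comment saying which bytes of the first cell on page 3 the two bytes overwrite, since the offset arithmetic above it does not make that obvious. Dropping the stray `breakpoint` is right; it should not have been in a committed test.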