/ Check-in [6e3e014a]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix a one byte buffer overread in fts3.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 6e3e014af91601ed1f3a9cbe23f7c4260a4d177f
User & Date: dan 2010-03-05 17:27:02
Context
2010-03-05
18:46
Change a condition in sqlite3VdbeMemShallowCopy() to avoid accessing an unitialized variable (doing so was not dangerous, but caused a valgrind error). check-in: 4793c381 user: dan tags: trunk
17:27
Fix a one byte buffer overread in fts3. check-in: 6e3e014a user: dan tags: trunk
16:32
Modify the vdbe so that the comparison operator opcodes do not modify the data type of operands. Fix for [aa92c76cd4]. check-in: 8858042f user: dan tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to ext/fts3/fts3.c.

1033
1034
1035
1036
1037
1038
1039
1040





1041
1042
1043
1044
1045
1046
1047
....
2177
2178
2179
2180
2181
2182
2183

2184

2185
2186
2187
2188
2189
2190
2191
  assert( iVal-*piPrev > 0 || (*piPrev==0 && iVal==0) );
  *pp += sqlite3Fts3PutVarint(*pp, iVal-*piPrev);
  *piPrev = iVal;
}

/*
** When this function is called, *ppPoslist is assumed to point to the 
** start of a position-list.





*/
static void fts3PoslistCopy(char **pp, char **ppPoslist){
  char *pEnd = *ppPoslist;
  char c = 0;

  /* The end of a position list is marked by a zero encoded as an FTS3 
  ** varint. A single 0x00 byte. Except, if the 0x00 byte is preceded by
................................................................................
    char *pEnd = &pExpr->aDoclist[pExpr->nDoclist];
    char *pCsr = pExpr->pCurrent;

    assert( pCsr );
    while( pCsr<pEnd ){
      if( pExpr->iCurrent<iDocid ){
        fts3PoslistCopy(0, &pCsr);

        fts3GetDeltaVarint(&pCsr, &pExpr->iCurrent);

        pExpr->pCurrent = pCsr;
      }else{
        if( pExpr->iCurrent==iDocid ){
          int iThis = 0;
          if( iCol<0 ){
            /* If iCol is negative, return a pointer to the start of the
            ** position-list (instead of a pointer to the start of a list







|
>
>
>
>
>







 







>
|
>







1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
....
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
  assert( iVal-*piPrev > 0 || (*piPrev==0 && iVal==0) );
  *pp += sqlite3Fts3PutVarint(*pp, iVal-*piPrev);
  *piPrev = iVal;
}

/*
** When this function is called, *ppPoslist is assumed to point to the 
** start of a position-list. After it returns, *ppPoslist points to the
** first byte after the position-list.
**
** If pp is not NULL, then the contents of the position list are copied
** to *pp. *pp is set to point to the first byte past the last byte copied
** before this function returns.
*/
static void fts3PoslistCopy(char **pp, char **ppPoslist){
  char *pEnd = *ppPoslist;
  char c = 0;

  /* The end of a position list is marked by a zero encoded as an FTS3 
  ** varint. A single 0x00 byte. Except, if the 0x00 byte is preceded by
................................................................................
    char *pEnd = &pExpr->aDoclist[pExpr->nDoclist];
    char *pCsr = pExpr->pCurrent;

    assert( pCsr );
    while( pCsr<pEnd ){
      if( pExpr->iCurrent<iDocid ){
        fts3PoslistCopy(0, &pCsr);
        if( pCsr<pEnd ){
          fts3GetDeltaVarint(&pCsr, &pExpr->iCurrent);
        }
        pExpr->pCurrent = pCsr;
      }else{
        if( pExpr->iCurrent==iDocid ){
          int iThis = 0;
          if( iCol<0 ){
            /* If iCol is negative, return a pointer to the start of the
            ** position-list (instead of a pointer to the start of a list