Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Back out the expansion of the temporary buffer size from [32754ca6f86da816] and replace it with an explicit test for buffer overreads. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: | 8ba3d9f38090c4bbbcffba1930e5c26f |
| User & Date: | drh 2018-12-14 16:20:54 |
Context
|
2018-12-14
| ||
| 17:57 | Fix possible integer overflow while running PRAGMA integrity_check on a database file with a badly corrupted freelist. check-in: 39559911 user: drh tags: trunk | |
| 16:20 | Back out the expansion of the temporary buffer size from [32754ca6f86da816] and replace it with an explicit test for buffer overreads. check-in: 8ba3d9f3 user: drh tags: trunk | |
| 16:00 | Avoid a buffer overread in ptrmapPutOvflPtr() that can occurs in a corrupt database file that has large entries and uses autovacuum. check-in: f8b781cf user: drh tags: trunk | |
Changes
Changes to src/btree.c.
6758 6759 6760 6761 6762 6763 6764 6765 6766 6767 6768 6769 6770 6771 |
i = get2byte(&aData[hdr+5]);
memcpy(&pTmp[i], &aData[i], usableSize - i);
pData = pEnd;
for(i=0; i<nCell; i++){
u8 *pCell = apCell[i];
if( SQLITE_WITHIN(pCell,aData,pEnd) ){
pCell = &pTmp[pCell - aData];
}
pData -= szCell[i];
put2byte(pCellptr, (pData - aData));
pCellptr += 2;
if( pData < pCellptr ) return SQLITE_CORRUPT_BKPT;
memcpy(pData, pCell, szCell[i]);
|
> |
6758 6759 6760 6761 6762 6763 6764 6765 6766 6767 6768 6769 6770 6771 6772 |
i = get2byte(&aData[hdr+5]);
memcpy(&pTmp[i], &aData[i], usableSize - i);
pData = pEnd;
for(i=0; i<nCell; i++){
u8 *pCell = apCell[i];
if( SQLITE_WITHIN(pCell,aData,pEnd) ){
if( ((uptr)(pCell+szCell[i]))>(uptr)pEnd ) return SQLITE_CORRUPT_BKPT;
pCell = &pTmp[pCell - aData];
}
pData -= szCell[i];
put2byte(pCellptr, (pData - aData));
pCellptr += 2;
if( pData < pCellptr ) return SQLITE_CORRUPT_BKPT;
memcpy(pData, pCell, szCell[i]);
|
Changes to src/pcache1.c.
476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 |
** using sqlite3_config(SQLITE_CONFIG_PAGECACHE) option. If no such buffer
** exists, this function falls back to sqlite3Malloc().
*/
void *sqlite3PageMalloc(int sz){
/* During rebalance operations on a corrupt database file, it is sometimes
** (rarely) possible to overread the temporary page buffer by a few bytes.
** Enlarge the allocation slightly so that this does not cause problems. */
return pcache1Alloc(sz + 32);
}
/*
** Free an allocated buffer obtained from sqlite3PageMalloc().
*/
void sqlite3PageFree(void *p){
pcache1Free(p);
|
| |
476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 |
** using sqlite3_config(SQLITE_CONFIG_PAGECACHE) option. If no such buffer
** exists, this function falls back to sqlite3Malloc().
*/
void *sqlite3PageMalloc(int sz){
/* During rebalance operations on a corrupt database file, it is sometimes
** (rarely) possible to overread the temporary page buffer by a few bytes.
** Enlarge the allocation slightly so that this does not cause problems. */
return pcache1Alloc(sz);
}
/*
** Free an allocated buffer obtained from sqlite3PageMalloc().
*/
void sqlite3PageFree(void *p){
pcache1Free(p);
|