Overview
Comment: | Back out the expansion of the temporary buffer size from [32754ca6f86da816] and replace it with an explicit test for buffer overreads. |
---|---|
SHA3-256: | 8ba3d9f38090c4bbbcffba1930e5c26f |
User & Date: | drh 2018-12-14 16:20:54.136 |
Context
2018-12-14
17:57 | Fix possible integer overflow while running PRAGMA integrity_check on a database file with a badly corrupted freelist. (check-in: 395599116d user: drh tags: trunk) | |
16:20 | Back out the expansion of the temporary buffer size from [32754ca6f86da816] and replace it with an explicit test for buffer overreads. (check-in: 8ba3d9f380 user: drh tags: trunk) | |
16:00 | Avoid a buffer overread in ptrmapPutOvflPtr() that can occur in a corrupt database file that has large entries and uses autovacuum. (check-in: f8b781cf41 user: drh tags: trunk) | |
Changes
Changes to src/btree.c.
︙ | ︙ | |||
6758 6759 6760 6761 6762 6763 6764 6765 6766 6767 6768 6769 6770 6771 | i = get2byte(&aData[hdr+5]); memcpy(&pTmp[i], &aData[i], usableSize - i); pData = pEnd; for(i=0; i<nCell; i++){ u8 *pCell = apCell[i]; if( SQLITE_WITHIN(pCell,aData,pEnd) ){ pCell = &pTmp[pCell - aData]; } pData -= szCell[i]; put2byte(pCellptr, (pData - aData)); pCellptr += 2; if( pData < pCellptr ) return SQLITE_CORRUPT_BKPT; memcpy(pData, pCell, szCell[i]); | > | 6758 6759 6760 6761 6762 6763 6764 6765 6766 6767 6768 6769 6770 6771 6772 | i = get2byte(&aData[hdr+5]); memcpy(&pTmp[i], &aData[i], usableSize - i); pData = pEnd; for(i=0; i<nCell; i++){ u8 *pCell = apCell[i]; if( SQLITE_WITHIN(pCell,aData,pEnd) ){ if( ((uptr)(pCell+szCell[i]))>(uptr)pEnd ) return SQLITE_CORRUPT_BKPT; pCell = &pTmp[pCell - aData]; } pData -= szCell[i]; put2byte(pCellptr, (pData - aData)); pCellptr += 2; if( pData < pCellptr ) return SQLITE_CORRUPT_BKPT; memcpy(pData, pCell, szCell[i]); |
︙ | ︙ |
Changes to src/pcache1.c.
︙ | ︙ | |||
476 477 478 479 480 481 482 | ** using sqlite3_config(SQLITE_CONFIG_PAGECACHE) option. If no such buffer ** exists, this function falls back to sqlite3Malloc(). */ void *sqlite3PageMalloc(int sz){ /* During rebalance operations on a corrupt database file, it is sometimes ** (rarely) possible to overread the temporary page buffer by a few bytes. ** Enlarge the allocation slightly so that this does not cause problems. */ | | | 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 | ** using sqlite3_config(SQLITE_CONFIG_PAGECACHE) option. If no such buffer ** exists, this function falls back to sqlite3Malloc(). */ void *sqlite3PageMalloc(int sz){ /* During rebalance operations on a corrupt database file, it is sometimes ** (rarely) possible to overread the temporary page buffer by a few bytes. ** Enlarge the allocation slightly so that this does not cause problems. */ return pcache1Alloc(sz); } /* ** Free an allocated buffer obtained from sqlite3PageMalloc(). */ void sqlite3PageFree(void *p){ pcache1Free(p); |
︙ | ︙ |
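Review bot: in the src/btree.c hunk, the new test `((uptr)(pCell+szCell[i]))>(uptr)pEnd` performs the pointer addition before the cast, so for a large szCell[i] the sum can point well past the end of the page, and could wrap at the top of the address space so that the comparison passes. Comparing lengths avoids forming that pointer: `if( szCell[i] > pEnd - pCell ) return SQLITE_CORRUPT_BKPT;` is equivalent here because SQLITE_WITHIN has already established that pCell lies in [aData, pEnd). Separately, the branch accepts any pCell from aData upward, while the memcpy above fills pTmp only from the offset read by get2byte(&aData[hdr+5]) to usableSize, so a cell that starts below that offset would still be copied from bytes of pTmp that were never written; raising the lower bound of the SQLITE_WITHIN test to the start of the cell content area would cover that case. A one-line comment on the new check, saying that it guards the later memcpy(pData, pCell, szCell[i]) against reading past the end of pTmp, would also help.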
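Review bot: in the src/pcache1.c hunk, the comment above the return in sqlite3PageMalloc() is now stale: it still says "Enlarge the allocation slightly so that this does not cause problems", but the function returns `pcache1Alloc(sz)` with no enlargement. Since the check-in comment says the overread is now handled by an explicit test instead, the three comment lines should be removed or reworded to point at that test in src/btree.c; otherwise a later reader will assume the temporary page buffer has slack bytes that it no longer has.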