SQLite

Check-in [8ba3d9f380]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Back out the expansion of the temporary buffer size from [32754ca6f86da816] and replace it with an explicit test for buffer overreads.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 8ba3d9f38090c4bbbcffba1930e5c26f69ff61f49b72a4a5a59253d37341380f
User & Date: drh 2018-12-14 16:20:54.136
Context
2018-12-14
17:57
Fix possible integer overflow while running PRAGMA integrity_check on a database file with a badly corrupted freelist. (check-in: 395599116d user: drh tags: trunk)
16:20
Back out the expansion of the temporary buffer size from [32754ca6f86da816] and replace it with an explicit test for buffer overreads. (check-in: 8ba3d9f380 user: drh tags: trunk)
16:00
Avoid a buffer overread in ptrmapPutOvflPtr() that can occurs in a corrupt database file that has large entries and uses autovacuum. (check-in: f8b781cf41 user: drh tags: trunk)
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/btree.c.
6758
6759
6760
6761
6762
6763
6764

6765
6766
6767
6768
6769
6770
6771
  i = get2byte(&aData[hdr+5]);
  memcpy(&pTmp[i], &aData[i], usableSize - i);

  pData = pEnd;
  for(i=0; i<nCell; i++){
    u8 *pCell = apCell[i];
    if( SQLITE_WITHIN(pCell,aData,pEnd) ){

      pCell = &pTmp[pCell - aData];
    }
    pData -= szCell[i];
    put2byte(pCellptr, (pData - aData));
    pCellptr += 2;
    if( pData < pCellptr ) return SQLITE_CORRUPT_BKPT;
    memcpy(pData, pCell, szCell[i]);







>







6758
6759
6760
6761
6762
6763
6764
6765
6766
6767
6768
6769
6770
6771
6772
  i = get2byte(&aData[hdr+5]);
  memcpy(&pTmp[i], &aData[i], usableSize - i);

  pData = pEnd;
  for(i=0; i<nCell; i++){
    u8 *pCell = apCell[i];
    if( SQLITE_WITHIN(pCell,aData,pEnd) ){
      if( ((uptr)(pCell+szCell[i]))>(uptr)pEnd ) return SQLITE_CORRUPT_BKPT;
      pCell = &pTmp[pCell - aData];
    }
    pData -= szCell[i];
    put2byte(pCellptr, (pData - aData));
    pCellptr += 2;
    if( pData < pCellptr ) return SQLITE_CORRUPT_BKPT;
    memcpy(pData, pCell, szCell[i]);
Changes to src/pcache1.c.
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
** using sqlite3_config(SQLITE_CONFIG_PAGECACHE) option. If no such buffer
** exists, this function falls back to sqlite3Malloc().
*/
void *sqlite3PageMalloc(int sz){
  /* During rebalance operations on a corrupt database file, it is sometimes
  ** (rarely) possible to overread the temporary page buffer by a few bytes.
  ** Enlarge the allocation slightly so that this does not cause problems. */
  return pcache1Alloc(sz + 32);
}

/*
** Free an allocated buffer obtained from sqlite3PageMalloc().
*/
void sqlite3PageFree(void *p){
  pcache1Free(p);







|







476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
** using sqlite3_config(SQLITE_CONFIG_PAGECACHE) option. If no such buffer
** exists, this function falls back to sqlite3Malloc().
*/
void *sqlite3PageMalloc(int sz){
  /* During rebalance operations on a corrupt database file, it is sometimes
  ** (rarely) possible to overread the temporary page buffer by a few bytes.
  ** Enlarge the allocation slightly so that this does not cause problems. */
  return pcache1Alloc(sz);
}

/*
** Free an allocated buffer obtained from sqlite3PageMalloc().
*/
void sqlite3PageFree(void *p){
  pcache1Free(p);