Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | A different approach to preventing buffer overreads when comparing a vector of values with a corrupt index record that spans at least one overflow page. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA1: |
95eaa49f4ee071c7a0f690a695f1f2d1 |
User & Date: | drh 2015-05-27 15:42:53.434 |
Context
2015-05-27
| ||
18:13 | All bytes of a page are initialized, even bytes that follow a 2-byte cell on a malformed page. (check-in: 7373a004ed user: drh tags: trunk) | |
15:42 | A different approach to preventing buffer overreads when comparing a vector of values with a corrupt index record that spans at least one overflow page. (check-in: 95eaa49f4e user: drh tags: trunk) | |
15:10 | Disallow the use of "rowid" in CTEs - it has never worked correctly and it makes no sense, so we might as well make it an explicit error. Also: add the PRAGMA cell_size_check=ON command. (check-in: 19e2cebc12 user: drh tags: trunk) | |
14:21 | A different approach to preventing buffer overreads when comparing a vector of values with a corrupt index record that spans at least one overflow page. (Closed-Leaf check-in: 7e9e1b6123 user: dan tags: avoid-buffer-overread) | |
Changes
Changes to src/btree.c.
︙ | ︙ | |||
4938 4939 4940 4941 4942 4943 4944 | ** fits entirely on the main b-tree page. */ testcase( pCell+nCell+2==pPage->aDataEnd ); c = xRecordCompare(nCell, (void*)&pCell[2], pIdxKey); }else{ /* The record flows over onto one or more overflow pages. In ** this case the whole cell needs to be parsed, a buffer allocated ** and accessPayload() used to retrieve the record into the | | > > > > > > > > > > | | 4938 4939 4940 4941 4942 4943 4944 4945 4946 4947 4948 4949 4950 4951 4952 4953 4954 4955 4956 4957 4958 4959 4960 4961 4962 4963 4964 4965 4966 4967 | ** fits entirely on the main b-tree page. */ testcase( pCell+nCell+2==pPage->aDataEnd ); c = xRecordCompare(nCell, (void*)&pCell[2], pIdxKey); }else{ /* The record flows over onto one or more overflow pages. In ** this case the whole cell needs to be parsed, a buffer allocated ** and accessPayload() used to retrieve the record into the ** buffer before VdbeRecordCompare() can be called. ** ** If the record is corrupt, the xRecordCompare routine may read ** up to two varints past the end of the buffer. An extra 18 ** bytes of padding is allocated at the end of the buffer in ** case this happens. */ void *pCellKey; u8 * const pCellBody = pCell - pPage->childPtrSize; btreeParseCellPtr(pPage, pCellBody, &pCur->info); nCell = (int)pCur->info.nKey; testcase( nCell<0 ); if( nCell<2 ){ rc = SQLITE_CORRUPT_BKPT; goto moveto_finish; } pCellKey = sqlite3Malloc( nCell+18 ); if( pCellKey==0 ){ rc = SQLITE_NOMEM; goto moveto_finish; } pCur->aiIdx[pCur->iPage] = (u16)idx; rc = accessPayload(pCur, 0, nCell, (unsigned char*)pCellKey, 2); if( rc ){ |
︙ | ︙ |