/ Check-in [c9a30e11]
Overview
Comment: Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread.
SHA1: c9a30e117f2c6c9ef0cc0c6ca5227d2961715b8f
User & Date: dan 2016-02-29 17:34:16
References
2016-03-01
14:51
Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread. Cherrypick of [c9a30e117f]. Closed-Leaf check-in: daef5869 user: dan tags: branch-3.11-matchinfo
Context
2016-03-01
02:11
Better estimatedCost in the xBestIndex method of the generate_series vtab. check-in: f2c16094 user: drh tags: trunk
2016-02-29
18:30
Modify the ANALYZE command to store worst-case statistics in sqlite_stat1, rather than average case. check-in: 5a0143c9 user: drh tags: analyze-worst-case
17:34
Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread. check-in: c9a30e11 user: dan tags: trunk
17:16
Fix an fts5 problem causing 'optimize' to corrupt the fts index under some circumstances. check-in: 251d6473 user: dan tags: trunk
Changes

Changes to ext/fts5/fts5_index.c.

693
694
695
696
697
698
699

700
701
702
703
704
705
706
....
2150
2151
2152
2153
2154
2155
2156




2157
2158
2159
2160
2161
2162
2163
    p->rc = rc;
    p->nRead++;
  }

  assert( (pRet==0)==(p->rc!=SQLITE_OK) );
  return pRet;
}


/*
** Release a reference to data record returned by an earlier call to
** fts5DataRead().
*/
static void fts5DataRelease(Fts5Data *pData){
  sqlite3_free(pData);
................................................................................
  int bEndOfPage = 0;

  assert( p->rc==SQLITE_OK );

  iPgidx = szLeaf;
  iPgidx += fts5GetVarint32(&a[iPgidx], iTermOff);
  iOff = iTermOff;





  while( 1 ){

    /* Figure out how many new bytes are in this term */
    fts5FastGetVarint32(a, iOff, nNew);
    if( nKeep<nMatch ){
      goto search_failed;







>







 







>
>
>
>







693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
....
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
    p->rc = rc;
    p->nRead++;
  }

  assert( (pRet==0)==(p->rc!=SQLITE_OK) );
  return pRet;
}


/*
** Release a reference to data record returned by an earlier call to
** fts5DataRead().
*/
static void fts5DataRelease(Fts5Data *pData){
  sqlite3_free(pData);
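Review bot: The extra blank line before the fts5DataRelease() header comment (new line 700) is unrelated to the overread fix. Dropping it would keep this check-in, and the cherry-pick onto branch-3.11-matchinfo, limited to the bounds check.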
................................................................................
  int bEndOfPage = 0;

  assert( p->rc==SQLITE_OK );

  iPgidx = szLeaf;
  iPgidx += fts5GetVarint32(&a[iPgidx], iTermOff);
  iOff = iTermOff;
  if( iOff>n ){
    p->rc = FTS5_CORRUPT;
    return;
  }

  while( 1 ){

    /* Figure out how many new bytes are in this term */
    fts5FastGetVarint32(a, iOff, nNew);
    if( nKeep<nMatch ){
      goto search_failed;
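Review bot: The new bound `if( iOff>n )` still lets iOff==n through, and the first statement of the loop, `fts5FastGetVarint32(a, iOff, nNew)`, then reads starting at a[n]. If n is the number of valid bytes in a[] (its declaration is outside the visible context), that is a read past the data unless the buffer carries padding; either use `iOff>=n` or add a comment naming the padding that makes `>` sufficient. The same concern applies one line earlier: `fts5GetVarint32(&a[iPgidx], iTermOff)` runs with iPgidx = szLeaf before any check against n is visible here, so a corrupt szLeaf should be rejected before that read, or a comment should say where that is already guaranteed. A regression test using a corrupt record whose first term offset exceeds the page size would keep this from reappearing.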