/ Check-in [156d6128]

Overview
Comment: Fix a potential buffer overrun in fts5 caused by corrupt database records.
SHA3-256: 156d612800a7282fe0ebb20feb31d3fd577f4ab60fab8c00940c87143997aefb
User & Date: dan 2019-08-24 17:11:29
Changes

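--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -4993,17 +4993,20 @@
         int nCopy;
         u8 *aCopy;
 
         i64 iPrev = 0;
         Fts5PoslistWriter writer;
         memset(&writer, 0, sizeof(writer));
 
+        /* See the earlier comment in this function for an explanation of why
+        ** corrupt input position lists might cause the output to consume
+        ** at most 20 bytes of unexpected space. */
         fts5MergeAppendDocid(&out, iLastRowid, i2.iRowid);
         fts5BufferZero(&tmp);
-        sqlite3Fts5BufferSize(&p->rc, &tmp, i1.nPoslist + i2.nPoslist);
+        sqlite3Fts5BufferSize(&p->rc, &tmp, i1.nPoslist + i2.nPoslist + 10 + 10);
         if( p->rc ) break;
 
         sqlite3Fts5PoslistNext64(a1, i1.nPoslist, &iOff1, &iPos1);
         sqlite3Fts5PoslistNext64(a2, i2.nPoslist, &iOff2, &iPos2);
         assert_nc( iPos1>=0 && iPos2>=0 );
 
         if( iPos1<iPos2 ){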
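Review bot: The 20-byte slack added on new line 5005 is justified only by a comment, so the bound it depends on is never checked at runtime, and the bare `10 + 10` literal would drift silently if the worst case described in the earlier comment were ever revised. Since this file already uses `assert_nc` for corrupt-input invariants (line 5010), an `assert_nc( tmp.n <= i1.nPoslist + i2.nPoslist + 20 );` placed after the loop that appends to `tmp` would let the fts5corrupt tests trip the bound directly rather than relying on a memory checker to notice an overrun. Defining the per-input slack once next to the earlier comment and using that name here would also keep the explanation and the sizing call in step. The enclosing merge function starts and ends outside the hunk, so the location of the output loop's end is inferred, not visible.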

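--- a/ext/fts5/test/fts5corrupt3.test
+++ b/ext/fts5/test/fts5corrupt3.test
@@ -9362,11 +9362,136 @@
 do_catchsql_test 63.2 {
   INSERT INTO t1(t1) VALUES('optimize');
 } {/*malformed database schema*/}
 
 do_catchsql_test 63.3 {
   SELECT * FROM t1 WHERE b MATCH 'thead*thead*theSt*';
 } {/*malformed database schema*/}
+
+#---------------------------------------------------------------------------
+do_test 64.0 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+.open --hexdb
+| size 28672 pagesize 4096 filename crash-4470f0b94422f7.db
+| page 1 offset 0
+|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+|     16: 10 00 01 01 00 40 20 20 00 00 00 00 00 00 00 06   .....@  ........
+|     32: 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04   ................
+|     96: 00 00 00 00 0d 00 00 00 06 0d e2 00 0f c4 0f 6a   ...............j
+|    112: 0e fc 0e 9d 0e 3d 0d e2 00 00 00 00 00 01 00 00   .....=..........
+|   3552: 00 00 59 06 06 17 21 21 01 7f 74 61 62 6c 65 74   ..Y...!!..tablet
+|   3568: 74 74 5f 63 6f 6e 66 69 67 74 74 74 5f 63 6f 6e   tt_configttt_con
+|   3584: 66 69 67 06 43 52 45 41 54 45 20 54 41 42 4c 45   fig.CREATE TABLE
+|   3600: 20 27 74 74 74 5f 63 6f 6e 66 69 67 27 28 6b 20    'ttt_config'(k 
+|   3616: 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 76 29 20   PRIMARY KEY, v) 
+|   3632: 57 49 54 48 4f 55 54 20 52 4f 57 49 44 5e 05 07   WITHOUT ROWID^..
+|   3648: 17 23 23 01 81 03 74 61 62 6c 65 74 74 74 5f 64   .##...tablettt_d
+|   3664: 6f 63 73 69 7a 65 74 74 74 5f 64 6f 63 73 69 7a   ocsizettt_docsiz
+|   3680: 65 05 43 52 45 41 54 45 20 54 41 42 4c 45 20 27   e.CREATE TABLE '
+|   3696: 74 74 74 5f 64 6f 63 73 69 7a 65 27 28 69 64 20   ttt_docsize'(id 
+|   3712: 49 4e 54 45 47 45 52 20 50 52 49 4d 41 52 59 20   INTEGER PRIMARY 
+|   3728: 4b 45 59 2c 20 73 7a 20 42 4c 4f 42 29 5d 04 07   KEY, sz BLOB)]..
+|   3744: 17 23 23 01 81 01 74 61 62 6c 65 74 74 74 5f 63   .##...tablettt_c
+|   3760: 6f 6e 74 65 6e 74 74 74 74 5f 63 6f 6e 74 65 6e   ontentttt_conten
+|   3776: 74 04 43 52 45 41 54 45 20 54 41 42 4c 45 20 27   t.CREATE TABLE '
+|   3792: 74 74 74 5f 63 6f 6e 74 65 6e 74 27 28 69 64 20   ttt_content'(id 
+|   3808: 49 4e 54 45 47 45 52 20 50 52 49 4d 41 52 59 20   INTEGER PRIMARY 
+|   3824: 4b 45 59 2c 20 63 30 2c 20 63 31 29 6c 03 07 17   KEY, c0, c1)l...
+|   3840: 1b 1b 01 81 2f 74 61 62 6c 65 74 74 74 5f 69 64   ..../tablettt_id
+|   3856: 78 74 74 74 5f 69 64 78 03 43 52 45 41 54 45 20   xttt_idx.CREATE 
+|   3872: 54 41 42 4c 45 20 27 74 74 74 5f 69 64 78 27 28   TABLE 'ttt_idx'(
+|   3888: 73 65 67 69 64 2c 20 74 65 72 6d 2c 20 70 67 6e   segid, term, pgn
+|   3904: 6f 2c 20 50 52 49 4d 41 52 59 20 4b 45 59 28 73   o, PRIMARY KEY(s
+|   3920: 65 67 69 64 2c 20 74 65 72 6d 29 29 20 57 49 54   egid, term)) WIT
+|   3936: 48 4f 55 54 20 52 4f 57 49 44 58 02 07 17 1d 1d   HOUT ROWIDX.....
+|   3952: 01 81 03 74 61 62 6c 65 74 74 74 5f 64 61 74 61   ...tablettt_data
+|   3968: 74 74 74 5f 64 61 74 61 02 43 52 45 41 54 45 20   ttt_data.CREATE 
+|   3984: 54 41 42 4c 45 20 27 74 74 74 5f 64 61 74 61 27   TABLE 'ttt_data'
+|   4000: 28 69 64 20 49 4e 54 45 47 45 52 20 50 52 49 4d   (id INTEGER PRIM
+|   4016: 41 52 59 20 4b 45 59 2c 20 62 6c 6f 63 6b 20 42   ARY KEY, block B
+|   4032: 4c 4f 42 29 3a 01 06 17 13 13 08 5f 74 61 62 6c   LOB):......_tabl
+|   4048: 65 74 74 74 74 74 74 43 52 45 41 54 45 20 56 49   ettttttCREATE VI
+|   4064: 52 54 55 41 4c 20 54 41 42 4c 45 20 74 74 74 20   RTUAL TABLE ttt 
+|   4080: 55 53 49 4e 47 20 66 74 73 35 28 61 2c 20 62 29   USING fts5(a, b)
+| page 2 offset 4096
+|      0: 0d 0f 44 00 05 0e 81 00 0f 1a 0e 81 0f af 0f 58   ..D............X
+|     16: 0e 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|   3712: 00 15 0a 03 00 30 00 00 00 00 01 03 03 00 03 01   .....0..........
+|   3728: 01 01 02 01 01 03 01 01 81 24 8c 80 80 80 80 01   .........$......
+|   3744: 04 00 82 4c 00 00 00 9b 02 30 65 03 1a 02 05 05   ...L.....0e.....
+|   3760: 07 05 01 01 04 03 03 08 03 03 01 2e 02 05 05 07   ................
+|   3776: 05 07 05 07 05 01 01 04 03 03 08 03 03 08 03 03   ................
+|   3792: 07 f3 03 02 01 65 03 1e 03 05 05 04 05 05 01 00   .....e..........
+|   3808: 03 06 04 04 06 04 03 01 36 03 05 05 04 06 05 04   ........6.......
+|   3824: 06 05 04 05 05 01 01 03 06 04 04 06 04 04 06 04   ................
+|   3840: 04 06 04 03 03 01 65 03 14 04 05 06 f5 05 01 01   ......e.........
+|   3856: 02 08 09 01 20 04 05 07 05 07 05 07 05 05 01 00   .... ...........
+|   3872: 02 08 0a 0a 0a 04 01 65 03 02 0a 01 06 0a 0a 0a   .......e........
+|   3888: 05 01 65 03 06 01 01 0a 01 0a 01 01 0a 0a 0a 04   ..e.............
+|   3904: 2b 31 21 0b 0f ef 00 14 2a 00 00 00 00 01 02 02   +1!.....*.......
+|   3920: 00 02 01 01 01 02 01 01 50 88 80 80 80 80 01 04   ........P.......
+|   3936: 00 81 24 00 00 00 47 02 30 65 02 1a 02 05 05 07   ..$...G.0e......
+|   3952: 05 01 01 04 03 03 08 03 03 02 01 65 02 1e 03 05   ...........e....
+|   3968: 05 04 05 05 01 01 03 06 04 04 06 04 03 03 01 65   ...............e
+|   3984: 02 14 04 05 07 05 05 01 01 02 08 0a 04 01 65 02   ..............e.
+|   4000: 02 0a 05 01 65 02 06 01 01 0a 04 12 14 0f 06 31   ....e..........1
+|   4016: 84 80 80 80 80 01 03 00 68 00 00 00 2b 02 30 65   ........h...+.0e
+|   4032: 01 10 02 05 05 01 01 04 03 03 02 01 65 01 12 03   ............e...
+|   4048: 05 05 01 01 03 06 04 03 03 01 65 01 0e 04 05 05   ..........e.....
+|   4064: 01 01 02 08 04 0d 0e 06 01 03 00 12 04 4c 4c 00   .............LL.
+|   4080: 00 00 11 24 00 00 00 00 01 01 01 00 01 01 01 01   ...$............
+| page 3 offset 8192
+|      0: 0a 00 00 00 03 0f ec 00 0f 00 00 00 00 00 00 00   ................
+|   4064: 00 00 00 00 00 00 00 00 00 00 00 00 06 04 01 0c   ................
+|   4080: 01 03 02 06 04 01 0c 01 02 02 05 04 09 0c 01 02   ................
+| page 4 offset 12288
+|      0: 0d 00 00 00 04 0e 1a 00 0f c7 0f 5b 0e ef 0e 1a   ...........[....
+|   3600: 00 00 00 00 00 00 00 00 00 00 81 52 04 06 00 81   ...........R....
+|   3616: 5d 81 55 65 20 65 65 20 65 65 65 20 65 20 65 65   ].Ue ee eee e ee
+|   3632: 20 65 65 65 20 65 20 65 65 20 65 65 65 66 20 65    eee e ee eeef e
+|   3648: 65 20 65 65 65 20 65 20 65 65 20 65 65 65 20 65   e eee e ee eee e
+|   3664: 20 65 65 20 65 65 65 65 20 65 65 20 65 65 65 20    ee eeee ee eee 
+|   3680: 65 20 65 65 20 65 65 65 20 65 20 65 65 20 65 65   e ee eee e ee ee
+|   3696: 65 65 20 65 65 20 65 65 65 20 65 20 65 65 20 65   ee ee eee e ee e
+|   3712: 65 65 20 65 20 65 65 20 65 65 65 65 65 65 20 65   ee e ee eeeeee e
+|   3728: 65 20 65 20 65 20 65 20 65 65 20 65 65 65 20 65   e e e e ee eee e
+|   3744: 65 20 65 65 65 65 65 20 65 65 20 65 20 65 1f 65   e eeeee ee e e.e
+|   3760: 20 65 65 20 65 65 65 20 65 65 20 65 65 65 65 65    ee eee ee eeeee
+|   3776: 20 65 65 20 65 20 65 20 65 20 65 65 20 65 65 65    ee e e e ee eee
+|   3792: 20 65 65 20 65 65 65 65 65 20 65 65 20 65 20 65    ee eeeee ee e e
+|   3808: 20 65 20 65 65 20 65 65 65 20 65 65 20 65 65 6a    e ee eee ee eej
+|   3824: 03 03 ff 75 71 65 20 65 65 1f 65 65 65 20 65 20   ...uqe ee.eee e 
+|   3840: 65 65 20 65 65 65 20 65 20 65 65 20 65 65 65 65   ee eee e ee eeee
+|   3856: 20 65 65 20 65 65 65 20 65 20 65 65 20 65 65 65    ee eee e ee eee
+|   3872: 20 65 20 65 65 20 65 65 65 65 65 65 20 65 65 20    e ee eeeeee ee 
+|   3888: 65 20 65 20 65 20 65 65 20 65 65 65 20 65 65 20   e e e ee eee ee 
+|   3904: 65 65 65 65 65 20 65 65 20 65 20 65 20 65 20 65   eeeee ee e e e e
+|   3920: 65 20 65 65 65 20 65 65 20 65 65 6a 02 04 00 75   e eee ee eej...u
+|   3936: 40 65 20 65 65 20 65 65 65 20 65 20 65 65 20 65   @e ee eee e ee e
+|   3952: 65 65 20 65 20 65 65 20 65 65 65 65 20 65 65 20   ee e ee eeee ee 
+|   3968: 65 65 65 20 65 20 65 65 20 65 65 65 20 65 20 65   eee e ee eee e e
+|   3984: 65 20 65 65 65 65 65 65 20 65 65 20 65 20 65 20   e eeeeee ee e e 
+|   4000: 65 20 65 65 20 65 65 65 20 65 65 20 65 65 65 65   e ee eee ee eeee
+|   4016: 65 20 65 65 20 65 20 65 20 65 20 65 65 20 65 65   e ee e e e ee ee
+|   4032: 65 20 65 65 20 65 65 37 01 04 00 41 3f 65 20 65   e ee ee7...A?e e
+|   4048: 65 20 65 65 65 20 65 20 65 65 20 65 65 65 20 65   e eee e ee eee e
+|   4064: 20 65 65 20 65 65 65 65 65 65 20 65 65 20 65 20    ee eeeeee ee e 
+|   4080: 65 20 65 20 65 65 20 65 65 65 20 65 65 20 65 65   e e ee eee ee ee
+| page 5 offset 16384
+|      0: 0d 00 00 00 04 0f e4 00 0f f9 0f f2 0f eb 0f e4   ................
+|   4064: 00 00 00 00 05 04 03 00 10 21 21 05 03 03 00 10   .........!!.....
+|   4080: 11 11 05 02 03 00 10 11 11 05 01 03 00 10 09 09   ................
+| page 6 offset 20480
+|      0: 0a 00 00 00 01 0f f4 00 0f f4 00 00 00 00 00 00   ................
+|   4080: 00 00 00 00 0b 03 1b 01 76 65 72 73 69 6f 6e 04   ........version.
+| end crash-4470f0b94422f7.db
+}]} {}
+
+do_catchsql_test 64.1 {
+  SELECT * FROM ttt('e*');
+} {1 {database disk image is malformed}}
+
 
 sqlite3_fts5_may_be_corrupt 0
 finish_test
 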
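Review bot: Test 64.1 pins only the error result of the prefix query on the corrupt image, so the overrun fixed on the C side is caught here only when the suite runs under a memory checker; nothing in the new lines says which code path the 120-line fixture is meant to reach. A one-line comment above `do_test 64.0`, such as `# Corrupt db whose merged position lists overflowed the output buffer in fts5_index.c (see check-in 156d6128).`, would tell a future maintainer why this blob exists and when it is safe to drop. The `sqlite3_fts5_may_be_corrupt 0` reset at the end of the file is visible, but the matching enable is outside the hunk, so whether the new test runs with corruption tolerance on is inferred from the surrounding tests rather than shown.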