/ Check-in [5b9ae693]

Overview
Comment: Fix an issue introduced by check-in [4cd2a9672c59] (2017-03-03) that could allow a negative value in the 3rd parameter to memmove() when defragmentPage() is called on a btree page with a corrupted freeblock list. The corruption is now detected early and results in an SQLITE_CORRUPT return before the memmove() is reached.
SHA3-256: 5b9ae693120fe4f7bc3b6270f35d773876f6cc8f5990e05cce0d255c54b36ae7
User & Date: drh 2017-09-28 13:47:35
Context
2017-09-28
16:56
Fix over-length source code lines in select.c. No logic changes. check-in: fd3267ef user: drh tags: trunk
13:47
Fix an issue introduced by check-in [4cd2a9672c59] (2017-03-03) that could allow a negative value in the 3rd parameter to memmove() when defragmentPage() is called on a btree page with a corrupted freeblock list. The corruption is now detected early and results in an SQLITE_CORRUPT return before the memmove() is reached. check-in: 5b9ae693 user: drh tags: trunk
01:58
Add new routines to simplify dealing with collating sequences in expressions: sqlite3ExprNNCollSeq() and sqlite3ExprCollSeqMatch(). check-in: 490e488e user: drh tags: trunk
Changes

Changes to src/btree.c.

  1395   1395   
  1396   1396         if( 0==iFree2 || (data[iFree2]==0 && data[iFree2+1]==0) ){
  1397   1397           u8 *pEnd = &data[cellOffset + nCell*2];
  1398   1398           u8 *pAddr;
  1399   1399           int sz2 = 0;
  1400   1400           int sz = get2byte(&data[iFree+2]);
  1401   1401           int top = get2byte(&data[hdr+5]);
         1402  +        if( top>=iFree ){
         1403  +          return SQLITE_CORRUPT_PGNO(pPage->pgno);
         1404  +        }
  1402   1405           if( iFree2 ){
  1403   1406             assert( iFree+sz<=iFree2 ); /* Verified by pageFindSlot() */
  1404   1407             sz2 = get2byte(&data[iFree2+2]);
  1405   1408             assert( iFree+sz+sz2+iFree2-(iFree+sz) <= usableSize );
  1406   1409             memmove(&data[iFree+sz+sz2], &data[iFree+sz], iFree2-(iFree+sz));
  1407   1410             sz += sz2;
  1408   1411           }
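
Review bot: the memmove() at new line 1409 still takes its length, iFree2-(iFree+sz), on the strength of the assert at new line 1406 alone, and assert() is compiled out of non-debug builds, so on a page with a corrupted freeblock list that length is not checked at run time. If pageFindSlot() cannot be relied on to have validated this particular page, a run-time test in the style of the added one, returning SQLITE_CORRUPT_PGNO(pPage->pgno) when iFree+sz>iFree2, would cover it. The added top>=iFree test at new lines 1402-1404 would also benefit from a short comment naming the memmove() it guards, since the only memmove() visible here does not use top.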