Overview
Comment: Make sure signed integer overflow does not cause a segfault while attempting to read a corrupt database where the header size varint on a record is larger than the maximum 32-bit signed integer.
SHA1: c3baca99f4580652afb2c3f73036ab83
User & Date: drh 2013-08-01 19:17:39.891
Context
2013-08-01
20:26 | Fix a potential buffer overread in sqlite3VdbeRecordCompare() when a serial_type specifies a field that starts in bounds but is much too large for the allocated buffer. Mostly harmless. The overread is unlikely to go more than one or two bytes past the end of the buffer. (check-in: e436b2f4e5 user: drh tags: trunk)
19:17 | Make sure signed integer overflow does not cause a segfault while attempting to read a corrupt database where the header size varint on a record is larger than the maximum 32-bit signed integer. (check-in: c3baca99f4 user: drh tags: trunk)
17:43 | Add test case for the problem fixed by [127a5b776d]. (check-in: 65816718b5 user: dan tags: trunk)
Changes
Changes to src/vdbeaux.c.
︙ | |||
2986 2987 2988 2989 2990 2991 2992 | 2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 2999 3000 | - + | ** equal, then the keys are considered to be equal and ** the parts beyond the common prefix are ignored. */ int sqlite3VdbeRecordCompare( int nKey1, const void *pKey1, /* Left key */ UnpackedRecord *pPKey2 /* Right key */ ){ |
︙ | |||
3020 3021 3022 3023 3024 3025 3026 | 3020 3021 3022 3023 3024 3025 3026 3027 3028 3029 3030 3031 3032 3033 3034 | - + | nField = pKeyInfo->nField; assert( pKeyInfo->aSortOrder!=0 ); while( idx1<szHdr1 && i<pPKey2->nField ){ u32 serial_type1; /* Read the serial types for the next element in each key. */ idx1 += getVarint32( aKey1+idx1, serial_type1 ); |
︙ |
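Review bot: in the first hunk, the sqlite3VdbeRecordCompare() signature keeps `int nKey1` as a signed length, while the check-in is about signed overflow on values read from a corrupt record. Wherever the body compares a record offset with nKey1, the two operands should be in one signedness, with the cast written out at the comparison. Suggest also stating in the header comment that nKey1 is never negative, or adding `assert( nKey1>=0 );` at the top of the function, so that a cast to an unsigned type cannot turn a negative length into a very large bound.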
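Review bot: in the second hunk, the loop `while( idx1<szHdr1 && i<pPKey2->nField )` is bounded only by the header size and the field count, and nothing in these lines bounds idx1 by nKey1 before `getVarint32( aKey1+idx1, serial_type1 )` reads from the key. With a header size varint taken from a corrupt record, szHdr1 can exceed the key length, so this read depends on a check or on buffer padding that is not visible here. Suggest either a loop condition that also compares idx1 with nKey1, or a short comment at the loop naming the guarantee that keeps the read inside the allocation.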
Added test/corruptG.test.