

Overview
Comment:Add checks to make sure cells in corrupt database files do not overflow a page when doing autovacuum. Problem detected by valgrind.
SHA1: d0b347b412376d22e9f0770ac083dafb5e480dd0
User & Date: drh 2011-08-31 13:27:19
Context
2011-08-31
17:46
Backslash escaping is not working right in tostr.awk on the latest ubuntu. The easiest fix is to simply not use any backslashes in the spaceanal.tcl script. check-in: df550066 user: drh tags: trunk
13:27
Add checks to make sure cells in corrupt database files do not overflow a page when doing autovacuum. Problem detected by valgrind. check-in: d0b347b4 user: drh tags: trunk
2011-08-30
19:52
Enable the thread test logic to work with the SQLITE_HAS_CODEC compile-time option. check-in: 20ddfb47 user: drh tags: trunk
Changes

Changes to src/btree.c.

  2750   2750       nCell = pPage->nCell;
  2751   2751   
  2752   2752       for(i=0; i<nCell; i++){
  2753   2753         u8 *pCell = findCell(pPage, i);
  2754   2754         if( eType==PTRMAP_OVERFLOW1 ){
  2755   2755           CellInfo info;
  2756   2756           btreeParseCellPtr(pPage, pCell, &info);
  2757         -        if( info.iOverflow ){
  2758         -          if( iFrom==get4byte(&pCell[info.iOverflow]) ){
  2759         -            put4byte(&pCell[info.iOverflow], iTo);
  2760         -            break;
  2761         -          }
         2757  +        if( info.iOverflow
         2758  +         && pCell+info.iOverflow+3<=pPage->aData+pPage->maskPage
         2759  +         && iFrom==get4byte(&pCell[info.iOverflow])
         2760  +        ){
         2761  +          put4byte(&pCell[info.iOverflow], iTo);
         2762  +          break;
  2762   2763           }
  2763   2764         }else{
  2764   2765           if( get4byte(pCell)==iFrom ){
  2765   2766             put4byte(pCell, iTo);
  2766   2767             break;
  2767   2768           }
  2768   2769         }
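Review bot: The bounds test added at new line 2758 only makes the pointer comparison fail, so in the first hunk a cell whose 4-byte overflow page number lies past the end of the page is silently skipped, while the identical condition at new line 5194 in the second hunk returns SQLITE_CORRUPT; unless the code after the loop (outside the hunk) already reports a missing match as corruption, the first hunk should do the same, e.g. keep `if( info.iOverflow ){` and add `if( pCell+info.iOverflow+3>pPage->aData+pPage->maskPage ) return SQLITE_CORRUPT;` ahead of the existing `iFrom==get4byte(&pCell[info.iOverflow])` test. The `+3` deserves a comment in both places, such as `/* the 4-byte overflow page number must lie entirely within the page */`. Both checks bound against pPage->maskPage, which appears to be the page size minus one; if the page carries reserved bytes, pBt->usableSize would be the tighter bound since bytes beyond it are not cell content — worth confirming against how maskPage is set. Both enclosing functions start and end outside the hunks.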
................................................................................
  5186   5187     u32 ovflPageSize;
  5187   5188   
  5188   5189     assert( sqlite3_mutex_held(pPage->pBt->mutex) );
  5189   5190     btreeParseCellPtr(pPage, pCell, &info);
  5190   5191     if( info.iOverflow==0 ){
  5191   5192       return SQLITE_OK;  /* No overflow pages. Return without doing anything */
  5192   5193     }
         5194  +  if( pCell+info.iOverflow+3 > pPage->aData+pPage->maskPage ){
         5195  +    return SQLITE_CORRUPT;  /* Cell extends past end of page */
         5196  +  }
  5193   5197     ovflPgno = get4byte(&pCell[info.iOverflow]);
  5194   5198     assert( pBt->usableSize > 4 );
  5195   5199     ovflPageSize = pBt->usableSize - 4;
  5196   5200     nOvfl = (info.nPayload - info.nLocal + ovflPageSize - 1)/ovflPageSize;
  5197   5201     assert( ovflPgno==0 || nOvfl>0 );
  5198   5202     while( nOvfl-- ){
  5199   5203       Pgno iNext = 0;