Check-in [f71053cf]

Overview
Comment: Prevent the fetchPayload() routine from reporting a cell size that extends off the end of the page on a pathologically corrupted database file.
SHA1: f71053cf658b3260a32ac06f8ba5c2cde0ea54dd
User & Date: drh 2015-04-15 17:26:55
Context (2015-04-15)
19:25  Fix a potential one-byte buffer overread in the command-line shell. check-in: e018f4bf user: drh tags: trunk
19:13  Add the BtCursor.pPage field which is the current page to which the cursor points, for a very small performance gain. Leaf check-in: a200e1ea user: drh tags: btree-current-page-cache
17:26  Prevent the fetchPayload() routine from reporting a cell size that extends off the end of the page on a pathologically corrupted database file. check-in: f71053cf user: drh tags: trunk
15:29  Enhance the showdb utility program so that it can read the last partial page of a truncated database file. check-in: 61d72e17 user: drh tags: trunk
Changes

Changes to src/btree.c.

  4447   4447   ** page of the database.  The data might change or move the next time
  4448   4448   ** any btree routine is called.
  4449   4449   */
  4450   4450   static const void *fetchPayload(
  4451   4451     BtCursor *pCur,      /* Cursor pointing to entry to read from */
  4452   4452     u32 *pAmt            /* Write the number of available bytes here */
  4453   4453   ){
         4454  +  u32 amt;
  4454   4455     assert( pCur!=0 && pCur->iPage>=0 && pCur->apPage[pCur->iPage]);
  4455   4456     assert( pCur->eState==CURSOR_VALID );
  4456   4457     assert( sqlite3_mutex_held(pCur->pBtree->db->mutex) );
  4457   4458     assert( cursorHoldsMutex(pCur) );
  4458   4459     assert( pCur->aiIdx[pCur->iPage]<pCur->apPage[pCur->iPage]->nCell );
  4459   4460     assert( pCur->info.nSize>0 );
  4460         -  *pAmt = pCur->info.nLocal;
         4461  +  assert( pCur->info.pPayload>pCur->apPage[pCur->iPage]->aData || CORRUPT_DB );
         4462  +  assert( pCur->info.pPayload<pCur->apPage[pCur->iPage]->aDataEnd ||CORRUPT_DB);
         4463  +  amt = (int)(pCur->apPage[pCur->iPage]->aDataEnd - pCur->info.pPayload);
         4464  +  if( pCur->info.nLocal<amt ) amt = pCur->info.nLocal;
         4465  +  *pAmt = amt;
  4461   4466     return (void*)pCur->info.pPayload;
  4462   4467   }
  4463   4468   
  4464   4469   
  4465   4470   /*
  4466   4471   ** For the entry that cursor pCur is point to, return as
  4467   4472   ** many bytes of the key or data as are available on the local
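Review bot: the clamp on new lines 4463-4464 does not cover the case the preceding assert explicitly admits (`pPayload<aDataEnd || CORRUPT_DB`). When pPayload lies beyond aDataEnd on a corrupt page, the pointer difference is negative, the `(int)` cast followed by storage in the `u32 amt` wraps it to a large unsigned value, and `if( pCur->info.nLocal<amt ) amt = pCur->info.nLocal;` then reports nLocal unchanged, which is exactly the off-page size this change is meant to prevent. Suggest handling that case explicitly, e.g. set amt to 0 when `pCur->info.pPayload>=pCur->apPage[pCur->iPage]->aDataEnd`, and cast the difference to u32 (or keep it in a ptrdiff_t) rather than `(int)` for a value stored in a u32. Minor: `||CORRUPT_DB);` on line 4462 is spaced differently from the same expression on line 4461, and the function's header comment (ending at line 4449) should note that *pAmt may now be smaller than info.nLocal when the page is corrupt.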