Comment:Avoid exceeding array bounds when reading a corrupt database file in autovacuum mode. Fixes a problem discovered by John Regehr and Peng Li using a customized clang compiler.
SHA1: f7c525f5fc31e909721df2b1e66fc62dfb105718
User & Date: drh 2011-05-17 15:21:56

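--- a/src/btree.c
+++ b/src/btree.c
@@ -784,14 +784,15 @@
     return;
   }
   offset = PTRMAP_PTROFFSET(iPtrmap, key);
   if( offset<0 ){
     *pRC = SQLITE_CORRUPT_BKPT;
     goto ptrmap_exit;
   }
+  assert( offset <= (int)pBt->usableSize-5 );
   pPtrmap = (u8 *)sqlite3PagerGetData(pDbPage);
 
   if( eType!=pPtrmap[offset] || get4byte(&pPtrmap[offset+1])!=parent ){
     TRACE(("PTRMAP_UPDATE: %d->(%d,%d)\n", key, eType, parent));
     *pRC= rc = sqlite3PagerWrite(pDbPage);
     if( rc==SQLITE_OK ){
       pPtrmap[offset] = eType;
@@ -823,14 +824,19 @@
   rc = sqlite3PagerGet(pBt->pPager, iPtrmap, &pDbPage);
   if( rc!=0 ){
     return rc;
   }
   pPtrmap = (u8 *)sqlite3PagerGetData(pDbPage);
 
   offset = PTRMAP_PTROFFSET(iPtrmap, key);
+  if( offset<0 ){
+    sqlite3PagerUnref(pDbPage);
+    return SQLITE_CORRUPT_BKPT;
+  }
+  assert( offset <= (int)pBt->usableSize-5 );
   assert( pEType!=0 );
   *pEType = pPtrmap[offset];
   if( pPgno ) *pPgno = get4byte(&pPtrmap[offset+1]);
 
   sqlite3PagerUnref(pDbPage);
   if( *pEType<1 || *pEType>5 ) return SQLITE_CORRUPT_BKPT;
   return SQLITE_OK;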
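Review bot: The new upper-bound check on `offset` in the second hunk is an `assert()` only, so it disappears in an NDEBUG build, while the lower-bound check added directly above it is a real runtime guard that unrefs the page and returns SQLITE_CORRUPT_BKPT; whether that asymmetry is safe depends on how `iPtrmap` is derived from `key` earlier in the function, which lies outside the hunk. If that derivation guarantees `offset` fits within the page for every `key` (so a corrupt file can only produce a negative value), a comment would stop the next reader from mistaking the assert for a missing corruption check: `/* iPtrmap is chosen from key above, so a negative offset is the only out-of-range value a corrupt file can produce; the upper bound is an invariant, not an input check */`. If it does not guarantee that, the upper bound should be tested at runtime in the same `if` as `offset<0`, with the same unref-and-return handling. The identical assert is added in the first hunk and the same comment applies there; both enclosing functions begin outside their hunks.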