/ Check-in [f7e6cdc5]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix another case in fts5 where a corrupt database could cause a buffer overread.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: f7e6cdc5625664f449d0edbe39af2d45910c4137bfd856ae1f770dd826c138ff
User & Date: dan 2019-01-01 13:59:34
Context
2019-01-01
18:00
Ensure that when a new cursor is opened by OP_OpenDup, any existing cursor with the same id opened by a previous OP_OpenDup is closed first. check-in: 5c188361 user: dan tags: trunk
13:59
Fix another case in fts5 where a corrupt database could cause a buffer overread. check-in: f7e6cdc5 user: dan tags: trunk
2018-12-31
21:43
Fix harmless compiler warnings. check-in: b57c545a user: drh tags: trunk
Changes
Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Changes to ext/fts5/fts5_index.c.

  2307   2307         if( pIter->pLeaf==0 ) return;
  2308   2308         a = pIter->pLeaf->p;
  2309   2309         if( fts5LeafIsTermless(pIter->pLeaf)==0 ){
  2310   2310           iPgidx = pIter->pLeaf->szLeaf;
  2311   2311           iPgidx += fts5GetVarint32(&pIter->pLeaf->p[iPgidx], iOff);
  2312   2312           if( iOff<4 || iOff>=pIter->pLeaf->szLeaf ){
  2313   2313             p->rc = FTS5_CORRUPT;
         2314  +          return;
  2314   2315           }else{
  2315   2316             nKeep = 0;
  2316   2317             iTermOff = iOff;
  2317   2318             n = pIter->pLeaf->nn;
  2318   2319             iOff += fts5GetVarint32(&a[iOff], nNew);
  2319   2320             break;
  2320   2321           }
  2321   2322         }
  2322   2323       }while( 1 );
  2323   2324     }
  2324   2325   
  2325   2326    search_success:
  2326         -
  2327   2327     pIter->iLeafOffset = iOff + nNew;
         2328  +  if( pIter->iLeafOffset>n ){
         2329  +    p->rc = FTS5_CORRUPT;
         2330  +    return;
         2331  +  }
  2328   2332     pIter->iTermLeafOffset = pIter->iLeafOffset;
  2329   2333     pIter->iTermLeafPgno = pIter->iLeafPgno;
  2330   2334   
  2331   2335     fts5BufferSet(&p->rc, &pIter->term, nKeep, pTerm);
  2332   2336     fts5BufferAppendBlob(&p->rc, &pIter->term, nNew, &a[iOff]);
  2333   2337   
  2334   2338     if( iPgidx>=n ){

Changes to ext/fts5/test/fts5corrupt3.test.

  1627   1627   | end crash-cf347c523f793c.db
  1628   1628   }]} {}
  1629   1629   
  1630   1630   do_catchsql_test 20.1 {
  1631   1631     SELECT * FROM t1 WHERE t1 MATCH 'abandon';
  1632   1632   } {1 {vtable constructor failed: t1}}
  1633   1633   
         1634  +#-------------------------------------------------------------------------
         1635  +reset_db
         1636  +do_test 21.0 {
         1637  +  sqlite3 db {}
         1638  +  db deserialize [decode_hexdb {
         1639  +| size 28672 pagesize 4096 filename c22b.db
         1640  +| page 1 offset 0
         1641  +|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
         1642  +|     16: 10 00 01 01 00 40 20 20 00 00 00 01 00 00 00 07   .....@  ........
         1643  +|     32: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00   ................
         1644  +|     48: 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00   ................
         1645  +|     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01   ................
         1646  +|     96: 00 2e 30 38 0d 00 00 00 07 0d d2 00 0f c4 0f 6d   ..08...........m
         1647  +|    112: 0f 02 0e ab 0e 4e 0d f6 0d d2 00 00 00 00 00 00   .....N..........
         1648  +|   3536: 00 00 22 07 06 17 11 11 01 31 74 61 62 6c 65 74   .........1tablet
         1649  +|   3552: 32 74 32 07 43 52 45 41 54 45 20 54 41 42 4c 45   2t2.CREATE TABLE
         1650  +|   3568: 20 74 32 28 78 29 56 06 06 17 1f 1f 01 7d 74 61    t2(x)V.......ta
         1651  +|   3584: 62 6c 65 74 31 5f 63 6f 6e 66 69 67 74 31 5f 63   blet1_configt1_c
         1652  +|   3600: 6f 6e 66 69 67 06 43 52 45 41 54 45 20 54 41 42   onfig.CREATE TAB
         1653  +|   3616: 4c 45 20 27 74 31 5f 63 6f 6e 66 69 67 27 28 6b   LE 't1_config'(k
         1654  +|   3632: 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 76 29    PRIMARY KEY, v)
         1655  +|   3648: 20 57 49 54 48 4f 55 54 20 52 4f 57 49 44 5b 05    WITHOUT ROWID[.
         1656  +|   3664: 07 17 21 21 01 81 01 74 61 62 6c 65 74 31 5f 64   ..!!...tablet1_d
         1657  +|   3680: 6f 63 73 69 7a 65 74 31 5f 64 6f 63 73 69 7a 65   ocsizet1_docsize
         1658  +|   3696: 05 43 52 45 41 54 45 20 54 41 42 4c 45 20 27 74   .CREATE TABLE 't
         1659  +|   3712: 31 5f 64 6f 63 73 69 7a 65 27 28 69 64 20 49 4e   1_docsize'(id IN
         1660  +|   3728: 54 45 47 45 52 20 50 52 49 4d 41 52 59 20 4b 45   TEGER PRIMARY KE
         1661  +|   3744: 59 2c 20 73 7a 20 42 4c 4f 42 29 55 04 06 17 21   Y, sz BLOB)U...!
         1662  +|   3760: 21 01 77 74 61 62 6c 65 74 31 5f 63 6f 6e 74 65   !.wtablet1_conte
         1663  +|   3776: 6e 74 74 31 5f 63 6f 6e 74 65 6e 74 04 43 52 45   ntt1_content.CRE
         1664  +|   3792: 41 54 45 20 54 41 42 4c 45 20 27 74 31 5f 63 6f   ATE TABLE 't1_co
         1665  +|   3808: 6e 74 65 6e 74 27 28 69 64 20 49 4e 54 45 47 45   ntent'(id INTEGE
         1666  +|   3824: 52 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 63   R PRIMARY KEY, c
         1667  +|   3840: 30 29 69 03 07 17 19 19 01 81 2d 74 61 62 6c 65   0)i.......-table
         1668  +|   3856: 74 31 5f 69 64 78 74 31 5f 69 64 78 03 43 52 45   t1_idxt1_idx.CRE
         1669  +|   3872: 41 54 45 20 54 41 42 4c 45 20 27 74 31 5f 69 64   ATE TABLE 't1_id
         1670  +|   3888: 78 27 28 73 65 67 69 64 2c 20 74 65 72 6d 2c 20   x'(segid, term, 
         1671  +|   3904: 70 67 6e 6f 2c 20 50 52 49 4d 41 52 59 20 4b 45   pgno, PRIMARY KE
         1672  +|   3920: 59 28 73 65 67 69 64 2c 20 74 65 72 6d 29 29 20   Y(segid, term)) 
         1673  +|   3936: 57 49 54 48 4f 55 54 20 52 4f 57 49 44 55 02 07   WITHOUT ROWIDU..
         1674  +|   3952: 17 1b 1b 01 81 01 74 61 62 6c 65 74 31 5f 64 61   ......tablet1_da
         1675  +|   3968: 74 61 74 31 5f 64 61 74 61 02 43 52 45 41 54 45   tat1_data.CREATE
         1676  +|   3984: 20 54 41 42 4c 45 20 27 74 31 5f 64 61 74 61 27    TABLE 't1_data'
         1677  +|   4000: 28 69 64 20 49 4e 54 45 47 45 52 20 50 52 49 4d   (id INTEGER PRIM
         1678  +|   4016: 41 52 59 20 4b 45 59 2c 20 62 6c 6f 63 6b 20 42   ARY KEY, block B
         1679  +|   4032: 4c 4f 42 29 3a 01 06 17 11 11 08 63 74 61 62 6c   LOB):......ctabl
         1680  +|   4048: 65 74 31 74 31 43 52 45 41 54 45 20 56 49 52 54   et1t1CREATE VIRT
         1681  +|   4064: 55 41 4c 20 54 41 42 4c 45 20 74 31 20 55 53 49   UAL TABLE t1 USI
         1682  +|   4080: 4e 47 20 66 74 73 35 28 63 6f 6e 74 65 6e 74 29   NG fts5(content)
         1683  +| page 2 offset 4096
         1684  +|      0: 0d 0e 8e 00 06 0e 2f 00 0f e8 0e 2f 0f bd 0f 3b   ....../..../...;
         1685  +|     16: 0e a5 0e 49 00 00 00 00 00 00 00 00 00 00 00 00   ...I............
         1686  +|   3616: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18   ................
         1687  +|   3632: 0a 03 00 36 00 00 00 00 01 04 04 00 04 01 01 01   ...6............
         1688  +|   3648: 02 01 01 03 01 01 04 01 01 3e 90 80 80 80 80 01   .........>......
         1689  +|   3664: 04 00 81 00 00 00 00 36 06 30 62 61 63 6b 75 05   .......6.0backu.
         1690  +|   3680: 02 04 05 02 04 02 05 65 61 6d 65 72 05 02 02 05   .......eamer....
         1691  +|   3696: 02 02 02 05 6f 6f 6d 65 72 05 01 05 01 02 05 75   ....oomer......u
         1692  +|   3712: 6d 6d 65 72 05 02 03 05 02 03 04 0d 0d 0b 0f 27   mmer...........'
         1693  +|   3728: 00 17 30 00 00 00 00 01 03 03 00 03 01 01 01 02   ..0.............
         1694  +|   3744: 01 01 03 01 01 7b 8c 80 80 80 80 01 04 00 81 7a   ...............z
         1695  +|   3760: 00 00 00 6d 06 30 61 62 61 63 6b 0d 02 07 04 04   ...m.0aback.....
         1696  +|   3776: 6e 64 6f 6e 0d 02 05 02 05 63 74 69 76 65 09 02   ndon.....ctive..
         1697  +|   3792: 02 04 02 0b 02 04 6c 70 68 61 0d 04 02 0a 02 03   ......lpha......
         1698  +|   3808: 74 6f 6d 0b 02 02 02 02 09 05 02 69 63 0c 02 02   tom........ic...
         1699  +|   3824: 01 06 62 61 63 6b 75 70 0d 02 04 02 05 6f 6f 6d   ..backup.....oom
         1700  +|   3840: 65 72 0a 02 02 03 02 08 01 07 63 68 61 6e 6e 65   er........channe
         1701  +|   3856: 6c 0d 02 03 01 04 74 65 73 74 0d 02 06 04 0a 09   l.....test......
         1702  +|   3872: 0d 0a 0b 07 0b 0d 0c 0f ef 00 14 2a 00 00 00 00   ...........*....
         1703  +|   3888: 01 02 02 00 02 01 01 01 02 01 01 7b 88 80 80 80   ................
         1704  +|   3904: 80 01 04 00 81 7a 00 00 00 6d 06 30 61 62 61 63   .....z...m.0abac
         1705  +|   3920: 6b 08 02 07 04 04 6e 64 6f 6e 08 02 05 02 05 63   k.....ndon.....c
         1706  +|   3936: 74 69 76 65 04 02 02 04 02 0b 02 04 6c 70 68 61   tive........lpha
         1707  +|   3952: 08 04 02 0a 02 03 74 6f 6d 06 02 02 02 02 09 05   ......tom.......
         1708  +|   3968: 02 69 63 07 02 02 01 06 62 61 63 6b 75 70 08 02   .ic.....backup..
         1709  +|   3984: 04 02 05 6f 6f 6d 65 72 05 02 02 03 02 08 01 07   ...oomer........
         1710  +|   4000: 63 68 61 6e 6e 65 6c 08 02 03 01 04 74 65 73 74   channel.....test
         1711  +|   4016: 08 02 06 04 0a 09 0d 0a 0b 07 0b 0d 0c 24 84 80   .............$..
         1712  +|   4032: 80 80 80 01 03 00 4e 00 00 00 1e 06 30 61 62 61   ......N.....0aba
         1713  +|   4048: 63 6b 01 02 02 04 02 66 74 00 02 22 04 04 6e 64   ck.....ft.....nd
         1714  +|   4064: 6f 6e 03 02 02 08 0a 07 05 01 03 00 10 0d 23 00   on............#.
         1715  +|   4080: 00 00 11 24 00 00 00 00 01 01 01 00 01 01 01 01   ...$............
         1716  +| page 3 offset 8192
         1717  +|      0: 0a 00 00 00 04 0f e5 00 0f fa 0f f3 0f ec 0f e5   ................
         1718  +|   4064: 00 00 00 00 00 06 04 01 0c 01 04 02 06 04 01 0c   ................
         1719  +|   4080: 01 03 02 06 04 01 0c 01 02 02 05 04 09 0c 01 02   ................
         1720  +| page 4 offset 12288
         1721  +|      0: 0d 0f 5a 00 0d 0e ce 00 0f f6 0f ec 0f e0 0f d5   ..Z.............
         1722  +|     16: 0e e7 0f c1 0f b6 0f 70 0f 65 0e ce 0f 51 0f 46   .......p.e...Q.F
         1723  +|     32: 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
         1724  +|   3776: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17 0a   ................
         1725  +|   3792: 03 00 35 62 65 61 6d 65 72 20 62 75 6d 6d 65 72   ..5beamer bummer
         1726  +|   3808: 20 62 61 63 6b 75 29 17 05 03 00 35 62 65 61 6d    backu)....5beam
         1727  +|   3824: 65 72 20 62 75 6d 6d 65 72 20 62 61 63 6b 75 29   er bummer backu)
         1728  +|   3840: 44 0d 04 00 81 0d 61 6c 70 68 61 20 63 68 61 6e   D.....alpha chan
         1729  +|   3856: 6e 65 6c 20 62 61 63 6b 75 70 20 61 62 61 6e 64   nel backup aband
         1730  +|   3872: 6f 6e 20 74 65 73 74 20 61 62 61 63 6b 20 62 6f   on test aback bo
         1731  +|   3888: 6f 6d 65 72 20 61 74 6f 6d 20 61 6c 70 68 61 20   omer atom alpha 
         1732  +|   3904: 61 63 74 69 76 65 09 0c 03 00 19 61 74 6f 6d 69   active.....atomi
         1733  +|   3920: 63 07 0b 03 00 15 61 74 6f 6d 0f ca 00 0b 19 62   c.....atom.....b
         1734  +|   3936: 6f 6f 6d 65 72 09 09 03 00 19 61 63 74 69 76 65   oomer.....active
         1735  +|   3952: 44 08 04 00 81 0d 61 6c 70 68 61 20 63 68 61 6e   D.....alpha chan
         1736  +|   3968: 6e 65 6c 20 62 61 63 6b 75 70 20 61 62 61 6e 64   nel backup aband
         1737  +|   3984: 6f 6e 20 74 65 73 74 20 61 62 61 63 6b 20 62 6f   on test aback bo
         1738  +|   4000: 6f 6d 65 72 20 61 74 6f 6d 20 61 6c 70 68 61 20   omer atom alpha 
         1739  +|   4016: 61 63 74 69 76 65 09 07 03 00 19 61 74 6f 6d 69   active.....atomi
         1740  +|   4032: 63 07 06 03 00 15 61 74 6f 6d 00 00 00 0b 19 62   c.....atom.....b
         1741  +|   4048: 6f 6f 6d 65 72 09 04 03 00 19 61 63 74 69 76 65   oomer.....active
         1742  +|   4064: 0a 03 03 00 1b 61 62 61 6e 64 6f 6e 08 02 03 00   .....abandon....
         1743  +|   4080: 17 61 62 61 66 74 08 01 03 00 17 61 62 61 63 6b   .abaft.....aback
         1744  +| page 5 offset 16384
         1745  +|      0: 0d 00 00 00 0d 0f b2 00 0f fa 0f f4 0f ee 0f e8   ................
         1746  +|     16: 0f e2 0f dc 0f d6 0f d0 0f ca 0f c4 0f be 0f b8   ................
         1747  +|     32: 0f b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
         1748  +|   4016: 00 00 04 0d 03 00 0e 0a 04 0c 03 00 0e 01 04 0b   ................
         1749  +|   4032: 03 00 0e 01 04 0a 03 00 0e 03 04 09 03 00 0e 01   ................
         1750  +|   4048: 04 08 03 00 0e 0a 04 07 03 00 0e 01 04 06 03 00   ................
         1751  +|   4064: 0e 01 04 05 03 00 0e 03 04 04 03 00 0e 01 04 03   ................
         1752  +|   4080: 03 00 0e 01 04 02 03 00 0e 01 04 01 03 00 0e 01   ................
         1753  +| page 6 offset 20480
         1754  +|      0: 0a 00 00 00 01 0f f4 00 0f f4 00 00 00 00 00 00   ................
         1755  +|   4080: 00 00 00 00 0b 03 1b 01 76 65 72 73 69 6f 6e 04   ........version.
         1756  +| page 7 offset 24576
         1757  +|      0: 0d 00 00 00 03 0f d6 00 0f f4 0f e1 0f d6 00 00   ................
         1758  +|   4048: 00 00 00 00 00 00 09 03 02 1b 72 65 62 75 69 6c   ..........rebuil
         1759  +|   4064: 64 11 02 02 2b 69 6e 74 65 67 72 69 74 79 2d 63   d...+integrity-c
         1760  +|   4080: 68 65 63 6b 0a 01 02 1d 6f 70 74 69 6d 69 7a 65   heck....optimize
         1761  +| end c22b.db
         1762  +}]} {}
         1763  +
         1764  +do_catchsql_test 21.1 {
         1765  +  DELETE FROM t1 WHERE t1 MATCH 'ab*ndon';
         1766  +} {1 {database disk image is malformed}}
  1634   1767   
  1635   1768   sqlite3_fts5_may_be_corrupt 0
  1636   1769   finish_test
  1637   1770