2009-06-03 21:26:17 +04:00
|
|
|
# 2009 June 3
|
|
|
|
#
|
|
|
|
# The author disclaims copyright to this source code. In place of
|
|
|
|
# a legal notice, here is a blessing:
|
|
|
|
#
|
|
|
|
# May you do good and not evil.
|
|
|
|
# May you find forgiveness for yourself and forgive others.
|
|
|
|
# May you share freely, never taking more than you give.
|
|
|
|
#
|
|
|
|
#***********************************************************************
|
|
|
|
#
|
2009-06-05 21:09:11 +04:00
|
|
|
# $Id: corruptD.test,v 1.2 2009/06/05 17:09:12 drh Exp $
|
2009-06-03 21:26:17 +04:00
|
|
|
|
|
|
|
set testdir [file dirname $argv0]
|
|
|
|
source $testdir/tester.tcl
|
|
|
|
|
2011-02-16 04:23:50 +03:00
|
|
|
# Do not use a codec for tests in this file, as the database file is
|
|
|
|
# manipulated directly using tcl scripts (using the [hexio_write] command).
|
|
|
|
#
|
|
|
|
do_not_use_codec
|
|
|
|
|
2009-06-03 21:26:17 +04:00
|
|
|
#--------------------------------------------------------------------------
|
|
|
|
# OVERVIEW
|
|
|
|
#
|
|
|
|
# This test file attempts to verify that SQLite does not read past the
|
|
|
|
# end of any in-memory buffers as a result of corrupted database page
|
|
|
|
# images. Usually this happens because a field within a database page
|
|
|
|
# that contains an offset to some other structure within the same page
|
|
|
|
# is set to too large a value. A database page contains the following
|
|
|
|
# such fields:
|
|
|
|
#
|
|
|
|
# 1. The page header field that contains the offset to the first
|
|
|
|
# free block of space.
|
|
|
|
#
|
|
|
|
# 2. The first two bytes of all but the last free block on the free-block
|
|
|
|
# list (the offset to the next free block).
|
|
|
|
#
|
|
|
|
# 3. The page header field containing the number of cells on the page
|
|
|
|
# (implicitly defines the offset to the final element in the cell offset
|
|
|
|
# array, which could potentially be off the end of the page).
|
|
|
|
#
|
|
|
|
# 4. The page header field containing the offset to the start of the cell
|
|
|
|
# content area.
|
|
|
|
#
|
|
|
|
# 5. The contents of the cell offset array.
|
|
|
|
#
|
|
|
|
# 6. The first few bytes of each cell determine the size of the cell
|
|
|
|
# stored within the page, and hence the offset to the final byte of
|
|
|
|
# the cell.
|
|
|
|
#
|
|
|
|
# If any of the above fields are set to too large a value, then a buffer
|
|
|
|
# overread may occur. This test script creates and operates on various
|
|
|
|
# strategically corrupted database files to attempt to provoke such buffer
|
|
|
|
# overreads.
|
|
|
|
#
|
|
|
|
# Very often, a buffer overread passes unnoticed, particularly in workstation
|
|
|
|
# environments. For this reason, this test script should be run using valgrind
|
|
|
|
# (or similar) in order to verify that no overreads occur.
|
|
|
|
#
|
|
|
|
# TEST PLAN
|
|
|
|
#
|
|
|
|
# Test cases corruptD-1.* are white-box tests. They attempt to corrupt
|
|
|
|
# one of the above fields, then exercise each part of the code in btree.c
|
|
|
|
# that uses said field.
|
|
|
|
#
|
|
|
|
# Offset variables 1, 2, 3 and 4 are all checked to make sure they
|
|
|
|
# will not result in buffer overruns as part of page initialization in
|
|
|
|
# sqlite3BtreeInitPage(). Offsets 5 and 6 cannot be tested as part of
|
|
|
|
# page initialization, as trying to do so causes a performance hit.
|
|
|
|
#
|
|
|
|
|
|
|
|
do_test corruptD-1.0 {
|
|
|
|
execsql {
|
|
|
|
PRAGMA auto_vacuum = 0;
|
|
|
|
PRAGMA page_size = 1024;
|
|
|
|
CREATE TABLE t1(a, b);
|
|
|
|
CREATE INDEX i1 ON t1(a, b);
|
|
|
|
}
|
|
|
|
for {set ii 1} {$ii < 50} {incr ii} {
|
|
|
|
execsql { INSERT INTO t1 VALUES($ii, $ii * $ii) }
|
|
|
|
}
|
|
|
|
execsql {
|
|
|
|
DELETE FROM t1 WHERE a = 10;
|
|
|
|
DELETE FROM t1 WHERE a = 20;
|
|
|
|
DELETE FROM t1 WHERE a = 30;
|
|
|
|
DELETE FROM t1 WHERE a = 40;
|
|
|
|
}
|
2011-08-02 04:57:34 +04:00
|
|
|
forcecopy test.db test.bu
|
2009-06-03 21:26:17 +04:00
|
|
|
} {}
|
|
|
|
|
|
|
|
proc incr_change_counter {} {
|
|
|
|
hexio_write test.db 24 [
|
|
|
|
hexio_render_int32 [expr [hexio_get_int [hexio_read test.db 24 4]] + 1]
|
|
|
|
]
|
|
|
|
}
|
|
|
|
|
|
|
|
proc restore_file {} {
|
|
|
|
db close
|
2011-08-02 04:57:34 +04:00
|
|
|
forcecopy test.bu test.db
|
2009-06-03 21:26:17 +04:00
|
|
|
sqlite3 db test.db
|
|
|
|
}
|
|
|
|
|
|
|
|
#-------------------------------------------------------------------------
|
|
|
|
# The following tests, corruptD-1.1.*, focus on the page header field
|
|
|
|
# containing the offset of the first free block in a page.
|
|
|
|
#
|
|
|
|
do_test corruptD-1.1.1 {
|
|
|
|
incr_change_counter
|
|
|
|
hexio_write test.db [expr 1024+1] FFFF
|
2012-09-15 22:45:54 +04:00
|
|
|
catchsql { SELECT * FROM t1 ORDER BY rowid }
|
2009-06-03 21:26:17 +04:00
|
|
|
} {1 {database disk image is malformed}}
|
|
|
|
do_test corruptD-1.1.2 {
|
|
|
|
incr_change_counter
|
|
|
|
hexio_write test.db [expr 1024+1] [hexio_render_int32 1021]
|
2012-09-15 22:45:54 +04:00
|
|
|
catchsql { SELECT * FROM t1 ORDER BY rowid }
|
2009-06-03 21:26:17 +04:00
|
|
|
} {1 {database disk image is malformed}}
|
|
|
|
|
|
|
|
#-------------------------------------------------------------------------
|
|
|
|
# The following tests, corruptD-1.2.*, focus on the offsets contained
|
|
|
|
# in the first 2 byte of each free-block on the free-list.
|
|
|
|
#
|
|
|
|
do_test corruptD-1.2.1 {
|
|
|
|
restore_file
|
|
|
|
} {}
|
|
|
|
do_test corruptD-1.2.2 {
|
|
|
|
} {}
|
|
|
|
|
|
|
|
#-------------------------------------------------------------------------
|
|
|
|
# The following tests, corruptD-1.4.*, ...
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
#-------------------------------------------------------------------------
|
|
|
|
# The following tests, corruptD-1.5.*, focus on the offsets contained
|
|
|
|
# in the cell offset array.
|
|
|
|
#
|
|
|
|
# defragmentPage
|
|
|
|
#
|
|
|
|
|
|
|
|
finish_test
|