From 0a79238b3925a2c94539379d7fe996425d7e589b Mon Sep 17 00:00:00 2001
From: dan
Date: Tue, 25 Nov 2014 18:59:55 +0000
Subject: [PATCH] Fix an integer overflow bug in vdbesort.c.

FossilOrigin-Name: 623827192532f08b68bc0eb9ed1449e173361f0c
---
 manifest | 17 +++++++++--------
 manifest.uuid | 2 +-
 src/vdbesort.c | 9 ++++++++-
 test/bigsort.test | 43 ++++++++++++++++++++++++++++++++++++++++++
 test/permutations.test | 1 +
 5 files changed, 62 insertions(+), 10 deletions(-)
 create mode 100644 test/bigsort.test

diff --git a/manifest b/manifest
index 125cecdf0c..61c47f746e 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Always\sreinitialized\sthe\sIndex.bUnordered\sand\sIndex.noSkipscan\sflags\sbefore\nrereading\sthe\ssqlite_stat1\stable,\seven\sif\sSQLITE_ENABLE_STAT4\sis\sdefined.
-D 2014-11-22T21:37:00.608
+C Fix\san\sinteger\soverflow\sbug\sin\svdbesort.c.
+D 2014-11-25T18:59:55.761
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in a226317fdf3f4c895fb3cfedc355b4d0868ce1fb
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -298,7 +298,7 @@ F src/vdbeapi.c 07acb615d1e4170e71fc1b0d087f3c53a1ad8e83
 F src/vdbeaux.c 5ce4f414147a3bc3cbcf00ec57f2606c25791629
 F src/vdbeblob.c 4af4bfb71f6df7778397b4a0ebc1879793276778
 F src/vdbemem.c 31d8eabb0cd78bfeab4e5124c7363c3e9e54db9f
-F src/vdbesort.c 87f3923483113d1c95d84640becb4e4946f27d9a
+F src/vdbesort.c 42c166f7ca78cb643c7f4e4bdfa83c59d363d1a6
 F src/vdbetrace.c 7e4222955e07dd707a2f360c0eb73452be1cb010
 F src/vtab.c 2a30791bbd7926b589401bd09c3abb33de563793
 F src/wal.c 486e644b3b8aa5ad066f625bc428aa8ff7001405
@@ -366,6 +366,7 @@ F test/between.test 34d375fb5ce1ae283ffe82b6b233e9f38e84fc6c
 F test/bigfile.test aa74f4e5db51c8e54a1d9de9fa65d01d1eb20b59
 F test/bigfile2.test 1b489a3a39ae90c7f027b79110d6b4e1dbc71bfc
 F test/bigrow.test f0aeb7573dcb8caaafea76454be3ade29b7fc747
+F test/bigsort.test 835478d0ce83bd1e5b05c90571dedd9871a09196
 F test/bind.test 3c7b320969000c441a70952b0b15938fbb66237c
 F test/bindxfer.test efecd12c580c14df5f4ad3b3e83c667744a4f7e0
 F test/bitvec.test 75894a880520164d73b1305c1c3f96882615e142
@@ -776,7 +777,7 @@ F test/pagesize.test 1dd51367e752e742f58e861e65ed7390603827a0
 F test/pcache.test b09104b03160aca0d968d99e8cd2c5b1921a993d
 F test/pcache2.test a83efe2dec0d392f814bfc998def1d1833942025
 F test/percentile.test b98fc868d71eb5619d42a1702e9ab91718cbed54
-F test/permutations.test cef25f5e8499a15846eccd06785f17f4180407ab
+F test/permutations.test 4e12d43f4639ea8a0e366d9c64e0009afe2eb544
 F test/pragma.test 49ac8a73c0daa574824538fed28727d1259fe735
 F test/pragma2.test aea7b3d82c76034a2df2b38a13745172ddc0bc13
 F test/printf.test ec9870c4dce8686a37818e0bf1aba6e6a1863552
@@ -1221,7 +1222,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 9660ce541837ccd8df415641a922274e093056aa
-R b51cb063fe9c06786b358d55d58b3f87
-U drh
-Z 1318c316d07e28b9d1759e5cafc8a50c
+P 1e1221fc4823a6bb6fc5d2408732e27aca585de9
+R d9420ee27960cebcc5a5d23852d1a5da
+U dan
+Z 0b92bbab30b87a9f1cf79fdddb96f8d5
diff --git a/manifest.uuid b/manifest.uuid
index 47b33e7181..03036e1aff 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-1e1221fc4823a6bb6fc5d2408732e27aca585de9
\ No newline at end of file
+623827192532f08b68bc0eb9ed1449e173361f0c
\ No newline at end of file
diff --git a/src/vdbesort.c b/src/vdbesort.c
index df8357a57e..7c736adefe 100644
--- a/src/vdbesort.c
+++ b/src/vdbesort.c
@@ -147,6 +147,13 @@
 # define SQLITE_DEBUG_SORTER_THREADS 1
 #endif
 
+/*
+** Hard-coded maximum amount of data to accumulate in memory before flushing
+** to a level 0 PMA. The purpose of this limit is to prevent various integer
+** overflows. 512MiB.
+*/
+#define SQLITE_MAX_MXPMASIZE (1<<29)
+
 /*
 ** Private objects used by the sorter
 */
@@ -845,7 +852,7 @@ int sqlite3VdbeSorterInit(
 pSorter->mnPmaSize = SORTER_MIN_WORKING * pgsz;
 mxCache = db->aDb[0].pSchema->cache_size;
 if( mxCachemxPmaSize = mxCache * pgsz;
+ pSorter->mxPmaSize = MIN((i64)mxCache*pgsz, SQLITE_MAX_MXPMASIZE);

 /* EVIDENCE-OF: R-26747-61719 When the application provides any amount of
 ** scratch memory using SQLITE_CONFIG_SCRATCH, SQLite avoids unnecessary
diff --git a/test/bigsort.test b/test/bigsort.test
new file mode 100644
index 0000000000..259adc3747
--- /dev/null
+++ b/test/bigsort.test
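Review bot: The clamped i64 product on the added line is assigned straight back to `pSorter->mxPmaSize`, which is presumably still a plain `int` (its declaration is outside the hunk); that narrowing is only safe because SQLITE_MAX_MXPMASIZE fits an int, so an explicit cast would document the intent and keep `-Wconversion` builds quiet: `pSorter->mxPmaSize = (int)MIN((i64)mxCache*pgsz, SQLITE_MAX_MXPMASIZE);`. The context line just before the change is garbled in this rendering (`if( mxCachemxPmaSize = mxCache * pgsz;`), so the lower bound applied to mxCache ahead of the multiply cannot be confirmed here; if a negative cache_size (the KiB form of the pragma) can reach this line un-normalized, the product is negative and MIN keeps it, which is worth checking against that bound. The enclosing sqlite3VdbeSorterInit starts before the hunk and continues past it.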
@@ -0,0 +1,43 @@
+# 2014 November 26
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix bigsort
+
+#--------------------------------------------------------------------
+# At one point there was an overflow problem if the product of the
+# cache-size and page-size was larger than 2^31. Causing an infinite
+# loop if the product was also an integer multiple of 2^32, or
+# inefficiency otherwise.
+#
+do_execsql_test 1.0 {
+ PRAGMA page_size = 1024;
+ CREATE TABLE t1(a, b);
+ BEGIN;
+ WITH data(x,y) AS (
+ SELECT 1, zeroblob(10000)
+ UNION ALL
+ SELECT x+1, y FROM data WHERE x < 300000
+ )
+ INSERT INTO t1 SELECT * FROM data;
+ COMMIT;
+}
+do_execsql_test 1.1 {
+ PRAGMA cache_size = 4194304;
+ CREATE INDEX i1 ON t1(a, b);
+}
+
+
+finish_test
+
+
diff --git a/test/permutations.test b/test/permutations.test
index 54239cc759..ff61bf644b 100644
--- a/test/permutations.test
+++ b/test/permutations.test
@@ -113,6 +113,7 @@ set allquicktests [test_set $alltests -exclude {
 vtab_err.test walslow.test walcrash.test walcrash3.test walthread.test rtree3.test indexfault.test securedel2.test sort3.test sort4.test fts4growth.test fts4growth2.test
+ bigsort.test
 }]
 if {[info exists ::env(QUICKTEST_INCLUDE)]} {
 set allquicktests [concat $allquicktests $::env(QUICKTEST_INCLUDE)]
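Review bot: Test 1.1 only checks that `CREATE INDEX i1 ON t1(a, b)` completes without error; nothing confirms that the index built through the oversized external sort is actually correct, so a follow-up check such as `do_execsql_test 1.2 { PRAGMA integrity_check } {ok}` would turn a silent mis-sort into a failure rather than a pass. The chosen `PRAGMA cache_size = 4194304` with a 1024-byte page makes the product exactly 2^32, which covers the infinite-loop case the header comment describes, but the "inefficiency otherwise" case (a product above 2^31 that is not a multiple of 2^32) is not exercised and would need a second cache_size value. The table is filled with 300000 rows of 10000-byte zeroblobs, so the test presumably takes minutes and several GB of disk, which appears to be why it is added to the exclusion list in permutations.test instead of the quick set; a one-line comment saying so next to the data setup would save the next reader from wondering.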