mirror of https://github.com/sqlite/sqlite
Avoid a buffer overread when reading a corrupt fts5 structure record.
FossilOrigin-Name: facbc424e555061135aced7b134bf6c19f54e484
This commit is contained in:
parent
22e8356368
commit
2a44b3d877
|
@ -879,25 +879,34 @@ static int fts5StructureDecode(
|
|||
int nTotal;
|
||||
int iSeg;
|
||||
|
||||
i += fts5GetVarint32(&pData[i], pLvl->nMerge);
|
||||
i += fts5GetVarint32(&pData[i], nTotal);
|
||||
assert( nTotal>=pLvl->nMerge );
|
||||
pLvl->aSeg = (Fts5StructureSegment*)sqlite3Fts5MallocZero(&rc,
|
||||
nTotal * sizeof(Fts5StructureSegment)
|
||||
);
|
||||
if( i>=nData ){
|
||||
rc = FTS5_CORRUPT;
|
||||
}else{
|
||||
i += fts5GetVarint32(&pData[i], pLvl->nMerge);
|
||||
i += fts5GetVarint32(&pData[i], nTotal);
|
||||
assert( nTotal>=pLvl->nMerge );
|
||||
pLvl->aSeg = (Fts5StructureSegment*)sqlite3Fts5MallocZero(&rc,
|
||||
nTotal * sizeof(Fts5StructureSegment)
|
||||
);
|
||||
}
|
||||
|
||||
if( rc==SQLITE_OK ){
|
||||
pLvl->nSeg = nTotal;
|
||||
for(iSeg=0; iSeg<nTotal; iSeg++){
|
||||
if( i>=nData ){
|
||||
rc = FTS5_CORRUPT;
|
||||
break;
|
||||
}
|
||||
i += fts5GetVarint32(&pData[i], pLvl->aSeg[iSeg].iSegid);
|
||||
i += fts5GetVarint32(&pData[i], pLvl->aSeg[iSeg].pgnoFirst);
|
||||
i += fts5GetVarint32(&pData[i], pLvl->aSeg[iSeg].pgnoLast);
|
||||
}
|
||||
}else{
|
||||
fts5StructureRelease(pRet);
|
||||
pRet = 0;
|
||||
}
|
||||
}
|
||||
if( rc!=SQLITE_OK ){
|
||||
fts5StructureRelease(pRet);
|
||||
pRet = 0;
|
||||
}
|
||||
}
|
||||
|
||||
*ppOut = pRet;
|
||||
|
@ -1564,6 +1573,10 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){
|
|||
int nNew; /* Bytes of new data */
|
||||
|
||||
iOff += fts5GetVarint32(&a[iOff], nNew);
|
||||
if( iOff+nNew>pIter->pLeaf->nn ){
|
||||
p->rc = FTS5_CORRUPT;
|
||||
return;
|
||||
}
|
||||
pIter->term.n = nKeep;
|
||||
fts5BufferAppendBlob(&p->rc, &pIter->term, nNew, &a[iOff]);
|
||||
iOff += nNew;
|
||||
|
|
|
@ -334,12 +334,9 @@ do_catchsql_test 6.3.5 {
|
|||
} {1 {database disk image is malformed}}
|
||||
|
||||
|
||||
}
|
||||
|
||||
#------------------------------------------------------------------------
|
||||
#
|
||||
reset_db
|
||||
reset_db
|
||||
proc rnddoc {n} {
|
||||
set map [list a b c d]
|
||||
set doc [list]
|
||||
|
@ -371,6 +368,41 @@ do_test 7.1 {
|
|||
}
|
||||
} {}
|
||||
|
||||
}
|
||||
|
||||
#------------------------------------------------------------------------
|
||||
# Corruption within the structure record.
|
||||
#
|
||||
reset_db
|
||||
do_execsql_test 8.1 {
|
||||
CREATE VIRTUAL TABLE t1 USING fts5(x, y);
|
||||
INSERT INTO t1 VALUES('one', 'two');
|
||||
}
|
||||
|
||||
do_test 9.1.1 {
|
||||
set blob "12345678" ;# cookie
|
||||
append blob "0105" ;# 1 level, total of 5 segments
|
||||
append blob "06" ;# write counter
|
||||
append blob "0002" ;# first level has 0 segments merging, 2 other.
|
||||
append blob "450108" ;# first segment
|
||||
execsql "REPLACE INTO t1_data VALUES(10, X'$blob')"
|
||||
} {}
|
||||
do_catchsql_test 9.1.2 {
|
||||
SELECT * FROM t1('one AND two');
|
||||
} {1 {database disk image is malformed}}
|
||||
|
||||
do_test 9.2.1 {
|
||||
set blob "12345678" ;# cookie
|
||||
append blob "0205" ;# 2 levels, total of 5 segments
|
||||
append blob "06" ;# write counter
|
||||
append blob "0001" ;# first level has 0 segments merging, 1 other.
|
||||
append blob "450108" ;# first segment
|
||||
execsql "REPLACE INTO t1_data VALUES(10, X'$blob')"
|
||||
} {}
|
||||
do_catchsql_test 9.2.2 {
|
||||
SELECT * FROM t1('one AND two');
|
||||
} {1 {database disk image is malformed}}
|
||||
|
||||
sqlite3_fts5_may_be_corrupt 0
|
||||
finish_test
|
||||
|
||||
|
|
14
manifest
14
manifest
|
@ -1,5 +1,5 @@
|
|||
C Handle\sparser\sstack\soverflow\swhen\sparsing\sfts5\squery\sexpressions.\sFix\ssome\scompiler\swarnings\sin\sfts5\scode.
|
||||
D 2016-02-11T17:01:32.344
|
||||
C Avoid\sa\sbuffer\soverread\swhen\sreading\sa\scorrupt\sfts5\sstructure\srecord.
|
||||
D 2016-02-11T18:08:38.633
|
||||
F Makefile.in 4e90dc1521879022aa9479268a4cd141d1771142
|
||||
F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
|
||||
F Makefile.msc 463edfba5c6fccebc61d8c094ccd463a6a55becb
|
||||
|
@ -104,7 +104,7 @@ F ext/fts5/fts5_buffer.c 4c1502d4c956cd092c89ce4480867f9d8bf325cd
|
|||
F ext/fts5/fts5_config.c 35c5173cae4eb17e82164a7f5aeef56a48903079
|
||||
F ext/fts5/fts5_expr.c 8e8e4635f655133eb39018072fc0f0942a2c4337
|
||||
F ext/fts5/fts5_hash.c 1b113977296cf4212c6ec667d5e3f2bd18036955
|
||||
F ext/fts5/fts5_index.c 12354c3871dc0e84621449ab52e8dc26ada82294
|
||||
F ext/fts5/fts5_index.c f8afd5cc076726bd9e5807ab62306c85c58cef22
|
||||
F ext/fts5/fts5_main.c 0e01ead4e817483e378e7e38e6d902f50b68d29e
|
||||
F ext/fts5/fts5_storage.c f8343db90d8c95a4d4b52f6676e354b4649ffd6e
|
||||
F ext/fts5/fts5_tcl.c f8731e0508299bd43f1a2eff7dbeaac870768966
|
||||
|
@ -141,7 +141,7 @@ F ext/fts5/test/fts5conflict.test 26f4e46c4d31e16221794832a990dc4e30e18de5
|
|||
F ext/fts5/test/fts5content.test 9a952c95518a14182dc3b59e3c8fa71cda82a4e1
|
||||
F ext/fts5/test/fts5corrupt.test c2ad090192708150d50d961278df10ae7a4b8b62
|
||||
F ext/fts5/test/fts5corrupt2.test 26c0a39dd9ff73207e6229f83b50b21d37c7658c
|
||||
F ext/fts5/test/fts5corrupt3.test a2b537c120bdd43c79c42fe2438d7b8c81fe5599
|
||||
F ext/fts5/test/fts5corrupt3.test b9558d5b0ca44a8b6247fbb5d4a47592a8976892
|
||||
F ext/fts5/test/fts5detail.test ef5c690535a797413acaf5ad9b8ab5d49972df69
|
||||
F ext/fts5/test/fts5dlidx.test 13871a14641017ae42f6f1055a8067bafd44cb3d
|
||||
F ext/fts5/test/fts5doclist.test 8edb5b57e5f144030ed74ec00ef6fa4294fed79b
|
||||
|
@ -1427,7 +1427,7 @@ F tool/vdbe_profile.tcl 246d0da094856d72d2c12efec03250d71639d19f
|
|||
F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
|
||||
F tool/warnings.sh ef6ebc6fd8d2dc35db3b622015c16a023d4fef4f
|
||||
F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
|
||||
P cfe2eb88b504f5e9b1351022036641b1ac4c3e78
|
||||
R ecfecabfdc2e20b17daae28f5e9c8aee
|
||||
P bc3f7900d5a06829d123814a5ac7b951bcfc1560
|
||||
R 4e2da5472f7a4a893328894fa9813af5
|
||||
U dan
|
||||
Z 2089f51bfc7049c8d149969b8c7916a9
|
||||
Z 61d305eb29d472167b30ee2488dbe8c6
|
||||
|
|
|
@ -1 +1 @@
|
|||
bc3f7900d5a06829d123814a5ac7b951bcfc1560
|
||||
facbc424e555061135aced7b134bf6c19f54e484
|
Loading…
Reference in New Issue