Avoid a buffer overread when reading a corrupt fts5 structure record.

FossilOrigin-Name: facbc424e555061135aced7b134bf6c19f54e484
2016-02-11 18:08:38 +00:00 · 2016-02-11 18:08:38 +00:00 · 2a44b3d877
parent 22e8356368
commit 2a44b3d877
4 changed files with 65 additions and 20 deletions
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@ -879,25 +879,34 @@ static int fts5StructureDecode(
      int nTotal;
      int iSeg;

-      i += fts5GetVarint32(&pData[i], pLvl->nMerge);
-      i += fts5GetVarint32(&pData[i], nTotal);
-      assert( nTotal>=pLvl->nMerge );
-      pLvl->aSeg = (Fts5StructureSegment*)sqlite3Fts5MallocZero(&rc, 
-          nTotal * sizeof(Fts5StructureSegment)
-      );
+      if( i>=nData ){
+        rc = FTS5_CORRUPT;
+      }else{
+        i += fts5GetVarint32(&pData[i], pLvl->nMerge);
+        i += fts5GetVarint32(&pData[i], nTotal);
+        assert( nTotal>=pLvl->nMerge );
+        pLvl->aSeg = (Fts5StructureSegment*)sqlite3Fts5MallocZero(&rc, 
+            nTotal * sizeof(Fts5StructureSegment)
+        );
+      }

      if( rc==SQLITE_OK ){
        pLvl->nSeg = nTotal;
        for(iSeg=0; iSeg<nTotal; iSeg++){
+          if( i>=nData ){
+            rc = FTS5_CORRUPT;
+            break;
+          }
          i += fts5GetVarint32(&pData[i], pLvl->aSeg[iSeg].iSegid);
          i += fts5GetVarint32(&pData[i], pLvl->aSeg[iSeg].pgnoFirst);
          i += fts5GetVarint32(&pData[i], pLvl->aSeg[iSeg].pgnoLast);
        }
-      }else{
-        fts5StructureRelease(pRet);
-        pRet = 0;
      }
    }
+    if( rc!=SQLITE_OK ){
+      fts5StructureRelease(pRet);
+      pRet = 0;
+    }
  }

  *ppOut = pRet;
@ -1564,6 +1573,10 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){
  int nNew;                       /* Bytes of new data */

  iOff += fts5GetVarint32(&a[iOff], nNew);
+  if( iOff+nNew>pIter->pLeaf->nn ){
+    p->rc = FTS5_CORRUPT;
+    return;
+  }
  pIter->term.n = nKeep;
  fts5BufferAppendBlob(&p->rc, &pIter->term, nNew, &a[iOff]);
  iOff += nNew;
--- a/ext/fts5/test/fts5corrupt3.test
+++ b/ext/fts5/test/fts5corrupt3.test
@ -334,12 +334,9 @@ do_catchsql_test 6.3.5 {
 } {1 {database disk image is malformed}}


-}
-
 #------------------------------------------------------------------------
 #
 reset_db
-reset_db
 proc rnddoc {n} {
  set map [list a b c d]
  set doc [list]
@ -371,6 +368,41 @@ do_test 7.1 {
  }
 } {}

+}
+
+#------------------------------------------------------------------------
+# Corruption within the structure record.
+#
+reset_db
+do_execsql_test 8.1 {
+  CREATE VIRTUAL TABLE t1 USING fts5(x, y);
+  INSERT INTO t1 VALUES('one', 'two');
+}
+
+do_test 9.1.1 {
+  set    blob "12345678"    ;# cookie
+  append blob "0105"        ;# 1 level, total of 5 segments
+  append blob "06"          ;# write counter
+  append blob "0002"        ;# first level has 0 segments merging, 2 other.
+  append blob "450108"      ;# first segment
+  execsql "REPLACE INTO t1_data VALUES(10, X'$blob')"
+} {}
+do_catchsql_test 9.1.2 {
+  SELECT * FROM t1('one AND two');
+} {1 {database disk image is malformed}}
+
+do_test 9.2.1 {
+  set    blob "12345678"    ;# cookie
+  append blob "0205"        ;# 2 levels, total of 5 segments
+  append blob "06"          ;# write counter
+  append blob "0001"        ;# first level has 0 segments merging, 1 other.
+  append blob "450108"      ;# first segment
+  execsql "REPLACE INTO t1_data VALUES(10, X'$blob')"
+} {}
+do_catchsql_test 9.2.2 {
+  SELECT * FROM t1('one AND two');
+} {1 {database disk image is malformed}}
+
 sqlite3_fts5_may_be_corrupt 0
 finish_test

--- a/14
+++ b/14
@ -1,5 +1,5 @@
-C Handle\sparser\sstack\soverflow\swhen\sparsing\sfts5\squery\sexpressions.\sFix\ssome\scompiler\swarnings\sin\sfts5\scode.
-D 2016-02-11T17:01:32.344
+C Avoid\sa\sbuffer\soverread\swhen\sreading\sa\scorrupt\sfts5\sstructure\srecord.
+D 2016-02-11T18:08:38.633
 F Makefile.in 4e90dc1521879022aa9479268a4cd141d1771142
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc 463edfba5c6fccebc61d8c094ccd463a6a55becb
@ -104,7 +104,7 @@ F ext/fts5/fts5_buffer.c 4c1502d4c956cd092c89ce4480867f9d8bf325cd
 F ext/fts5/fts5_config.c 35c5173cae4eb17e82164a7f5aeef56a48903079
 F ext/fts5/fts5_expr.c 8e8e4635f655133eb39018072fc0f0942a2c4337
 F ext/fts5/fts5_hash.c 1b113977296cf4212c6ec667d5e3f2bd18036955
-F ext/fts5/fts5_index.c 12354c3871dc0e84621449ab52e8dc26ada82294
+F ext/fts5/fts5_index.c f8afd5cc076726bd9e5807ab62306c85c58cef22
 F ext/fts5/fts5_main.c 0e01ead4e817483e378e7e38e6d902f50b68d29e
 F ext/fts5/fts5_storage.c f8343db90d8c95a4d4b52f6676e354b4649ffd6e
 F ext/fts5/fts5_tcl.c f8731e0508299bd43f1a2eff7dbeaac870768966
@ -141,7 +141,7 @@ F ext/fts5/test/fts5conflict.test 26f4e46c4d31e16221794832a990dc4e30e18de5
 F ext/fts5/test/fts5content.test 9a952c95518a14182dc3b59e3c8fa71cda82a4e1
 F ext/fts5/test/fts5corrupt.test c2ad090192708150d50d961278df10ae7a4b8b62
 F ext/fts5/test/fts5corrupt2.test 26c0a39dd9ff73207e6229f83b50b21d37c7658c
-F ext/fts5/test/fts5corrupt3.test a2b537c120bdd43c79c42fe2438d7b8c81fe5599
+F ext/fts5/test/fts5corrupt3.test b9558d5b0ca44a8b6247fbb5d4a47592a8976892
 F ext/fts5/test/fts5detail.test ef5c690535a797413acaf5ad9b8ab5d49972df69
 F ext/fts5/test/fts5dlidx.test 13871a14641017ae42f6f1055a8067bafd44cb3d
 F ext/fts5/test/fts5doclist.test 8edb5b57e5f144030ed74ec00ef6fa4294fed79b
@ -1427,7 +1427,7 @@ F tool/vdbe_profile.tcl 246d0da094856d72d2c12efec03250d71639d19f
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh ef6ebc6fd8d2dc35db3b622015c16a023d4fef4f
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P cfe2eb88b504f5e9b1351022036641b1ac4c3e78
-R ecfecabfdc2e20b17daae28f5e9c8aee
+P bc3f7900d5a06829d123814a5ac7b951bcfc1560
+R 4e2da5472f7a4a893328894fa9813af5
 U dan
-Z 2089f51bfc7049c8d149969b8c7916a9
+Z 61d305eb29d472167b30ee2488dbe8c6
--- a/manifest.uuid
+++ b/manifest.uuid
@ -1 +1 @@
-bc3f7900d5a06829d123814a5ac7b951bcfc1560
+facbc424e555061135aced7b134bf6c19f54e484