From 4e6cec1ca0d927b4f62b202554fa607c7987758c Mon Sep 17 00:00:00 2001
From: drh
Date: Thu, 28 Sep 2017 13:47:35 +0000
Subject: [PATCH] Fix an issue introduced by check-in [4cd2a9672c59] (2017-03-03) that could allow a negative value in the 3rd parameter to memmove() when defragmentPage() is called on a btree page with a corrupted freeblock list. The corruption is now detected early and results in an SQLITE_CORRUPT return before the memmove() is reached.

FossilOrigin-Name: 5b9ae693120fe4f7bc3b6270f35d773876f6cc8f5990e05cce0d255c54b36ae7
---
 manifest | 12 ++++++------
 manifest.uuid | 2 +-
 src/btree.c | 3 +++
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/manifest b/manifest
index 5a19f39844..a65a171730 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\snew\sroutines\sto\ssimplify\sdealing\swith\scollating\ssequences\sin\sexpressions:\nsqlite3ExprNNCollSeq()\sand\ssqlite3ExprCollSeqMatch().
-D 2017-09-28T01:58:23.335
+C Fix\san\sissue\sintroduced\sby\scheck-in\s[4cd2a9672c59]\s(2017-03-03)\sthat\scould\nallow\sa\snegative\svalue\sin\sthe\s3rd\sparameter\sto\smemmove()\swhen\ndefragmentPage()\sis\scalled\son\sa\sbtree\spage\swith\sa\scorrupted\nfreeblock\slist.\s\sThe\scorruption\sis\snow\sdetected\searly\sand\sresults\sin\nan\sSQLITE_CORRUPT\sreturn\sbefore\sthe\smemmove()\sis\sreached.
+D 2017-09-28T13:47:35.240
 F Makefile.in 4bc36d913c2e3e2d326d588d72f618ac9788b2fd4b7efda61102611a6495c3ff
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc 6033b51b6aea702ea059f6ab2d47b1d3cef648695f787247dd4fb395fe60673f
@@ -401,7 +401,7 @@ F src/auth.c 6277d63837357549fe14e723490d6dc1a38768d71c795c5eb5c0f8a99f918f73
 F src/backup.c faf17e60b43233c214aae6a8179d24503a61e83b
 F src/bitvec.c 17ea48eff8ba979f1f5b04cc484c7bb2be632f33
 F src/btmutex.c 0e9ce2d56159b89b9bc8e197e023ee11e39ff8ca
-F src/btree.c 1c2b2f1714c411d7a9bc52c90d9dd7eab261261d5691ac0f67e1ced92419799c
+F src/btree.c 221bc1b836f0c386676999a7c62c8dc60455e255fab37df97eca2aa619b92f2a
 F src/btree.h 32ef5d3f25dc70ef1ee9cecf84a023c21378f06a57cd701d2e866e141b150f09
 F src/btreeInt.h 55b702efce17e5d1941865464227d3802cfc9c7c832fac81d4c94dced47a71fc
 F src/build.c e71e96a67daf3d1dd23188423e66cd6af38017e2ec73fead5d2b57da2d3c7e16
@@ -1655,7 +1655,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 0413001843dce7c63659d39b329ca14cdcd54f4407922f51b2fb7659572a733e
-R 0aa0c6a22a3ca8a1377c9aa1ffa8dd82
+P 490e488ea963fe725b16212822c8608f2b6abce688931b611446bc2cbfe6b87c
+R 2f97a6d6fe698142318cfe94f9a0a57b
 U drh
-Z 1f5f89ecf882e16436178057d38d6ed8
+Z 00f2b9734ad71698420412023f6d2194
diff --git a/manifest.uuid b/manifest.uuid
index 030ba54b7f..567c9cdf5d 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-490e488ea963fe725b16212822c8608f2b6abce688931b611446bc2cbfe6b87c
\ No newline at end of file
+5b9ae693120fe4f7bc3b6270f35d773876f6cc8f5990e05cce0d255c54b36ae7
\ No newline at end of file
diff --git a/src/btree.c b/src/btree.c
index a1b125dda8..7c468f35a5 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -1399,6 +1399,9 @@ static int defragmentPage(MemPage *pPage, int nMaxFrag){
 int sz2 = 0;
 int sz = get2byte(&data[iFree+2]);
 int top = get2byte(&data[hdr+5]);
+ if( top>=iFree ){
+ return SQLITE_CORRUPT_PGNO(pPage->pgno);
+ }
 if( iFree2 ){
 assert( iFree+sz<=iFree2 ); /* Verified by pageFindSlot() */
 sz2 = get2byte(&data[iFree2+2]);
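Review bot: The new `if( top>=iFree )` guard has no comment, so a reader sees two page offsets being compared without the reason the commit message gives (a negative third argument to memmove() further down the function); a why-comment above the check would keep that reasoning with the code, e.g. `/* The first freeblock must start after the cell content area begins (iFree>top). Anything else is corruption and would give the memmove() below a negative length. */`. Note also that the `assert( iFree+sz<=iFree2 )` on the following line is compiled out in release builds and relies on pageFindSlot() having validated the freeblock sizes, so the `sz` and `sz2` values read in this hunk are not range-checked here; whether the remaining arithmetic in the function tolerates a corrupt `sz` is not visible in this hunk and is worth confirming. defragmentPage() begins before this hunk and continues after it.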