Fix an integer overflow problem in the sorter.

FossilOrigin-Name: 9d3351b8d713232133dad149c73fb2a27c72abb1
2014-04-03 16:25:29 +00:00 · 2014-04-03 16:25:29 +00:00 · 8930c2ab0c
commit 8930c2ab0c
parent 6e4cc55e1f
8 changed files with 57 additions and 27 deletions
--- a/22
+++ b/22
@ -1,5 +1,5 @@
-C Fix\sminor\serrors\scausing\scompilation\sto\sfail\swith\sSQLITE_MAX_WORKER_THREADS\sset\sto\sa\svalue\sgreater\sthan\szero.
-D 2014-04-03T14:29:08.251
+C Fix\san\sinteger\soverflow\sproblem\sin\sthe\ssorter.
+D 2014-04-03T16:25:29.778
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in ad0921c4b2780d01868cf69b419a4f102308d125
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@ -186,7 +186,7 @@ F src/journal.c b4124532212b6952f42eb2c12fa3c25701d8ba8d
 F src/legacy.c 0df0b1550b9cc1f58229644735e317ac89131f12
 F src/lempar.c cdf0a000315332fc9b50b62f3b5e22e080a0952b
 F src/loadext.c 867c7b330b740c6c917af9956b13b81d0a048303
-F src/main.c d3655832585baef4c2356529a5c6ca5ca3bd7c1f
+F src/main.c fcceb01d74a79c2d7984f33545b35b06da3bb1e8
 F src/malloc.c 0203ebce9152c6a0e5de520140b8ba65187350be
 F src/mem0.c 6a55ebe57c46ca1a7d98da93aaa07f99f1059645
 F src/mem1.c c0c990fcaddff810ea277b4fb5d9138603dd5d4b
@ -219,15 +219,15 @@ F src/resolve.c 273d5f47c4e2c05b2d3d2bffeda939551ab59e66
 F src/rowset.c 64655f1a627c9c212d9ab497899e7424a34222e0
 F src/select.c 20055cf917222e660c4222fea306bd13a0623caa
 F src/shell.c a08060750f92461fc462b4f767e3b0d19d6b832e
-F src/sqlite.h.in 0249af5d9d3bbeab0dc1f58e1f9fee878807732a
+F src/sqlite.h.in 81221c50addbf698c3247154d92efd1095bfd885
 F src/sqlite3.rc 11094cc6a157a028b301a9f06b3d03089ea37c3e
 F src/sqlite3ext.h 886f5a34de171002ad46fae8c36a7d8051c190fc
-F src/sqliteInt.h 3ed0fedb5b64ece395a2114b7c73417678f3e420
+F src/sqliteInt.h 78c89401120b062660427c7b642de4de7673bc46
 F src/sqliteLimit.h 164b0e6749d31e0daa1a4589a169d31c0dec7b3d
 F src/status.c 7ac05a5c7017d0b9f0b4bcd701228b784f987158
 F src/table.c 2cd62736f845d82200acfa1287e33feb3c15d62e
 F src/tclsqlite.c e87c99e28a145943666b51b212dacae35fcea0bd
-F src/test1.c 31596bf8a9c0629f88e514a4ec864847c8946c4e
+F src/test1.c 0cd73ae82fdf7add76ca603e3575380ae7539ae2
 F src/test2.c 7355101c085304b90024f2261e056cdff13c6c35
 F src/test3.c 1c0e5d6f080b8e33c1ce8b3078e7013fdbcd560c
 F src/test4.c 9b32d22f5f150abe23c1830e2057c4037c45b3df
@ -286,7 +286,7 @@ F src/vdbeapi.c 0ed6053f947edd0b30f64ce5aeb811872a3450a4
 F src/vdbeaux.c d8dc38965507a34b0e150c0d7fc82b02f8cf25ea
 F src/vdbeblob.c 15377abfb59251bccedd5a9c7d014a895f0c04aa
 F src/vdbemem.c 6fc77594c60f6155404f3f8d71bf36d1fdeb4447
-F src/vdbesort.c 5e7ed44bb4f2af809b6d229ae00f97825efab89a
+F src/vdbesort.c 252d7ab7620649945b53289510a172bc73133f17
 F src/vdbetrace.c 6f52bc0c51e144b7efdcfb2a8f771167a8816767
 F src/vtab.c 21b932841e51ebd7d075e2d0ad1415dce8d2d5fd
 F src/wal.c 76e7fc6de229bea8b30bb2539110f03a494dc3a8
@ -738,7 +738,7 @@ F test/pagesize.test 1dd51367e752e742f58e861e65ed7390603827a0
 F test/pcache.test b09104b03160aca0d968d99e8cd2c5b1921a993d
 F test/pcache2.test a83efe2dec0d392f814bfc998def1d1833942025
 F test/percentile.test b98fc868d71eb5619d42a1702e9ab91718cbed54
-F test/permutations.test 40add071ba71aefe1c04f5845308cf46f7de8d04
+F test/permutations.test a214a42b4767bbbc7cd0fd965ea6198044ab414d
 F test/pragma.test adb21a90875bc54a880fa939c4d7c46598905aa0
 F test/pragma2.test aea7b3d82c76034a2df2b38a13745172ddc0bc13
 F test/printf.test ec9870c4dce8686a37818e0bf1aba6e6a1863552
@ -1161,7 +1161,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh d1a6de74685f360ab718efda6265994b99bbea01
 F tool/win/sqlite.vsix 030f3eeaf2cb811a3692ab9c14d021a75ce41fff
-P d284e30eb1db144965fa85566e4234e30464350b
-R 45d899d78ea7a6cd4a92080d8bb33ecf
+P 0561272abf357a2f4709f6c02866e570d19cd344
+R 8288f2959bddd3667c4349a94ca23e0f
 U dan
-Z 013157fb51930f7eb005a94358375580
+Z 4eb0e7377049f06d09d1ea7ce591ab92
--- a/manifest.uuid
+++ b/manifest.uuid
@ -1 +1 @@
-0561272abf357a2f4709f6c02866e570d19cd344
+9d3351b8d713232133dad149c73fb2a27c72abb1
--- a/src/main.c
+++ b/src/main.c
@ -2504,6 +2504,7 @@ static int openDatabase(
  db->nextAutovac = -1;
  db->szMmap = sqlite3GlobalConfig.szMmap;
  db->nextPagesize = 0;
+  db->nMaxSorterMmap = 0x7FFFFFFF;
  db->flags |= SQLITE_ShortColNames | SQLITE_EnableTrigger | SQLITE_CacheSpill
 #if !defined(SQLITE_DEFAULT_AUTOMATIC_INDEX) || SQLITE_DEFAULT_AUTOMATIC_INDEX
                 | SQLITE_AutoIndex
@ -3330,6 +3331,13 @@ int sqlite3_test_control(int op, ...){
      break;
    }

+    /*   sqlite3_test_control(SQLITE_TESTCTRL_SORTER_MMAP, db, nMax); */
+    case SQLITE_TESTCTRL_SORTER_MMAP: {
+      sqlite3 *db = va_arg(ap, sqlite3*);
+      db->nMaxSorterMmap = va_arg(ap, int);
+      break;
+    }
+
  }
  va_end(ap);
 #endif /* SQLITE_OMIT_BUILTIN_TEST */
--- a/src/sqlite.h.in
+++ b/src/sqlite.h.in
@ -6129,7 +6129,8 @@ int sqlite3_test_control(int op, ...);
 #define SQLITE_TESTCTRL_EXPLAIN_STMT            19
 #define SQLITE_TESTCTRL_NEVER_CORRUPT           20
 #define SQLITE_TESTCTRL_VDBE_COVERAGE           21
-#define SQLITE_TESTCTRL_LAST                    21
+#define SQLITE_TESTCTRL_SORTER_MMAP             22
+#define SQLITE_TESTCTRL_LAST                    22

 /*
 ** CAPI3REF: SQLite Runtime Status
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@ -981,6 +981,7 @@ struct sqlite3 {
  int nChange;                  /* Value returned by sqlite3_changes() */
  int nTotalChange;             /* Value returned by sqlite3_total_changes() */
  int aLimit[SQLITE_N_LIMIT];   /* Limits */
+  int nMaxSorterMmap;           /* Maximum size of regions mapped by sorter */
  struct sqlite3InitInfo {      /* Information used during initialization */
    int newTnum;                /* Rootpage of table being initialized */
    u8 iDb;                     /* Which db file is being initialized */
--- a/src/test1.c
+++ b/src/test1.c
@ -5884,6 +5884,7 @@ static int test_test_control(
    int i;
  } aVerb[] = {
    { "SQLITE_TESTCTRL_LOCALTIME_FAULT", SQLITE_TESTCTRL_LOCALTIME_FAULT }, 
+    { "SQLITE_TESTCTRL_SORTER_MMAP", SQLITE_TESTCTRL_SORTER_MMAP }, 
  };
  int iVerb;
  int iFlag;
@ -5911,6 +5912,19 @@ static int test_test_control(
      sqlite3_test_control(SQLITE_TESTCTRL_LOCALTIME_FAULT, val);
      break;
    }
+
+    case SQLITE_TESTCTRL_SORTER_MMAP: {
+      int val;
+      sqlite3 *db;
+      if( objc!=4 ){
+        Tcl_WrongNumArgs(interp, 2, objv, "DB LIMIT");
+        return TCL_ERROR;
+      }
+      if( getDbPointer(interp, Tcl_GetString(objv[2]), &db) ) return TCL_ERROR;
+      if( Tcl_GetIntFromObj(interp, objv[3], &val) ) return TCL_ERROR;
+      sqlite3_test_control(SQLITE_TESTCTRL_SORTER_MMAP, db, val);
+      break;
+    }
  }

  Tcl_ResetResult(interp);
--- a/src/vdbesort.c
+++ b/src/vdbesort.c
@ -144,7 +144,7 @@ struct SortSubtask {
  SQLiteThread *pThread;          /* Thread handle, or NULL */
  int bDone;                      /* Set to true by pTask when finished */

-  sqlite3_vfs *pVfs;              /* VFS used to open temporary files */
+  sqlite3 *db;                    /* Database connection */
  KeyInfo *pKeyInfo;              /* How to compare records */
  UnpackedRecord *pUnpacked;      /* Space to unpack a record */
  int pgsz;                       /* Main database page size */
@ -514,7 +514,9 @@ static int vdbePmaReaderInit(
  if( pIter->aAlloc ){
    /* Try to xFetch() a mapping of the entire temp file. If this is possible,
    ** the PMA will be read via the mapping. Otherwise, use xRead().  */
-    rc = sqlite3OsFetch(pIter->pFile, 0, pTask->iTemp1Off, &pMap);
+    if( pTask->iTemp1Off<=(i64)(pTask->db->nMaxSorterMmap) ){
+      rc = sqlite3OsFetch(pIter->pFile, 0, pTask->iTemp1Off, &pMap);
+    }
  }else{
    rc = SQLITE_NOMEM;
  }
@ -670,8 +672,8 @@ int sqlite3VdbeSorterInit(
    for(i=0; i<pSorter->nTask; i++){
      SortSubtask *pTask = &pSorter->aTask[i];
      pTask->pKeyInfo = pKeyInfo;
-      pTask->pVfs = db->pVfs;
      pTask->pgsz = pgsz;
+      pTask->db = db;
    }

    if( !sqlite3TempInMemory(db) ){
@ -1015,17 +1017,20 @@ static void vdbePmaWriteVarint(PmaWriter *p, u64 iVal){
 ** Whether or not the file does end up memory mapped of course depends on
 ** the specific VFS implementation.
 */
-static int vdbeSorterExtendFile(sqlite3_file *pFile, i64 nByte){
-  int rc = sqlite3OsTruncate(pFile, nByte);
-  if( rc==SQLITE_OK ){
-    void *p = 0;
-    sqlite3OsFetch(pFile, 0, nByte, &p);
-    sqlite3OsUnfetch(pFile, 0, p);
+static int vdbeSorterExtendFile(sqlite3 *db, sqlite3_file *pFile, i64 nByte){
+  int rc = SQLITE_OK;
+  if( nByte<=(i64)(db->nMaxSorterMmap) ){
+    rc = sqlite3OsTruncate(pFile, nByte);
+    if( rc==SQLITE_OK ){
+      void *p = 0;
+      sqlite3OsFetch(pFile, 0, nByte, &p);
+      sqlite3OsUnfetch(pFile, 0, p);
+    }
  }
  return rc;
 }
 #else
-# define vdbeSorterExtendFile(x,y) SQLITE_OK
+# define vdbeSorterExtendFile(x,y,z) SQLITE_OK
 #endif


@ -1051,7 +1056,7 @@ static int vdbeSorterListToPMA(SortSubtask *pTask){

  /* If the first temporary PMA file has not been opened, open it now. */
  if( pTask->pTemp1==0 ){
-    rc = vdbeSorterOpenTempFile(pTask->pVfs, &pTask->pTemp1);
+    rc = vdbeSorterOpenTempFile(pTask->db->pVfs, &pTask->pTemp1);
    assert( rc!=SQLITE_OK || pTask->pTemp1 );
    assert( pTask->iTemp1Off==0 );
    assert( pTask->nPMA==0 );
@ -1059,7 +1064,7 @@ static int vdbeSorterListToPMA(SortSubtask *pTask){

  /* Try to get the file to memory map */
  if( rc==SQLITE_OK ){
-    rc = vdbeSorterExtendFile(
+    rc = vdbeSorterExtendFile(pTask->db, 
        pTask->pTemp1, pTask->iTemp1Off + pTask->nInMemory + 9
    );
  }
@ -1206,9 +1211,9 @@ static void *vdbeSortSubtaskMain(void *pCtx){
      }

      /* Open a second temp file to write merged data to */
-      rc = vdbeSorterOpenTempFile(pTask->pVfs, &pTemp2);
+      rc = vdbeSorterOpenTempFile(pTask->db->pVfs, &pTemp2);
      if( rc==SQLITE_OK ){
-        rc = vdbeSorterExtendFile(pTemp2, pTask->iTemp1Off);
+        rc = vdbeSorterExtendFile(pTask->db, pTemp2, pTask->iTemp1Off);
      }
      if( rc!=SQLITE_OK ){
        vdbeMergeEngineFree(pMerger);
--- a/test/permutations.test
+++ b/test/permutations.test
@ -112,6 +112,7 @@ set allquicktests [test_set $alltests -exclude {
  incrvacuum_ioerr.test autovacuum_crash.test btree8.test shared_err.test
  vtab_err.test walslow.test walcrash.test walcrash3.test
  walthread.test rtree3.test indexfault.test securedel2.test
+  sort3.test
 }]
 if {[info exists ::env(QUICKTEST_INCLUDE)]} {
  set allquicktests [concat $allquicktests $::env(QUICKTEST_INCLUDE)]