From b1e8d31edfa3b09210ad21dca1f4939ff934742b Mon Sep 17 00:00:00 2001
From: dan
Date: Tue, 1 Mar 2016 14:51:36 +0000
Subject: [PATCH] Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread. Cherrypick of [c9a30e117f].

FossilOrigin-Name: daef5869f4d62ebb24eb03b79fe4be0812fa0496
---
 ext/fts5/fts5_index.c | 5 +++++
 manifest | 14 +++++++-------
 manifest.uuid | 2 +-
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 8e2fb35f0f..7f9a931b02 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -698,6 +698,7 @@ static Fts5Data *fts5DataRead(Fts5Index *p, i64 iRowid){
 return pRet;
 }
 
+
 /*
 ** Release a reference to data record returned by an earlier call to
 ** fts5DataRead().
@@ -2154,6 +2155,10 @@ static void fts5LeafSeek(
 iPgidx = szLeaf;
 iPgidx += fts5GetVarint32(&a[iPgidx], iTermOff);
 iOff = iTermOff;
+ if( iOff>n ){
+ p->rc = FTS5_CORRUPT;
+ return;
+ }
 
 while( 1 ){
 
diff --git a/manifest b/manifest
index afbce79f63..329486cbd8 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\san\sfts5\sproblem\scausing\s'optimize'\sto\scorrupt\sthe\sfts\sindex\sunder\ssome\scircumstances.\sCherrypick\sof\s[251d6473f7].
-D 2016-03-01T14:50:55.628
+C Fix\sa\sproblem\sin\sfts5\swhere\sa\scorrupt\sdb\scould\slead\sto\sa\s(huge)\sbuffer\soverread.\sCherrypick\sof\s[c9a30e117f].
+D 2016-03-01T14:51:36.262
 F Makefile.in 4e90dc1521879022aa9479268a4cd141d1771142
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc 30f075dc4f27a07abb76088946b2944178d85347
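Review bot: The new `iOff>n` guard in fts5LeafSeek is placed after `iPgidx += fts5GetVarint32(&a[iPgidx], iTermOff)` has already read from `a[szLeaf]`, so a leaf page whose header-declared szLeaf is itself larger than n is still read past the end of the buffer before the check is reached; unless szLeaf is validated against n earlier in the function (that part is outside this hunk), a preceding `if( szLeaf>n ){ p->rc = FTS5_CORRUPT; return; }` would close the same class of overread for the page-index read. The guard also admits iOff==n, after which the first varint read of the `while( 1 )` loop starts at `a[n]`; if that is intentional because leaf buffers are over-allocated with padding past n, a comment stating so next to the check, e.g. `/* iOff==n is tolerated: reads below rely on the leaf buffer's trailing padding */`, would stop a later reader from "fixing" it to `>=` or relying on it without the padding. The body of fts5LeafSeek starts and ends outside the hunk.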
@@ -104,7 +104,7 @@ F ext/fts5/fts5_buffer.c 4c1502d4c956cd092c89ce4480867f9d8bf325cd
 F ext/fts5/fts5_config.c 35c5173cae4eb17e82164a7f5aeef56a48903079
 F ext/fts5/fts5_expr.c 8e8e4635f655133eb39018072fc0f0942a2c4337
 F ext/fts5/fts5_hash.c f3a7217c86eb8f272871be5f6aa1b6798960a337
-F ext/fts5/fts5_index.c a32f4059b48ee800a94e8a286bf953d67b75185e
+F ext/fts5/fts5_index.c ecc70368618c6bae4bb59124abc343c02634ad0c
 F ext/fts5/fts5_main.c db24ac714c6c4a1b3c24a1f8c25889f2952148c1
 F ext/fts5/fts5_storage.c f8343db90d8c95a4d4b52f6676e354b4649ffd6e
 F ext/fts5/fts5_tcl.c f8731e0508299bd43f1a2eff7dbeaac870768966
@@ -1427,8 +1427,8 @@ F tool/vdbe_profile.tcl 246d0da094856d72d2c12efec03250d71639d19f
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh ef6ebc6fd8d2dc35db3b622015c16a023d4fef4f
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P ce0f1ed517e387ca6a687b805088d7c529cd257b
-Q +251d6473f7c9ad95adbdcc49cb8eaf7c0956764b
-R 5f7a25988e6c8801d10d40ebf8cc999a
+P 5b1b7ab5d67f3d691e52ba57dbc14c52d90c6631
+Q +c9a30e117f2c6c9ef0cc0c6ca5227d2961715b8f
+R 9e1a768531e15f702b1609ee77fd97cc
 U dan
-Z 645a7ae1e10094786fc6e926b7bb55a9
+Z 25f98900ae0232bf213e8bdd46c5ac6f
diff --git a/manifest.uuid b/manifest.uuid
index ef13a6ec43..45cc164a6f 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-5b1b7ab5d67f3d691e52ba57dbc14c52d90c6631
\ No newline at end of file
+daef5869f4d62ebb24eb03b79fe4be0812fa0496
\ No newline at end of file