When saving the position of a cursor at the b-tree layer, allocate a few extra

bytes at the end of the buffer used to save the key. Otherwise, if the key is corrupt, the code that restores the cursor position may overread the buffer by a little. FossilOrigin-Name: 160b1e31c0f27257c06c2987af9ec3a64abfacb2150325b72e8ccd3d217b5baa
2018-12-14 13:18:35 +00:00 · 2018-12-14 13:18:35 +00:00 · fffaf23013
parent 5a1ce4369f
commit fffaf23013
4 changed files with 99 additions and 12 deletions
--- a/17
+++ b/17
@ -1,5 +1,5 @@
-C Fix\sa\sproblem\swith\sbytecode\sgeneration\swhen\sa\squery\sinvolves\stwo\sor\smore\nindexes\son\sexpressions\sconnected\sby\sOR.\nTicket\s[d96eba87698a428c1ddd0790ea04]
-D 2018-12-14T11:16:52.652
+C When\ssaving\sthe\sposition\sof\sa\scursor\sat\sthe\sb-tree\slayer,\sallocate\sa\sfew\sextra\nbytes\sat\sthe\send\sof\sthe\sbuffer\sused\sto\ssave\sthe\skey.\sOtherwise,\sif\sthe\skey\sis\ncorrupt,\sthe\scode\sthat\srestores\sthe\scursor\sposition\smay\soverread\sthe\sbuffer\sby\sa\nlittle.
+D 2018-12-14T13:18:35.216
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in d8b254f8bb81bab43c340d70d17dc3babab40fcc8a348c8255881f780a45fee6
@ -448,7 +448,7 @@ F src/auth.c 0fac71038875693a937e506bceb492c5f136dd7b1249fbd4ae70b4e8da14f9df
 F src/backup.c 78d3cecfbe28230a3a9a1793e2ead609f469be43e8f486ca996006be551857ab
 F src/bitvec.c 17ea48eff8ba979f1f5b04cc484c7bb2be632f33
 F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6
-F src/btree.c 14b4b17b75af36e0431df2676205296bc234a634cf18798ad81f768b455b9e93
+F src/btree.c 89e9abe6a3f7461c8c5d44314b261e1dd29a31557d1dd91c72378bc0976fc1f6
 F src/btree.h febb2e817be499570b7a2e32a9bbb4b607a9234f6b84bb9ae84916d4806e96f2
 F src/btreeInt.h 620ab4c7235f43572cf3ac2ac8723cbdf68073be4d29da24897c7b77dda5fd96
 F src/build.c ef9d7dc73e40dd9d10c28848343e21e8bc1baaab92cfb75eda893fff4fbf6b55
@ -773,7 +773,7 @@ F test/dataversion1.test 6e5e86ac681f0782e766ebcb56c019ae001522d114e0e111e5ebf68
 F test/date.test 9b73bbeb1b82d9c1f44dec5cf563bf7da58d2373
 F test/date2.test 74c234bece1b016e94dd4ef9c8cc7a199a8806c0e2291cab7ba64bace6350b10
 F test/dbfuzz.c 73047c920d6210e5912c87cdffd9a1c281d4252e
-F test/dbfuzz001.test 28f24ed01e9322f4c7aeba4c228f57e9e8ab6a96b474465e872425205a31b1b2
+F test/dbfuzz001.test 96b52856ffce5442e404847de33487db5ce49aa27778497a42328d5acf6859d7
 F test/dbfuzz2-seed1.db e6225c6f3d7b63f9c5b6867146a5f329d997ab105bee64644dc2b3a2f2aebaee
 F test/dbfuzz2.c b8ed9b32a1f287505e55970e55203bedcb9170f137ecefa2254033c9faccdfba
 F test/dbpage.test 650234ba683b9d82b899c6c51439819787e7609f17a0cc40e0080a7b6443bc38
@ -1787,8 +1787,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P cc42dd15100db28a9796254f69a4e367ea5eae29f546be055017cf3e12aa66ba 89a25abfcd069aebdf817890e5c27f46de3000fb858ae01029e4528f9d677567
-R 6e4a89239ac2714d2f3e8e3c0f340ed6
-T +closed 89a25abfcd069aebdf817890e5c27f46de3000fb858ae01029e4528f9d677567
-U drh
-Z 4c06ed13d4147ae87910536f3d08fc7f
+P 7e4ed8b5c2047b69bbb037497111e56e465a4d9f8afca3b337f9ac744471dc4a
+R ba1eb44fdcbd375391cb2e9633b3bcc5
+U dan
+Z 7755266d0736215443f101017f7858b1
--- a/manifest.uuid
+++ b/manifest.uuid
@ -1 +1 @@
-7e4ed8b5c2047b69bbb037497111e56e465a4d9f8afca3b337f9ac744471dc4a
+160b1e31c0f27257c06c2987af9ec3a64abfacb2150325b72e8ccd3d217b5baa
--- a/src/btree.c
+++ b/src/btree.c
@ -660,10 +660,15 @@ static int saveCursorKey(BtCursor *pCur){
    /* Only the rowid is required for a table btree */
    pCur->nKey = sqlite3BtreeIntegerKey(pCur);
  }else{
-    /* For an index btree, save the complete key content */
+    /* For an index btree, save the complete key content. It is possible
+    ** that the current key is corrupt. In that case, it is possible that
+    ** the sqlite3VdbeRecordUnpack() function may overread the buffer by
+    ** up to the size of 1 varint plus 1 8-byte value when the cursor 
+    ** position is restored. Hence the 17 bytes of padding allocated 
+    ** below. */
    void *pKey;
    pCur->nKey = sqlite3BtreePayloadSize(pCur);
-    pKey = sqlite3Malloc( pCur->nKey );
+    pKey = sqlite3Malloc( pCur->nKey + 9 + 8 );
    if( pKey ){
      rc = sqlite3BtreePayload(pCur, 0, (int)pCur->nKey, pKey);
      if( rc==SQLITE_OK ){
--- a/test/dbfuzz001.test
+++ b/test/dbfuzz001.test
@ -269,4 +269,87 @@ do_test dbfuzz001-200 {
  catchsql {INSERT INTO t3 SELECT * FROM t2;}
 } {1 {database disk image is malformed}}

+
+do_test dbfuzz001-110 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+| size 3584 pagesize 512 filename x/c02.db
+| page 1 offset 0
+|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+|     16: 02 00 01 01 00 40 20 20 00 00 00 0c 00 00 00 07   .....@  ........
+|     32: 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 04   ................
+|     48: 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 00   ................
+|     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c   ................
+|     96: 00 2e 2c 50 0d 00 00 00 06 01 06 00 01 da 01 b0   ..,P............
+|    112: 01 56 01 86 01 2a 01 06 00 00 00 00 00 00 00 00   .V...*..........
+|    256: 00 00 00 00 00 00 22 07 06 17 11 11 01 31 74 61   ......"......1ta
+|    272: 62 6c 65 74 34 74 34 07 43 52 45 41 54 45 20 54   blet4t4.CREATE T
+|    288: 41 42 4c 45 20 74 34 28 78 29 2a 06 06 17 13 11   ABLE t4(x)*.....
+|    304: 01 3f 69 6e 64 65 78 74 33 78 74 33 05 43 52 45   .?indext3xt3.CRE
+|    320: 41 54 45 20 49 4e 44 45 58 20 74 33 78 20 4f 4e   ATE INDEX t3x ON
+|    336: 20 74 33 28 78 29 2e 04 06 17 15 11 01 45 69 6e    t3(x).......Ein
+|    352: 64 65 78 74 32 63 64 74 32 05 43 52 45 41 54 45   dext2cdt2.CREATE
+|    368: 20 49 4e 44 45 58 20 74 32 63 64 20 4f 4e 20 74    INDEX t2cd ON t
+|    384: 32 28 63 2c 64 29 28 05 06 17 11 11 01 3d 74 61   2(c,d)(......=ta
+|    400: 62 6c 65 74 33 74 33 07 43 52 45 41 54 45 20 54   blet3t3.CREATE T
+|    416: 41 42 4c 45 20 74 33 28 63 2c 78 2c 65 2c 66 29   ABLE t3(c,x,e,f)
+|    432: 28 02 06 17 11 11 01 3d 74 61 74 65 6c 03 62 74   (......=tatel.bt
+|    448: 32 32 43 52 45 41 54 45 20 54 41 42 4c 45 20 74   22CREATE TABLE t
+|    464: 32 28 63 2c 64 2c 65 2c 66 29 24 01 06 17 11 11   2(c,d,e,f)$.....
+|    480: 01 35 74 61 62 6c 65 74 31 74 31 02 43 52 45 41   .5tablet1t1.CREA
+|    496: 54 45 20 54 41 42 4c 45 20 74 31 28 61 2c 62 29   TE TABLE t1(a,b)
+| page 2 offset 512
+|      0: 0d 00 00 00 04 01 cf 00 01 fa 01 f3 01 de 01 cf   ................
+|    160: 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00   .. .............
+|    448: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d   ................
+|    464: 04 03 17 17 73 65 76 65 6e 65 69 67 68 74 13 03   ....seveneight..
+|    480: 03 07 07 40 14 00 00 00 00 00 00 40 18 00 00 00   ...@.......@....
+|    496: 00 00 00 05 02 03 01 01 03 04 04 01 03 09 01 02   ................
+| page 3 offset 1024
+|      0: 0d 00 00 00 08 01 54 00 01 f7 01 ec 01 c5 01 aa   ......T.........
+|     16: 01 a1 01 96 01 6f 01 54 00 00 00 00 00 00 00 00   .....o.T........
+|    112: 00 00 dd 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|    336: 00 00 00 00 19 08 05 17 17 17 17 65 69 67 68 74   ...........eight
+|    352: 65 69 67 68 74 73 65 76 65 6e 73 65 76 65 6e 25   eightsevenseven%
+|    368: 07 05 07 07 07 07 40 18 00 00 00 00 00 00 40 18   ......@.......@.
+|    384: 00 00 00 00 00 00 40 14 00 00 00 00 00 00 40 14   ......@.......@.
+|    400: 00 00 00 00 00 00 09 06 05 01 01 01 01 04 04 03   ................
+|    416: 03 07 05 05 01 01 09 09 02 02 19 04 05 17 17 17   ................
+|    432: 17 73 65 76 65 6e 65 69 67 68 74 65 69 67 68 74   .seveneighteight
+|    448: 73 65 76 65 6e 25 03 05 07 07 07 07 40 14 00 00   seven%......@...
+|    464: 00 00 00 00 40 18 00 00 00 00 00 00 40 18 00 00   ....@.......@...
+|    480: 00 00 00 00 40 14 00 00 00 00 00 00 09 02 05 01   ....@...........
+|    496: 01 01 01 03 04 04 03 07 01 05 09 01 01 09 02 02   ................
+| page 4 offset 1536
+|      0: 0d 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00   ................
+|    192: 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 00   ................
+|    208: 00 e5 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+| page 5 offset 2048
+|      0: 0a 00 00 00 08 01 96 00 01 fa 01 c4 01 f2 01 bc   ................
+|     16: 01 dc 01 a6 01 96 01 cc 00 00 00 00 00 00 00 00   ................
+|    240: 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00   ................
+|    400: 00 00 00 00 00 00 0f 04 17 07 01 65 69 67 68 74   ...........eight
+|    416: 65 69 67 68 74 08 15 04 07 07 01 40 18 00 00 00   eight......@....
+|    432: 00 00 00 40 18 00 00 00 00 00 00 07 07 04 01 01   ...@............
+|    448: 01 04 04 06 07 04 01 01 01 02 02 05 0f 04 17 17   ................
+|    464: 01 73 65 76 65 6e 65 69 67 68 74 04 15 04 07 07   .seveneight.....
+|    480: 01 40 14 00 00 00 00 00 00 40 18 00 00 00 00 00   .@.......@......
+|    496: 00 03 07 04 01 01 01 03 04 02 05 04 09 01 09 02   ................
+| page 6 offset 2560
+|      0: 0a 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00   ................
+|    464: 00 00 00 00 00 00 00 00 00 00 7f 00 00 00 00 00   ................
+| page 7 offset 3072
+|      0: 0d 00 00 00 08 01 c2 00 01 fb 01 f6 01 f1 01 ec   ................
+|     16: 01 e0 01 d4 01 cb 01 c2 00 00 00 00 00 00 00 00   ................
+|    448: 00 00 07 08 02 17 65 69 67 68 74 07 07 02 17 65   ......eight....e
+|    464: 69 67 68 74 0a 06 02 07 40 18 00 00 00 00 00 00   ight....@.......
+|    480: 0a 05 02 07 40 18 00 00 00 00 00 00 03 04 02 01   ....@...........
+|    496: 04 03 03 02 01 04 03 02 02 01 02 03 01 02 01 02   ................
+| end x/c02.db
+  }]
+  execsql {
+    DELETE FROM t3 WHERE x IN (SELECT x FROM t4);
+  }
+} {}
+
 finish_test