Fix a buffer overread in the sessions extension that could occur when processing...
authordrh <>
Thu, 7 Sep 2023 14:04:01 +0000 (14:04 +0000)
committerdrh <>
Thu, 7 Sep 2023 14:04:01 +0000 (14:04 +0000)
FossilOrigin-Name: 6009c871a48555efd2451b8b44d441548b9bdbc71141a52b81c1f4c7d99d3790

ext/session/sqlite3session.c
manifest
manifest.uuid
test/testrunner_data.tcl

index 9f862f246542eb20cc1d8c8782c7537bfc0ea433..0491549231b49fe4f58f4d3e68942c02fd5350d5 100644 (file)
@@ -3236,15 +3236,19 @@ static int sessionReadRecord(
         }
       }
       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
-        sqlite3_int64 v = sessionGetI64(aVal);
-        if( eType==SQLITE_INTEGER ){
-          sqlite3VdbeMemSetInt64(apOut[i], v);
+        if( (pIn->nData-pIn->iNext)<8 ){
+          rc = SQLITE_CORRUPT_BKPT;
         }else{
-          double d;
-          memcpy(&d, &v, 8);
-          sqlite3VdbeMemSetDouble(apOut[i], d);
+          sqlite3_int64 v = sessionGetI64(aVal);
+          if( eType==SQLITE_INTEGER ){
+            sqlite3VdbeMemSetInt64(apOut[i], v);
+          }else{
+            double d;
+            memcpy(&d, &v, 8);
+            sqlite3VdbeMemSetDouble(apOut[i], d);
+          }
+          pIn->iNext += 8;
         }
-        pIn->iNext += 8;
       }
     }
   }
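Review bot: The new guard `if( (pIn->nData-pIn->iNext)<8 )` carries no comment saying what it protects, and the literal 8 now appears three times (the guard, the `memcpy`, and `pIn->iNext += 8`) with nothing tying it to the size of the serialized value. I would put `/* A corrupt changeset can end inside the 8-byte value; never let sessionGetI64() read past the end of the input */` directly above the guard. The check appears to rely on the subtraction being signed, so that an iNext already beyond nData also takes the corrupt path; the field types are declared outside this hunk, so that is worth confirming. The commit's file list shows no new test under ext/session, so a truncated-changeset case that fails without this guard would be a useful companion to the fix. sessionReadRecord starts and ends outside the hunk.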
index 58da6017f3360a10b16bd023469025752e9a435f..5f0f2b4a4aaa910695d0bd286e0cd1b22a2345a8 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Version\snumber\sto\s3.43.1.
-D 2023-09-07T11:48:29.585
+C Fix\sa\sbuffer\soverread\sin\sthe\ssessions\sextension\sthat\scould\soccur\swhen\sprocessing\sa\scorrupt\schangeset.
+D 2023-09-07T14:04:01.612
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -522,7 +522,7 @@ F ext/session/sessionrowid.test 85187c2f1b38861a5844868126f69f9ec62223a03449a98a
 F ext/session/sessionsize.test 8fcf4685993c3dbaa46a24183940ab9f5aa9ed0d23e5fb63bfffbdb56134b795
 F ext/session/sessionstat1.test b039e38e2ba83767b464baf39b297cc0b1cc6f3292255cb467ea7e12d0d0280c
 F ext/session/sessionwor.test 6fd9a2256442cebde5b2284936ae9e0d54bde692d0f5fd009ecef8511f4cf3fc
-F ext/session/sqlite3session.c 1971b61ca45babf0d9e4bb669a65b0903135e9828af2fcd4f0c8f1b7acf36b6f
+F ext/session/sqlite3session.c 0fe9107318140cefa1b50f2e1e0f330ab359022599e5976820db349f33efae11
 F ext/session/sqlite3session.h 653e9d49c4edae231df8a4c8d69c2145195aedb32462d4b44229dbee7d2680fb
 F ext/session/test_session.c 5285482f83cd92b4c1fe12fcf88210566a18312f4f2aa110f6399dae46aeccbb
 F ext/userauth/sqlite3userauth.h 7f3ea8c4686db8e40b0a0e7a8e0b00fac13aa7a3
@@ -1604,7 +1604,7 @@ F test/temptable3.test d11a0974e52b347e45ee54ef1923c91ed91e4637
 F test/temptrigger.test 38f0ca479b1822d3117069e014daabcaacefffcc
 F test/tester.tcl 68454ef88508c196d19e8694daa27bff7107a91857799eaa12f417188ae53ede
 F test/testrunner.tcl a9fee4df57276bc9e446961b160068c269da5902cc8ffc3e8852d77626b7594c
-F test/testrunner_data.tcl c448693eb6fdbadb78cb26f6253d4f335666f9836f988afa575de960b666b19f
+F test/testrunner_data.tcl 968cfee74688eb698b6917b7e53aba2993a1789430192d5efd27d2173c2e36c6
 F test/thread001.test a0985c117eab62c0c65526e9fa5d1360dd1cac5b03bde223902763274ce21899
 F test/thread002.test c24c83408e35ba5a952a3638b7ac03ccdf1ce4409289c54a050ac4c5f1de7502
 F test/thread003.test ee4c9efc3b86a6a2767516a37bd64251272560a7
@@ -2092,8 +2092,9 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 6795a6107bc8e6965c078fb4ddecbaae1f6a8e273effe4c8c0555358f0fbf32b
-R 8d7e90bc1f6e281aa35f60d7ac955d3b
+P fdfe4d60b3226516d497a57a3fb1c5ce52b8da368e7b9b9a301df7c6e0c9ebfd
+Q +0e4e7a05c4204b47a324d67e18e76d2a98e26b2723d19d5c655ec9fd2e41f4b7
+R a09136cd70a89c18a41573ca96bad88a
 U drh
-Z 5d0b66d6cac77c919d22e7ed60fa887b
+Z 44d0eda7edac6bacd1af52ef5035e91e
 # Remove this line to create a well-formed Fossil manifest.
index 8fec8b863c0c43b5d1f1abe7d1d7223ce018746c..cdde70f7d49df9f66a6effc8d16817897eff15d5 100644 (file)
@@ -1 +1 @@
-fdfe4d60b3226516d497a57a3fb1c5ce52b8da368e7b9b9a301df7c6e0c9ebfd
\ No newline at end of file
+6009c871a48555efd2451b8b44d441548b9bdbc71141a52b81c1f4c7d99d3790
\ No newline at end of file
index ce2ce01dd60ebf4e755cc0c63f867a66b9007cf6..2493970ea2ccd6e5a0b29c074c7bc07cd9f085fa 100644 (file)
@@ -98,7 +98,10 @@ namespace eval trd {
   set build(All-O0) {
     -O0 --enable-all
   }
-  set build(All-Sanitize) { --enable-all -fsanitize=address,undefined }
+  set build(All-Sanitize) { 
+    -DSQLITE_OMIT_LOOKASIDE=1
+    --enable-all -fsanitize=address,undefined 
+  }
 
   set build(Sanitize) {
     CC=clang -fsanitize=address,undefined
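Review bot: Nothing records why `-DSQLITE_OMIT_LOOKASIDE=1` was added to `build(All-Sanitize)`; presumably it sends small allocations to the system allocator, where AddressSanitizer can see an overread, instead of carving them out of a lookaside slab. A line above the `set`, such as `# Lookaside is omitted so ASan can see overreads of small allocations`, would keep the define from being dropped later; it has to sit outside the braces, because a `#` inside them becomes part of the option list. The `build(Sanitize)` entry that follows begins in this hunk but its body continues outside it, so whether it needs the same define cannot be judged from here. The new lines ending in `{ ` and `undefined ` also carry trailing spaces.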