const char *zCsr = zNode; /* Cursor to iterate through node */
const char *zEnd = &zCsr[nNode];/* End of interior node buffer */
char *zBuffer = 0; /* Buffer to load terms into */
- int nAlloc = 0; /* Size of allocated buffer */
+ i64 nAlloc = 0; /* Size of allocated buffer */
int isFirstTerm = 1; /* True when processing first term on page */
sqlite3_int64 iChild; /* Block id of child node to descend to */
isFirstTerm = 0;
zCsr += fts3GetVarint32(zCsr, &nSuffix);
- if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){
+ if( nPrefix<0 || nSuffix<0 || nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){
rc = FTS_CORRUPT_VTAB;
goto finish_scan;
}
- if( nPrefix+nSuffix>nAlloc ){
+ if( (i64)nPrefix+nSuffix>nAlloc ){
char *zNew;
- nAlloc = (nPrefix+nSuffix) * 2;
- zNew = (char *)sqlite3_realloc(zBuffer, nAlloc);
+ nAlloc = ((i64)nPrefix+nSuffix) * 2;
+ zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
if( !zNew ){
rc = SQLITE_NOMEM;
goto finish_scan;
** safe (no risk of overread) even if the node data is corrupted. */
pNext += fts3GetVarint32(pNext, &nPrefix);
pNext += fts3GetVarint32(pNext, &nSuffix);
- if( nPrefix<0 || nSuffix<=0
- || &pNext[nSuffix]>&pReader->aNode[pReader->nNode]
+ if( nSuffix<=0
+ || (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
+ || nPrefix>pReader->nTermAlloc
){
return FTS_CORRUPT_VTAB;
}
- if( nPrefix+nSuffix>pReader->nTermAlloc ){
- int nNew = (nPrefix+nSuffix)*2;
- char *zNew = sqlite3_realloc(pReader->zTerm, nNew);
+ /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are
+ ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer
+ ** overflow - hence the (i64) casts. */
+ if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){
+ i64 nNew = ((i64)nPrefix+nSuffix)*2;
+ char *zNew = sqlite3_realloc64(pReader->zTerm, nNew);
if( !zNew ){
return SQLITE_NOMEM;
}
** b-tree node. And that the final byte of the doclist is 0x00. If either
** of these statements is untrue, then the data structure is corrupt.
*/
- if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode]
+ if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
|| (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1])
){
return FTS_CORRUPT_VTAB;
}
p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix);
+ if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){
+ return SQLITE_CORRUPT_VTAB;
+ }
blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc);
if( rc==SQLITE_OK ){
memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix);
p->iOff += nSuffix;
if( p->iChild==0 ){
p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist);
+ if( (p->nNode-p->iOff)<p->nDoclist ){
+ return SQLITE_CORRUPT_VTAB;
+ }
p->aDoclist = &p->aNode[p->iOff];
p->iOff += p->nDoclist;
}
}
assert( p->iOff<=p->nNode );
-
return rc;
}
-C Add\snew\sinterfaces\ssqlite3_result_pointer(),\sand\nsqlite3_value_pointer()\sand\suse\sthem\sto\stransfer\sthe\seponymous\sFTS3\scolumn\npointer\sto\sthe\ssnippet()\sand\soffsets()\sroutines.\s\sThis\schanges\sis\sa\s\ncherry-pick\sof\s[f0f49224]\svia\s[69906880cee]\sand\sis\sultimately\sinspired\nby\scheck-in\s[72de49f2].
-D 2017-07-21T07:56:09.541
+C Add\sextra\sdefenses\sagainst\sstrategically\scorrupt\sdatabases\sto\sfts3/4.
+D 2018-12-19T01:38:18.228
F Makefile.in 1cc758ce3374a32425e4d130c2fe7b026b20de5b8843243de75f087c0a2661fb
F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
F Makefile.msc 1faf9f06aadc9284c212dea7bbc7c0dea7e8337f0287c81001eff500912c790a
F ext/fts3/README.syntax a19711dc5458c20734b8e485e75fb1981ec2427a
F ext/fts3/README.tokenizers e0a8b81383ea60d0334d274fadf305ea14a8c314
F ext/fts3/README.txt 8c18f41574404623b76917b9da66fcb0ab38328d
-F ext/fts3/fts3.c 8825caa44d63e663ed6197c3cc4b7a59e061edc4ed8ba235f99f656672fe8372
+F ext/fts3/fts3.c 10aa75a09601f032ddda578cac06db49e53e21fee536afcca6ba3455153973a1
F ext/fts3/fts3.h 3a10a0af180d502cecc50df77b1b22df142817fe
F ext/fts3/fts3Int.h eb2502000148e80913b965db3e59f29251266d0a
F ext/fts3/fts3_aux.c 9edc3655fcb287f0467d0a4b886a01c6185fe9f1
F ext/fts3/fts3_tokenizer1.c 5c98225a53705e5ee34824087478cf477bdb7004
F ext/fts3/fts3_unicode.c 525a3bd9a7564603c5c061b7de55403a565307758a94600e8a2f6b00d1c40d9d
F ext/fts3/fts3_unicode2.c cc04fc672bfd42b1e650398cb0bf71f64f9aae032cfe75bbcfe75b9cf966029c
-F ext/fts3/fts3_write.c a51d48d646974ee2fb4b17fcd5da0416a5759a32dcacc2cce2ba00d5a767848e
+F ext/fts3/fts3_write.c 0559fca37710bfeacc5c21f46f4ae66b31f6098560c39e686cd7d9f569c0798b
F ext/fts3/fts3speed.tcl b54caf6a18d38174f1a6e84219950d85e98bb1e9
F ext/fts3/mkfts3amal.tcl 252ecb7fe6467854f2aa237bf2c390b74e71f100
F ext/fts3/tool/fts3cov.sh c331d006359456cf6f8f953e37f2b9c7d568f3863f00bb5f7eb87fea4ac01b73
F test/fts3conf.test 60317efd562080e198b5bdc9fcd222ce32cf01d7
F test/fts3corrupt.test 2710b77983cc7789295ddbffea52c1d3b7506dbb
F test/fts3corrupt2.test 6d96efae2f8a6af3eeaf283aba437e6d0e5447ba
+F test/fts3corrupt4.test 98022cbacbd6ddc4708f210768f5684f041f50ce330c461f2631752492611d96
F test/fts3cov.test e0fb00d8b715ddae4a94c305992dfc3ef70353d7
F test/fts3d.test d3e9c8fb75135ada06bf3bab4f9666224965d708
F test/fts3defer.test 0be4440b73a2e651fc1e472066686d6ada4b9963
F test/pcache.test c8acbedd3b6fd0f9a7ca887a83b11d24a007972b
F test/pcache2.test af7f3deb1a819f77a6d0d81534e97d1cf62cd442
F test/percentile.test 4243af26b8f3f4555abe166f723715a1f74c77ff
-F test/permutations.test af720e7d139e7e5417341d0f0eef2b911c0b067852138dc2f5b6a451b5725118
+F test/permutations.test b174d61355dcf33f2c7c53a3e74559266a3288c41c1aa1fc52ec6a1f2825e67b
F test/pragma.test 1e94755164a3a3264cd39836de4bebcb7809e5f8
F test/pragma2.test e5d5c176360c321344249354c0c16aec46214c9f
F test/pragma3.test 14c12bc5352b1e100e0b6b44f371053a81ccf8ed
F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 036ebf729e4b21035d7f4f8e35a6f705e6bf99887889e2dc14ebf2242e7930dd
-Q +69906880cee1f246cce494672402e0c7f29bd4ec19c437d26d603870d2bd625d
-R 2e56a1f5490467a8d54a3be8a641c4eb
+P 8201f4e1c566f7223c71c07e6b703d1352801f1b2daa0fd00895a18e1944cb4d
+Q +d44318f59044162e229a444582692e9788f17b5c404b4eb702f4c2114b22fefe
+R f9b606b494915b85d296116cb554bff6
U drh
-Z e8289bedb0f223c421d419834bd45b3f
+Z e69443cf57e9f97cbc9063032c431665
-8201f4e1c566f7223c71c07e6b703d1352801f1b2daa0fd00895a18e1944cb4d
\ No newline at end of file
+4bb21d8205b3c72b94442018a0544ecc55e3320ef2593f0e3350142b7f2a7663
\ No newline at end of file
--- /dev/null
+# 2006 September 9
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#*************************************************************************
+# This file implements regression tests for SQLite library. The
+# focus of this script is testing the FTS3 module.
+#
+# $Id: fts3aa.test,v 1.1 2007/08/20 17:38:42 shess Exp $
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix fts3corrupt4
+
+# If SQLITE_ENABLE_FTS3 is defined, omit this file.
+ifcapable !fts3 {
+ finish_test
+ return
+}
+
+do_execsql_test 1.0 {
+ BEGIN;
+ CREATE VIRTUAL TABLE ft USING fts3;
+ INSERT INTO ft VALUES('aback');
+ INSERT INTO ft VALUES('abaft');
+ INSERT INTO ft VALUES('abandon');
+ COMMIT;
+}
+
+proc blob {a} { binary decode hex $a }
+db func blob blob
+
+do_execsql_test 1.1 {
+ SELECT quote(root) FROM ft_segdir;
+} {X'0005616261636B03010200030266740302020003046E646F6E03030200'}
+
+do_execsql_test 1.2 {
+ UPDATE ft_segdir SET root = blob(
+ '0005616261636B03010200 FFFFFFFF0702 66740302020003046E646F6E03030200'
+ );
+}
+
+do_catchsql_test 1.3 {
+ SELECT * FROM ft WHERE ft MATCH 'abandon';
+} {1 {database disk image is malformed}}
+
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 2.0.0 {
+ CREATE VIRTUAL TABLE ft USING fts3;
+ INSERT INTO ft(ft) VALUES('nodesize=32');
+}
+do_test 2.0.1 {
+ for {set i 0} {$i < 12} {incr i} {
+ execsql {
+ BEGIN;
+ INSERT INTO ft VALUES('abc' || $i);
+ INSERT INTO ft VALUES('abc' || $i || 'x' );
+ INSERT INTO ft VALUES('abc' || $i || 'xx' );
+ COMMIT
+ }
+ }
+ execsql {
+ SELECT count(*) FROM ft_segdir;
+ SELECT count(*) FROM ft_segments;
+ }
+} {12 0}
+
+do_execsql_test 2.1 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+ SELECT count(*) FROM ft_segdir;
+ SELECT count(*) FROM ft_segments;
+} {12 3}
+
+do_execsql_test 2.2 {
+ SELECT quote(block) FROM ft_segments WHERE blockid=2
+} {X'00056162633130031F0200'}
+
+db func blob blob
+do_execsql_test 2.3.1 {
+ UPDATE ft_segments SET block =
+ blob('00056162633130031F0200 FFFFFFFF07FF55 66740302020003046E646F6E03030200')
+ WHERE blockid=2;
+} {}
+do_catchsql_test 2.3.2 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+} {1 {database disk image is malformed}}
+
+do_execsql_test 2.4.1 {
+ UPDATE ft_segments SET block =
+ blob('00056162633130031F0200 02FFFFFFFF07 66740302020003046E646F6E03030200')
+ WHERE blockid=2;
+} {}
+do_catchsql_test 2.4.2 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+} {1 {database disk image is malformed}}
+
+do_execsql_test 2.5.1 {
+ UPDATE ft_segments SET block =
+ blob('00056162633130031F0200 0202 6674 FFFFFF070302020003046E646F6E030200')
+ WHERE blockid=2;
+} {}
+do_catchsql_test 2.5.2 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+} {1 {database disk image is malformed}}
+
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 3.0.0 {
+ CREATE VIRTUAL TABLE ft USING fts3;
+ INSERT INTO ft(ft) VALUES('nodesize=32');
+}
+do_test 3.0.1 {
+ execsql BEGIN
+ for {set i 0} {$i < 20} {incr i} {
+ execsql { INSERT INTO ft VALUES('abc' || $i) }
+ }
+ execsql {
+ COMMIT;
+ SELECT count(*) FROM ft_segdir;
+ SELECT count(*) FROM ft_segments;
+ }
+} {1 5}
+
+do_execsql_test 3.1 {
+ SELECT quote(root) FROM ft_segdir
+} {X'0101056162633132040136030132030136'}
+
+db func blob blob
+do_execsql_test 3.2 {
+ UPDATE ft_segdir
+ SET root = blob('0101056162633132FFFFFFFF070236030132030136');
+}
+
+do_catchsql_test 3.1 {
+ SELECT * FROM ft WHERE ft MATCH 'abc20'
+} {1 {database disk image is malformed}}
+
+finish_test
+
+
fts3am.test fts3an.test fts3ao.test fts3atoken.test
fts3auto.test fts3aux1.test fts3aux2.test fts3b.test
fts3comp1.test fts3conf.test fts3corrupt2.test fts3corrupt.test
+ fts3corrupt4.test
fts3cov.test fts3c.test fts3defer2.test fts3defer3.test
fts3defer.test fts3drop.test fts3d.test fts3e.test
fts3expr2.test fts3expr3.test fts3expr4.test fts3expr5.test
projects / thirdparty / sqlite.git / commitdiff
