Earlier detection of corruption in sqlite3VdbeRecordCompare() in order to
authordrh <drh@noemail.net>
Wed, 26 Mar 2014 14:51:07 +0000 (14:51 +0000)
committerdrh <drh@noemail.net>
Wed, 26 Mar 2014 14:51:07 +0000 (14:51 +0000)
avoid a potential buffer overread.

FossilOrigin-Name: 28ddecff044dbc2dff50a7d8406ab67dfe06587f

manifest
manifest.uuid
src/vdbeaux.c
test/corruptI.test

index ce3e7af4becd5e819e19b4d79270275e2126f570..b9c9cba60c66d287c630ccf715e485ae1662f4e9 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\san\sassert()\sand\sa\scomment\sto\sclarify\sthe\soperation\sof\sthe\nvdbeRecordCompareInt()\sroutine.
-D 2014-03-26T12:02:38.907
+C Earlier\sdetection\sof\scorruption\sin\ssqlite3VdbeRecordCompare()\sin\sorder\sto\navoid\sa\spotential\sbuffer\soverread.
+D 2014-03-26T14:51:07.017
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 2ef13430cd359f7b361bb863504e227b25cc7f81
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -282,7 +282,7 @@ F src/vdbe.c 74c7386e83eee56f921a17bb4a0396c9551f5bc7
 F src/vdbe.h fb2c48c198300a7c632f09fc940011d2ad2fc2ae
 F src/vdbeInt.h 2b9a6849166d0014c843ae3fd83a062be4efa325
 F src/vdbeapi.c 0ed6053f947edd0b30f64ce5aeb811872a3450a4
-F src/vdbeaux.c 9898720db88a8e733acce7d72fbd56f4565d6d82
+F src/vdbeaux.c f81ef920dcf76aceaa1ce77081e9fc5d7a0993dd
 F src/vdbeblob.c 15377abfb59251bccedd5a9c7d014a895f0c04aa
 F src/vdbemem.c 6fc77594c60f6155404f3f8d71bf36d1fdeb4447
 F src/vdbesort.c 4abb7c0f8f19b7d7d82f4558d5da1a30fdf9ea38
@@ -405,7 +405,7 @@ F test/corruptE.test 193b4ca4e927e77c1d5f4f56203ddc998432a7ee
 F test/corruptF.test be9fde98e4c93648f1ba52b74e5318edc8f59fe4
 F test/corruptG.test 58ec333a01997fe655e34e5bea52b7a2a6b9704d
 F test/corruptH.test 88ed71a086e13591c917aac6de32750e7c7281cb
-F test/corruptI.test 88886ec9cd1bdba835263566bbf60ee009c6ea09
+F test/corruptI.test 645794bfc0bbcb962df34302a52118b0ed6a21fb
 F test/count.test 42a251178e32f617eda33f76236a7f79825a50b5
 F test/coveridxscan.test cdb47d01acc4a634a34fd25abe85189e0d0f1e62
 F test/crash.test fb9dc4a02dcba30d4aa5c2c226f98b220b2b959f
@@ -1159,7 +1159,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh d1a6de74685f360ab718efda6265994b99bbea01
 F tool/win/sqlite.vsix 030f3eeaf2cb811a3692ab9c14d021a75ce41fff
-P 7922809ee0d3978ce9221fbb7df63aa0684d0c4d
-R 0dc0a56d9b4e58b2ad9ea1b209a9c778
+P 851abdb8fd9b5a8a6ce21db53d30dbac3c430cc7
+R 08734d76a115f4a142a4825f21f3cdab
 U drh
-Z d2e0055a9ca933f7d0981ccf44961bc7
+Z 2973842cba6cb939f8ad2063fb07de64
index 7ab08ac1315a94ff234a74fd061b5b2fa4db6d20..8e8ee672b55c34fa4e01dc07707c2ba399e3ae98 100644 (file)
@@ -1 +1 @@
-851abdb8fd9b5a8a6ce21db53d30dbac3c430cc7
\ No newline at end of file
+28ddecff044dbc2dff50a7d8406ab67dfe06587f
\ No newline at end of file
index 18862028e4dc58bfc2a49dd0c5297a907f674af2..f5e4b0a9fc10a6e2d8f1470aba48c126f15c6f59 100644 (file)
@@ -3434,6 +3434,7 @@ int sqlite3VdbeRecordCompare(
   }else{
     idx1 = getVarint32(aKey1, szHdr1);
     d1 = szHdr1;
+    if( d1>(unsigned)nKey1 ) return 1;  /* Corruption */
     i = 0;
   }
 
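Review bot: The added `return 1` reports a corrupt record as an ordinary "key1 is greater" comparison result, so nothing visible in this hunk tells the caller that the header size was out of bounds. The test/corruptI.test change in the same commit shows the effect: the query on the damaged file now yields `{0 {}}` instead of the malformed-image error. If that trade-off is intended, the comment should say so, e.g. `/* Corrupt: header size exceeds record length; compare as key1>key2 rather than read past aKey1[] */`. The branch before `}else{` and the rest of sqlite3VdbeRecordCompare() lie outside the hunk, so whether that other path also needs d1 bounded against nKey1 cannot be checked from here.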
index 51cf64c9be41f2c1e0e65d1b2d8e94c968449e1f..c2eec8ba703c0975d9164cae8747df57edddae5e 100644 (file)
@@ -40,13 +40,9 @@ do_test 1.2 {
   set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
   set off [expr 2*1024 + $offset + 1]
   hexio_write test.db $off FF06
-
-  breakpoint
-
   sqlite3 db test.db
   catchsql { SELECT * FROM t1 WHERE a = 10 }
-} {1 {database disk image is malformed}}
+} {0 {}}
 
 
 finish_test
-
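Review bot: With the expected result changed to `{0 {}}`, test 1.2 no longer asserts that the `FF06` overwrite is ever reported as corruption; it only shows that the SELECT completes. A short comment above the `catchsql` line would keep the intent clear, e.g. `# Corrupt header size must not cause an overread; the lookup simply finds no match`. Consider a follow-up case that runs `PRAGMA integrity_check` on the same file, so the suite still pins that the damage is detectable by some path.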