Fix a potential NULL-pointer deference in RTREE due to corrupt shadow tables.

FossilOrigin-Name: 1fdd3604eef880414682e9e6f74d714520fe1c63f267ec4da752d2dc1da6bf72

diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c
index 9dd335d3d005cad7917a17df09381fcf17498e6c..421031c71b163deb7ac713b55ace555bbc548220 100644 (file)
--- a/ext/rtree/rtree.c
+++ b/ext/rtree/rtree.c
@@ -2948,8 +2948,12 @@ static int rtreeDeleteRowid(Rtree *pRtree, sqlite3_int64 iDelete){
     rc = findLeafNode(pRtree, iDelete, &pLeaf, 0);
   }
 
+#ifdef CORRUPT_DB
+  assert( pLeaf!=0 || rc!=SQLITE_OK || CORRUPT_DB );
+#endif
+
   /* Delete the cell in question from the leaf node. */
-  if( rc==SQLITE_OK ){
+  if( rc==SQLITE_OK && pLeaf ){
     int rc2;
     rc = nodeRowidIndex(pRtree, pLeaf, iDelete, &iCell);
     if( rc==SQLITE_OK ){

diff --git a/ext/rtree/rtreefuzz001.test b/ext/rtree/rtreefuzz001.test
index 65648be7c7f458395e58c53581648f050b7d1f33..fbb5a4d8738e8379b350517380c96925f4550384 100644 (file)
--- a/ext/rtree/rtreefuzz001.test
+++ b/ext/rtree/rtreefuzz001.test
@@ -472,7 +472,6 @@ do_test rtreefuzz001-100 {
 do_test rtreefuzz001-200 {
   sqlite3 db {}
   db deserialize [decode_hexdb {
-.open --hexdb
 | size 16384 pagesize 4096 filename c3.db
 | page 1 offset 0
 |      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
@@ -568,4 +567,109 @@ do_test rtreefuzz001-210 {
   }
 } {1 {database disk image is malformed}}
 
+do_test rtreefuzz001-300 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+| size 16384 pagesize 4096 filename c4.db
+| page 1 offset 0
+|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+|     16: 10 00 01 01 00 40 20 20 00 00 00 00 00 00 00 04   .....@  ........
+|     32: 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 04   ................
+|     96: 00 00 00 00 0d 00 00 00 04 0e 9c 00 0f ad 0f 4f   ...............O
+|    112: 0e fc 0e 9c 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|   3728: 00 00 00 00 00 00 00 00 00 00 00 00 5e 04 07 17   ............^...
+|   3744: 1f 1f 01 81 0b 74 61 62 6c 65 74 31 5f 70 61 72   .....tablet1_par
+|   3760: 65 6e 74 74 31 5f 70 61 72 65 6e 74 04 43 52 45   entt1_parent.CRE
+|   3776: 41 54 45 20 54 41 42 4c 45 20 22 74 31 5f 70 61   ATE TABLE "t1_pa
+|   3792: 72 65 6e 74 22 28 6e 6f 64 65 6e 6f 20 49 4e 54   rent"(nodeno INT
+|   3808: 45 47 45 52 20 50 52 49 4d 41 52 59 20 4b 45 59   EGER PRIMARY KEY
+|   3824: 2c 70 61 72 65 6e 74 6e 6f 64 65 29 51 03 06 17   ,parentnode)Q...
+|   3840: 1b 1b 01 7b 74 61 62 6c 65 74 31 5f 6e 6f 64 65   ....tablet1_node
+|   3856: 74 31 5f 6e 6f 64 65 03 43 52 45 41 54 45 20 54   t1_node.CREATE T
+|   3872: 41 42 4c 45 20 22 74 31 5f 6e 6f 64 65 22 28 6e   ABLE "t1_node"(n
+|   3888: 6f 64 65 6e 6f 20 49 4e 54 45 47 45 52 20 50 52   odeno INTEGER PR
+|   3904: 49 4d 41 52 59 20 4b 45 59 2c 64 61 74 61 29 5c   IMARY KEY,data)\
+|   3920: 02 07 17 1d 1d 01 81 0b 74 61 62 6c 65 74 31 5f   ........tablet1_
+|   3936: 72 6f 77 69 64 74 31 5f 72 6f 77 69 64 02 43 52   rowidt1_rowid.CR
+|   3952: 45 41 54 45 20 54 41 42 4c 45 20 22 74 31 5f 72   EATE TABLE "t1_r
+|   3968: 6f 77 69 64 22 28 72 6f 77 69 64 20 49 4e 54 45   owid"(rowid INTE
+|   3984: 47 45 72 20 50 52 49 4d 41 52 59 20 4b 45 59 2c   GEr PRIMARY KEY,
+|   4000: 6e 6f 64 65 6e 6f 2c 61 30 2c 61 31 29 51 01 07   nodeno,a0,a1)Q..
+|   4016: 17 11 11 08 81 0f 74 61 62 6c 65 74 31 74 31 43   ......tablet1t1C
+|   4032: 52 45 41 54 45 20 56 49 52 54 55 41 4c 20 54 41   REATE VIRTUAL TA
+|   4048: 42 4c 45 20 74 31 20 55 53 49 4e 47 20 72 74 72   BLE t1 USING rtr
+|   4064: 65 65 28 69 64 2c 78 30 2c 78 31 2c 79 30 2c 79   ee(id,x0,x1,y0,y
+|   4080: 31 2c 2b 6c 61 62 65 6c 2c 2b 6f 74 68 65 72 29   1,+label,+other)
+| page 2 offset 4096
+|      0: 0d 00 00 00 0e 0e f7 00 0f e8 0f 00 fb 70 f9 e0   .............p..
+|     16: f9 10 f8 10 f7 00 f5 e0 f4 f0 f3 90 f2 90 f1 80   ................
+|     32: f0 60 ef 00 00 00 00 00 00 00 00 00 00 00 00 00   .`..............
+|   3824: 00 00 00 00 00 00 00 0d 0e 05 00 09 1d 00 74 6f   ..............to
+|   3840: 70 20 68 61 6c 66 10 0d 05 00 09 23 00 62 6f 74   p half.....#.bot
+|   3856: 74 6f 6d 20 68 61 6c 66 0f 0c 05 00 09 21 00 72   tom half.....!.r
+|   3872: 69 67 68 74 20 68 61 6c 66 0e 0b 05 00 09 1f 00   ight half.......
+|   3888: 6c 65 66 74 20 68 61 6c 66 14 0a 05 00 09 2b 00   left half.....+.
+|   3904: 00 03 98 20 49 98 2f 6c 62 05 74 68 69 6e 67 0d   ... I./lb.thing.
+|   3920: 09 05 00 09 1d 00 74 6f 70 20 65 64 67 65 10 08   ......top edge..
+|   3936: 05 00 09 23 00 62 6f 74 74 6f 6d 20 65 64 67 65   ...#.bottom edge
+|   3952: 0f 07 05 00 09 21 00 72 69 67 68 74 20 65 64 67   .....!.right edg
+|   3968: 65 0e 06 05 00 09 1f 00 6c 65 66 74 20 65 64 67   e.......left edg
+|   3984: 65 0b 05 05 00 09 19 00 63 65 6e 74 65 72 17 04   e.......center..
+|   4000: 05 00 09 31 00 75 70 70 65 72 2d 72 69 67 68 74   ...1.upper-right
+|   4016: 20 63 6f 72 6e 65 72 17 03 05 00 09 31 00 6c 6f    corner.....1.lo
+|   4032: 77 65 72 2d 72 69 67 68 74 20 63 6f 72 6e 65 72   wer-right corner
+|   4048: 16 02 05 00 09 2f 00 75 70 70 65 72 2d 6c 65 66   ...../.upper-lef
+|   4064: 74 20 63 6f 72 6e 65 72 16 01 05 00 09 2f 00 6c   t corner...../.l
+|   4080: 6f 77 65 72 2d 6c 65 66 74 20 63 6f 72 6e 65 72   ower-left corner
+| page 3 offset 8192
+|      0: 0d 00 00 00 01 0b 2d 00 0b 2d 00 00 00 00 00 00   ......-..-......
+|   2848: 00 00 00 00 00 00 00 00 00 00 00 00 00 89 50 01   ..............P.
+|   2864: 04 00 93 24 00 00 00 0e 00 00 00 00 00 00 00 01   ...$............
+|   2880: 00 00 00 04 01 20 00 00 00 00 00 04 12 00 00 00   ..... ..........
+|   2896: 00 00 00 00 00 00 00 23 00 00 00 00 41 20 00 00   .......#....A ..
+|   2912: 42 b4 00 00 42 c8 00 00 00 00 00 00 00 00 00 03   B...B...........
+|   2928: 42 b4 00 00 42 c8 00 00 00 00 00 00 41 20 00 00   B...B.......A ..
+|   2944: 00 00 00 00 00 00 00 04 42 b4 00 00 42 c8 00 00   ........B...B...
+|   2960: 42 b4 00 00 42 c8 00 00 00 00 00 00 00 00 00 05   B...B...........
+|   2976: 42 20 00 00 42 70 00 00 42 20 00 00 42 70 00 00   B ..Bp..B ..Bp..
+|   2992: 00 00 00 00 00 00 00 06 00 00 00 00 40 a0 00 00   ............@...
+|   3008: 00 00 00 04 2c 80 00 00 00 00 00 00 00 00 00 74   ....,..........t
+|   3024: 2b e0 00 04 2c 80 00 04 2c 80 00 00 00 00 00 00   +...,...,.......
+|   3040: 00 00 00 80 00 00 00 04 2c 80 00 00 00 00 00 04   ........,.......
+|   3056: 0a 00 00 00 00 00 b0 80 00 00 04 2c 80 00 04 2b   ...........,...+
+|   3072: e0 00 04 2c 80 00 00 00 00 00 00 00 00 00 a0 00   ...,............
+|   3088: 00 00 04 2c 80 00 00 00 00 00 04 2c 80 00 00 00   ...,.......,....
+|   3104: 00 00 00 00 00 00 b0 00 00 00 04 24 80 00 00 00   ...........$....
+|   3120: 00 00 04 2c 80 00 00 00 00 00 00 00 50 00 91 f0   ...,........P...
+|   3136: 06 c6 56 67 42 06 86 16 c6 61 40 a0 50 00 92 b0   ..VgB....a@.P...
+|   3152: 07 46 86 52 07 76 86 f6 c6 52 07 46 86 96 e6 70   .F.R.v...R.F...p
+|   3168: d0 90 50 00 91 d0 07 46 f7 02 06 56 46 76 51 00   ..P....F...VFvQ.
+|   3184: 80 50 00 92 30 06 26 f7 47 46 f6 d2 06 56 46 76   .P..0.&.GF...VFv
+|   3200: 50 f0 70 50 00 92 10 07 26 96 76 87 42 06 56 46   P.pP....&.v.B.VF
+|   3216: 76 50 e0 60 50 00 91 f0 06 c6 56 67 42 06 56 46   vP.`P.....VgB.VF
+|   3232: 76 50 b0 50 50 00 91 90 06 36 56 e7 46 57 21 70   vP.PP....6V.FW!p
+|   3248: 40 50 00 93 10 07 57 07 06 57 22 d7 26 96 76 87   @P....W..W".&.v.
+|   3264: 42 06 36 f7 26 e6 57 21 70 30 50 00 93 10 06 c6   B.6.&.W!p0P.....
+|   3280: f7 76 57 22 d7 26 96 76 87 42 06 36 f7 26 e6 57   .vW".&.v.B.6.&.W
+|   3296: 21 60 20 50 00 92 f0 07 57 07 06 57 22 d6 c6 56   !` P....W..W"..V
+|   3312: 60 00 00 c4 24 c0 00 04 2c 80 00 00 00 00 00 04   `...$...,.......
+|   3328: 2c 80 00 00 00 00 00 00 00 00 00 d0 00 00 00 04   ,...............
+|   3344: 2c 80 00 00 00 00 00 04 24 80 00 00 00 00 00 00   ,.......$.......
+|   3360: 00 00 00 e0 00 00 00 04 2c 80 00 04 24 c0 00 04   ........,...$...
+|   3376: 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ,...............
+| page 4 offset 12288
+|      0: 0d 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00   ................
+| end c4.db
+  }]
+  catchsql {
+    UPDATE t1 SET label='x';
+  }
+} {1 {malformed database schema (?)}}
+do_test rtreefuzz001-310 {
+  catchsql {
+    SELECT rtreecheck('t1');
+  }
+} {1 {database disk image is malformed}}
+
+
 finish_test

diff --git a/manifest b/manifest
index f7df01a6b75337c53de3078250c8998a94f9bdf0..0754cb2c7a83db8dc6e4888ec6578ea43e03c1b7 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Prevent\san\sinfinite\sloop\sin\srtree\sthat\scan\sresult\sfrom\sa\scorrupt\sshadow\stable.
-D 2018-12-21T16:53:58.424
+C Fix\sa\spotential\sNULL-pointer\sdeference\sin\sRTREE\sdue\sto\scorrupt\sshadow\stables.
+D 2018-12-21T17:51:30.020
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in d8b254f8bb81bab43c340d70d17dc3babab40fcc8a348c8255881f780a45fee6
@@ -363,7 +363,7 @@ F ext/repair/test/checkindex01.test b530f141413b587c9eb78ff734de6bb79bc3515c3350
 F ext/repair/test/test.tcl 686d76d888dffd021f64260abf29a55c57b2cedfa7fc69150b42b1d6119aac3c
 F ext/rtree/README 6315c0d73ebf0ec40dedb5aa0e942bc8b54e3761
 F ext/rtree/geopoly.c d56ff997f2646b03be742eb85e8206f779d777f3a282fe0da576780ca0e11f20
-F ext/rtree/rtree.c 631b16a34589ce12dd917a73fb8d5323c113b146a0abd601de5aa2bf6d73224d
+F ext/rtree/rtree.c 382898f6e03a6ec1d07e1f952969a05e2b53c3be6f1e5256430174b77b326725
 F ext/rtree/rtree.h 4a690463901cb5e6127cf05eb8e642f127012fd5003830dbc974eca5802d9412
 F ext/rtree/rtree1.test 309afc04d4287542b2cd74f933296832cc681c7b014d9405cb329b62053a5349
 F ext/rtree/rtree2.test 5f25b01acd03470067a2d52783b2eb0a50bf836803d4342d20ca39e541220fe2
@@ -386,7 +386,7 @@ F ext/rtree/rtree_perf.tcl 6c18c1f23cd48e0f948930c98dfdd37dfccb5195
 F ext/rtree/rtree_util.tcl db734b4c5e75fed6acc56d9701f2235345acfdec750b5fc7b587936f5f6bceed
 F ext/rtree/rtreecheck.test d67d5b3e9e45bfa8cd90734e8e9302144ac415b8e9176c6f02d4f92892ee8a35
 F ext/rtree/rtreeconnect.test 225ad3fcb483d36cbee423a25052a6bbae762c9576ae9268332360c68c170d3d
-F ext/rtree/rtreefuzz001.test a83162d03fdbc5c35ff3e80718d2fb35099094f5250c58c4219e5faa0fbca8f4
+F ext/rtree/rtreefuzz001.test be2d8157d016aadd6bd219fe1b31c86391e4ba135c05b4c29eac98331ecd46af
 F ext/rtree/sqlite3rtree.h 03c8db3261e435fbddcfc961471795cbf12b24e03001d0015b2636b0f3881373
 F ext/rtree/tkt3363.test 142ab96eded44a3615ec79fba98c7bde7d0f96de
 F ext/rtree/util/randomshape.tcl 54ee03d0d4a1c621806f7f44d5b78d2db8fac26e0e8687c36c4bd0203b27dbff
@@ -1788,7 +1788,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P ed8531e57596f0d5911a05a26d5ae61e1eccfaadee49219d7f6e212cac288238
-R 98cfb68f6cdaf1a074ca8f9382198a96
+P 085667180b230587abb82abfdd14da8859e23620994d5cf152236b64c756dd04
+R 8aa7e243e065e6cca91da9a1f85fa7f3
 U drh
-Z c1c2d5a357948eaf32d5cca600098550
+Z bfbfee3ddfe8227db2e091eee3e56dcd

diff --git a/manifest.uuid b/manifest.uuid
index fa2a9cbb012110c8ca742e3901ddc901cdddd5e3..4b0e262d6ad050ee3ba0d2cda1a2eb98ecf8dafa 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-085667180b230587abb82abfdd14da8859e23620994d5cf152236b64c756dd04
\ No newline at end of file
+1fdd3604eef880414682e9e6f74d714520fe1c63f267ec4da752d2dc1da6bf72
\ No newline at end of file