When parsing the schema, detect out-of-bounds rootpage values and throw an

error.

FossilOrigin-Name: 6c3a2727dc912ed800146e07db5d15d0f3468d13701165ba763c4b114c3e18e8

diff --git a/manifest b/manifest
index b8892c1ce20c578149babb6354d37f121a2be454..a677fefb1e3d79e413af815d594ba089640dc11e 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,24 +1,27 @@
 B d2aac001204621062e6cb3230ce2ac1b4545cb83b3ebb6bfebccee4d51162e97
-C All\sTCL\stests\snow\spassing.
-D 2020-07-22T17:12:59.996
+C When\sparsing\sthe\sschema,\sdetect\sout-of-bounds\srootpage\svalues\sand\sthrow\san\nerror.
+D 2020-07-22T18:03:56.431
 F src/analyze.c 5cffff3d355858cd22bfc6e20ac7203510d2e1cc935086eb06f4abb2f579f628
 F src/btree.c a4720f51945a86379ecd962a715d6fe9de08651a67d1e6f7b4884612da83ceb5
 F src/btree.h 7af72bbb4863c331c8f6753277ab40ee67d2a2125a63256d5c25489722ec162b
 F src/btreeInt.h 83166f6daeb91062b6ae9ee6247b3ad07e40eba58f3c05ba9e8dedad4ab1ea38
 F src/build.c f2b73fbb2197fb6e6a35ff2e1750085f023dc50542185f1a2dfccd632223eb14
 F src/pager.c a5f65ff2cd73b8d381cc7b338cac382ca6978d578fa0b84fdaa11d3cdc3c3e18
-F src/prepare.c 26be4805d6b6185229221152d6d1ce10e2a6619a1afe0d8bf3c5a3c4bacf402a
+F src/prepare.c 752643468bab27081bee439a7a727b616db2997e2ecdae132e8c786f8e44bcec
 F src/select.c 0e75d64091200a2a8fdc02abafe176a0c2e9b2654c4cc34564f25f0b408e91de
-F src/sqliteInt.h eb4f7746ca2f90dfd5ccaa182960daafccd63f3f7be83589f4257b41e0e5f70f
+F src/sqliteInt.h ec260b2441d94ef0b5be424c323cf255ae30d23e2fb2bd1c42a3a59c2fbafedb
 F src/util.c 58bf59fb0923017619c9c53957a676ff2322314b2547f6a223e0707e7ba505de
-F src/vdbe.c 44ac1776fa89e54dd49e71838aed17ceb316d993378d0d71818f7e853e934d0e
+F src/vdbe.c 120fdb1add80309cf1b4d6cc88b7f4e0580e816ded743a8f495fff9ef35a4e0a
 F src/vdbe.h 83603854bfa5851af601fc0947671eb260f4363e62e960e8a994fb9bbcd2aaa1
 F src/vdbeInt.h 762abffb7709f19c2cb74af1bba73a900f762e64f80d69c31c9ae89ed1066b60
 F src/vdbeaux.c 1cbbbffdb874c6f3e7aab40f3deb48abac4a71df1043cd95bb0d652d4e053871
 F src/wherecode.c 8064fe5c042824853a9b1fda670054a51a49033a6c79059988c97751ccf8088e
 F test/corrupt3.test 2520432b1fbf99994841e69804a3c59fb828183f4d09b85a1631bc7adca17e31
 F tool/showdb.c 49e810f5c414c792b5bf38cd5557ca9639713ebfef32aaff32faf7cb7ccce513
-P 92e2ab38930c76811dbf5abfe6b9ea9e12562a4bb4bb06cdb0cf49ac30da0bc3
-R 9a8fcc1aa7a1542100ce070d51449c82
+P 4c5f3c6cacf84a36d0347790d98d82d1f584cd1537a13a2736348405c4d20367
+R ccc7b0ae4ada19d710420f989f7c9313
+T *branch * rootpage-bounds-check
+T *sym-rootpage-bounds-check *
+T -sym-larger-databases *
 U drh
-Z 823bbfd3b3d1b49671a3ec5ee70353b6
+Z c08f65e2e744a2c088ae7728fbcd5c94

diff --git a/manifest.uuid b/manifest.uuid
index d61058e2b556f290d162156dbb47697b5bd8ca43..b93907488d35286d287b71719a0d85bd6eaff1cd 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-4c5f3c6cacf84a36d0347790d98d82d1f584cd1537a13a2736348405c4d20367
\ No newline at end of file
+6c3a2727dc912ed800146e07db5d15d0f3468d13701165ba763c4b114c3e18e8
\ No newline at end of file

diff --git a/src/prepare.c b/src/prepare.c
index dab57682f97ca0cfd4376f913782c373a27cf1bb..84f2ee8a231ad989ed113a2a6aafd162e3725964 100644 (file)
--- a/src/prepare.c
+++ b/src/prepare.c
@@ -116,6 +116,10 @@ int sqlite3InitCallback(void *pInit, int argc, char **argv, char **NotUsed){
     assert( db->init.busy );
     db->init.iDb = iDb;
     sqlite3GetUInt32(argv[3], &db->init.newTnum);
+    if( db->init.newTnum>pData->mxPage && pData->mxPage!=0 ){
+      corruptSchema(pData, argv[1], "invalid rootpage");
+      return 0;
+    }
     db->init.orphanTrigger = 0;
     db->init.azInit = argv;
     pStmt = 0;
@@ -151,6 +155,7 @@ int sqlite3InitCallback(void *pInit, int argc, char **argv, char **NotUsed){
     if( pIndex==0
      || sqlite3GetUInt32(argv[3],&pIndex->tnum)==0
      || pIndex->tnum<2
+     || (pIndex->tnum>pData->mxPage && pData->mxPage!=0)
      || sqlite3IndexHasDuplicateRootPage(pIndex)
     ){
       corruptSchema(pData, argv[1], pIndex?"invalid rootpage":"orphan index");
@@ -207,6 +212,7 @@ int sqlite3InitOne(sqlite3 *db, int iDb, char **pzErrMsg, u32 mFlags){
   initData.pzErrMsg = pzErrMsg;
   initData.mInitFlags = mFlags;
   initData.nInitRow = 0;
+  initData.mxPage = 0;
   sqlite3InitCallback(&initData, 5, (char **)azArg, 0);
   db->mDbFlags &= mask;
   if( initData.rc ){
@@ -329,6 +335,7 @@ int sqlite3InitOne(sqlite3 *db, int iDb, char **pzErrMsg, u32 mFlags){
   /* Read the schema information out of the schema tables
   */
   assert( db->init.busy );
+  initData.mxPage = sqlite3BtreeLastPage(pDb->pBt);
   {
     char *zSql;
     zSql = sqlite3MPrintf(db, 

diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 32155892fad84980ccea20972f2726a36d4dc6ff..f2a26109c420e10d0be5e0fd91a431b21f7588c3 100644 (file)
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -3629,6 +3629,7 @@ typedef struct {
   int rc;             /* Result code stored here */
   u32 mInitFlags;     /* Flags controlling error messages */
   u32 nInitRow;       /* Number of rows processed */
+  Pgno mxPage;        /* Maximum page number.  0 for no limit. */
 } InitData;
 
 /*

diff --git a/src/vdbe.c b/src/vdbe.c
index c86b54c8f86cc76fec5131bf7c290f5336166cd4..5134da4b376762afffea2833dd2fb2bfd512bd45 100644 (file)
--- a/src/vdbe.c
+++ b/src/vdbe.c
@@ -6122,6 +6122,7 @@ case OP_ParseSchema: {
     initData.iDb = iDb;
     initData.pzErrMsg = &p->zErrMsg;
     initData.mInitFlags = 0;
+    initData.mxPage = sqlite3BtreeLastPage(db->aDb[iDb].pBt);
     zSql = sqlite3MPrintf(db,
        "SELECT*FROM\"%w\".%s WHERE %s ORDER BY rowid",
        db->aDb[iDb].zDbSName, zSchema, pOp->p4.z);