Fix a potential crash that can occur while reading an index from a corrupt
authordrh <drh@noemail.net>
Mon, 1 Oct 2018 13:54:30 +0000 (13:54 +0000)
committerdrh <drh@noemail.net>
Mon, 1 Oct 2018 13:54:30 +0000 (13:54 +0000)
database file.  The corruption is a record-header-size that is larger than
0x7fffffff.  Problem detected by OSSFuzz against GDAL and reported to us
(with a suggested fix) by Even Rouault.  The test case is in TH3.

FossilOrigin-Name: 8ac2cdda68f92b0352bc7f0b4be5fca4bb58565ca65055fb34153cc284ed6922

manifest
manifest.uuid
src/vdbeaux.c

index b5a3086cb6cda8d0a6d2866ae92a62efb607d84f..3cea376d3c6e7319db7781481958744d6dbb7dd1 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sproblem\swith\sALTER\sTABLE\scommands\swhen\sthe\sschema\sfeatures\san\sINSTEAD\sof\ntrigger\sthat\suses\sNEW.*\sor\sOLD.*.
-D 2018-10-01T07:04:12.490
+C Fix\sa\spotential\scrash\sthat\scan\soccur\swhile\sreading\san\sindex\sfrom\sa\scorrupt\ndatabase\sfile.\s\sThe\scorruption\sis\sa\srecord-header-size\sthat\sis\slarger\sthan\n0x7fffffff.\s\sProblem\sdetected\sby\sOSSFuzz\sagainst\sGDAL\sand\sreported\sto\sus\s\n(with\sa\ssuggested\sfix)\sby\sEven\sRouault.\s\sThe\stest\scase\sis\sin\sTH3.
+D 2018-10-01T13:54:30.911
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in 01e95208a78b57d056131382c493c963518f36da4c42b12a97eb324401b3a334
@@ -578,7 +578,7 @@ F src/vdbe.c 005e691ea4c7d51e6c1a69d9389aeb34700884c85f51681817ddea3fdc2fc39b
 F src/vdbe.h 5081dcc497777efe5e9ebe7330d283a044a005e4bdda2e2e984f03bf89a0d907
 F src/vdbeInt.h f1f35f70460698d8f5a2bdef1001114babf318e2983a067804e2ae077d8e9827
 F src/vdbeapi.c 2ba821c5929a2769e4b217dd85843479c718b8989d414723ec8af0616a83d611
-F src/vdbeaux.c c3c397274380f13db702baa3506ba87379446a4d71135a1177b624f73dd3c830
+F src/vdbeaux.c 9fe7760a6b9739f21f3e19ad5364330b0f681998fc52c32358243b0060423474
 F src/vdbeblob.c f5c70f973ea3a9e915d1693278a5f890dc78594300cf4d54e64f2b0917c94191
 F src/vdbemem.c 81329ab760e4ec0162119d9cd10193e0303c45c5935bb20c7ae9139d44dd6641
 F src/vdbesort.c 90aad5a92608f2dd771c96749beabdb562c9d881131a860a7a5bccf66dc3be7f
@@ -1770,7 +1770,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P d04b2013b5436430ebbf7053d637fd89c1b15affcb42787dcf1cf5ffc3ae54e2
-R 479306dd49205e8d1f89a577af9e0033
-U dan
-Z 3eb383fba7fc036a1656cc373d9dc1ea
+P c52f457e56eb9d573eb67093731eb231aaf6fd6dbdc397e6f948b82736fbe3ab
+R c75c41f8def35162ce620ba59792b15c
+U drh
+Z 2db3890d5903ac5d614f7b18f951a8a9
index e3f42f7fe93a5969ccedfc4b216b4f5cc2aec952..d9b29688df65b82cc53c062821fbf7845bba3be8 100644 (file)
@@ -1 +1 @@
-c52f457e56eb9d573eb67093731eb231aaf6fd6dbdc397e6f948b82736fbe3ab
\ No newline at end of file
+8ac2cdda68f92b0352bc7f0b4be5fca4bb58565ca65055fb34153cc284ed6922
\ No newline at end of file
index 5ec3d131e0a635818d2ffb87f64701ee0edfe2ce..99df43596650d923b10cf0b8e130549e2747061d 100644 (file)
@@ -4557,7 +4557,9 @@ int sqlite3VdbeIdxRowid(sqlite3 *db, BtCursor *pCur, i64 *rowid){
   (void)getVarint32((u8*)m.z, szHdr);
   testcase( szHdr==3 );
   testcase( szHdr==m.n );
-  if( unlikely(szHdr<3 || (int)szHdr>m.n) ){
+  testcase( szHdr>0x7fffffff );
+  assert( m.n>=0 );
+  if( unlikely(szHdr<3 || szHdr>(unsigned)m.n) ){
     goto idx_rowid_corruption;
   }
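Review bot: The rewritten bound check on the `if` line is only correct while m.n is non-negative, and that precondition is enforced solely by the new `assert`, which is compiled out of release builds; a why-comment above the `if` would stop a later maintainer from "simplifying" it back to the old `(int)szHdr>m.n` form, which let a corrupt header size above 0x7fffffff wrap negative and pass the check. Suggested comment: `/* Compare unsigned: with the old (int) cast a corrupt header size above 0x7fffffff read as negative and slipped past this bound check */`. If szHdr is declared u32 (it appears to be filled by getVarint32), casting m.n to `(u32)` rather than `(unsigned)` would match the file's own integer typedefs. The rest of sqlite3VdbeIdxRowid, including the later use of szHdr to locate the rowid field, lies outside this hunk.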