Increase the size of some variables associated with the PMA sorter in order

to avoid any possibility of a signed integer overflow.
[https://bugs.chromium.org/p/chromium/issues/detail?id=1489025|Chromium fuzzer issue 1489025].

FossilOrigin-Name: dc3be3af471d90dd810c1e2cc59e83cf6a57f01971b1258ea0da402e4d577ef2

diff --git a/manifest b/manifest
index a58b92ef8a3f57b620bdae19895597ac940cced6..6a279af6628acc1a6d400d3e21f88944222a4a4e 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Improved\sdetection\sof\scorrupt\sdatabases\sin\sbalance_nonroot().\ndbsqlfuzz\sd1cf013c50a620b68c2a5bd240d29afd65e5f58e.
-D 2023-10-05T11:06:10.790
+C Increase\sthe\ssize\sof\ssome\svariables\sassociated\swith\sthe\sPMA\ssorter\sin\sorder\nto\savoid\sany\spossibility\sof\sa\ssigned\sinteger\soverflow.\n[https://bugs.chromium.org/p/chromium/issues/detail?id=1489025|Chromium\sfuzzer\sissue\s1489025].
+D 2023-10-06T12:15:01.126
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -787,7 +787,7 @@ F src/vdbeapi.c 4184402246172220418c0ef49ff4cf1a19ced9a4ac6c843c2f0773fb5c543f37
 F src/vdbeaux.c 5b415e09b5b9d5be6c0f4fcbf18ea9d7d16f6a29ced2f14a3b2041020f63e9c1
 F src/vdbeblob.c 2516697b3ee8154eb8915f29466fb5d4f1ae39ee8b755ea909cefaf57ec5e2ce
 F src/vdbemem.c 317b9f48708139db6239ade40c7980b4bc8233168383690d588dad6d8437f722
-F src/vdbesort.c 0d40dca073c94e158ead752ef4225f4fee22dee84145e8c00ca2309afb489015
+F src/vdbesort.c 237840ca1947511fa59bd4e18b9eeae93f2af2468c34d2427b059f896230a547
 F src/vdbetrace.c fe0bc29ebd4e02c8bc5c1945f1d2e6be5927ec12c06d89b03ef2a4def34bf823
 F src/vdbevtab.c 57fa8f56478e5b5cb558cb425e7878515e0a105c54f96f1d1bbf4b9433529254
 F src/vtab.c 154725ebecd3bc02f7fbd7ad3974334f73fff76e02a964e828e48a7c5fb7efff
@@ -2123,8 +2123,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 325bcdea4a436e514d83095d3893caf07a714b718e1b643507179b101c108e3b
-R 30f43ae2972b7eeb2a422e3f17ecbd1a
+P a2464bbb825b5976ef974a2e6c17ea150f5e6fcd0dd0f144b9f9c1c22a9c9c82
+R d4dbf5f4ac62b99dade7d05b682773ba
 U drh
-Z f02a428d25ebde125df5f15b29c884ab
+Z 00019479dba428369c8d2c81fe6aa8ba
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 80b839fb4c3932750803d7a05824dc887eac5ce8..cb86fc701d71196d7d4b5ecd460dc4ad9078c6b9 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-a2464bbb825b5976ef974a2e6c17ea150f5e6fcd0dd0f144b9f9c1c22a9c9c82
\ No newline at end of file
+dc3be3af471d90dd810c1e2cc59e83cf6a57f01971b1258ea0da402e4d577ef2
\ No newline at end of file

diff --git a/src/vdbesort.c b/src/vdbesort.c
index 2b7da94f7f8da2fba6f9892effadb58e97ab2704..00836903088c5d48e05b78ba1fca778de4ecf794 100644 (file)
--- a/src/vdbesort.c
+++ b/src/vdbesort.c
@@ -186,7 +186,7 @@ struct SorterFile {
 struct SorterList {
   SorterRecord *pList;            /* Linked list of records */
   u8 *aMemory;                    /* If non-NULL, bulk memory to hold pList */
-  int szPMA;                      /* Size of pList as PMA in bytes */
+  i64 szPMA;                      /* Size of pList as PMA in bytes */
 };
 
 /*
@@ -295,10 +295,10 @@ typedef int (*SorterCompare)(SortSubtask*,int*,const void*,int,const void*,int);
 struct SortSubtask {
   SQLiteThread *pThread;          /* Background thread, if any */
   int bDone;                      /* Set if thread is finished but not joined */
+  int nPMA;                       /* Number of PMAs currently in file */
   VdbeSorter *pSorter;            /* Sorter that owns this sub-task */
   UnpackedRecord *pUnpacked;      /* Space to unpack a record */
   SorterList list;                /* List for thread to write to a PMA */
-  int nPMA;                       /* Number of PMAs currently in file */
   SorterCompare xCompare;         /* Compare function to use */
   SorterFile file;                /* Temp file for level-0 PMAs */
   SorterFile file2;               /* Space for other PMAs */
@@ -1772,8 +1772,8 @@ int sqlite3VdbeSorterWrite(
   int rc = SQLITE_OK;             /* Return Code */
   SorterRecord *pNew;             /* New list element */
   int bFlush;                     /* True to flush contents of memory to PMA */
-  int nReq;                       /* Bytes of memory required */
-  int nPMA;                       /* Bytes of PMA space required */
+  i64 nReq;                       /* Bytes of memory required */
+  i64 nPMA;                       /* Bytes of PMA space required */
   int t;                          /* serial type of first record field */
 
   assert( pCsr->eCurType==CURTYPE_SORTER );