Avoid a buffer overread in fts3 that could occur when processing a corrupt record.

FossilOrigin-Name: 1f91fe4bfc81bf66f9c8f0aebe0acdbac89e2c20d90a5eb4ea0a3c560b82a9cd

diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
index 6a727eaf5f9cdbe5c0400d643e7cd3404d47b412..393f8a8717112f59716b4fb7dae9084ec68ac158 100644 (file)
--- a/ext/fts3/fts3_write.c
+++ b/ext/fts3/fts3_write.c
@@ -2667,16 +2667,18 @@ static int fts3MsrBufferData(
   char *pList,
   i64 nList
 ){
-  if( nList>pMsr->nBuffer ){
+  if( (nList+FTS3_NODE_PADDING)>pMsr->nBuffer ){
     char *pNew;
-    pMsr->nBuffer = nList*2;
-    pNew = (char *)sqlite3_realloc64(pMsr->aBuffer, pMsr->nBuffer);
+    int nNew = nList*2 + FTS3_NODE_PADDING;
+    pNew = (char *)sqlite3_realloc64(pMsr->aBuffer, nNew);
     if( !pNew ) return SQLITE_NOMEM;
     pMsr->aBuffer = pNew;
+    pMsr->nBuffer = nNew;
   }
 
   assert( nList>0 );
   memcpy(pMsr->aBuffer, pList, nList);
+  memset(&pMsr->aBuffer[nList], 0, FTS3_NODE_PADDING);
   return SQLITE_OK;
 }
 

diff --git a/manifest b/manifest
index 9feaa29db8b6e98fe1aaf89f0e8872cc16d79919..9d4324fe66101913157661e1018f728e2ec31942 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\spotential\sbuffer\soverread\sin\sthe\srecovery\sextension.
-D 2023-03-17T14:22:45.322
+C Avoid\sa\sbuffer\soverread\sin\sfts3\sthat\scould\soccur\swhen\sprocessing\sa\scorrupt\srecord.
+D 2023-03-19T10:30:02.960
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -76,7 +76,7 @@ F ext/fts3/fts3_tokenizer.h 64c6ef6c5272c51ebe60fc607a896e84288fcbc3
 F ext/fts3/fts3_tokenizer1.c c1de4ae28356ad98ccb8b2e3388a7fdcce7607b5523738c9afb6275dab765154
 F ext/fts3/fts3_unicode.c de426ff05c1c2e7bce161cf6b706638419c3a1d9c2667de9cb9dc0458c18e226
 F ext/fts3/fts3_unicode2.c 416eb7e1e81142703520d284b768ca2751d40e31fa912cae24ba74860532bf0f
-F ext/fts3/fts3_write.c 4fb644df0ff840267e47a724286c7a1fa5540273a7ce15756dd5913a101ec302
+F ext/fts3/fts3_write.c 33d2d0db4dd4e7a7a7e9a7f790414293277f9e7682a2fd9d61c713bfc37cd8b6
 F ext/fts3/fts3speed.tcl b54caf6a18d38174f1a6e84219950d85e98bb1e9
 F ext/fts3/tool/fts3cov.sh c331d006359456cf6f8f953e37f2b9c7d568f3863f00bb5f7eb87fea4ac01b73
 F ext/fts3/tool/fts3view.c 413c346399159df81f86c4928b7c4a455caab73bfbc8cd68f950f632e5751674
@@ -2045,9 +2045,9 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P c5bd0ea3b5b2f3ed8e971c5fd6e85e8f06d8055d74df65612c3794138306e6ba
-Q +0b3b5bf9597615589a1d045aaa697c13550553ee4fe4b9008a8e51415b6fe96a
-R 02be6c39e06df877a266747f4a17bfe1
-U dan
-Z 81691bf1b00f2e41170fc3675011bfa2
+P 78836713c965066cb9c1cc732a9cecb1d74a25f37775a01c088393881e4fd8d6
+Q +02ac2297abee6af64c8df230b42b07f21cff4565d7e315860b2396a7c0c556ca
+R 51d66f282cfe6d040bc294a4f796ba07
+U drh
+Z f9cdc83baba5df0bf81faea6836bdc84
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 59fbf7f78e9db7f68eda2b54ebd8d05ffdc7624d..e0b8ad2c9463200dd10ae0c3d759c4ad1a550e15 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-78836713c965066cb9c1cc732a9cecb1d74a25f37775a01c088393881e4fd8d6
\ No newline at end of file
+1f91fe4bfc81bf66f9c8f0aebe0acdbac89e2c20d90a5eb4ea0a3c560b82a9cd
\ No newline at end of file