Avoid a buffer overread in fts3 that could occur when handling corrupt data structures.
authordan <Dan Kennedy>
Tue, 8 Jun 2021 12:15:56 +0000 (12:15 +0000)
committerdan <Dan Kennedy>
Tue, 8 Jun 2021 12:15:56 +0000 (12:15 +0000)
FossilOrigin-Name: 45f459d2fa4be97d9bbb970efbc0b5d40efaf93f52ed111fd0fcdc572c24327b

ext/fts3/fts3_write.c
manifest
manifest.uuid
test/fts3corrupt6.test

index c2e6bbcbd52373131422d2a0a5216ccd53f15673..56c59ce3ae1d9f07b873c4f32f314e47a406fc13 100644 (file)
@@ -2003,8 +2003,8 @@ static int fts3PrefixCompress(
   int nNext                       /* Size of buffer zNext in bytes */
 ){
   int n;
-  UNUSED_PARAMETER(nNext);
-  for(n=0; n<nPrev && zPrev[n]==zNext[n]; n++);
+  for(n=0; n<nPrev && n<nNext && zPrev[n]==zNext[n]; n++);
+  assert_fts3_nc( n<nNext );
   return n;
 }
 
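Review bot: The new loop condition `n<nPrev && n<nNext && zPrev[n]==zNext[n]` can stop with n equal to nNext, and `assert_fts3_nc( n<nNext )` is only an assertion, so in a build where assertions are compiled out the function simply returns nNext and the decision passes to its callers. Those callers are outside this hunk; if they compute a suffix length as nNext minus the returned value, it would be zero for such input, and it is worth confirming that each of them rejects that as corruption instead of writing a zero-length suffix. I would also record the contract just above `return n;`, for example `/* n==nNext is only possible with a corrupt index; callers must treat an empty suffix as corruption */`. The function's signature and header comment start above the hunk, so the existing documentation could not be checked here.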
index 818c477169399dd63ec0af329f00c88924aa6345..6ad13fc3a86af5954066a2cd6b7001c52db311a0 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sbuffer\soverread\sthat\scould\soccur\sin\sfts5\swhen\shandling\scorrupt\srecords.
-D 2021-06-07T17:36:57.686
+C Avoid\sa\sbuffer\soverread\sin\sfts3\sthat\scould\soccur\swhen\shandling\scorrupt\sdata\sstructures.
+D 2021-06-08T12:15:56.225
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -102,7 +102,7 @@ F ext/fts3/fts3_tokenizer.h 64c6ef6c5272c51ebe60fc607a896e84288fcbc3
 F ext/fts3/fts3_tokenizer1.c 5c98225a53705e5ee34824087478cf477bdb7004
 F ext/fts3/fts3_unicode.c de426ff05c1c2e7bce161cf6b706638419c3a1d9c2667de9cb9dc0458c18e226
 F ext/fts3/fts3_unicode2.c 416eb7e1e81142703520d284b768ca2751d40e31fa912cae24ba74860532bf0f
-F ext/fts3/fts3_write.c b0441839fd34bc23cce2e1bcdfb9489f716ff6ee0ef24308cea70ddfb5f14162
+F ext/fts3/fts3_write.c 98edfd77aeb53afcb26d8de3ed0a87f16468ee05f84f8c1752e6e378c354cd7a
 F ext/fts3/fts3speed.tcl b54caf6a18d38174f1a6e84219950d85e98bb1e9
 F ext/fts3/mkfts3amal.tcl 252ecb7fe6467854f2aa237bf2c390b74e71f100
 F ext/fts3/tool/fts3cov.sh c331d006359456cf6f8f953e37f2b9c7d568f3863f00bb5f7eb87fea4ac01b73
@@ -974,7 +974,7 @@ F test/fts3corrupt2.test e318f0676e5e78d5a4b702637e2bb25265954c08a1b1e4aaf93c788
 F test/fts3corrupt3.test 0d5b69a0998b4adf868cc301fc78f3d0707745f1d984ce044c205cdb764b491f
 F test/fts3corrupt4.test 1b3333822577b0888c95de8490a1a6152c47cb33a763fe62c54825202c31812f
 F test/fts3corrupt5.test 0549f85ec4bd22e992f645f13c59b99d652f2f5e643dac75568bfd23a6db7ed5
-F test/fts3corrupt6.test d274f139ec173392002c768631f404fefc007ae02ffa1b03d8cbd096c3fc00f9
+F test/fts3corrupt6.test 657b4b8e5791d8d4adc93c90588fb25f1c7346544dd877c6c298a0746749146d
 F test/fts3cov.test 7eacdbefd756cfa4dc2241974e3db2834e9b372ca215880e00032222f32194cf
 F test/fts3d.test 2bd8c97bcb9975f2334147173b4872505b6a41359a4f9068960a36afe07a679f
 F test/fts3defer.test f4c20e4c7153d20a98ee49ee5f3faef624fefc9a067f8d8d629db380c4d9f1de
@@ -1918,7 +1918,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 9d0b6b0f42a47a3892ebc765250756fb8b844e8399d992a8b65f55af3800ea06
-R 23d59505d159d31d2ffb5d1777058548
+P 078962a2164a784b135bacee51ef10973dc2e30de04353d48698d0e72edd63d8
+R 5a17f4e5ebbfe022e0c97e67ae492f79
 U dan
-Z 86b1a535909414fcc97ab5a0253c5f21
+Z 7b7192d0a99b7f6acb9424a14999a3f8
index 8a422a631125e4182feee8b0d0f784c558cf80ff..d9b791e0f61a5b3241f37e429be0014010f4ca32 100644 (file)
@@ -1 +1 @@
-078962a2164a784b135bacee51ef10973dc2e30de04353d48698d0e72edd63d8
\ No newline at end of file
+45f459d2fa4be97d9bbb970efbc0b5d40efaf93f52ed111fd0fcdc572c24327b
\ No newline at end of file
index 8788a61d671c60d56b4079d1aa0c244a62f0dab2..fde2fba2ecacd409afd6434b56acce1412442951 100644 (file)
@@ -62,5 +62,17 @@ do_execsql_test 2.1 {
   SELECT count(*) FROM t0 WHERE t0 MATCH '(1 NEAR 1) AND (aaaa OR 1)';
 } 1
 
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 3.0 {
+  CREATE VIRTUAL TABLE main.Table0 USING fts3();
+  INSERT INTO Table0 VALUES (1), (printf('%8.1280000X') ), (1), (printf('%8.1280000X') ), (1)  ;
+  INSERT INTO Table0 VALUES (0), (printf('%8.1280000X%8.1280000X') ), (1), (printf('%1280000.1280000X%#1280000.1280000E%8.1280000X') ), (1)  ;
+  INSERT INTO Table0 VALUES (1)  ;
+  UPDATE Table0_segdir SET start_block = 1;
+  INSERT INTO Table0 VALUES (1)  ;
+  INSERT INTO Table0(Table0) VALUES('merge=6,8');
+}
+
 set sqlite_fts3_enable_parentheses $saved_sqlite_fts3_enable_parentheses
 finish_test
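Review bot: Test 3.0 carries no comment saying what it corrupts or which code it is meant to reach, so a later reader cannot tell that `UPDATE Table0_segdir SET start_block = 1` is the deliberate corruption and that the `merge=6,8` command is what drives the read. A header line such as `# Corrupt %_segdir.start_block, then run an incremental merge; the merge must not read past the end of a term buffer.` would make that explicit. The block passes no expected result, so as far as this hunk shows it checks only that the statements complete without error. The overread itself would presumably be noticed only when the suite runs under a memory checker or with assertions enabled, which is worth saying in the same comment.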