The MemPage.aDataEnd field should point to the end of the data buffer for

the page, not just the end of the usable portion of that buffer.  The purpose
aDataEnd is to detect cells that overflow the page, and that won't work on a
page with reserved bytes and a cell that starts in the reserved region, unless
the boundary is at the very end of the page. Chromium issue 1276294.

FossilOrigin-Name: f839c0bc8388a31f6db5081906b66b9e129855ba27a13cf13bd995b083f7386e

diff --git a/manifest b/manifest
index a705549b4ba49281de04fee20d096b277754903a..cb0879e53d2376cba771ded9e3866e175fcf6e3a 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sminor\stypo\sin\sa\scomment.
-D 2022-03-01T19:19:20.084
+C The\sMemPage.aDataEnd\sfield\sshould\spoint\sto\sthe\send\sof\sthe\sdata\sbuffer\sfor\nthe\spage,\snot\sjust\sthe\send\sof\sthe\susable\sportion\sof\sthat\sbuffer.\s\sThe\spurpose\naDataEnd\sis\sto\sdetect\scells\sthat\soverflow\sthe\spage,\sand\sthat\swon't\swork\son\sa\npage\swith\sreserved\sbytes\sand\sa\scell\sthat\sstarts\sin\sthe\sreserved\sregion,\sunless\nthe\sboundary\sis\sat\sthe\svery\send\sof\sthe\spage.\sChromium\sissue\s1276294.
+D 2022-03-01T20:15:04.332
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -492,9 +492,9 @@ F src/auth.c f4fa91b6a90bbc8e0d0f738aa284551739c9543a367071f55574681e0f24f8cf
 F src/backup.c a2891172438e385fdbe97c11c9745676bec54f518d4447090af97189fd8e52d7
 F src/bitvec.c 7c849aac407230278445cb069bebc5f89bf2ddd87c5ed9459b070a9175707b3d
 F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6
-F src/btree.c 7e9400d1582136ca86af9bbb07f8f3e933b284e969cda516bdc755285d137eb2
+F src/btree.c 752fc154c07e03fd77a5426f6d625aa5aeeacd0054e0d5be9a89dd217d8b7f02
 F src/btree.h 74d64b8f28cfa4a894d14d4ed64fa432cd697b98b61708d4351482ae15913e22
-F src/btreeInt.h 7282a6e77775f93a6eb78d3a41dab372a01a4ec1d93d3b4728d191d15fda42e2
+F src/btreeInt.h 1ca477727c5f420a8321208dc5b14d93cb46cec8f941bc49318feb0e00bc961f
 F src/build.c 9891c2160886cf7e344d7e8f1f7177f9612916c7c67ffeacd64cb34a92d387a8
 F src/callback.c 4c19af69835787bfe790ac560f3071a824eb629f34e41f97b52ce5235c77de1c
 F src/complete.c a3634ab1e687055cd002e11b8f43eb75c17da23e
@@ -1944,8 +1944,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 3b36ed79d82fae47a08a7d27f4fcefb7978fdf0e7f8c0f4a82f59501f201b32b
-R 672415af5b93cf666a13cbb4e5190cf0
+P 86ba06aa4c55d3aefe030b19b2b5c08baf46bbb2218b04ac1228ab76682a929b
+R 759bdd2426153bccb0e084e1cc68e2b8
 U drh
-Z f44c78af05c98bc038cc5e60cffa1d77
+Z c62f0605f7573e50ae4553081294f184
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 4a625fe34159e2ac7fe62a7d5bb9488bfdc1cf13..f5f5a33e679054d26475ba4ccfb9120251c4a49b 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-86ba06aa4c55d3aefe030b19b2b5c08baf46bbb2218b04ac1228ab76682a929b
\ No newline at end of file
+f839c0bc8388a31f6db5081906b66b9e129855ba27a13cf13bd995b083f7386e
\ No newline at end of file

diff --git a/src/btree.c b/src/btree.c
index fdf259766fcd3be78a103bcb5a30ba6297afea10..fb35bbbc5f741e4dc26422ab68fb84271075cae3 100644 (file)
--- a/src/btree.c
+++ b/src/btree.c
@@ -2107,7 +2107,7 @@ static int btreeInitPage(MemPage *pPage){
   pPage->nOverflow = 0;
   pPage->cellOffset = pPage->hdrOffset + 8 + pPage->childPtrSize;
   pPage->aCellIdx = data + pPage->childPtrSize + 8;
-  pPage->aDataEnd = pPage->aData + pBt->usableSize;
+  pPage->aDataEnd = pPage->aData + pBt->pageSize;
   pPage->aDataOfst = pPage->aData + pPage->childPtrSize;
   /* EVIDENCE-OF: R-37002-32774 The two-byte integer at offset 3 gives the
   ** number of cells on the page. */
@@ -2158,7 +2158,7 @@ static void zeroPage(MemPage *pPage, int flags){
   pPage->nFree = (u16)(pBt->usableSize - first);
   decodeFlags(pPage, flags);
   pPage->cellOffset = first;
-  pPage->aDataEnd = &data[pBt->usableSize];
+  pPage->aDataEnd = &data[pBt->pageSize];
   pPage->aCellIdx = &data[first];
   pPage->aDataOfst = &data[pPage->childPtrSize];
   pPage->nOverflow = 0;

diff --git a/src/btreeInt.h b/src/btreeInt.h
index e038f313e2fbb929b214d15e5ca12239d3f61cf2..3b0572e954cc1bd6b0efafa6288fe041c380b71f 100644 (file)
--- a/src/btreeInt.h
+++ b/src/btreeInt.h
@@ -293,7 +293,9 @@ struct MemPage {
   u8 *apOvfl[4];       /* Pointers to the body of overflow cells */
   BtShared *pBt;       /* Pointer to BtShared that this page is part of */
   u8 *aData;           /* Pointer to disk image of the page data */
-  u8 *aDataEnd;        /* One byte past the end of usable data */
+  u8 *aDataEnd;        /* One byte past the end of the entire page - not just
+                       ** the usable space, the entire page.  Used to prevent
+                       ** corruption-induced of buffer overflow. */
   u8 *aCellIdx;        /* The cell index area */
   u8 *aDataOfst;       /* Same as aData for leaves.  aData+4 for interior */
   DbPage *pDbPage;     /* Pager page handle */