Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread....

FossilOrigin-Name: daef5869f4d62ebb24eb03b79fe4be0812fa0496

diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 8e2fb35f0f99efbf57c42dccfa24b028a040c67c..7f9a931b022c3ce893485ad5be7d984c20cd9457 100644 (file)
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -698,6 +698,7 @@ static Fts5Data *fts5DataRead(Fts5Index *p, i64 iRowid){
   return pRet;
 }
 
+
 /*
 ** Release a reference to data record returned by an earlier call to
 ** fts5DataRead().
@@ -2154,6 +2155,10 @@ static void fts5LeafSeek(
   iPgidx = szLeaf;
   iPgidx += fts5GetVarint32(&a[iPgidx], iTermOff);
   iOff = iTermOff;
+  if( iOff>n ){
+    p->rc = FTS5_CORRUPT;
+    return;
+  }
 
   while( 1 ){
 

diff --git a/manifest b/manifest
index afbce79f63c0630f9f2711bd675af242e170eedf..329486cbd8443752f4a5458528d43b10407673f9 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\san\sfts5\sproblem\scausing\s'optimize'\sto\scorrupt\sthe\sfts\sindex\sunder\ssome\scircumstances.\sCherrypick\sof\s[251d6473f7].
-D 2016-03-01T14:50:55.628
+C Fix\sa\sproblem\sin\sfts5\swhere\sa\scorrupt\sdb\scould\slead\sto\sa\s(huge)\sbuffer\soverread.\sCherrypick\sof\s[c9a30e117f].
+D 2016-03-01T14:51:36.262
 F Makefile.in 4e90dc1521879022aa9479268a4cd141d1771142
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc 30f075dc4f27a07abb76088946b2944178d85347
@@ -104,7 +104,7 @@ F ext/fts5/fts5_buffer.c 4c1502d4c956cd092c89ce4480867f9d8bf325cd
 F ext/fts5/fts5_config.c 35c5173cae4eb17e82164a7f5aeef56a48903079
 F ext/fts5/fts5_expr.c 8e8e4635f655133eb39018072fc0f0942a2c4337
 F ext/fts5/fts5_hash.c f3a7217c86eb8f272871be5f6aa1b6798960a337
-F ext/fts5/fts5_index.c a32f4059b48ee800a94e8a286bf953d67b75185e
+F ext/fts5/fts5_index.c ecc70368618c6bae4bb59124abc343c02634ad0c
 F ext/fts5/fts5_main.c db24ac714c6c4a1b3c24a1f8c25889f2952148c1
 F ext/fts5/fts5_storage.c f8343db90d8c95a4d4b52f6676e354b4649ffd6e
 F ext/fts5/fts5_tcl.c f8731e0508299bd43f1a2eff7dbeaac870768966
@@ -1427,8 +1427,8 @@ F tool/vdbe_profile.tcl 246d0da094856d72d2c12efec03250d71639d19f
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh ef6ebc6fd8d2dc35db3b622015c16a023d4fef4f
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P ce0f1ed517e387ca6a687b805088d7c529cd257b
-Q +251d6473f7c9ad95adbdcc49cb8eaf7c0956764b
-R 5f7a25988e6c8801d10d40ebf8cc999a
+P 5b1b7ab5d67f3d691e52ba57dbc14c52d90c6631
+Q +c9a30e117f2c6c9ef0cc0c6ca5227d2961715b8f
+R 9e1a768531e15f702b1609ee77fd97cc
 U dan
-Z 645a7ae1e10094786fc6e926b7bb55a9
+Z 25f98900ae0232bf213e8bdd46c5ac6f

diff --git a/manifest.uuid b/manifest.uuid
index ef13a6ec43f861da26556fa35c894bc1c7bdcf17..45cc164a6f28e588339440e25f01615044653251 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-5b1b7ab5d67f3d691e52ba57dbc14c52d90c6631
\ No newline at end of file
+daef5869f4d62ebb24eb03b79fe4be0812fa0496
\ No newline at end of file