Fix a case where a corrupt stat4 record could go unrecognized due to integer overflow.

FossilOrigin-Name: 240a4a48b27a2b1070bba6d7da76a8df8e3f1808e262045d7ad2cf910df08f3d

diff --git a/manifest b/manifest
index fb4e2976156b1706cc0bd3eb19a621e03d818463..b4352e70e41fe72f665edf80d2611ef63b133f5e 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\scomments\slinking\sthe\sassert()\sadded\sin\s[cef4d9e3ba586735]\sto\sthe\splaces\nwhere\sthe\sprecondition\sthat\sthe\sassert()\stests\sare\sactually\srequired.
-D 2024-04-24T11:51:51.477
+C Fix\sa\scase\swhere\sa\scorrupt\sstat4\srecord\scould\sgo\sunrecognized\sdue\sto\sinteger\soverflow.
+D 2024-04-24T14:18:20.595
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -827,7 +827,7 @@ F src/vdbeInt.h 949669dfd8a41550d27dcb905b494f2ccde9a2e6c1b0b04daa1227e2e74c2b2c
 F src/vdbeapi.c 80235ac380e9467fec1cb0883354d841f2a771976e766995f7e0c77f845406df
 F src/vdbeaux.c 6385727adf51a649e4993098870a62c3945fe21dbc0e0fd9013772aff930b8fb
 F src/vdbeblob.c 13f9287b55b6356b4b1845410382d6bede203ceb29ef69388a4a3d007ffacbe5
-F src/vdbemem.c 213bf303826c0ef702e3a2a69dab2309d84b8381b822c6787885859fd7cd4c4e
+F src/vdbemem.c 385c8b89da3b5ef9a468d77a466958aa72ee1212d5cb005f23ec63df1d413054
 F src/vdbesort.c 237840ca1947511fa59bd4e18b9eeae93f2af2468c34d2427b059f896230a547
 F src/vdbetrace.c fe0bc29ebd4e02c8bc5c1945f1d2e6be5927ec12c06d89b03ef2a4def34bf823
 F src/vdbevtab.c 2143db7db0ceed69b21422581f434baffc507a08d831565193a7a02882a1b6a7
@@ -1020,7 +1020,7 @@ F test/corruptH.test 79801d97ec5c2f9f3c87739aa1ec2eb786f96454
 F test/corruptI.test 9d8cbf6214e492abe9e822e759b9751ae336cec0a6fe3ff3b37bfbd8ff9c22ca
 F test/corruptJ.test 4d5ccc4bf959464229a836d60142831ef76a5aa4
 F test/corruptK.test 5b4212fe346699831c5ad559a62c54e11c0611bdde1ea8423a091f9c01aa32af
-F test/corruptL.test 504d90502d9993440226edc355d2275524b89064ea3df5ee5c27f7028ec59d07
+F test/corruptL.test 652fc8ac0763a6fd3eb28b951d481924167b2d9936083bcc68253b2274a0c8fe
 F test/corruptM.test 7d574320e08c1b36caa3e47262061f186367d593a7e305d35f15289cc2c3e067
 F test/corruptN.test 7c099d153a554001b4fb829c799b01f2ea6276cbc32479131e0db0da4efd9cc4
 F test/cost.test cc434a026b1e9d0d98137a147e24e5daf1b1ad09e9ff7da63b34c83ddd136d92
@@ -2185,8 +2185,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 1c0b0345451853846076467831884f951c92ec79476be40ce7f7b766fd2d8fc1
-R 09140f401f2e5de2029c7707ae39c044
-U drh
-Z 19c09d10e1b97b5d9274dbb80f3447f0
+P 6f0e7e195275aeb4aefd9da20348af35e3ef7f0a6b2768a34824daeace16eff1
+R 8aa170676bd507dd4717ebad9ca82758
+U dan
+Z 3e9a5a5005e3601585922bc0e00c59cc
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index fd80c6f25253683db8939af4df833dd416f64cee..1442db0c13ad198a698a3348582e43a7bc4e6d15 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-6f0e7e195275aeb4aefd9da20348af35e3ef7f0a6b2768a34824daeace16eff1
\ No newline at end of file
+240a4a48b27a2b1070bba6d7da76a8df8e3f1808e262045d7ad2cf910df08f3d
\ No newline at end of file

diff --git a/src/vdbemem.c b/src/vdbemem.c
index d0015206d5814992e829d1511dcee68387f8b3b2..8a4011e10fdd849c9b97fcf6bc1165ecc729145c 100644 (file)
--- a/src/vdbemem.c
+++ b/src/vdbemem.c
@@ -1949,10 +1949,10 @@ int sqlite3Stat4Column(
   sqlite3_value **ppVal           /* OUT: Extracted value */
 ){
   u32 t = 0;                      /* a column type code */
-  int nHdr;                       /* Size of the header in the record */
-  int iHdr;                       /* Next unread header byte */
-  int iField;                     /* Next unread data byte */
-  int szField = 0;                /* Size of the current data field */
+  u32 nHdr;                       /* Size of the header in the record */
+  u32 iHdr;                       /* Next unread header byte */
+  i64 iField;                     /* Next unread data byte */
+  u32 szField = 0;                /* Size of the current data field */
   int i;                          /* Column index */
   u8 *a = (u8*)pRec;              /* Typecast byte array */
   Mem *pMem = *ppVal;             /* Write result into this Mem object */

diff --git a/test/corruptL.test b/test/corruptL.test
index cf38764415722241d353833b428d9c643f14f86c..52adf6fd72bb114a9915177fca3094371240f6ac 100644 (file)
--- a/test/corruptL.test
+++ b/test/corruptL.test
@@ -1505,4 +1505,89 @@ do_catchsql_test 19.4 {
   PRAGMA integrity_check;
 } {1 {database disk image is malformed}}
 
+#-------------------------------------------------------------------------
+reset_db
+do_test 18.0 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+.open --hexdb
+| size 20480 pagesize 4096 filename crash-a4150b729051e4.db
+| page 1 offset 0
+|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+|     16: 10 00 01 01 00 40 20 20 00 00 00 00 00 00 00 05   .....@  ........
+|     32: 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 04   ................
+|     48: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00   ................
+|     64: 00 00 00 00 00 00 00 00 00 00 ff f0 00 00 00 00   ................
+|     96: 00 00 00 00 0d 00 00 00 04 0e e5 00 0f c2 0f 75   ...............u
+|    112: 0f 19 0e e5 00 00 00 00 00 00 00 01 00 00 00 00   ................
+|   3808: 00 00 00 00 00 32 04 06 17 17 11 01 4b 69 6e 64   .....2......Kind
+|   3824: 65 78 74 31 61 62 63 74 31 05 43 52 45 41 54 45   ext1abct1.CREATE
+|   3840: 20 49 4e 44 45 58 20 74 31 61 62 63 20 4f 4e 20    INDEX t1abc ON 
+|   3856: 74 31 28 61 2c 62 2c 63 29 5a 03 06 17 25 25 01   t1(a,b,c)Z...%%.
+|   3872: 79 74 61 62 6c 65 73 71 6c 69 74 65 5f 73 74 61   ytablesqlite_sta
+|   3888: 74 34 73 71 6c 69 74 65 5f 73 74 61 74 34 04 43   t4sqlite_stat4.C
+|   3904: 52 45 41 54 45 20 54 41 42 4c 45 20 73 71 6c 69   REATE TABLE sqli
+|   3920: 74 65 5f 73 74 61 74 34 28 74 62 6c 2c 69 64 78   te_stat4(tbl,idx
+|   3936: 2c 6e 65 71 2c 6e 6c 74 2c 6e 64 6c 74 2c 73 61   ,neq,nlt,ndlt,sa
+|   3952: 6d 70 6c 65 29 4b 02 06 17 25 25 01 5b 74 61 62   mple)K...%%.[tab
+|   3968: 6c 65 73 71 6c 69 74 65 5f 73 74 61 74 31 73 71   lesqlite_stat1sq
+|   3984: 6c 69 74 65 5f 73 74 61 74 31 03 43 52 45 41 54   lite_stat1.CREAT
+|   4000: 45 20 54 41 42 4c 45 20 73 71 6c 69 74 65 5f 73   E TABLE sqlite_s
+|   4016: 74 61 74 31 28 74 62 6c 2c 69 64 78 2c 73 74 61   tat1(tbl,idx,sta
+|   4032: 74 29 3c 01 06 17 11 11 01 65 74 61 62 6c 65 74   t)<......etablet
+|   4048: 31 74 31 02 43 52 45 41 54 45 20 54 41 42 4c 45   1t1.CREATE TABLE
+|   4064: 20 74 31 28 61 20 54 45 58 54 2c 20 62 20 49 4e    t1(a TEXT, b IN
+|   4080: 54 2c 20 63 20 49 4e 54 2c 20 64 20 49 4e 54 29   T, c INT, d INT)
+| page 2 offset 4096
+|      0: 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|   4000: 0b 07 05 13 01 01 01 62 63 64 64 06 0b 0c 06 05   .......bcdd.....
+|   4016: 13 02 01 01 64 65 66 01 59 09 0a 0c 05 05 13 03   ....def.Y.......
+|   4032: 01 01 64 65 66 02 6f 08 09 0c 04 05 13 02 01 01   ..def.o.........
+|   4048: 61 62 63 01 59 07 08 0c 03 05 13 02 01 01 87 62   abc.Y..........b
+|   4064: 63 00 ea 06 07 0c 02 05 13 02 01 01 61 62 63 00   c...........abc.
+|   4080: ea 06 06 0b 01 05 13 01 01 01 61 62 63 7b 04 04   ..........abc...
+| page 3 offset 8192
+|      0: 0d 00 00 00 01 0f e0 00 0f e1 00 00 00 00 00 00   ................
+|   4064: 00 1d 01 04 11 17 31 74 31 74 31 61 62 63 31 30   ......1t1t1abc10
+|   4080: 30 30 30 20 35 30 30 30 20 32 30 30 30 20 31 30   000 5000 2000 10
+| page 4 offset 12288
+|      0: 0d 00 00 00 07 0e ac 00 0f d1 0f a0 0f 6f 0f 3e   .............o.>
+|     16: 0f 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|   3744: 00 00 00 00 00 00 00 00 00 00 00 00 2f 07 07 11   ............/...
+|   3760: 17 1b 1b 1b 24 74 31 74 31 61 62 63 32 20 31 20   ....$t1t1abc2 1 
+|   3776: 31 20 31 35 20 36 20 36 20 36 32 20 35 20 36 20   1 15 6 6 62 5 6 
+|   3792: 36 05 13 02 01 01 64 65 66 02 37 08 05 2f 06 07   6.....def.7../..
+|   3808: 11 17 1b 1b 1b 24 74 41 74 31 61 62 63 32 20 31   .....$tAt1abc2 1
+|   3824: 20 31 20 31 35 20 35 20 55 20 35 32 20 34 20 35    1 15 5 U 52 4 5
+|   3840: 20 35 05 13 02 01 01 64 65 66 01 59 09 06 2e 05    5.....def.Y....
+|   3856: 07 11 17 1b 1b 1b 22 74 31 74 31 61 62 63 31 20   .......t1t1abc1 
+|   3872: 31 20 31 20 31 34 20 34 20 34 20 34 31 20 33 20   1 1 14 4 4 41 3 
+|   3888: 34 20 34 08 b3 cd f0 f1 62 63 64 64 06 07 2f 05   4 4.....bcdd../.
+|   3904: 07 11 17 1b 1b 1b 24 74 37 74 31 61 62 63 34 20   ......$t7t1abc4 
+|   3920: 31 20 31 20 31 30 20 33 20 33 20 33 30 20 32 20   1 1 10 3 3 30 2 
+|   3936: 33 20 33 05 13 02 01 01 61 62 63 01 59 07 04 2f   3 3.....abc.Y../
+|   3952: 03 07 11 17 1b 1b 1b 24 74 31 74 31 61 62 63 34   .......$t1t1abc4
+|   3968: 20 32 20 31 20 31 30 20 31 20 32 20 32 30 20 31    2 1 10 1 2 20 1
+|   3984: 20 32 20 32 05 13 02 01 01 61 62 63 00 ea 06 03    2 2.....abc....
+|   4000: 2f 02 07 11 17 1b 1b 1b 24 74 31 74 31 61 62 63   /.......$t1t1abc
+|   4016: 34 20 32 20 31 20 31 30 20 31 20 31 20 31 30 20   4 2 1 10 1 1 10 
+|   4032: 31 20 31 20 31 05 13 02 01 01 61 62 63 00 ea 05   1 1 1.....abc...
+|   4048: 02 2d 01 07 11 17 1b 1b 1b 20 74 31 74 31 61 62   .-....... t1t1ab
+|   4064: 63 34 20 31 20 31 20 31 30 20 30 20 30 1f 30 30   c4 1 1 10 0 0.00
+|   4080: 20 30 20 30 20 30 05 13 01 01 09 61 62 63 7b 04    0 0 0.....abc..
+| page 5 offset 16384
+|      0: 0a 00 00 00 07 0f a8 00 0f f5 00 00 00 00 00 00   ................
+|   4000: 00 00 00 00 00 00 00 00 0c 05 13 02 01 01 64 65   ..............de
+|   4016: 66 02 37 08 05 0c 05 13 02 01 01 64 65 66 01 59   f.7........def.Y
+|   4032: 09 06 0b 05 12 01 01 01 62 63 64 64 06 07 0c 05   ........bcdd....
+|   4048: 13 02 01 01 61 62 63 01 59 07 01 2c 05 13 02 01   ....abc.Y..,....
+|   4064: 01 61 62 63 00 ea 06 03 0c 05 13 02 01 01 61 62   .abc..........ab
+|   4080: 63 00 ea 05 00 00 00 00 00 00 00 00 00 00 00 00   c...............
+| end crash-a4150b729051e4.db
+}]} {}
+
+do_catchsql_test 18.1 {
+  SELECT a FROM t1 WHERE b GLOB b AND b GLOB '0^x]␅6␚xz]';
+} {1 {database disk image is malformed}}
+
 finish_test