Fix a buffer overread in the sessions extension that could occur when
authordrh <>
Tue, 5 Aug 2025 19:36:05 +0000 (19:36 +0000)
committerdrh <>
Tue, 5 Aug 2025 19:36:05 +0000 (19:36 +0000)
processing a corrupt changeset.

FossilOrigin-Name: 5833174c9df7df2307718c2d01c3c766deef24290f34f8b8016952b9604fc31e

ext/session/sqlite3session.c
manifest
manifest.uuid

index 67940884949c060542d4cca72f116ad2870c53e1..e3aabeb3ac31657274bece13937f9bec4017de5b 100644 (file)
@@ -3235,15 +3235,19 @@ static int sessionReadRecord(
         }
       }
       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
-        sqlite3_int64 v = sessionGetI64(aVal);
-        if( eType==SQLITE_INTEGER ){
-          sqlite3VdbeMemSetInt64(apOut[i], v);
+        if( (pIn->nData-pIn->iNext)<8 ){
+          rc = SQLITE_CORRUPT_BKPT;
         }else{
-          double d;
-          memcpy(&d, &v, 8);
-          sqlite3VdbeMemSetDouble(apOut[i], d);
+          sqlite3_int64 v = sessionGetI64(aVal);
+          if( eType==SQLITE_INTEGER ){
+            sqlite3VdbeMemSetInt64(apOut[i], v);
+          }else{
+            double d;
+            memcpy(&d, &v, 8);
+            sqlite3VdbeMemSetDouble(apOut[i], d);
+          }
+          pIn->iNext += 8;
         }
-        pIn->iNext += 8;
       }
     }
   }
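Review bot: The new length check in the `SQLITE_INTEGER`/`SQLITE_FLOAT` branch ships without a regression test: the commit's file list shows only `ext/session/sqlite3session.c`, `manifest` and `manifest.uuid`. A test under `ext/session` that feeds a changeset ending partway through an integer or float value would pin the `SQLITE_CORRUPT` result and guard against the check being lost in a later refactor. The literal `8` now appears three times (the guard, the `memcpy`, and `pIn->iNext += 8`), so a short comment above the guard such as `/* integer/float values occupy 8 bytes; a corrupt changeset may end before them */` would tie them together. The body of `sessionReadRecord` starts and ends outside this hunk, so it cannot be confirmed from here that the enclosing loop stops once `rc` is set, or that `aVal` is not read elsewhere before this check.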
index 82984e2150e9fad582028368c4f0ebf23d961d6a..d7cdcfe90f0c004e6db210eca38a5595920656ab 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sproblem\swith\san\sfts5\ssecure-delete\son\sa\srowid/term\spair\sthat\sfollows\sa\slegacy\sdelete\sof\sthe\ssame\spair.
-D 2023-10-12T20:03:26.613
+C Fix\sa\sbuffer\soverread\sin\sthe\ssessions\sextension\sthat\scould\soccur\swhen\nprocessing\sa\scorrupt\schangeset.
+D 2025-08-05T19:36:05.591
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -473,7 +473,7 @@ F ext/session/sessionrowid.test 85187c2f1b38861a5844868126f69f9ec62223a03449a98a
 F ext/session/sessionsize.test 8fcf4685993c3dbaa46a24183940ab9f5aa9ed0d23e5fb63bfffbdb56134b795
 F ext/session/sessionstat1.test b039e38e2ba83767b464baf39b297cc0b1cc6f3292255cb467ea7e12d0d0280c
 F ext/session/sessionwor.test 6fd9a2256442cebde5b2284936ae9e0d54bde692d0f5fd009ecef8511f4cf3fc
-F ext/session/sqlite3session.c e50a9218ee360db0a25298adc6614162d80ebe65d3f6a5b0a021e0902f6536a1
+F ext/session/sqlite3session.c 85cef207b58ac8ec014394e970ff1d177446523a9f829fce74157bbbdd3e6ebf
 F ext/session/sqlite3session.h 653e9d49c4edae231df8a4c8d69c2145195aedb32462d4b44229dbee7d2680fb
 F ext/session/test_session.c 5285482f83cd92b4c1fe12fcf88210566a18312f4f2aa110f6399dae46aeccbb
 F ext/userauth/sqlite3userauth.h 7f3ea8c4686db8e40b0a0e7a8e0b00fac13aa7a3
@@ -2070,9 +2070,9 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P cc0f82a480a400c670ae1d4193007640056bd545aed75613c088d5869a3fc817
-Q +579aea0c28e01a79620ac758edc02db3a01baaa073e7773b8f0b6f610479520b
-R b7a5408321af10b9c9e549cedd295741
-U dan
-Z ab0fdc1c5a4c27f598bdf219b81ee1e7
+P f5913e763290043cb0243fc4a9a6c1f56520f291f05e072fd86ceab560985958
+Q +6009c871a48555efd2451b8b44d441548b9bdbc71141a52b81c1f4c7d99d3790
+R 7e84bc1255a0f48a20030d0c06647029
+U drh
+Z d18ae482dcbf8064951357af9452d63a
 # Remove this line to create a well-formed Fossil manifest.
index 8698f096a8d20258fe0660cde35673cd556d417e..cab6fd20191d209f7a43f77fc2fe3cee402962fa 100644 (file)
@@ -1 +1 @@
-f5913e763290043cb0243fc4a9a6c1f56520f291f05e072fd86ceab560985958
\ No newline at end of file
+5833174c9df7df2307718c2d01c3c766deef24290f34f8b8016952b9604fc31e