Add checks to make sure cells in corrupt database files
authordrh <drh@noemail.net>
Wed, 31 Aug 2011 13:27:19 +0000 (13:27 +0000)
committerdrh <drh@noemail.net>
Wed, 31 Aug 2011 13:27:19 +0000 (13:27 +0000)
do not overflow a page when doing autovacuum.
Problem detected by valgrind.

FossilOrigin-Name: d0b347b412376d22e9f0770ac083dafb5e480dd0

manifest
manifest.uuid
src/btree.c

index fdf9ba1effe102f41ec58a4f419b80604395279e..4c460d652a676e826446f95614d361e1230178a0 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Enable\sthe\sthread\stest\slogic\sto\swork\swith\sthe\sSQLITE_HAS_CODEC\scompile-time\noption.
-D 2011-08-30T19:52:32.227
+C Add\schecks\sto\smake\ssure\scells\sin\scorrupt\sdatabase\sfiles\s\ndo\snot\soverflow\sa\spage\swhen\sdoing\sautovacuum.\nProblem\sdetected\sby\svalgrind.
+D 2011-08-31T13:27:19.588
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in d314143fa6be24828021d3f583ad37d9afdce505
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -124,7 +124,7 @@ F src/auth.c 523da7fb4979469955d822ff9298352d6b31de34
 F src/backup.c 28a4fe55327ff708bfaf9d4326d02686f7a553c3
 F src/bitvec.c af50f1c8c0ff54d6bdb7a80e2fceca5a93670bef
 F src/btmutex.c 976f45a12e37293e32cae0281b15a21d48a8aaa7
-F src/btree.c bd89d604a532063da8ed1a095f1805db49896325
+F src/btree.c 4a2856b3bde9959986a7b9327841b3ff94023784
 F src/btree.h 9ddf04226eac592d4cc3709c5a8b33b2351ff5f7
 F src/btreeInt.h 67978c014fa4f7cc874032dd3aacadd8db656bc3
 F src/build.c 2d5de52df616a3bf5a659cbca85211c46e2ba9bd
@@ -961,7 +961,7 @@ F tool/symbols.sh caaf6ccc7300fd43353318b44524853e222557d5
 F tool/tostr.awk 11760e1b94a5d3dcd42378f3cc18544c06cfa576
 F tool/vdbe-compress.tcl d70ea6d8a19e3571d7ab8c9b75cba86d1173ff0f
 F tool/warnings.sh b7fdb2cc525f5ef4fa43c80e771636dd3690f9d2
-P f1bd5bbae505068d24bfd9cc6bab6a8b8940bad6
-R 6d1c7722e8d08f5c9ec39c32c435674d
+P 20ddfb4780b87953718f3a8e67b777dcff0e3b5e
+R 513927bc09bdb01972234dc3d07878fd
 U drh
-Z 883417057169f45a687263a717525500
+Z 7574b78d098e12a356337eb2bfd798e6
index 8b4b3fb8bf6b58634c3feef907317a6b4c369b47..baf170c9f2ba6c078ce8ad901bb0cee96f5c21a3 100644 (file)
@@ -1 +1 @@
-20ddfb4780b87953718f3a8e67b777dcff0e3b5e
\ No newline at end of file
+d0b347b412376d22e9f0770ac083dafb5e480dd0
\ No newline at end of file
index d77fce4c8e10162330347c35ca5be48f19c0aae2..7166b93b9075f43e01983b6b222d5e7d075ee469 100644 (file)
@@ -2754,11 +2754,12 @@ static int modifyPagePointer(MemPage *pPage, Pgno iFrom, Pgno iTo, u8 eType){
       if( eType==PTRMAP_OVERFLOW1 ){
         CellInfo info;
         btreeParseCellPtr(pPage, pCell, &info);
-        if( info.iOverflow ){
-          if( iFrom==get4byte(&pCell[info.iOverflow]) ){
-            put4byte(&pCell[info.iOverflow], iTo);
-            break;
-          }
+        if( info.iOverflow
+         && pCell+info.iOverflow+3<=pPage->aData+pPage->maskPage
+         && iFrom==get4byte(&pCell[info.iOverflow])
+        ){
+          put4byte(&pCell[info.iOverflow], iTo);
+          break;
         }
       }else{
         if( get4byte(pCell)==iFrom ){
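Review bot: The new bound in the `PTRMAP_OVERFLOW1` branch is easy to misread and should carry a comment. `pPage->maskPage` is presumably the page size minus one, so `pCell+info.iOverflow+3<=pPage->aData+pPage->maskPage` requires the last byte of the 4-byte overflow page number to lie inside the page; `/* all 4 bytes of the overflow pointer must lie within the page */` above the condition would say so. The same expression is repeated, inverted, in the clearCell hunk, so a small shared macro or static helper would keep the two checks from drifting apart. A cell that fails the check is skipped silently here, so whether the corruption is reported depends on the not-found handling after the loop, which is outside this hunk and worth confirming.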
@@ -5190,6 +5191,9 @@ static int clearCell(MemPage *pPage, unsigned char *pCell){
   if( info.iOverflow==0 ){
     return SQLITE_OK;  /* No overflow pages. Return without doing anything */
   }
+  if( pCell+info.iOverflow+3 > pPage->aData+pPage->maskPage ){
+    return SQLITE_CORRUPT;  /* Cell extends past end of page */
+  }
   ovflPgno = get4byte(&pCell[info.iOverflow]);
   assert( pBt->usableSize > 4 );
   ovflPageSize = pBt->usableSize - 4;
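Review bot: The new early return in clearCell uses the bare `SQLITE_CORRUPT` code; if the rest of btree.c reports corruption through SQLite's `SQLITE_CORRUPT_BKPT` macro, prefer `return SQLITE_CORRUPT_BKPT;  /* Cell extends past end of page */` so the detection site can be found when debugging a damaged file. The check forms `pCell+info.iOverflow+3` before comparing it, which for a corrupt cell may already point past the page buffer. Comparing offsets avoids that, assuming `pCell` always points into `pPage->aData`: `if( info.iOverflow+3 > (pPage->aData+pPage->maskPage)-pCell ){`. The file list shows no test change, so a regression case with a truncated overflow cell under autovacuum would pin this fix. clearCell's body continues past the end of the hunk.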