Fix a potential buffer overread in the dbstat virtual table when processing
authordrh <drh@noemail.net>
Tue, 13 Nov 2018 20:21:52 +0000 (20:21 +0000)
committerdrh <drh@noemail.net>
Tue, 13 Nov 2018 20:21:52 +0000 (20:21 +0000)
a corrupt database file.

FossilOrigin-Name: a62e6b593b59eae44d299842a4d02b9346a0c72a3e1206882f304ab40f2cd5c5

manifest
manifest.uuid
src/dbstat.c

index cf13926f0325ed4c8682ee11b172eb2e65a1aa67..d563673ceed0fddf532bcc800f0f3ab68cb7ff6f 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Turn\son\sASAN\sfor\sthe\sdbfuzz2\sutility.\s\sFix\sa\sbuffer\soverread\sassociated\nwith\ssqlite3_deserialize().
-D 2018-11-13T19:51:41.357
+C Fix\sa\spotential\sbuffer\soverread\sin\sthe\sdbstat\svirtual\stable\swhen\sprocessing\na\scorrupt\sdatabase\sfile.
+D 2018-11-13T20:21:52.241
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in b730006b54c990461d864c5387f2e6f13aadb0236804555fb010ed6865a5f058
@@ -456,7 +456,7 @@ F src/complete.c a3634ab1e687055cd002e11b8f43eb75c17da23e
 F src/ctime.c 109e58d00f62e8e71ee1eb5944ac18b90171c928ab2e082e058056e1137cc20b
 F src/date.c ebe1dc7c8a347117bb02570f1a931c62dd78f4a2b1b516f4837d45b7d6426957
 F src/dbpage.c cfa87c8a9e3b5267a72faa3a592a497cd3810146c056c53a3472caf763c8556b
-F src/dbstat.c 9ad3f2d9d19a915d414870b9405b19493eed41975f3ad0d13f70fdd0831853b4
+F src/dbstat.c d54c2449d03f7d8a2e11a18f50364520ae1e364457fddb5e4dd79450bad428a0
 F src/delete.c cec65c0e74be7492cafba1b77580732b0b1a41a4dbc4ac70909ac44b65b2a20b
 F src/expr.c 9aacc0b72348ba90010b672dcbbbe2fa56e1182043bc917a3a147b2bc57a5497
 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007
@@ -1778,7 +1778,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P f9755f81b1c0fd29f242dce78a2fba570fa2714d76e93b8563f426a040352513
-R 98a6d1adc30b12dd5c82022baece83c9
+P 4e38f27b55030e908bd36f32101e26b30f10dbde67e12c8197d0363ee12aa06d
+R a67b2811aa07e1e1e0992fd02687f209
 U drh
-Z 74a6937661c8cfdeda0ca01cd02a14d0
+Z 582daefcbaa8d9f654e4fc231aaea0cb
index 9d2e0dae3d376d6cdc9b7ba03d8d2bfabff6099e..d71ad82a9489b25ff1d93ea4ef61f523dd846ec9 100644 (file)
@@ -1 +1 @@
-4e38f27b55030e908bd36f32101e26b30f10dbde67e12c8197d0363ee12aa06d
\ No newline at end of file
+a62e6b593b59eae44d299842a4d02b9346a0c72a3e1206882f304ab40f2cd5c5
\ No newline at end of file
index a2c6fe08949455c43a5861913ea0d3511834aa7f..e49ace11f30f811b49fa5e2ed1e973dc49eff5e0 100644 (file)
@@ -397,6 +397,7 @@ static int statDecodePage(Btree *pBt, StatPage *p){
         if( nPayload>(u32)nLocal ){
           int j;
           int nOvfl = ((nPayload - nLocal) + nUsable-4 - 1) / (nUsable - 4);
+          if( iOff+nLocal>nUsable ) goto statPageIsCorrupt;
           pCell->nLastOvfl = (nPayload-nLocal) - (nOvfl-1) * (nUsable-4);
           pCell->nOvfl = nOvfl;
           pCell->aOvfl = sqlite3_malloc64(sizeof(u32)*nOvfl);
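Review bot: The new bound on the line after the nOvfl computation only guarantees that the local payload ends inside the usable area, not that the overflow-page pointer that follows it does; if the code after this hunk reads a 4-byte page number at aData[iOff+nLocal] (which the nOvfl/aOvfl setup strongly suggests), a cell with iOff+nLocal in (nUsable-4, nUsable] still passes the check and the read runs up to 3 bytes past the page buffer, so the guard should be `if( iOff+nLocal+4>nUsable ) goto statPageIsCorrupt;`. The check is also placed one line too late to protect the nOvfl expression on the preceding line, which divides by nUsable-4 and can overflow or wrap for a hostile nPayload; moving the corruption check above that line, and rejecting implausibly large nPayload there as well, would keep both operations on validated input. The sqlite3_malloc64() result on the last line is not checked within the hunk; if the null check is not immediately after it, pCell->aOvfl[0] is written through a null pointer on allocation failure. statDecodePage begins before and continues after this hunk, so the read that the guard must cover is not visible here.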