Avoid exceeding array bounds when reading a corrupt database file in
authordrh <drh@noemail.net>
Tue, 17 May 2011 15:21:56 +0000 (15:21 +0000)
committerdrh <drh@noemail.net>
Tue, 17 May 2011 15:21:56 +0000 (15:21 +0000)
autovacuum mode.  Fixes a problem discovered by John Regehr and Peng Li
using a customized clang compiler.

FossilOrigin-Name: f7c525f5fc31e909721df2b1e66fc62dfb105718

manifest
manifest.uuid
src/btree.c

index 5d38b63563c797b66a332a0a49147379b305f459..0cb8889843f051deaf08cf9f77cdec7f57ee76e6 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Avoid\sincluding\sfts3_term.c\sin\sthe\samalgamation,\sas\sit\scontains\stest\scode\sonly.
-D 2011-05-17T14:41:36.521
+C Avoid\sexceeding\sarray\sbounds\swhen\sreading\sa\scorrupt\sdatabase\sfile\sin\nautovacuum\smode.\s\sFixes\sa\sproblem\sdiscovered\sby\sJohn\sRegehr\sand\sPeng\sLi\nusing\sa\scustomized\sclang\scompiler.
+D 2011-05-17T15:21:56.657
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 11dcc00a8d0e5202def00e81732784fb0cc4fe1d
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -122,7 +122,7 @@ F src/auth.c 523da7fb4979469955d822ff9298352d6b31de34
 F src/backup.c 986c15232757f2873dff35ee3b35cbf935fc573c
 F src/bitvec.c af50f1c8c0ff54d6bdb7a80e2fceca5a93670bef
 F src/btmutex.c 976f45a12e37293e32cae0281b15a21d48a8aaa7
-F src/btree.c 26f8a9d6169413c5682b89b5397d20437b653154
+F src/btree.c 975ad691a57eb1fb60f1ec76ad0b6571eace62f9
 F src/btree.h f5d775cd6cfc7ac32a2535b70e8d2af48ef5f2ce
 F src/btreeInt.h 67978c014fa4f7cc874032dd3aacadd8db656bc3
 F src/build.c 0132bc6631fa617a1d28ef805921f6dbac18a514
@@ -936,7 +936,7 @@ F tool/speedtest8.c 2902c46588c40b55661e471d7a86e4dd71a18224
 F tool/speedtest8inst1.c 293327bc76823f473684d589a8160bde1f52c14e
 F tool/split-sqlite3c.tcl d9be87f1c340285a3e081eb19b4a247981ed290c
 F tool/vdbe-compress.tcl d70ea6d8a19e3571d7ab8c9b75cba86d1173ff0f
-P db7e500f69faf1906a84991ba67d26a195f02ae5
-R ae580e6a17ad522b073057ba8349f079
-U dan
-Z c7b8c78d63b81a588c33ebb0305a0680
+P f392b7ae0266b4c694836583cb91b10f2b6c0752
+R cf53219bce3a7dbccc0e0612301125fc
+U drh
+Z 6f0c0bbdb12e972d7467056dbeea9264
index 608d6308f7379b0363e825aeea506fb968bde4f8..7f322c90bc8eba326f768fade6510c707915e622 100644 (file)
@@ -1 +1 @@
-f392b7ae0266b4c694836583cb91b10f2b6c0752
\ No newline at end of file
+f7c525f5fc31e909721df2b1e66fc62dfb105718
\ No newline at end of file
index d021893241bd66fc6af003da935712af31156cf8..df75053743a620ef022619f4a8d03bb38b9ada7d 100644 (file)
@@ -788,6 +788,7 @@ static void ptrmapPut(BtShared *pBt, Pgno key, u8 eType, Pgno parent, int *pRC){
     *pRC = SQLITE_CORRUPT_BKPT;
     goto ptrmap_exit;
   }
+  assert( offset <= (int)pBt->usableSize-5 );
   pPtrmap = (u8 *)sqlite3PagerGetData(pDbPage);
 
   if( eType!=pPtrmap[offset] || get4byte(&pPtrmap[offset+1])!=parent ){
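Review bot: The added `assert( offset <= (int)pBt->usableSize-5 )` documents the upper bound on the ptrmap index but is compiled out in NDEBUG builds, so a release build still relies on `PTRMAP_PTROFFSET` never exceeding that bound; the same holds for the identical assert added in the ptrmapGet hunk below. If the bound holds by construction of iPtrmap, a comment saying so would explain why only a negative offset needs a runtime corruption check, e.g. `/* offset is bounded above by how iPtrmap is derived from key; only a negative offset can arise from a corrupt file */`. If that is not guaranteed for every corrupt input, the bound belongs in the runtime check rather than the assert: `if( offset<0 || offset>(int)pBt->usableSize-5 ){ *pRC = SQLITE_CORRUPT_BKPT; goto ptrmap_exit; }`. The `*pRC = SQLITE_CORRUPT_BKPT; goto ptrmap_exit;` lines just above appear to be that existing negative-offset check, but its condition is outside the hunk, as are the start and end of ptrmapPut.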
@@ -827,6 +828,11 @@ static int ptrmapGet(BtShared *pBt, Pgno key, u8 *pEType, Pgno *pPgno){
   pPtrmap = (u8 *)sqlite3PagerGetData(pDbPage);
 
   offset = PTRMAP_PTROFFSET(iPtrmap, key);
+  if( offset<0 ){
+    sqlite3PagerUnref(pDbPage);
+    return SQLITE_CORRUPT_BKPT;
+  }
+  assert( offset <= (int)pBt->usableSize-5 );
   assert( pEType!=0 );
   *pEType = pPtrmap[offset];
   if( pPgno ) *pPgno = get4byte(&pPtrmap[offset+1]);
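Review bot: The new `if( offset<0 )` rejection in ptrmapGet has no comment saying what condition it reflects, so a reader sees only an unref and a corruption return. A one-line comment such as `/* A negative offset means key does not belong to ptrmap page iPtrmap; only a corrupt file can produce this */` (hedged to however iPtrmap is actually derived, which is outside the hunk) would make the intent clear. It would also help to note why the asserted bound is `usableSize-5`: the two lines below read one type byte at `pPtrmap[offset]` and four bytes via `get4byte(&pPtrmap[offset+1])`, so a five-byte entry must fit entirely within the usable page. ptrmapGet starts and ends outside the hunk.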