-C Avoid\sa\sbuffer\soverread\swhen\scomparing\sagainst\sa\scorrupt\srecord\sthat\sspans\sat\sleast\sone\soverflow\spage.
-D 2015-05-26T20:31:20.007
+C A\sdifferent\sapproach\sto\spreventing\sbuffer\soverreads\swhen\scomparing\sa\svector\sof\svalues\swith\sa\scorrupt\sindex\srecord\sthat\sspans\sat\sleast\sone\soverflow\spage.
+D 2015-05-27T14:21:05.738
F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
F Makefile.in 3feb7cbdad8898fe7a8a24355b4a753029c3ec3b
F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
F src/backup.c ff743689c4d6c5cb55ad42ed9d174b2b3e71f1e3
F src/bitvec.c 5eb7958c3bf65210211cbcfc44eff86d0ded7c9d
F src/btmutex.c 45a968cc85afed9b5e6cf55bf1f42f8d18107f79
-F src/btree.c 51cafeb18184dcb46285120d5574da6e19c58362
+F src/btree.c 9c72a5a277ade34bc0f7137bfbad878f8f9011d7
F src/btree.h 969adc948e89e449220ff0ff724c94bb2a52e9f1
F src/btreeInt.h 973a22a6fd61350b454ad614832b1f0a5e25a1e4
F src/build.c 9552e7490b0310a8c73fcf3a0c36e7624789d8df
F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P b4a45d3b78fede2433ac18f20b1ab7bddee77059
-R f36cc3a04ab23b9a0c27493daaf0c4c0
+P 62a5b3633a086694ef0e579a0a82322cb1ae3d60
+R 38a24026d1368e2f6d8990260ef6671e
+T *branch * avoid-buffer-overread
+T *sym-avoid-buffer-overread *
+T -sym-trunk *
U dan
-Z 4ff3966eaffa78ba4bc7061be84a775f
+Z 60a303fb04c489d11c0663122f3a72f3
-62a5b3633a086694ef0e579a0a82322cb1ae3d60
\ No newline at end of file
+7e9e1b6123bc455dd7d1c894b6154ccd27acec18
\ No newline at end of file
/* The record flows over onto one or more overflow pages. In
** this case the whole cell needs to be parsed, a buffer allocated
** and accessPayload() used to retrieve the record into the
- ** buffer before VdbeRecordCompare() can be called. An extra
- ** byte of zeroed padding is allocated at the end of the buffer,
- ** as this stops the record-compare routines from reading past
- ** the end of the buffer if the record is corrupt. */
+ ** buffer before VdbeRecordCompare() can be called.
+ **
+ ** If the record is corrupt, the xRecordCompare routine may read
+ ** up to two varints past the end of the buffer. An extra 18
+ ** bytes of padding is allocated at the end of the buffer in
+ ** case this happens. */
void *pCellKey;
u8 * const pCellBody = pCell - pPage->childPtrSize;
btreeParseCellPtr(pPage, pCellBody, &pCur->info);
nCell = (int)pCur->info.nKey;
- pCellKey = sqlite3Malloc( nCell+1 );
+ testcase( nCell<0 );
+ if( nCell<2 ){
+ rc = SQLITE_CORRUPT_BKPT;
+ goto moveto_finish;
+ }
+ pCellKey = sqlite3Malloc( nCell+18 );
if( pCellKey==0 ){
rc = SQLITE_NOMEM;
goto moveto_finish;
}
pCur->aiIdx[pCur->iPage] = (u16)idx;
rc = accessPayload(pCur, 0, nCell, (unsigned char*)pCellKey, 2);
- ((unsigned char *)pCellKey)[nCell] = 0;
if( rc ){
sqlite3_free(pCellKey);
goto moveto_finish;
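Review bot: The 18 bytes of padding that replace the single zeroed byte are left uninitialized, because the old `((unsigned char *)pCellKey)[nCell] = 0;` is dropped and sqlite3Malloc (unlike sqlite3MallocZero) does not clear its result; the comment above says xRecordCompare may read up to two varints into that padding, so on a corrupt record the comparison now depends on stale heap contents instead of a fixed value, which makes the outcome non-deterministic and will show up as uninitialized-read reports under Valgrind or MSan even though it is no longer an out-of-bounds read. Clearing the padding right after the allocation succeeds, `memset(((unsigned char*)pCellKey)+nCell, 0, 18);`, keeps the new bound and the old deterministic behaviour. The threshold on the new `if( nCell<2 )` line is also undocumented; a comment such as `/* smallest legal index key: 1-byte header-size varint plus one serial-type byte */` would record why 2 is the limit, if that is the intended reason, and the bare 18 would read better tied to the "two 9-byte varints" it stands for. The enclosing function starts and ends outside the hunk.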