From: drh <>
Date: Thu, 2 Oct 2025 19:19:40 +0000 (+0000)
Subject: Harden the debugging vtab "delta_parse()" which is part of the
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d9ec8b2eef4dd5b054fcfd4140f0fd3317c7b38;p=thirdparty%2Fsqlite.git
Harden the debugging vtab "delta_parse()" which is part of the ext/misc/fossildelta.c extension against malicious inputs. [forum:/forumpost/be139437c3|forum post be139437c3].
FossilOrigin-Name: 4be6deee646f2c0f591ba81f902182ca9302050a7fb2729c7f64981307058b8b
---
diff --git a/ext/misc/fossildelta.c b/ext/misc/fossildelta.c
index 9f81270d7b..903631db06 100644
--- a/ext/misc/fossildelta.c
+++ b/ext/misc/fossildelta.c
@@ -868,11 +868,21 @@ static int deltaparsevtabNext(sqlite3_vtab_cursor *cur){
 int i = 0;
 pCur->iCursor = pCur->iNext;
+ if( pCur->iCursor >= pCur->nDelta ){
+ pCur->eOp = DELTAPARSE_OP_ERROR;
+ pCur->iNext = pCur->nDelta;
+ return SQLITE_OK;
+ }
 z = pCur->aDelta + pCur->iCursor;
- pCur->a1 = deltaGetInt(&z, &i);
+ pCur->a2 = deltaGetInt(&z, &i);
 switch( z[0] ){
 case '@': {
 z++;
+ if( pCur->iNext>=pCur->nDelta ){
+ pCur->eOp = DELTAPARSE_OP_ERROR;
+ pCur->iNext = pCur->nDelta;
+ break;
+ }
 pCur->a2 = deltaGetInt(&z, &i);
 pCur->eOp = DELTAPARSE_OP_COPY;
 pCur->iNext = (int)(&z[1] - pCur->aDelta);
@@ -926,8 +936,12 @@ static int deltaparsevtabColumn(
 if( pCur->eOp==DELTAPARSE_OP_COPY ){
 sqlite3_result_int(ctx, pCur->a2);
 }else if( pCur->eOp==DELTAPARSE_OP_INSERT ){
- sqlite3_result_blob(ctx, pCur->aDelta+pCur->a2, pCur->a1,
- SQLITE_TRANSIENT);
+ if( pCur->a2 + pCur->a1 > pCur->nDelta ){
+ sqlite3_result_zeroblob(ctx, pCur->a1);
+ }else{
+ sqlite3_result_blob(ctx, pCur->aDelta+pCur->a2, pCur->a1,
+ SQLITE_TRANSIENT);
+ }
 }
 break;
 }
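Review bot: The guard added inside `case '@'`, `if( pCur->iNext>=pCur->nDelta )`, cannot fire: `pCur->iNext` was copied into `pCur->iCursor` at the top of the function and any value `>= nDelta` already returned there, and nothing between the two checks changes `iNext`, so the second `deltaGetInt` still runs with no bound on a delta that ends right after the `@`. The test should be on how far `z` has advanced, e.g. `if( (int)(z - pCur->aDelta) >= pCur->nDelta ){`, and the same bound is needed around the first `deltaGetInt` unless that helper stops at `nDelta` by itself (its body is not in this hunk). Separately, as printed the first integer is now stored in `pCur->a2` rather than `pCur->a1`, so `a1` is never assigned for this row and `a2` is overwritten by the second integer in the COPY branch; if that is what the commit does rather than an artifact of the page, xColumn's use of `a1` as the INSERT length reads a stale field. deltaparsevtabNext continues beyond the end of this hunk.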
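Review bot: The new bound `pCur->a2 + pCur->a1 > pCur->nDelta` adds two values parsed from attacker-controlled delta text in signed `int`, so a large enough `a1` wraps the sum negative, the test passes, and `sqlite3_result_blob` reads past the end of `aDelta`, the very overrun this commit is meant to close. Use the subtraction form, `if( pCur->a1<0 || pCur->a2<0 || pCur->a1 > pCur->nDelta - pCur->a2 ){`, which cannot overflow once both operands are known non-negative; this assumes the three fields are `int`, as passing `a1` as `sqlite3_result_blob`'s length argument suggests. A one-line comment on the zeroblob branch, `/* claimed length runs off the end of a malformed delta: emit a zero blob of that size rather than read past aDelta */`, would record why the row is kept instead of being turned into an error. deltaparsevtabColumn begins before this hunk.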
@@ -955,7 +969,7 @@ static int deltaparsevtabRowid(sqlite3_vtab_cursor *cur, sqlite_int64 *pRowid){
 */
 static int deltaparsevtabEof(sqlite3_vtab_cursor *cur){
 deltaparsevtab_cursor *pCur = (deltaparsevtab_cursor*)cur;
- return pCur->eOp==DELTAPARSE_OP_EOF;
+ return pCur->eOp==DELTAPARSE_OP_EOF || pCur->iCursor>=pCur->nDelta;
 }
 /*
diff --git a/manifest b/manifest
index f779a911b5..fef469a565 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C In\sthe\s".open"\scommand\sof\sthe\sCLI\sif\susing\sthe\s--new\soption\swith\sa\sURI\nfilename,\sthen\sdecode\sthe\sURI\sto\sextract\sthe\sactual\sfilename\sprior\sto\ntrying\sto\sdelete\sthat\sfile.
-D 2025-10-02T18:31:19.026
+C Harden\sthe\sdebugging\svtab\s"delta_parse()"\swhich\sis\spart\sof\sthe\next/misc/fossildelta.c\sextension\sagainst\smalicious\sinputs.\n[forum:/forumpost/be139437c3|forum\spost\sbe139437c3].
+D 2025-10-02T19:19:40.709
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -374,7 +374,7 @@ F ext/misc/decimal.c 96a0ccd0b5f28720271d8e4409066ad4e2804d6987a9c1042016774dded
 F ext/misc/eval.c 04bc9aada78c888394204b4ed996ab834b99726fb59603b0ee3ed6e049755dc1
 F ext/misc/explain.c 606100185fb90d6a1eade1ed0414d53503c86820d8956a06e3b0a56291894f2b
 F ext/misc/fileio.c 88cb2e5744296de6638af02ef6349fd468c2eb5e5f41ba405f88d9b4ad500f8e
-F ext/misc/fossildelta.c 0aeb099e9627eea693cf21ae47826ecd1e0319b93143bed23090838b2ef0c162
+F ext/misc/fossildelta.c eed1d4c2277e067eed95bfc42a30fd68452d0974f43da04c37241101e2751f6b
 F ext/misc/fuzzer.c 6b231352815304ba60d8e9ec2ee73d4918e74d9b76bda8940ba2b64e8777515e
 F ext/misc/ieee754.c 176c061c94857b543313959289cb60cf777c999fd002f82b53d194b95e9f347a
 F ext/misc/memstat.c 43705d795090efb78c85c736b89251e743c291e23daaa8382fe7a0df2c6a283d
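Review bot: With the new `pCur->iCursor>=pCur->nDelta` clause, the row that the guard at the top of xNext produces when the cursor lands exactly on `nDelta` (it sets `eOp = DELTAPARSE_OP_ERROR`) is never reported, because xEof now answers true for that position; that is the right outcome for a delta whose final row leaves `iNext` at `nDelta`, but the ERROR label in xNext then misstates what happens, and `pCur->eOp = DELTAPARSE_OP_EOF;` there would say what the two changes together mean. A short comment above the return, `/* end of rows: the parser reported EOF, or the cursor has run off the end of the delta, where xNext's first guard leaves it after the last row */`, would make that coupling visible. ERROR rows set later in xNext's switch are still visible, since `iCursor` is only assigned at the top and has already passed the `< nDelta` check by then, as far as the other hunk shows.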
@@ -2169,8 +2169,8 @@ F tool/version-info.c 3b36468a90faf1bbd59c65fd0eb66522d9f941eedd364fabccd7227350
 F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee87c1b31a7
 F tool/warnings.sh 1ad0169b022b280bcaaf94a7fa231591be96b514230ab5c98fbf15cd7df842dd
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 2971d7470110fcd43bdc8ad5d09d1f2f63f5a3bccda41810948a683e310ad908
-R 336d33ed228557f8a4572eff7757820f
+P 14ee3c1f03de274e5fa1efb471816a0001762623614253c24d58f41ea6af0628
+R 67844bc5f78215cc27118210335082c1
 U drh
-Z 771c3346d655dc279ea944b772a8bb1f
+Z d1e9c075a08331b3b4810f0a951a73b6
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index ec565c95f4..d373c46595 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-14ee3c1f03de274e5fa1efb471816a0001762623614253c24d58f41ea6af0628
+4be6deee646f2c0f591ba81f902182ca9302050a7fb2729c7f64981307058b8b