From: dan
Date: Mon, 8 Jun 2026 15:20:49 +0000 (+0000)
Subject: Fix a buffer overread that could occur in fts5 when processing corrupt records. Bug...
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=19a2ba1f5b504bef08349e2fd0eb56bc7e6f95af;p=thirdparty%2Fsqlite.git
Fix a buffer overread that could occur in fts5 when processing corrupt records. Bug [bugs:/info/2026-06-08T11:15:52Z | 2026-06-08T11:15:52Z]
FossilOrigin-Name: b07441cfc06b8e6b47a4f4a6e0f5c261da580d5afe82444cc7f42a9f39ea7026
---
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 787003ca38..6bc11c44b1 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -2123,7 +2123,7 @@ static void fts5SegIterReverseNewPage(Fts5Index *p, Fts5SegIter *pIter){
 while( p->rc==SQLITE_OK && pIter->iLeafPgno>pIter->iTermLeafPgno ){
 Fts5Data *pNew;
 pIter->iLeafPgno--;
- pNew = fts5DataRead(p, FTS5_SEGMENT_ROWID(
+ pNew = fts5LeafRead(p, FTS5_SEGMENT_ROWID(
 pIter->pSeg->iSegid, pIter->iLeafPgno
 ));
 if( pNew ){
diff --git a/ext/fts5/test/fts5corruptA.test b/ext/fts5/test/fts5corruptA.test
index ac89366f0f..4334f520ac 100644
--- a/ext/fts5/test/fts5corruptA.test
+++ b/ext/fts5/test/fts5corruptA.test
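Review bot: The switch from fts5DataRead() to fts5LeafRead() on the `pNew = ...` line is the entire fix, but nothing in the hunk records why the unchecked read was unsafe at this call site, so a later cleanup could silently reintroduce it; a comment above the assignment would pin the intent, e.g. `/* Use fts5LeafRead(), not fts5DataRead(): the leaf header (szLeaf vs. nn) must be validated before the reverse scan below trusts it, otherwise a corrupt page can cause an overread. */`. This assumes fts5LeafRead() is the header-validating wrapper around fts5DataRead() and fails by setting p->rc and returning NULL so that `if( pNew )` and the loop condition both stop the scan, which the hunk does not show and is worth confirming against its definition. It may also be worth checking the remaining fts5DataRead() callers that hand a page to the same leaf-walking code, since the same class of overread would apply to any of them. fts5SegIterReverseNewPage() begins before and continues past the hunk.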
@@ -193,5 +193,46 @@ do_catchsql_test 4.6 { ) } {0 4879} +#------------------------------------------------------------------------- +reset_db + +do_execsql_test 5.0 { + CREATE VIRTUAL TABLE t USING fts5(x); + INSERT INTO t(t,rank) VALUES('pgsz', 64); + WITH s(i) AS ( + SELECT 1 UNION ALL SELECT i+1 FROM s WHERE i<80 + ) + INSERT INTO t SELECT 'shared word' || (i%10) || ' shared shared' FROM s; + INSERT INTO t(t) VALUES('optimize'); +} + +set lLeaf [db eval { SELECT id FROM t_data }] +db_save_and_close + +foreach leaf $lLeaf { + db_restore_and_reopen + set leaf [expr $leaf] + set hex [db one { + SELECT hex(block) FROM t_data WHERE id=$leaf + }] + + # Replace the first 4 bytes of each leaf page with the size of the leaf in + # bytes plus 50 as a 2 byte integer, followed by 0x7FFF. + # + set nn [expr [string length $hex]/2] + set first "[format %.4x [expr $nn+50]]7FFF" + set hex [string replace $hex 0 7 $first] + + db eval { UPDATE t_data SET block=unhex($hex) WHERE id=$leaf } + do_test 5.1.$leaf { + catchsql { + SELECT rowid FROM t WHERE t MATCH 'shared' ORDER BY rowid DESC; + } + set {} {} + } {} +} + sqlite3_fts5_may_be_corrupt 0 finish_test + + diff --git a/manifest b/manifest index 011290e7c0..fea3cd72f1 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Avoid\sa\spotential\suse-after-free\sin\sfts5.\sReport\s[bugs:/info/2026-06-08T08:45:27Z\s|\s2026-06-08T08:45:27Z]. -D 2026-06-08T12:03:52.132 +C Fix\sa\sbuffer\soverread\sthat\scould\soccur\sin\sfts5\swhen\sprocessing\scorrupt\srecords.\sBug\s[bugs:/info/2026-06-08T11:15:52Z\s|\s2026-06-08T11:15:52Z] +D 2026-06-08T15:20:49.700 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea 
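Review bot: Test 5.1.$leaf discards the catchsql result with `set {} {}` and expects `{}`, so it asserts only that the MATCH completes without a memory error on an instrumented build, not that SQLITE_CORRUPT is reported; the comment above the hex rewrite explains the corruption but not what is being checked, and a reader may take the empty expected result for a missing assertion. A line such as `# The query result is deliberately ignored - it may or may not report corruption. The test passes if the reverse scan neither crashes nor overreads.` above `do_test 5.1.$leaf` would make that explicit. The trailing `sqlite3_fts5_may_be_corrupt 0` presumably pairs with an enabling call earlier in the file, outside the hunk; if the new block were ever moved above that enable, the corruption checks would assert instead of returning an error, so keeping the block inside that window is worth noting in the same comment.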
@@ -114,7 +114,7 @@ F ext/fts5/fts5_buffer.c dcc3f0352339fe79c9d8abbc1c2009bc3469206467880bf43558447 F ext/fts5/fts5_config.c bfba970fe1e4eed18ee57c8d51458e226db9a960ddf775c5e50e3d76603a667e F ext/fts5/fts5_expr.c 20e41452e4f83899a3a1bc66d018701186a0bbbc3a1a524f8cae447e0b150f05 F ext/fts5/fts5_hash.c d5871df92ce3fa210a650cf419ee916b87c29977e86084d06612edf772bff6f5 -F ext/fts5/fts5_index.c bd7fbe5c0dfe435324dcaa0821abbce974b4267053de860a4816398014193695 +F ext/fts5/fts5_index.c c1de5d6f756681ec36943067ca00230423b3bcd094b06b6fe303e45e66fc3390 F ext/fts5/fts5_main.c b0fed47b3b4420ba6810373480a75bc28a9c0b7d16478d19a396436fb3ff17d7 F ext/fts5/fts5_storage.c 19bc7c4cbe1e6a2dd9849ef7d84b5ca1fcbf194cefc3e386b901e00e08bf05c2 F ext/fts5/fts5_tcl.c 2be6cc14f9448f720fd4418339cd202961a0801ea9424cb3d9de946f8f5a051c @@ -170,7 +170,7 @@ F ext/fts5/test/fts5corrupt6.test 2d72db743db7b5d9c9a6d0cfef24d799ed1aa5e8192b66 F ext/fts5/test/fts5corrupt7.test 9664c15360e8b649ad76f457a0bbf5a7271b8eff1a8ee141ea039bc63240c934 F ext/fts5/test/fts5corrupt8.test 0b10750caf8aa23fa1c379ca4caf6130d41454505e4d5315590f4061eedcbe44 F ext/fts5/test/fts5corrupt9.test 4253b9b59f33effac8b67da72ec34309c738aca2d5e8e2656bfbbd6a489a1dfe -F ext/fts5/test/fts5corruptA.test c854c6d1fa7068d8dc32bce610a703e92b6b934c8c8f252df4c5f81e8ba07b50 +F ext/fts5/test/fts5corruptA.test 2de1281f42e894ca98c982348fd6ea68fc345935aa7c9dfc0c52aa5e7c14ee75 F ext/fts5/test/fts5corruptbig.test 9f95b40fa36e292feceab02b2ef06e21878bfa1ac7afefa138aae05518b51774 F ext/fts5/test/fts5delete.test 2a5008f8b1174ef41d1974e606928c20e4f9da77d9f8347aed818994d89cced4 F ext/fts5/test/fts5detail.test 54015e9c43ec4ba542cfb93268abdf280e0300f350efd08ee411284b03595cc4 
@@ -2208,8 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P 4af1d9b3e54a7c42552e61284456bbd7089e525d4aa55e580f7518956d8521bb -R b1e80cf3a6883a25ef2b4ff2a670c932 +P 9c018b02dbfb071c748d540ad679a4dbdc0fb88a62988e02cb51a3403509febe +R c8d6f28c71925d449fb0b28905996c6a U dan -Z aecf307d98bf176f8b105e87f5816f53 +Z f9cd6166bc69f79189e73ac981532cc3 # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 54d11290a7..b1da578fff 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -9c018b02dbfb071c748d540ad679a4dbdc0fb88a62988e02cb51a3403509febe +b07441cfc06b8e6b47a4f4a6e0f5c261da580d5afe82444cc7f42a9f39ea7026