From: dan Date: Thu, 10 Jan 2019 17:08:20 +0000 (+0000) Subject: Avoid use-after-free and double-free errors that could occur if an fts5 table X-Git-Tag: version-3.27.0~185 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=25e3073741c2bc23b846bd74dc50334295dd2c1a;p=thirdparty%2Fsqlite.git Avoid use-after-free and double-free errors that could occur if an fts5 table is modified in certain ways while there are active cursors. FossilOrigin-Name: 3291b2a6fe6f38ae91b933e5cd2bf7d97432374b4fb1fccd92b4bd759b02ee06 --- diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c index c767899e02..88505fc18b 100644 --- a/ext/fts5/fts5_index.c +++ b/ext/fts5/fts5_index.c @@ -512,7 +512,6 @@ struct Fts5Iter { Fts5IndexIter base; /* Base class containing output vars */ Fts5Index *pIndex; /* Index that owns this iterator */ - Fts5Structure *pStruct; /* Database structure for this iterator */ Fts5Buffer poslist; /* Buffer containing current poslist */ Fts5Colset *pColset; /* Restrict matches to these columns */ @@ -2758,7 +2757,6 @@ static void fts5MultiIterFree(Fts5Iter *pIter){ for(i=0; inSeg; i++){ fts5SegIterClear(&pIter->aSeg[i]); } - fts5StructureRelease(pIter->pStruct); fts5BufferFree(&pIter->poslist); sqlite3_free(pIter); } @@ -3404,7 +3402,6 @@ static void fts5MultiIterNew( if( pNew==0 ) return; pNew->bRev = (0!=(flags & FTS5INDEX_QUERY_DESC)); pNew->bSkipEmpty = (0!=(flags & FTS5INDEX_QUERY_SKIPEMPTY)); - pNew->pStruct = pStruct; pNew->pColset = pColset; fts5StructureRef(pStruct); if( (flags & FTS5INDEX_QUERY_NOOUTPUT)==0 ){ diff --git a/ext/fts5/test/fts5corrupt3.test b/ext/fts5/test/fts5corrupt3.test index 6d3be1df8a..f2b8b20ecd 100644 --- a/ext/fts5/test/fts5corrupt3.test +++ b/ext/fts5/test/fts5corrupt3.test @@ -3512,6 +3512,40 @@ do_catchsql_test 30.1 { SELECT fts5_decode(id, block) FROM t1_data; } {1 {database disk image is malformed}} +#------------------------------------------------------------------------- +reset_db +do_test 31.0 { + sqlite3 db {} + db deserialize [decode_hexdb { +| size 8192 pagesize 4096 filename crash-7629f35f11d48e.db +| page 1 offset 0 +| 0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 SQLite format 3. +| 16: 10 00 01 01 00 40 20 20 00 00 00 00 00 00 00 02 .....@ ........ +| 32: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 04 ................ +| 48: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................ +| 96: 00 00 00 00 0d 00 00 00 01 0f c7 00 0f c7 00 00 ................ +| 4032: 00 00 00 00 00 00 00 37 01 06 17 15 15 01 53 74 .......7......St +| 4048: 61 62 6c 65 64 75 61 6c 64 75 61 6c 02 43 52 45 abledualdual.CRE +| 4064: 41 54 45 20 54 41 42 4c 45 20 64 75 61 6c 28 64 ATE TABLE dual(d +| 4080: 75 6d 6d 79 20 76 61 72 28 31 29 29 0d 00 00 00 ummy var(1)).... +| page 2 offset 4096 +| 0: 01 0f fb 00 0f fb 00 00 00 00 00 00 00 00 00 00 ................ +| 4080: 00 00 00 00 00 00 00 00 00 00 00 03 01 02 0f 58 ...............X +| end crash-7629f35f11d48e.db +}]} {} + +do_execsql_test 31.1 { + CREATE VIRTUAL TABLE t1 USING fts5(a,b,c); + WITH RECURSIVE c(x) AS (VALUES(1) UNION ALL SELECT x+1 FROM c WHERE x<72) + INSERT INTO t1(a) SELECT randomblob(2829) FROM c; + WITH RECURSIVE c(x) AS (VALUES(1) UNION ALL SELECT x+1 FROM c WHERE x<10) + INSERT INTO t1(a) SELECT randomblob(3000) FROM c; +} + +do_catchsql_test 31.2 { + DELETE FROM t1 WHERE a MATCH X'6620e574f32a'; +} {0 {}} + sqlite3_fts5_may_be_corrupt 0 finish_test diff --git a/ext/fts5/test/fts5update.test b/ext/fts5/test/fts5update.test index b558c2fb7d..913c06e863 100644 --- a/ext/fts5/test/fts5update.test +++ b/ext/fts5/test/fts5update.test @@ -115,5 +115,24 @@ do_execsql_test 2.2.integrity { INSERT INTO x2(x2) VALUES('integrity-check'); } +#------------------------------------------------------------------------- +# +do_execsql_test 3.0 { + CREATE VIRTUAL TABLE x3 USING fts5(x, detail=%DETAIL%); + INSERT INTO x3 VALUES('one'); + INSERT INTO x3 VALUES('two'); + INSERT INTO x3 VALUES('one'); + INSERT INTO x3 VALUES('two'); + INSERT INTO x3 VALUES('one'); +} + +do_test 3.1 { + db eval { SELECT * FROM x3('one') } { + db eval { + INSERT INTO x3(x3) VALUES('optimize'); + } + } +} {} + } finish_test diff --git a/manifest b/manifest index 0482062965..b9b27db601 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Fix\sfurther\sproblems\swith\sfts5\shandling\scorrupt\sdatabases. -D 2019-01-10T15:17:32.879 +C Avoid\suse-after-free\sand\sdouble-free\serrors\sthat\scould\soccur\sif\san\sfts5\stable\nis\smodified\sin\scertain\sways\swhile\sthere\sare\sactive\scursors. +D 2019-01-10T17:08:20.419 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F Makefile.in d8b254f8bb81bab43c340d70d17dc3babab40fcc8a348c8255881f780a45fee6 @@ -115,7 +115,7 @@ F ext/fts5/fts5_buffer.c 9d7bd654123832879c9f7e2d37f37aebcc3271e65a5e56d9410d81e F ext/fts5/fts5_config.c eeec97cb0237991e7fa3bbae07b5cc354e3f238b661200c11228fe167c18f882 F ext/fts5/fts5_expr.c 188d1dca5a262a0708efc5deb809f1aa6ecea4158986a439d2670cfe72d10b65 F ext/fts5/fts5_hash.c d415f5ad332b051f0ade564bcf1762c4467cc49b2ba8ea5873d8744c705d8d42 -F ext/fts5/fts5_index.c 8663717e84a7b5006c24fb35b5dd438e153281e41f846fb2ecdbab0584750281 +F ext/fts5/fts5_index.c ec0ca720bf3d564adc659791c6a9e7b98b019b4083882b4ea9173e1870035645 F ext/fts5/fts5_main.c 90062ccfc54031ff97660e277d868ec080c5b46e42d784856385b12645e60ed6 F ext/fts5/fts5_storage.c 00db5029ee470172c1a79d7182808b678ee21b7ea1f63618bcb0591bf8cf7f8a F ext/fts5/fts5_tcl.c 39bcbae507f594aad778172fa914cad0f585bf92fd3b078c686e249282db0d95 @@ -156,7 +156,7 @@ F ext/fts5/test/fts5connect.test 08030168fc96fc278fa81f28654fb7e90566f33aff269c0 F ext/fts5/test/fts5content.test 688d5ac7af194ebc67495daea76a69e3cd5480122c2320e72d41241b423b4116 F ext/fts5/test/fts5corrupt.test 77ae6f41a7eba10620efb921cf7dbe218b0ef232b04519deb43581cb17a57ebe F ext/fts5/test/fts5corrupt2.test 7453752ba12ce91690c469a6449d412561cc604b1dec994e16ab132952e7805f -F ext/fts5/test/fts5corrupt3.test c50be432a544a98761202b9814f40e17c5ef007bf351ec22474015d828f354d6 +F ext/fts5/test/fts5corrupt3.test 87c1289b4d9520f3ca5ca62d5ecf7926d09da8336d1d40a37aa52303ae5bcd06 F ext/fts5/test/fts5delete.test cbf87e3b8867c4d5cfcaed975c7475fd3f99d072bce2075fcedf43d1f82af775 F ext/fts5/test/fts5detail.test 31b240dbf6d44ac3507e2f8b65f29fdc12465ffd531212378c7ce1066766f54e F ext/fts5/test/fts5determin.test 1b77879b2ae818b5b71c859e534ee334dac088b7cf3ff3bf76a2c82b1c788d11 @@ -215,7 +215,7 @@ F ext/fts5/test/fts5unicode2.test 9b3df486de05fb4bde4aa7ee8de2e6dae1df6eb90e3f2e F ext/fts5/test/fts5unicode3.test 590c72e18195bda2446133f9d82d04a4e89d094bba58c75ae10f4afc6faa0744 F ext/fts5/test/fts5unicode4.test 6463301d669f963c83988017aa354108be0b947d325aef58d3abddf27147b687 F ext/fts5/test/fts5unindexed.test 9021af86a0fb9fc616f7a69a996db0116e7936d0db63892db6bafabbec21af4d -F ext/fts5/test/fts5update.test 0737876e20e97a6a6abf45de19fc99315727bcee6a83fadcada1cc080b9aa8f0 +F ext/fts5/test/fts5update.test 8486224b6174c71e459a467f49a9bb67a7656fd54a995b48be1b0dc3bdcf18af F ext/fts5/test/fts5version.test c8f2cc105f0abf0224965f93e584633dee3e06c91478bc67e468f7cfdf97fd6a F ext/fts5/test/fts5vocab.test 26e069050d6fb389e67f7a9402421948233152ae433e6b8da47cf15d3b5a8d26 F ext/fts5/test/fts5vocab2.test 5472d6cd852fe848876892c48a754c82af018bf08ca16f1f167db59dc64586f7 @@ -1797,7 +1797,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 10f9e39d6ed2413fa9abc6c82da3ed48f32a42b6190b6219fca7faf850d05113 -R 72fda51f0f3fbf7bf16292ae38b5ad54 +P 83c467d7af63bd2e7800aff4fe9b09dbd75557460b75a9e07205dfae7e28312c +R 3351e2aae6403322cbe69ee0af9a55bf U dan -Z 0a29b0d3fdcd0377c1379ed4158ea092 +Z 309e7dae9990d8d0bb0ac224fef52616 diff --git a/manifest.uuid b/manifest.uuid index 29dce9f4de..f9705c3603 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -83c467d7af63bd2e7800aff4fe9b09dbd75557460b75a9e07205dfae7e28312c \ No newline at end of file +3291b2a6fe6f38ae91b933e5cd2bf7d97432374b4fb1fccd92b4bd759b02ee06 \ No newline at end of file