From: dan
Date: Fri, 26 Feb 2010 15:09:19 +0000 (+0000)
Subject: Avoid a buffer overwrite that can occur with a corrupt database if secure-delete...
X-Git-Tag: version-3.7.2~571
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2ed11e7b18ead8e903ad47b2a6fe9341b81f9e82;p=thirdparty%2Fsqlite.git

Avoid a buffer overwrite that can occur with a corrupt database if secure-delete is enabled.

FossilOrigin-Name: 7bdb1e05faceddbb0b8e3efee7d070ad8c4611a3
---
diff --git a/manifest b/manifest
index 4035effaba..3dbc1246f5 100644
--- a/manifest
+++ b/manifest
@@ -1,8 +1,5 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
-C Avoid\sincorrect\scompiler\swarnings\sby\sdoing\sa\scouple\sof\sneedless\nvariable\sinitializations.
-D 2010-02-26T13:07:37
+C Avoid\sa\sbuffer\soverwrite\sthat\scan\soccur\swith\sa\scorrupt\sdatabase\sif\ssecure-delete\sis\senabled.
+D 2010-02-26T15:09:20
 F Makefile.arm-wince-mingw32ce-gcc fcd5e9cd67fe88836360bb4f9ef4cb7f8e2fb5a0
 F Makefile.in 4f2f967b7e58a35bb74fb7ec8ae90e0f4ca7868b
 F Makefile.linux-gcc d53183f4aa6a9192d249731c90dbdffbd2c68654
@@ -112,7 +109,7 @@ F src/auth.c 523da7fb4979469955d822ff9298352d6b31de34
 F src/backup.c b293534bc2df23c57668a585b17ee7faaaef0939
 F src/bitvec.c 06ad2c36a9c3819c0b9cbffec7b15f58d5d834e0
 F src/btmutex.c 96a12f50f7a17475155971a241d85ec5171573ff
-F src/btree.c 65359edf313363a84a8d951a211873ad16ede53a
+F src/btree.c 22bcd5cbc53a1f9ce4b39763aaf43a7333d9346b
 F src/btree.h 0e193b7e90f1d78b79c79474040e3d66a553a4fa
 F src/btreeInt.h 71ed5e7f009caf17b7dc304350b3cb64b5970135
 F src/build.c 11100b66fb97638d2d874c1d34d8db90650bb1d7
@@ -295,7 +292,7 @@ F test/collateA.test b8218ab90d1fa5c59dcf156efabb1b2599c580d6
 F test/colmeta.test 087c42997754b8c648819832241daf724f813322
 F test/colname.test 08948a4809d22817e0e5de89c7c0a8bd90cb551b
 F test/conflict.test 0ed68b11f22721052d880ee80bd528a0e0828236
-F test/corrupt.test f413a96e5f7a3df55529a530339c5194efce59e0
+F test/corrupt.test 0d346c9fe064ca71281685a8a732fcc83461bb99
 F test/corrupt2.test a571e30ea4e82318f319a24b6cc55935ce862079
 F test/corrupt3.test 263e8bb04e2728df832fddf6973cf54c91db0c32
 F test/corrupt4.test acdb01afaedf529004b70e55de1a6f5a05ae7fff
@@ -795,14 +792,7 @@ F tool/speedtest2.tcl ee2149167303ba8e95af97873c575c3e0fab58ff
 F tool/speedtest8.c 2902c46588c40b55661e471d7a86e4dd71a18224
 F tool/speedtest8inst1.c 293327bc76823f473684d589a8160bde1f52c14e
 F tool/vdbe-compress.tcl d70ea6d8a19e3571d7ab8c9b75cba86d1173ff0f
-P b5835d3e3d7f3fbf04431f9afe27dfef7b7f23c9
-R feb7fcb2626a9c46d3d79459fa07572c
-U drh
-Z 93c6029ace8e0b4c79551ba55a03f862
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.6 (GNU/Linux)
-
-iD8DBQFLh8ecoxKgR168RlERAq/AAJ4kRAjfg0SA3XpKduC7rNmZht37jwCeOopy
-3XEDjK4K1rR5rmo2LEX+6NQ=
-=Fiyc
------END PGP SIGNATURE-----
+P 8f29490da62df07ea922b03cab52b6edd2669edb
+R 7b8c852b73b99027be1973f856f673bb
+U dan
+Z 2b638b55505849de93efc222bb43dd70
diff --git a/manifest.uuid b/manifest.uuid
index b7775b5722..683efb2340 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-8f29490da62df07ea922b03cab52b6edd2669edb
\ No newline at end of file
+7bdb1e05faceddbb0b8e3efee7d070ad8c4611a3
\ No newline at end of file
diff --git a/src/btree.c b/src/btree.c
index 827eceb17f..cf21b025fc 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -5815,8 +5815,15 @@ static int balance_nonroot(
 ** buffer. It will be copied out again as soon as the aSpace[] buffer
 ** is allocated. */
 if( pBt->secureDelete ){
- memcpy(&aOvflSpace[apDiv[i]-pParent->aData], apDiv[i], szNew[i]);
- apDiv[i] = &aOvflSpace[apDiv[i]-pParent->aData];
+ int iOff = apDiv[i] - pParent->aData;
+ if( (iOff+szNew[i])>pBt->usableSize ){
+ rc = SQLITE_CORRUPT_BKPT;
+ memset(apOld, 0, (i+1)*sizeof(MemPage*));
+ goto balance_cleanup;
+ }else{
+ memcpy(&aOvflSpace[iOff], apDiv[i], szNew[i]);
+ apDiv[i] = &aOvflSpace[apDiv[i]-pParent->aData];
+ }
 }
 dropCell(pParent, i+nxDiv-pParent->nOverflow, szNew[i], &rc);
 }
diff --git a/test/corrupt.test b/test/corrupt.test
index 1d3b5cfad9..fc84033fc4 100644
--- a/test/corrupt.test
+++ b/test/corrupt.test
@@ -71,7 +71,7 @@ set junk [string range $junk 0 255]
 # of the file. Then do various operations on the file to make sure that
 # the database engine can recover gracefully from the corruption.
 #
-for {set i [expr {1*256}]} {0 && $i<$fsize-256} {incr i 256} {
+for {set i [expr {1*256}]} {$i<$fsize-256} {incr i 256} {
 set tn [expr {$i/256}]
 db close
 copy_file test.bu test.db
@@ -329,4 +329,23 @@ do_test corrupt-8.1 {
 catchsql { INSERT OR REPLACE INTO t1 VALUES(5, randomblob(1900)) }
 } {1 {database disk image is malformed}}
 
+db close
+file delete -force test.db test.db-journal
+do_test corrupt-8.2 {
+ sqlite3 db test.db
+ execsql {
+ PRAGMA page_size = 1024;
+ PRAGMA secure_delete = on;
+ PRAGMA auto_vacuum = 0;
+ CREATE TABLE t1(x INTEGER PRIMARY KEY, y);
+ INSERT INTO t1 VALUES(5, randomblob(900));
+ INSERT INTO t1 VALUES(6, randomblob(900));
+ }
+
+ hexio_write test.db 2047 FF
+ hexio_write test.db 24 [hexio_render_int32 45]
+
+ catchsql { INSERT INTO t1 VALUES(4, randomblob(1900)) }
+} {1 {database disk image is malformed}}
+
 finish_test
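Review bot: The `memset(apOld, 0, (i+1)*sizeof(MemPage*));` on the new corruption path is the one line in this hunk whose purpose is not evident and it carries no comment; from the `(i+1)` count it presumably clears the apOld[] slots that have not been loaded yet so that the release loop under balance_cleanup does not free uninitialized pointers, but the loop head and the cleanup label are outside the hunk, so that reading needs confirming against them. I would put `/* apOld[0..i] are not loaded yet; clear them so balance_cleanup() only releases the pages fetched so far */` above that line, matching the identical memset on the getAndInitPage() failure path if that is indeed where the pattern comes from. In the else branch `apDiv[i] = &aOvflSpace[apDiv[i]-pParent->aData];` recomputes the offset that `iOff` already holds two lines earlier; `apDiv[i] = &aOvflSpace[iOff];` yields the same pointer and makes it obvious that the copy and the redirect use the same bound-checked offset. The guard `(iOff+szNew[i])>pBt->usableSize` mixes an int sum with what I believe is an unsigned usableSize, which is only safe because iOff cannot be negative when apDiv[i] comes from findCell()/aOvfl within pParent->aData — an `assert( iOff>=0 );` next to the declaration would pin that assumption, and the check also relies on aOvflSpace being at least usableSize bytes, which the caller (outside this hunk) must guarantee. balance_nonroot() begins and ends outside the hunk.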
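Review bot: The two `hexio_write` calls in the new corrupt-8.2 test are bare magic offsets with no comment saying what they corrupt, so a reader cannot tell which btree structure the test is attacking or why the second write is needed to reach the fixed code. With `PRAGMA page_size = 1024`, offset 2047 is the last byte of page 2 and offset 24 is the file-change counter in the database header, so presumably the first write damages a t1 cell on its root page and the second makes the still-open connection discard its page cache and re-read the corrupted file; I would confirm that and record it as `# Corrupt the last byte of page 2 (a t1 cell) and bump the change counter so the page cache is invalidated`. A one-line comment naming the code path under test, e.g. `# Exercises the secure-delete divider-cell copy in balance_nonroot()`, would also tie the test to the btree.c change, since nothing in the test file itself says why secure_delete is turned on.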