From: drh
Date: Wed, 22 Jul 2020 18:03:56 +0000 (+0000)
Subject: When parsing the schema, detect out-of-bounds rootpage values and throw an
X-Git-Tag: version-3.33.0~36^2~8^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b3ddbae36ea40bf0f7d7ef707e722fdad8aa9c0;p=thirdparty%2Fsqlite.git

When parsing the schema, detect out-of-bounds rootpage values and throw an
error.

FossilOrigin-Name: 6c3a2727dc912ed800146e07db5d15d0f3468d13701165ba763c4b114c3e18e8
---

diff --git a/manifest b/manifest
index b8892c1ce2..a677fefb1e 100644
--- a/manifest
+++ b/manifest
@@ -1,24 +1,27 @@
 B d2aac001204621062e6cb3230ce2ac1b4545cb83b3ebb6bfebccee4d51162e97
-C All\sTCL\stests\snow\spassing.
-D 2020-07-22T17:12:59.996
+C When\sparsing\sthe\sschema,\sdetect\sout-of-bounds\srootpage\svalues\sand\sthrow\san\nerror.
+D 2020-07-22T18:03:56.431
 F src/analyze.c 5cffff3d355858cd22bfc6e20ac7203510d2e1cc935086eb06f4abb2f579f628
 F src/btree.c a4720f51945a86379ecd962a715d6fe9de08651a67d1e6f7b4884612da83ceb5
 F src/btree.h 7af72bbb4863c331c8f6753277ab40ee67d2a2125a63256d5c25489722ec162b
 F src/btreeInt.h 83166f6daeb91062b6ae9ee6247b3ad07e40eba58f3c05ba9e8dedad4ab1ea38
 F src/build.c f2b73fbb2197fb6e6a35ff2e1750085f023dc50542185f1a2dfccd632223eb14
 F src/pager.c a5f65ff2cd73b8d381cc7b338cac382ca6978d578fa0b84fdaa11d3cdc3c3e18
-F src/prepare.c 26be4805d6b6185229221152d6d1ce10e2a6619a1afe0d8bf3c5a3c4bacf402a
+F src/prepare.c 752643468bab27081bee439a7a727b616db2997e2ecdae132e8c786f8e44bcec
 F src/select.c 0e75d64091200a2a8fdc02abafe176a0c2e9b2654c4cc34564f25f0b408e91de
-F src/sqliteInt.h eb4f7746ca2f90dfd5ccaa182960daafccd63f3f7be83589f4257b41e0e5f70f
+F src/sqliteInt.h ec260b2441d94ef0b5be424c323cf255ae30d23e2fb2bd1c42a3a59c2fbafedb
 F src/util.c 58bf59fb0923017619c9c53957a676ff2322314b2547f6a223e0707e7ba505de
-F src/vdbe.c 44ac1776fa89e54dd49e71838aed17ceb316d993378d0d71818f7e853e934d0e
+F src/vdbe.c 120fdb1add80309cf1b4d6cc88b7f4e0580e816ded743a8f495fff9ef35a4e0a
 F src/vdbe.h 83603854bfa5851af601fc0947671eb260f4363e62e960e8a994fb9bbcd2aaa1
 F src/vdbeInt.h 762abffb7709f19c2cb74af1bba73a900f762e64f80d69c31c9ae89ed1066b60
 F src/vdbeaux.c 1cbbbffdb874c6f3e7aab40f3deb48abac4a71df1043cd95bb0d652d4e053871
 F src/wherecode.c 8064fe5c042824853a9b1fda670054a51a49033a6c79059988c97751ccf8088e
 F test/corrupt3.test 2520432b1fbf99994841e69804a3c59fb828183f4d09b85a1631bc7adca17e31
 F tool/showdb.c 49e810f5c414c792b5bf38cd5557ca9639713ebfef32aaff32faf7cb7ccce513
-P 92e2ab38930c76811dbf5abfe6b9ea9e12562a4bb4bb06cdb0cf49ac30da0bc3
-R 9a8fcc1aa7a1542100ce070d51449c82
+P 4c5f3c6cacf84a36d0347790d98d82d1f584cd1537a13a2736348405c4d20367
+R ccc7b0ae4ada19d710420f989f7c9313
+T *branch * rootpage-bounds-check
+T *sym-rootpage-bounds-check *
+T -sym-larger-databases *
 U drh
-Z 823bbfd3b3d1b49671a3ec5ee70353b6
+Z c08f65e2e744a2c088ae7728fbcd5c94
diff --git a/manifest.uuid b/manifest.uuid
index d61058e2b5..b93907488d 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-4c5f3c6cacf84a36d0347790d98d82d1f584cd1537a13a2736348405c4d20367
\ No newline at end of file
+6c3a2727dc912ed800146e07db5d15d0f3468d13701165ba763c4b114c3e18e8
\ No newline at end of file
diff --git a/src/prepare.c b/src/prepare.c
index dab57682f9..84f2ee8a23 100644
--- a/src/prepare.c
+++ b/src/prepare.c
@@ -116,6 +116,10 @@ int sqlite3InitCallback(void *pInit, int argc, char **argv, char **NotUsed){
   assert( db->init.busy );
   db->init.iDb = iDb;
   sqlite3GetUInt32(argv[3], &db->init.newTnum);
+  if( db->init.newTnum>pData->mxPage && pData->mxPage!=0 ){
+    corruptSchema(pData, argv[1], "invalid rootpage");
+    return 0;
+  }
   db->init.orphanTrigger = 0;
   db->init.azInit = argv;
   pStmt = 0;
@@ -151,6 +155,7 @@ int sqlite3InitCallback(void *pInit, int argc, char **argv, char **NotUsed){
     if( pIndex==0
      || sqlite3GetUInt32(argv[3],&pIndex->tnum)==0
      || pIndex->tnum<2
+     || (pIndex->tnum>pData->mxPage && pData->mxPage!=0)
      || sqlite3IndexHasDuplicateRootPage(pIndex)
     ){
       corruptSchema(pData, argv[1], pIndex?"invalid rootpage":"orphan index");
@@ -207,6 +212,7 @@ int sqlite3InitOne(sqlite3 *db, int iDb, char **pzErrMsg, u32 mFlags){
   initData.pzErrMsg = pzErrMsg;
   initData.mInitFlags = mFlags;
   initData.nInitRow = 0;
+  initData.mxPage = 0;
   sqlite3InitCallback(&initData, 5, (char **)azArg, 0);
   db->mDbFlags &= mask;
   if( initData.rc ){
@@ -329,6 +335,7 @@ int sqlite3InitOne(sqlite3 *db, int iDb, char **pzErrMsg, u32 mFlags){
   /* Read the schema information out of the schema tables */
   assert( db->init.busy );
+  initData.mxPage = sqlite3BtreeLastPage(pDb->pBt);
   {
     char *zSql;
     zSql = sqlite3MPrintf(db,
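Review bot: The added `if( db->init.newTnum>pData->mxPage && pData->mxPage!=0 )` relies on `sqlite3GetUInt32(argv[3], &db->init.newTnum)` on the preceding line, whose return value is still ignored here, while the index branch of this same callback treats a failed parse as corruption (`sqlite3GetUInt32(argv[3],&pIndex->tnum)==0`); what newTnum holds after a failed parse is not visible in this diff, so either test the return value here too or add a comment explaining why a non-numeric rootpage is tolerated for table rows. Writing the condition as `if( pData->mxPage!=0 && db->init.newTnum>pData->mxPage ){` puts the 'check disabled' sentinel first, which reads as intended and matches the `0 for no limit` comment on the new field. Note also that, unlike the `pIndex->tnum<2` test on the index path, no lower bound is applied to table rows; if rootpage 0 is legitimate for view and trigger rows, a one-line comment saying so would keep the asymmetry from being "fixed" later. sqlite3InitCallback starts and ends outside this hunk.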
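Review bot: The new `|| (pIndex->tnum>pData->mxPage && pData->mxPage!=0)` is the same predicate that the first hunk of this file adds for table rows, so the "mxPage==0 means unbounded" rule now lives in two expressions that must be kept in step; a small file-local helper such as `static int rootPageTooLarge(InitData *pData, Pgno iRoot){ return pData->mxPage!=0 && iRoot>pData->mxPage; }` used at both sites would state the sentinel once and keep the two checks from drifting. The disjunction already reads `sqlite3GetUInt32(...)==0 || pIndex->tnum<2 || ...`, so the bound fits naturally as `|| rootPageTooLarge(pData, pIndex->tnum)`. The enclosing if/else and the rest of sqlite3InitCallback are outside this hunk.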
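Review bot: `initData.mxPage = 0;` is correct but silent about why this first, hand-built row (`sqlite3InitCallback(&initData, 5, (char **)azArg, 0)`) is exempt from the rootpage bound that the rest of the schema gets; a reader has to find the struct comment in sqliteInt.h and the later assignment in this function to work that out. A comment on the new line, e.g. `/* 0 = no rootpage bound yet; the real page count is set below before the schema rows are read */`, would keep the sentinel self-describing. sqlite3InitOne continues outside this hunk.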
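Review bot: `initData.mxPage = sqlite3BtreeLastPage(pDb->pBt);` gives the value 0 a double meaning, because the new checks treat `mxPage==0` as "no limit": if the page count can be 0 at this point (a zero-length file, or a size not yet known because no read transaction is open on pDb->pBt — the preconditions of sqlite3BtreeLastPage are not visible here), the bound is silently disabled for that parse rather than failing closed. That is harmless for a genuinely empty database, which has no schema rows to check, but the intent should be recorded next to the assignment, e.g. `/* Upper bound for rootpage values in the schema rows read below; 0 (empty or unknown size) disables the check */`, and if the btree is guaranteed to hold a read transaction here an `assert()` to that effect would pin the assumption. The remainder of sqlite3InitOne, including the block that actually reads the schema, lies outside this hunk.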
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 32155892fa..f2a26109c4 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -3629,6 +3629,7 @@ typedef struct {
   int rc;            /* Result code stored here */
   u32 mInitFlags;    /* Flags controlling error messages */
   u32 nInitRow;      /* Number of rows processed */
+  Pgno mxPage;       /* Maximum page number.  0 for no limit. */
 } InitData;
 
 /*
diff --git a/src/vdbe.c b/src/vdbe.c
index c86b54c8f8..5134da4b37 100644
--- a/src/vdbe.c
+++ b/src/vdbe.c
@@ -6122,6 +6122,7 @@ case OP_ParseSchema: {
   initData.iDb = iDb;
   initData.pzErrMsg = &p->zErrMsg;
   initData.mInitFlags = 0;
+  initData.mxPage = sqlite3BtreeLastPage(db->aDb[iDb].pBt);
   zSql = sqlite3MPrintf(db,
      "SELECT*FROM\"%w\".%s WHERE %s ORDER BY rowid",
      db->aDb[iDb].zDbSName, zSchema, pOp->p4.z);
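Review bot: `initData.mxPage = sqlite3BtreeLastPage(db->aDb[iDb].pBt);` is the second place in this commit that has to remember to fill the new InitData field; initData appears to be a local whose declaration is outside the hunk, so any other site that builds one (none is visible in this diff) would now hand sqlite3InitCallback an uninitialized bound that the new checks read unconditionally. Consider computing the bound in one spot — either inside the init code from the InitData's own db/iDb, or via a small helper called from both here and sqlite3InitOne — or at least document the field as mandatory at construction. As in prepare.c, a 0 from sqlite3BtreeLastPage silently disables the check; whether a read transaction is always open on aDb[iDb] when OP_ParseSchema runs is not visible here, so a comment on this line, e.g. `/* Bound for rootpage values in the schema rows; 0 disables the check */`, would record the assumption. The OP_ParseSchema case continues outside this hunk.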