From: dan
Date: Thu, 14 Sep 2017 20:41:17 +0000 (+0000)
Subject: Avoid an out-of-bounds read that can be caused by a specially constructed
X-Git-Tag: version-3.21.0~88
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=629ec14abc44aa8292923db945263f8d0f96440d;p=thirdparty%2Fsqlite.git
Avoid an out-of-bounds read that can be caused by a specially constructed journal file.
FossilOrigin-Name: cf5bf42cad6e019a38dc0a36ff1f53ada619eef5259e175c3554a16669e03202
---
diff --git a/manifest b/manifest
index 00998942b5..7b324d258b 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Avoid\san\sout-of-bounds\sread\son\sa\srecovery\sattempt\susing\sa\scarefully\scrafted\ndatabase\sand\srollback\sjournal\swith\smismatched\spage\ssizes.\s\sThe\stest\scase\sfor\nthis\sis\sin\sTH3.
-D 2017-09-14T02:36:27.714
+C Avoid\san\sout-of-bounds\sread\sthat\scan\sbe\scaused\sby\sa\sspecially\sconstructed\njournal\sfile.
+D 2017-09-14T20:41:17.170
 F Makefile.in c644bbe8ebe4aae82ad6783eae6b6beea4c727b99ff97568b847ced5e2ac7afb
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc 6a7a74bf60ad395098c0bd175ab054cd65ef85d7f034198d52bcc4d9e5fb4c6b
@@ -441,7 +441,7 @@ F src/os.c 93e0979b9b55df29c0c4923f73b48e9d3fe728f01dd8ed4f6a9d2f1d79779bc8
 F src/os.h 8e976e59eb4ca1c0fca6d35ee803e38951cb0343
 F src/os_common.h b2f4707a603e36811d9b1a13278bffd757857b85
 F src/os_setup.h 0dbaea40a7d36bf311613d31342e0b99e2536586
-F src/os_unix.c 489aa972ccc34f7b4770b891694b32101c59ddd4be4ef0ddd9a4da58c145c1a6
+F src/os_unix.c 0e365b4c95bd6f5a9d3cea650272eba46706bad2c833f1d0e7ac38521331ddba
 F src/os_win.c 225432ab6512f63ab2f37eb76872f818b01f0483ba0bea04a7a1168be3070ea5
 F src/os_win.h 7b073010f1451abe501be30d12f6bc599824944a
 F src/pager.c 2a523bf8ec77678b35fe56b43ac24045d2f97ad44d58c6a0894c131feda3eeff
@@ -1046,6 +1046,7 @@ F test/misc6.test 953cc693924d88e6117aeba16f46f0bf5abede91
 F test/misc7.test edd0b63e2ee29a256900b0514f6fff27e19e9bb2
 F test/misc8.test ba03aaa08f02d62fbb8d3b2f5595c1b33aa9bbc5
 F test/misuse.test 9e7f78402005e833af71dcab32d048003869eca5abcaccc985d4f8dc1d86bcc7
+F test/mjournal.test 479076d56e89659cce2197ee0054df4a6578f43e10bdda9bdfcdb6eefaa02575
 F test/mmap1.test d2cfc1635171c434dcff0ece2f1c8e0a658807ce
 F test/mmap2.test 9d6dd9ddb4ad2379f29cc78f38ce1e63ed418022
 F test/mmap3.test b3c297e78e6a8520aafcc1a8f140535594c9086e
@@ -1653,7 +1654,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 43c6023bbf6b808ab4cfdbd1a63a516cbe2f1794c7787f8230632bae12e2ff59
-R 751623e94f5ae53084bb1caa4a774bfe
-U drh
-Z 37756b1d45e36db238c0646514cfea00
+P 378afa16381a222aafa6009dbbbc92473a69683537f1c265694678b0595a42c8
+R c2746be599de5d7ee9f8e8da17342031
+U dan
+Z cb084e7d60ad5fef0134c6ef29bfedb3
diff --git a/manifest.uuid b/manifest.uuid
index e1134062ff..97f1e33d3b 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-378afa16381a222aafa6009dbbbc92473a69683537f1c265694678b0595a42c8
\ No newline at end of file
+cf5bf42cad6e019a38dc0a36ff1f53ada619eef5259e175c3554a16669e03202
\ No newline at end of file
diff --git a/src/os_unix.c b/src/os_unix.c
index 0d7e494147..3951989359 100644
--- a/src/os_unix.c
+++ b/src/os_unix.c
@@ -5300,17 +5300,6 @@ static int fillInUnixFile(
 assert( pNew->pInode==NULL );
- /* Usually the path zFilename should not be a relative pathname. The
- ** exception is when opening the proxy "conch" file in builds that
- ** include the special Apple locking styles.
- */
-#if defined(__APPLE__) && SQLITE_ENABLE_LOCKING_STYLE
- assert( zFilename==0 || zFilename[0]=='/'
- || pVfs->pAppData==(void*)&autolockIoFinder );
-#else
- assert( zFilename==0 || zFilename[0]=='/' );
-#endif
-
 /* No locking occurs in temporary files */
 assert( zFilename!=0 || (ctrlFlags & UNIXFILE_NOLOCK)!=0 );
@@ -5673,16 +5662,11 @@ static int findCreateFileMode(
 */
 nDb = sqlite3Strlen30(zPath) - 1;
 while( zPath[nDb]!='-' ){
-#ifndef SQLITE_ENABLE_8_3_NAMES
- /* In the normal case (8+3 filenames disabled) the journal filename
- ** is guaranteed to contain a '-' character. */
- assert( nDb>0 );
- assert( sqlite3Isalnum(zPath[nDb]) );
-#else
- /* If 8+3 names are possible, then the journal file might not contain
- ** a '-' character. So check for that case and return early. */
+ /* In normal operation, the journal file name will always contain
+ ** a '-' character. However in 8+3 filename mode, or if a corrupt
+ ** rollback journal specifies a master journal with a goofy name, then
+ ** the '-' might be missing. */
 if( nDb==0 || zPath[nDb]=='.' ) return SQLITE_OK;
-#endif
 nDb--;
 }
 memcpy(zDb, zPath, nDb);
@@ -5968,6 +5952,7 @@ static int unixOpen(
 }
 #endif
+ assert( zPath==0 || zPath[0]=='/' || eType==SQLITE_OPEN_MASTER_JOURNAL );
 rc = fillInUnixFile(pVfs, fd, pFile, zPath, ctrlFlags);
 open_finished:
diff --git a/test/mjournal.test b/test/mjournal.test
new file mode 100644
index 0000000000..74d567e842
--- /dev/null
+++ b/test/mjournal.test
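Review bot: The new guard in findCreateFileMode only runs after the while condition has already read `zPath[nDb]`, so a zero-length zPath (nDb == -1 after the subtraction) would still index one byte before the buffer; the `nDb==0` test protects every later iteration but not the first. Whether an empty name can reach this function depends on its callers, which this diff does not show, so a pre-loop guard would make the function safe on its own terms: `if( nDb<0 ) return SQLITE_OK;` placed immediately before the `while`. With that in place the loop can never step below index 0 and the following `memcpy(zDb, zPath, nDb)` always receives a non-negative length. findCreateFileMode's body starts and ends outside this hunk.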
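Review bot: The assertion added in unixOpen exempts only SQLITE_OPEN_MASTER_JOURNAL, whereas the block it replaces in fillInUnixFile (the first hunk) also exempted the Apple proxy-locking conch file via `pVfs->pAppData==(void*)&autolockIoFinder`; that is harmless if the conch file is opened without passing through unixOpen, but the diff does not show this, so it is worth confirming under SQLITE_ENABLE_LOCKING_STYLE on macOS before the old clause is considered redundant. The reason for the master-journal exemption is stated only in the second hunk's comment, far from this line; a note next to the assert would keep the two together, e.g. `/* A master journal name is read from a rollback journal and so need not be absolute. */`. Because this is an assert it documents the invariant in debug builds only; the runtime protection for an oddly named master journal is the loop change in findCreateFileMode, which is the right place for it. unixOpen's body starts and ends outside this hunk.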
@@ -0,0 +1,62 @@
+# 2017 September 15
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+# This file implements regression tests for SQLite library.
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix mjournal
+
+# Test that nothing bad happens if a journal file contains a pointer to
+# a master journal file that does not have a "-" in the name. At one point
+# this was causing a segfault on unix.
+#
+do_execsql_test 1.0 {
+ CREATE TABLE t1(a, b);
+}
+
+do_test 1.1 {
+ forcedelete test.db2journal test.db-journal
+
+ close [open test.db-journal w]
+
+ hexio_write test.db-journal 0 746573742e6462326a6f75726e616c00
+ hexio_write test.db-journal 16 00000010
+ hexio_write test.db-journal 20 000005e1
+ hexio_write test.db-journal 24 d9d505f920a163d7
+
+ close [open test.db2journal w]
+ hexio_write test.db2journal 0 abcd
+} {2}
+
+do_execsql_test 1.2 {
+ SELECT * FROM t1;
+}
+
+do_test 1.3 {
+ forcedelete test0db2journal test.db-journal
+ close [open test.db-journal w]
+ hexio_write test.db-journal 0 74657374306462326a6f75726e616c00
+ hexio_write test.db-journal 16 00000010
+ hexio_write test.db-journal 20 000005e3
+ hexio_write test.db-journal 24 d9d505f920a163d7
+
+ close [open test0db2journal w]
+ hexio_write test0db2journal 0 abcd
+} {2}
+
+do_execsql_test 1.4 {
+ SELECT * FROM t1;
+}
+
+
+
+finish_test
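Review bot: The hex literals in do_test 1.1 and 1.3 are undocumented, so a reader cannot tell what kind of journal the test constructs or why the two cases differ. A comment above the hexio_write calls would fix that, e.g. `# Master-journal trailer: the name "test.db2journal\0" (16 bytes), its length, the byte-sum checksum (0x5e1) and the 8-byte journal magic`; 1.3 differs only in the name "test0db2journal" (checksum 0x5e3), which covers a master journal name containing neither '-' nor '.', while 1.1 covers one that contains a '.' but no '-'. It is also worth stating that the expected `{2}` is merely the byte count returned by the final hexio_write of "abcd", not a property under test; the real check is that the SELECT in 1.2 and 1.4 completes without crashing.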