From: dan
Date: Mon, 5 Mar 2018 21:17:20 +0000 (+0000)
Subject: Fix another crash in the sessions module triggered by malformed input.
X-Git-Tag: version-3.23.0~88
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6344edda80117a6e5853ecb4454e383fc5342d2a;p=thirdparty%2Fsqlite.git
Fix another crash in the sessions module triggered by malformed input.
FossilOrigin-Name: 7e70c9b86af557e86152748ddf1da467e62817b35df1da0d7d3b67941b198897
---
diff --git a/ext/session/session4.test b/ext/session/session4.test
index bf55e362c6..0b4af9e779 100644
--- a/ext/session/session4.test
+++ b/ext/session/session4.test
@@ -129,6 +129,7 @@ foreach {tn blob} {
 53 540101743400120003001200010000000000000002120002400C000000000000500401000000743100170001000002400C00000000000050040110000074310017000000000000050100000000000000030100000003001700010000666F7572
 54 540101743400120003001200010000000000000002120002400C000000000002120002400C00000000000050040100000074310017FF0050040100000074310017FF7F00000000000000050100000000000000030100000003001700010000666F7572
 55 540101743400120003001200010000000000000002120002400C00000000000050040100000074310017000100010080000001000000020003010100000300170100000003001700010000666F7572
+ 56 5487ffffff7f
 } {
 do_test 2.$tn {
 set changeset [binary decode hex $blob]
diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
index 04ca5b2b30..9b96c5ca6f 100644
--- a/ext/session/sqlite3session.c
+++ b/ext/session/sqlite3session.c
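Review bot: The new vector 56 appears to pin only the extreme case — after the leading 0x54 byte, `87ffffff7f` decodes as a varint to 0x7fffffff — so the 65536 column cap introduced in the companion sqlite3session.c hunk is not exercised at its edge. Two further vectors, one whose column count decodes to 65536 (not rejected by the `nCol>65536` test) and one decoding to 65537 (must be treated as corrupt), would catch a later change to that constant. The do_test body that states the expected outcome lies outside the hunk, so the expected result for 56 is presumed rather than checked here.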
@@ -2786,7 +2786,14 @@ static int sessionChangesetBufferTblhdr(SessionInput *pIn, int *pnByte){
 rc = sessionInputBuffer(pIn, 9);
 if( rc==SQLITE_OK ){
 nRead += sessionVarintGet(&pIn->aData[pIn->iNext + nRead], &nCol);
- if( nCol<0 ){
+ /* The hard upper limit for the number of columns in an SQLite
+ ** database table is, according to sqliteLimit.h, 32676. So
+ ** consider any table-header that purports to have more than 65536
+ ** columns to be corrupt. This is convenient because otherwise,
+ ** if the (nCol>65536) condition below were omitted, a sufficiently
+ ** large value for nCol may cause nRead to wrap around and become
+ ** negative. Leading to a crash. */
+ if( nCol<0 || nCol>65536 ){
 rc = SQLITE_CORRUPT_BKPT;
 }else{
 rc = sessionInputBuffer(pIn, nRead+nCol+100);
diff --git a/manifest b/manifest
index 2c9a313961..045661d802 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Improved\scommand-line\shelp\sfor\sthe\s-A\soption\son\sthe\sCLI.
-D 2018-03-05T20:21:50.703
+C Fix\sanother\scrash\sin\sthe\ssessions\smodule\striggered\sby\smalformed\sinput.
+D 2018-03-05T21:17:20.992
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in a2d2fb8d17c39ab5ec52beb27850b903949080848236923f436156b72a958737
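Review bot: The comment added above the new condition describes the failure as nRead "wrapping around" to a negative value, but if nRead and nCol are plain int as the wording implies (their declarations are outside the hunk), the `nRead+nCol+100` on the following line is signed overflow, which is undefined behaviour in C rather than a defined wrap; a more precise last sentence would be `** large value for nCol would make nRead+nCol+100 overflow (undefined behaviour), which in practice yielded a negative buffer size and a crash. */`. The bound is also spelled out twice, once in the prose and once in `if( nCol<0 || nCol>65536 ){`; a named constant next to the function would keep the two from drifting apart. sessionChangesetBufferTblhdr continues outside the hunk, so whether later reads depend on this same bound cannot be confirmed here.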
@@ -381,7 +381,7 @@ F ext/session/changeset.c 4ccbaa4531944c24584bf6a61ba3a39c62b6267a
 F ext/session/session1.test 736d7ff178662f0b717c37f46531b84a5ce0210ccb0c4edf629c55dbcbbc3ea1
 F ext/session/session2.test 284de45abae4cc1082bc52012ee81521d5ac58e0
 F ext/session/session3.test ce9ce3dfa489473987f899e9f6a0f2db9bde3479
-F ext/session/session4.test efd7a46ed6a954d51ab00bdc4d656d2bc31e46be64393224cf6acf1319fbd32c
+F ext/session/session4.test 3eea8058643e5adbd3293a5c553255c35e774ed90e7cbec09c9b010d176ad396
 F ext/session/session5.test 716bc6fafd625ce60dfa62ae128971628c1a1169
 F ext/session/session6.test 443789bc2fca12e4f7075cf692c60b8a2bea1a26
 F ext/session/session8.test 8e194b3f655d861ca36de5d4de53f702751bab3b
@@ -402,7 +402,7 @@ F ext/session/sessionfault.test da273f2712b6411e85e71465a1733b8501dbf6f7
 F ext/session/sessionfault2.test 04aa0bc9aa70ea43d8de82c4f648db4de1e990b0
 F ext/session/sessionstat1.test 41cd97c2e48619a41cdf8ae749e1b25f34719de638689221aa43971be693bf4e
 F ext/session/sessionwor.test 2f3744236dc8b170a695b7d8ddc8c743c7e79fdc
-F ext/session/sqlite3session.c 0b7f1b8eb5b5a83fd96127b93139eadd2f2e2915c1eaceab4f5d771719c0c22f
+F ext/session/sqlite3session.c 9edfaaa74977ddecd7bbd94e8f844d9b0f6eec22d1d547e806361670db814c1e
 F ext/session/sqlite3session.h 2e1584b030fbd841cefdce15ba984871978d305f586da2d1972f6e1958fa10b1
 F ext/session/test_session.c eb0bd6c1ea791c1d66ee4ef94c16500dad936386
 F ext/userauth/sqlite3userauth.h 7f3ea8c4686db8e40b0a0e7a8e0b00fac13aa7a3
@@ -1708,7 +1708,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 9d8081fabc491ba75d26ea81b3548bd10aeeb3334b0ad1462d7ab656c8d7c35e
-R cf208e3188f8857ac2b128855f71c9f9
-U drh
-Z b77ef973214333cff99a9bfbab13dccb
+P d937ac181c5c78b9e5068db4ff1dab6becdba8c22cd27a3cfa0d4c12da1ec7ad
+R 81faf4bc4e37be1b18b8f0d06bd24da5
+U dan
+Z b0ded38a3d14d974acb7e101a7fd9d64
diff --git a/manifest.uuid b/manifest.uuid
index 01c92aabe5..7ccd9d570f 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-d937ac181c5c78b9e5068db4ff1dab6becdba8c22cd27a3cfa0d4c12da1ec7ad
\ No newline at end of file
+7e70c9b86af557e86152748ddf1da467e62817b35df1da0d7d3b67941b198897
\ No newline at end of file