From: drh Date: Wed, 22 Jul 2020 20:12:10 +0000 (+0000) Subject: Improvements to rootpage bounds checking during schema parse. X-Git-Tag: version-3.33.0~36^2~8^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=69306bf43a3abef2af1de9d9846b76650914485f;p=thirdparty%2Fsqlite.git Improvements to rootpage bounds checking during schema parse. FossilOrigin-Name: 75599a9731be19e213a8ae174b038a43381bc6883a6b7f4058c2c1625fdea432
---
diff --git a/manifest b/manifest
index a677fefb1e..f6a100715d 100644
--- a/manifest
+++ b/manifest
@@ -1,16 +1,16 @@ B d2aac001204621062e6cb3230ce2ac1b4545cb83b3ebb6bfebccee4d51162e97 -C When\sparsing\sthe\sschema,\sdetect\sout-of-bounds\srootpage\svalues\sand\sthrow\san\nerror. -D 2020-07-22T18:03:56.431 +C Improvements\sto\srootpage\sbounds\schecking\sduring\sschema\sparse. +D 2020-07-22T20:12:10.870 F src/analyze.c 5cffff3d355858cd22bfc6e20ac7203510d2e1cc935086eb06f4abb2f579f628 F src/btree.c a4720f51945a86379ecd962a715d6fe9de08651a67d1e6f7b4884612da83ceb5 F src/btree.h 7af72bbb4863c331c8f6753277ab40ee67d2a2125a63256d5c25489722ec162b F src/btreeInt.h 83166f6daeb91062b6ae9ee6247b3ad07e40eba58f3c05ba9e8dedad4ab1ea38 F src/build.c f2b73fbb2197fb6e6a35ff2e1750085f023dc50542185f1a2dfccd632223eb14 F src/pager.c a5f65ff2cd73b8d381cc7b338cac382ca6978d578fa0b84fdaa11d3cdc3c3e18 -F src/prepare.c 752643468bab27081bee439a7a727b616db2997e2ecdae132e8c786f8e44bcec +F src/prepare.c 8e7300f91270fd2dca9852419eb0a0d282220b0faddb04890131738f7fcd5c56 F src/select.c 0e75d64091200a2a8fdc02abafe176a0c2e9b2654c4cc34564f25f0b408e91de F src/sqliteInt.h ec260b2441d94ef0b5be424c323cf255ae30d23e2fb2bd1c42a3a59c2fbafedb -F src/util.c 58bf59fb0923017619c9c53957a676ff2322314b2547f6a223e0707e7ba505de +F src/util.c 9ae0b629657ca10abde2f27f5dc3e545cb66d298d111bac062b236a099f8df2d F src/vdbe.c 120fdb1add80309cf1b4d6cc88b7f4e0580e816ded743a8f495fff9ef35a4e0a F src/vdbe.h 83603854bfa5851af601fc0947671eb260f4363e62e960e8a994fb9bbcd2aaa1 F src/vdbeInt.h 762abffb7709f19c2cb74af1bba73a900f762e64f80d69c31c9ae89ed1066b60 
@@ -18,10 +18,7 @@ F src/vdbeaux.c 1cbbbffdb874c6f3e7aab40f3deb48abac4a71df1043cd95bb0d652d4e053871 F src/wherecode.c 8064fe5c042824853a9b1fda670054a51a49033a6c79059988c97751ccf8088e F test/corrupt3.test 2520432b1fbf99994841e69804a3c59fb828183f4d09b85a1631bc7adca17e31 F tool/showdb.c 49e810f5c414c792b5bf38cd5557ca9639713ebfef32aaff32faf7cb7ccce513 -P 4c5f3c6cacf84a36d0347790d98d82d1f584cd1537a13a2736348405c4d20367 -R ccc7b0ae4ada19d710420f989f7c9313 -T *branch * rootpage-bounds-check -T *sym-rootpage-bounds-check * -T -sym-larger-databases * +P 6c3a2727dc912ed800146e07db5d15d0f3468d13701165ba763c4b114c3e18e8 +R 8ead1dc407d0990e3de43a2746002935 U drh -Z c08f65e2e744a2c088ae7728fbcd5c94 +Z 6533392daf1a1cab3900f2468d6a420b diff --git a/manifest.uuid b/manifest.uuid index b93907488d..de3900513b 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -6c3a2727dc912ed800146e07db5d15d0f3468d13701165ba763c4b114c3e18e8 \ No newline at end of file +75599a9731be19e213a8ae174b038a43381bc6883a6b7f4058c2c1625fdea432 \ No newline at end of file diff --git a/src/prepare.c b/src/prepare.c index 84f2ee8a23..0be11a226b 100644 --- a/src/prepare.c +++ b/src/prepare.c @@ -115,10 +115,10 @@ int sqlite3InitCallback(void *pInit, int argc, char **argv, char **NotUsed){ assert( db->init.busy ); db->init.iDb = iDb; - sqlite3GetUInt32(argv[3], &db->init.newTnum); - if( db->init.newTnum>pData->mxPage && pData->mxPage!=0 ){ + if( sqlite3GetUInt32(argv[3], &db->init.newTnum)==0 + || (db->init.newTnum>pData->mxPage && pData->mxPage>0) + ){ corruptSchema(pData, argv[1], "invalid rootpage"); - return 0; } db->init.orphanTrigger = 0; db->init.azInit = argv; 
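Review bot: With `return 0;` dropped from the rootpage check in sqlite3InitCallback, a rootpage larger than `pData->mxPage` is reported through corruptSchema() but `db->init.newTnum` keeps the out-of-range value as execution continues into `db->init.orphanTrigger = 0;` and whatever follows. If carrying on is intended, a comment in the error branch should say so, for example `/* newTnum may be out of range here; corruptSchema() has recorded the error */`, so the next reader does not restore the early return or assume the field is always valid. The guard here is written `pData->mxPage>0` while the index branch later in the same function still uses `pData->mxPage!=0`; using one form in both places would avoid the question of whether they differ. The rest of the function is outside this hunk, so what consumes newTnum afterwards cannot be confirmed from here.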
@@ -152,13 +152,15 @@ int sqlite3InitCallback(void *pInit, int argc, char **argv, char **NotUsed){ */ Index *pIndex; pIndex = sqlite3FindIndex(db, argv[1], db->aDb[iDb].zDbSName); - if( pIndex==0 - || sqlite3GetUInt32(argv[3],&pIndex->tnum)==0 + if( pIndex==0 ){ + corruptSchema(pData, argv[1], "orphan index"); + }else + if( sqlite3GetUInt32(argv[3],&pIndex->tnum)==0 || pIndex->tnum<2 || (pIndex->tnum>pData->mxPage && pData->mxPage!=0) || sqlite3IndexHasDuplicateRootPage(pIndex) ){ - corruptSchema(pData, argv[1], pIndex?"invalid rootpage":"orphan index"); + corruptSchema(pData, argv[1], "invalid roopage"); } } return 0; diff --git a/src/util.c b/src/util.c index 58d1cdd5c3..64ab4e95dc 100644 --- a/src/util.c +++ b/src/util.c @@ -874,9 +874,9 @@ int sqlite3GetUInt32(const char *z, u32 *pI){ int i; for(i=0; sqlite3Isdigit(z[i]); i++){ v = v*10 + z[i] - '0'; - if( v>4294967296LL ) return 0; + if( v>4294967296LL ){ *pI = 0; return 0; } } - if( i==0 || z[i]!=0 ) return 0; + if( i==0 || z[i]!=0 ){ *pI = 0; return 0; } *pI = (u32)v; return 1; }
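Review bot: The message in the new `corruptSchema(pData, argv[1], "invalid roopage");` call is misspelled and should be `"invalid rootpage"`, the text used by the table branch earlier in this function and by the line this hunk removes. Tests, log filters or alerting that match on the error string would otherwise miss corrupt index entries. The `}else` with `if(` on the following line would also read more clearly as a single `}else if( sqlite3GetUInt32(argv[3],&pIndex->tnum)==0` line.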
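Review bot: The overflow guard `if( v>4294967296LL )` in sqlite3GetUInt32 still admits exactly 4294967296 (2^32), so that input reaches `*pI = (u32)v;`, is truncated to 0 and the function returns 1. Because this commit makes the rootpage validation in prepare.c depend on the return value, the bound should be the largest u32: `if( v>4294967295LL ){ *pI = 0; return 0; }`. This assumes `v` is a 64-bit accumulator; its declaration is above the hunk. The function's header comment, also outside the hunk, should state that `*pI` is now set to 0 on failure, since other callers may have relied on it being left untouched.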