From: dan Date: Fri, 26 Jun 2015 18:50:29 +0000 (+0000) Subject: Fix some cases in the fts5 code where a corrupt database could cause a buffer overread. X-Git-Tag: version-3.8.11~114^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6fbeb2259692e42438e73805db10eb44dabe79cd;p=thirdparty%2Fsqlite.git Fix some cases in the fts5 code where a corrupt database could cause a buffer overread. FossilOrigin-Name: 360c57bbb8bad6cc84af140f61e0282fa06462b4 --- diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c index d82d194a52..ff66dce441 100644 --- a/ext/fts5/fts5_index.c +++ b/ext/fts5/fts5_index.c @@ -1847,7 +1847,7 @@ static void fts5SegIterNext( fts5SegIterNextPage(p, pIter); pLeaf = pIter->pLeaf; if( pLeaf==0 ) break; - if( (iOff = fts5GetU16(&pLeaf->p[0])) ){ + if( (iOff = fts5GetU16(&pLeaf->p[0])) && iOffn ){ iOff += sqlite3Fts5GetVarint(&pLeaf->p[iOff], (u64*)&pIter->iRowid); pIter->iLeafOffset = iOff; } @@ -1855,6 +1855,10 @@ static void fts5SegIterNext( pIter->iLeafOffset = iOff; bNewTerm = 1; } + if( iOff>=pLeaf->n ){ + p->rc = FTS5_CORRUPT; + return; + } } } @@ -2025,6 +2029,7 @@ static void fts5SegIterSeekInit( int h; int bGe = (flags & FTS5INDEX_QUERY_SCAN); int bDlidx = 0; /* True if there is a doclist-index */ + Fts5Data *pLeaf; assert( bGe==0 || (flags & FTS5INDEX_QUERY_DESC)==0 ); assert( pTerm && nTerm ); 
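Review bot: A nonzero rowid offset that fails the new `iOff<pLeaf->n` test is not itself reported as corruption; control drops past the `if` and, judging by the `bNewTerm = 1` branch visible in the next hunk, the page is then reinterpreted from the term offset at `p[2]`, so the bad header is only caught if that second offset is also out of range. Testing the offset on its own right after it is read, `if( iOff>=pLeaf->n ){ p->rc = FTS5_CORRUPT; return; }`, would report the corruption where it is detected instead of relying on the later check. The condition is rendered here as `iOffn`, which looks like `iOff<pLeaf->n` with the operator lost in extraction. The loop header of fts5SegIterNext and the branch that follows this `if` lie outside the hunk.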
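Review bot: On the corrupt path the iterator is left with `pIter->pLeaf` still attached and `pIter->iLeafOffset` already holding the out-of-range offset assigned just above, so only `p->rc` signals that the iterator must not be read further. The caller shown in the fts5SegIterSeekInit hunk tests both `pIter->pLeaf` and `p->rc`, but a caller that checks `pLeaf` alone would keep going; releasing the page and clearing the pointer before returning, as the EOF path in that hunk does (`fts5DataRelease(pIter->pLeaf); pIter->pLeaf = 0;`), would make the error state self-describing. fts5SegIterNext continues outside this hunk.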
@@ -2063,21 +2068,25 @@ static void fts5SegIterSeekInit( pIter->iLeafPgno = iPg - 1; fts5SegIterNextPage(p, pIter); - if( pIter->pLeaf ){ + if( (pLeaf = pIter->pLeaf) ){ int res; - pIter->iLeafOffset = fts5GetU16(&pIter->pLeaf->p[2]); - fts5SegIterLoadTerm(p, pIter, 0); - fts5SegIterLoadNPos(p, pIter); - do { - res = fts5BufferCompareBlob(&pIter->term, pTerm, nTerm); - if( res>=0 ) break; - fts5SegIterNext(p, pIter, 0); - }while( pIter->pLeaf && p->rc==SQLITE_OK ); - - if( bGe==0 && res ){ - /* Set iterator to point to EOF */ - fts5DataRelease(pIter->pLeaf); - pIter->pLeaf = 0; + pIter->iLeafOffset = fts5GetU16(&pLeaf->p[2]); + if( pIter->iLeafOffset<4 || pIter->iLeafOffset>=pLeaf->n ){ + p->rc = FTS5_CORRUPT; + }else{ + fts5SegIterLoadTerm(p, pIter, 0); + fts5SegIterLoadNPos(p, pIter); + do { + res = fts5BufferCompareBlob(&pIter->term, pTerm, nTerm); + if( res>=0 ) break; + fts5SegIterNext(p, pIter, 0); + }while( pIter->pLeaf && p->rc==SQLITE_OK ); + + if( bGe==0 && res ){ + /* Set iterator to point to EOF */ + fts5DataRelease(pIter->pLeaf); + pIter->pLeaf = 0; + } } } @@ -2525,7 +2534,7 @@ static void fts5MultiIterNew( int nSegment, /* Number of segments to merge (iLevel>=0) */ Fts5MultiSegIter **ppOut /* New object */ ){ - int nSeg; /* Number of segment-iters in use */ + int nSeg = 0; /* Number of segment-iters in use */ int iIter = 0; /* */ int iSeg; /* Used to iterate through segments */ Fts5StructureLevel *pLvl; @@ -4928,8 +4937,12 @@ static void fts5IndexIntegrityCheckSegment( if( pLeaf ){ i64 iRowid; int iRowidOff = fts5GetU16(&pLeaf->p[0]); - fts5GetVarint(&pLeaf->p[iRowidOff], (u64*)&iRowid); - if( iRowid!=fts5DlidxIterRowid(pDlidx) ) p->rc = FTS5_CORRUPT; + if( iRowidOff>=pLeaf->n ){ + p->rc = FTS5_CORRUPT; + }else{ + fts5GetVarint(&pLeaf->p[iRowidOff], (u64*)&iRowid); + if( iRowid!=fts5DlidxIterRowid(pDlidx) ) p->rc = FTS5_CORRUPT; + } fts5DataRelease(pLeaf); } } diff --git a/manifest b/manifest index 77f03ee837..841501ef8d 100644 --- a/manifest 
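Review bot: The lower bound in `pIter->iLeafOffset<4` is an unexplained constant; since the code reads `p[0]` and `p[2]` as 16-bit offsets, it appears to be the size of the page header, and a comment such as `/* offsets inside the 4-byte page header (rowid offset at p[0], term offset at p[2]) are corrupt */` would record that for the next reader. The `fts5GetU16(&pLeaf->p[2])` just before the check itself assumes `pLeaf->n>=4`; if fts5SegIterNextPage does not guarantee a minimum page size (not visible here), that read needs the same guard before the offset is used. fts5SegIterSeekInit begins before this hunk.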
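Review bot: The new guard accepts `iRowidOff==0`, whereas fts5SegIterNext (hunk at 1847) treats a zero rowid offset as "no rowid on this page"; here a zero would decode the varint from the page header bytes and compare a meaningless value against `fts5DlidxIterRowid(pDlidx)`, so the corruption would most likely be reported by accident rather than by design. `if( iRowidOff==0 || iRowidOff>=pLeaf->n )` would reject it explicitly. The check also only places the first byte of the varint inside the page; unless Fts5Data buffers carry trailing padding (not visible here), a varint that starts in the last few bytes can still run past `n`, and the same applies to the reads guarded in the 1847 and 2063 hunks. The loop of fts5IndexIntegrityCheckSegment around this block lies outside the hunk.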
+++ b/manifest
@@ -1,5 +1,5 @@
-C Merge\schanges\sto\sget\sFTS5\sworking\swith\sMSVC.
-D 2015-06-26T17:10:12.989
+C Fix\ssome\scases\sin\sthe\sfts5\scode\swhere\sa\scorrupt\sdatabase\scould\scause\sa\sbuffer\soverread.
+D 2015-06-26T18:50:29.818
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 285a0a234ed7610d431d91671c136098c2bd86a9
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -112,7 +112,7 @@ F ext/fts5/fts5_buffer.c 7428b0bcb257641cbecc3bacce7f40686cf99f36
 F ext/fts5/fts5_config.c d40da53f5e94214c553b2af3d6fd9aebac5f3f05
 F ext/fts5/fts5_expr.c 3386ab0a71dbab7e1259c3b16d6113c97d14123e
 F ext/fts5/fts5_hash.c c1cfdb2cae0fad00b06fae38a40eaf9261563ccc
-F ext/fts5/fts5_index.c 0c5a5218eb9fddd65c7d5bbad72c383d102c9648
+F ext/fts5/fts5_index.c ad32235180757f182050b8d24c9dbe61056385d2
 F ext/fts5/fts5_main.c c5b2a219d65967c07fd1bc8fd45206863a2fe360
 F ext/fts5/fts5_storage.c 3e672a0d35f63979556903861b324e7b8932cecc
 F ext/fts5/fts5_tcl.c b82f13f73a30f0959f539743f8818bece994a970
@@ -1364,8 +1364,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 48bd54594752d5be3337f12c72f28d2080cb630b
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P c91a93b343b4d3b1a19afdb5d23d1c508f9779d2 bfcd16089cf8c65130c011a9718bf7812685c841
-R 297861c6724b6a9194bdf2ab25858763
-T +closed bfcd16089cf8c65130c011a9718bf7812685c841
-U mistachkin
-Z d2f82b98bab3ebc4b4555fb7502228b7
+P 954231d29d60460d423ecb132bbfb725b0ea375a
+R f24cf4dc2b8231a9cc4f2e0f89642df3
+U dan
+Z eeb5dd5cce2b08a289c0b394982d9461
diff --git a/manifest.uuid b/manifest.uuid
index 8cd37282a3..9fa8bd840d 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-954231d29d60460d423ecb132bbfb725b0ea375a
\ No newline at end of file
+360c57bbb8bad6cc84af140f61e0282fa06462b4
\ No newline at end of file