From: dan
Date: Thu, 24 Jan 2019 17:41:12 +0000 (+0000)
Subject: Fix a buffer overread in fts3 that could occur in a prefix query on a corrupted database.
X-Git-Tag: version-3.27.0~86
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=813ed78054b8d765631150fad12bd60cd437e263;p=thirdparty%2Fsqlite.git

Fix a buffer overread in fts3 that could occur in a prefix query on a corrupted database.

FossilOrigin-Name: d0d5689371577b2861d4a9464443d055f3256f3f51d89e0388233a4cbe2601ee
---

diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
index 267f85163b..9996611b16 100644
--- a/ext/fts3/fts3.c
+++ b/ext/fts3/fts3.c
@@ -2548,7 +2548,7 @@ static int fts3DoclistOrMerge(
   ** A symetric argument may be made if the doclists are in descending
   ** order.
   */
-  aOut = sqlite3_malloc64((sqlite3_int64)n1+n2+FTS3_VARINT_MAX-1);
+  aOut = sqlite3_malloc64((i64)n1+n2+FTS3_VARINT_MAX-1+FTS3_BUFFER_PADDING);
   if( !aOut ) return SQLITE_NOMEM;
   p = aOut;
@@ -2577,10 +2577,12 @@ static int fts3DoclistOrMerge(
   if( rc!=SQLITE_OK ){
     sqlite3_free(aOut);
     p = aOut = 0;
+  }else{
+    assert( (p-aOut)<=n1+n2+FTS3_VARINT_MAX-1 );
+    memset(&aOut[(p-aOut)], 0, FTS3_BUFFER_PADDING);
   }
   *paOut = aOut;
   *pnOut = (int)(p-aOut);
-  assert( *pnOut<=n1+n2+FTS3_VARINT_MAX-1 );
   return rc;
 }
diff --git a/manifest b/manifest
index aff3852092..eeded3f3c7 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sproblem\swith\srunning\sALTER\sTABLE\son\sa\sschema\sthat\scontains\sexpressions\sof\sthe\stype\s"col\sIN\s()"\s(empty\sset\son\sRHS\sof\sIN\soperator).
-D 2019-01-24T16:27:10.406
+C Fix\sa\sbuffer\soverread\sin\sfts3\sthat\scould\soccur\sin\sa\sprefix\squery\son\sa\scorrupted\sdatabase.
+D 2019-01-24T17:41:12.741
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in 0e7c107ebcaff26681bc5bcf017557db85aa828d6f7fd652d748b7a78072c298
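Review bot: The memset added in the new else branch writes FTS3_BUFFER_PADDING bytes starting at p, and only the assert directly above it ties that write to the enlarged allocation in the first hunk; nothing in the code says why the padding exists or who reads it. A one-line comment above the memset would make the contract explicit, e.g. `/* Zero the FTS3_BUFFER_PADDING tail so a reader that runs past the end of a corrupt doclist sees zeros rather than heap contents */` — the commit message suggests that is the overread being fixed, but the reading side is not visible in this diff. The assert's bound is the malloc size minus FTS3_BUFFER_PADDING, so the comment should also name that relationship to keep the two hunks from drifting apart if either expression is edited later. fts3DoclistOrMerge begins before the hunk, so its parameters and callers are outside this view.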
@@ -80,7 +80,7 @@ F ext/fts3/README.content fdc666a70d5257a64fee209f97cf89e0e6e32b51
 F ext/fts3/README.syntax a19711dc5458c20734b8e485e75fb1981ec2427a
 F ext/fts3/README.tokenizers e0a8b81383ea60d0334d274fadf305ea14a8c314
 F ext/fts3/README.txt 8c18f41574404623b76917b9da66fcb0ab38328d
-F ext/fts3/fts3.c 560cc692cf054c3599b462836c4ed5cfc015fb49cf42e9700a84f7df84dbd181
+F ext/fts3/fts3.c c8b68202dd9ae7a4a1f843c8c7bab108a9b43729444d4544d357eac59715b8cd
 F ext/fts3/fts3.h 3a10a0af180d502cecc50df77b1b22df142817fe
 F ext/fts3/fts3Int.h 6c666f314caaeb8fe8e4c1a2d84f8b34406647429a43e8f475b0b0074ad41861
 F ext/fts3/fts3_aux.c 32e3ecada9014ff577022f9b44c9c5654d59405b39dc57ba8977298157e8c89b
@@ -918,7 +918,7 @@ F test/fts3conf.test c84bbaec81281c1788aa545ac6e78a6bd6cde2bdbbce2da261690e3659f
 F test/fts3corrupt.test 46b9ddda7f6588fd5a5b1f4bb4fc0618dc45010e7dddb8a3a188baf3197177ae
 F test/fts3corrupt2.test bf55c3fa0b0dc8ea1c0fe5543623bd27714585da6a129038fd6999fe3b0d25f3
 F test/fts3corrupt3.test 0d5b69a0998b4adf868cc301fc78f3d0707745f1d984ce044c205cdb764b491f
-F test/fts3corrupt4.test 9cc4ae536c28eef2d5a01ca2e128dd9237bd162beb9774a0314b3b34ee5f2053
+F test/fts3corrupt4.test c2797baa11665b2ca87287b3e33155d4464cc4461b5e7e000b0b24a6035fd352
 F test/fts3cov.test cb932743da52a1c79a1ab8983e26c8121cf02263d6ff16e1f642e6f9b8348338
 F test/fts3d.test 2bd8c97bcb9975f2334147173b4872505b6a41359a4f9068960a36afe07a679f
 F test/fts3defer.test f4c20e4c7153d20a98ee49ee5f3faef624fefc9a067f8d8d629db380c4d9f1de
@@ -1802,7 +1802,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 008112bcef561a8a3ebfb007cbef36cbc0071f547e6ebdba3d3bbb39e2c48c7a
-R 523a2eff32fe7ae56ab8feb2e43f8b41
+P 2d9cd06715092c312c8c0ec392696a0e90ed090b074e2082e0b830f1399aa941
+R aefdd33a1c83587ad3b0becf4339d1cc
 U dan
-Z 25bb1be3c29e0b5fdd31f536b284fa69
+Z df47a0dfd1efad16167473814c8098a6
diff --git a/manifest.uuid b/manifest.uuid
index c0b6dffa95..c8a242b3f7 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-2d9cd06715092c312c8c0ec392696a0e90ed090b074e2082e0b830f1399aa941
\ No newline at end of file
+d0d5689371577b2861d4a9464443d055f3256f3f51d89e0388233a4cbe2601ee
\ No newline at end of file
diff --git a/test/fts3corrupt4.test b/test/fts3corrupt4.test
index e38425be95..d98f69a666 100644
--- a/test/fts3corrupt4.test
+++ b/test/fts3corrupt4.test
@@ -2151,5 +2151,16 @@ do_catchsql_test 14.2 {
   INSERT INTO t1(t1) VALUES('optimize');
 } {1 {database disk image is malformed}}
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 15.0 {
+  CREATE VIRTUAL TABLE t1 USING fts3(a, content="");
+  INSERT INTO t1_segdir VALUES(0,0,0,0,'0 665',X'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');
+}
+
+do_execsql_test 15.1 {
+  SELECT quote(matchinfo(t1, t1 ))==0 FROM t1 WHERE t1 MATCH 'e*';
+} {0 0 0 0 0 0}
+
 finish_test