From: drh <> Date: Mon, 12 Jun 2023 14:03:20 +0000 (+0000) Subject: Extra space to prevent a buffer overread on corrupt STAT4 records. X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c3ea529fd00232a18dad14407ddb44355390e26;p=thirdparty%2Fsqlite.git Extra space to prevent a buffer overread on corrupt STAT4 records. dbsqlfuzz 7128d1b41ce9df2c007f9c24c1e89e2f1b2590ca. FossilOrigin-Name: 566c4c14dd0ff0b68ef20968b0bbaee92f88374ee969ee6251dc3764ce935267 --- diff --git a/manifest b/manifest index ff981e9da8..2d8ad63f77 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Simplify\sa\smemcpy()\sin\sdefragmentPage().\s\sIt\snow\smight\scopy\smore\scontent\sthan\nis\sstrictly\snecessary,\sbut\sruns\sfaster\sand\suses\sless\scode\sspace.\s\sPossible\nreasons\sfor\sthe\simproved\sperformance:\n(1)\sthe\scopy\sis\snow\salways\s8-byte\saligned,\n(2)\sfewer\sintermediate\sresults\sare\srequired\swhich\smeans\sless\sregister\npressure\swhich\shelps\sthe\scompiler\sto\soptimize\sthe\ssubroutine. -D 2023-06-12T13:57:42.491 +C Extra\sspace\sto\sprevent\sa\sbuffer\soverread\son\scorrupt\sSTAT4\srecords.\ndbsqlfuzz\s7128d1b41ce9df2c007f9c24c1e89e2f1b2590ca. +D 2023-06-12T14:03:20.311 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 
@@ -569,7 +569,7 @@ F sqlite3.1 fc7ad8990fc8409983309bb80de8c811a7506786 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a F sqlite_cfg.h.in baf2e409c63d4e7a765e17769b6ff17c5a82bbd9cbf1e284fd2e4cefaff3fcf2 F src/alter.c 482c534877fbb543f8295992cde925df55443febac5db5438d5aaba6f78c4940 -F src/analyze.c a1f3061af16c99f73aed0362160176c31a6452de1b02ada1d68f6839f2a37df0 +F src/analyze.c d4cc28738c29e009640ec20ebb6936ba6fcefff0d11aa93398d9bb9a5ead6c1f F src/attach.c cc9d00d30da916ff656038211410ccf04ed784b7564639b9b61d1839ed69fd39 F src/auth.c f4fa91b6a90bbc8e0d0f738aa284551739c9543a367071f55574681e0f24f8cf F src/backup.c 5c97e8023aab1ce14a42387eb3ae00ba5a0644569e3476f38661fa6f824c3523 @@ -710,7 +710,7 @@ F src/vdbe.c fedd2dfa5165256c8e372f2ae9454c4a82cf60ce79a04dff80a86ab2116ea15a F src/vdbe.h 637ae853b7d42ae3951034cc63ab7c8af837861f79504cdb5399552fcd89a884 F src/vdbeInt.h a4147a4ddf613cb1bcb555ace9e9e74a9c099d65facd88155f191b1fb4d74cfb F src/vdbeapi.c b4982cde547054c4f7341198db3c3008a48e1eb028f757601bf5bf2fc026cbcf -F src/vdbeaux.c 6ee48db408d4c297a363f1e31145c09793a580e7c508bb36063dd017d67117a2 +F src/vdbeaux.c f247001fd9f4f873121289b27ee367d4f88f46d73b2405dfe3bde96c7e1e9982 F src/vdbeblob.c 2516697b3ee8154eb8915f29466fb5d4f1ae39ee8b755ea909cefaf57ec5e2ce F src/vdbemem.c 1cac4028c0dabbf1f3259f107440e2780e05ac9fe419e9709e6eb4e166ba714b F src/vdbesort.c 43756031ca7430f7aec3ef904824a7883c4ede783e51f280d99b9b65c0796e35 
@@ -755,7 +755,7 @@ F test/altertab2.test 62597b6fd08feaba1b6bfe7d31dac6117c67e06dc9ce9c478a3abe75b5 F test/altertab3.test 6c432fbb9963e0bd6549bf1422f6861d744ee5a80cb3298564e81e556481df16 F test/altertrig.test fb5951d21a2c954be3b8a8cf8e10b5c0fa20687c53fd67d63cea88d08dd058d5 F test/amatch1.test b5ae7065f042b7f4c1c922933f4700add50cdb9f -F test/analyze.test 547bb700f903107b38611b014ca645d6b5bb819f5210d7bf39c40802aafeb7d7 +F test/analyze.test 2fb21d7d64748636384e6cb8998dbf83968caf644c07fcb4f76c18f2e7ede94b F test/analyze3.test 03f4b3d794760cf15da2d85a52df9bae300e51c8fefe9c36cfae1f86dc10d23f F test/analyze4.test 68bd069f3ac7ac1e652ddd9f04f57d5606ddb4208450f5297005db7aa0dd707d F test/analyze5.test fa5131952303ac4146aba101b116b9c8cb89e2637531c334a6df7f7d19dddc0d @@ -2070,9 +2070,10 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 67cf7c40961f6d181577783e1c656abb56c4848d087794b6fc98f4d42aba48ea -Q +6e5607ae4d872954483a8d7a5c866aa41e4af70fae9652fb7eb211b316ab724d -R 9e713197d26123ab8cb7e4a08c8553b3 +P 1292d676ea68b9347e3b65b9945749deb45f07bf4c83aa5386c3efcade346932 +Q +ac1d3860af4eb30e4a7444b01d7b5afc91a4b1f5e3fe5414a491c6edc7ff1631 +Q +b99135288b157044e2319833e8632c89483778f876aa45ee66e46ffb6ae42ab2 +R cab5cfce99b12809365e97c7ceb9e8b2 U drh -Z baab49b89405629e93065e9370fc3930 +Z ee9f0385471ba7a1914d129936b18de9 # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 53b3f366e4..dcde303a13 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -1292d676ea68b9347e3b65b9945749deb45f07bf4c83aa5386c3efcade346932 \ No newline at end of file +566c4c14dd0ff0b68ef20968b0bbaee92f88374ee969ee6251dc3764ce935267 \ No newline at end of file 
diff --git a/src/analyze.c b/src/analyze.c
index 0823bcaefc..a7a8b6d665 100644
--- a/src/analyze.c
+++ b/src/analyze.c
@@ -1849,14 +1849,15 @@ static int loadStatTbl(
 decodeIntArray((char*)sqlite3_column_text(pStmt,2),nCol,pSample->anLt,0,0);
 decodeIntArray((char*)sqlite3_column_text(pStmt,3),nCol,pSample->anDLt,0,0);
- /* Take a copy of the sample. Add two 0x00 bytes the end of the buffer.
+ /* Take a copy of the sample. Add 8 extra 0x00 bytes the end of the buffer.
 ** This is in case the sample record is corrupted. In that case, the
 ** sqlite3VdbeRecordCompare() may read up to two varints past the
 ** end of the allocated buffer before it realizes it is dealing with
- ** a corrupt record. Adding the two 0x00 bytes prevents this from causing
+ ** a corrupt record. Or it might try to read a large integer from the
+ ** buffer. In any case, eight 0x00 bytes prevents this from causing
 ** a buffer overread. */
 pSample->n = sqlite3_column_bytes(pStmt, 4);
- pSample->p = sqlite3DbMallocZero(db, pSample->n + 2);
+ pSample->p = sqlite3DbMallocZero(db, pSample->n + 8);
 if( pSample->p==0 ){
 sqlite3_finalize(pStmt);
 return SQLITE_NOMEM_BKPT;
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index ecbf2d892e..37bd3d845e 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -4231,6 +4231,15 @@ static int vdbeRecordCompareDebug(
 if( d1+(u64)serial_type1+2>(u64)nKey1
 && d1+(u64)sqlite3VdbeSerialTypeLen(serial_type1)>(u64)nKey1
 ){
+ if( serial_type1>=1
+ && serial_type1<=7
+ && d1+(u64)sqlite3VdbeSerialTypeLen(serial_type1)<=(u64)nKey1+8
+ && CORRUPT_DB
+ ){
+ return 1; /* corrupt record not detected by
+ ** sqlite3VdbeRecordCompareWithSkip(). Return true
+ ** to avoid firing the assert() */
+ }
 break;
 }
diff --git a/test/analyze.test b/test/analyze.test
index ca6c9b096d..f97c78aff1 100644
--- a/test/analyze.test
+++ b/test/analyze.test
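Review bot: The slack added at `pSample->p = sqlite3DbMallocZero(db, pSample->n + 8);` is a bare magic number that has to stay in step with the `(u64)nKey1+8` tolerance the vdbeaux.c hunk adds to vdbeRecordCompareDebug(); nothing ties the two sites together, so a later change to either one would silently reintroduce the overread or a spurious assert. A comment at each site naming the other, e.g. `/* +8 slack: vdbeRecordCompareDebug() tolerates reads up to 8 bytes past nKey1 */` here, or better a single named constant visible to both files, would make the coupling explicit. The 8 presumably corresponds to the widest serial type in the 1..7 range the debug comparator now tolerates, which is worth saying in the comment instead of "a large integer". The rewritten comment also reads "Add 8 extra 0x00 bytes the end of the buffer" and "eight 0x00 bytes prevents"; "at the end" and "prevent" would fix the grammar. loadStatTbl() starts and ends outside the hunk.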
@@ -377,4 +377,23 @@ do_execsql_test analyze-6.1 {
 SELECT tbl FROM sqlite_stat1 WHERE idx IS NULL ORDER BY tbl;
 } {SQLiteDemo2 sqliteDemo t1}
+# The following caused a small buffer overread in STAT4 processing prior
+# to check-in [b99135288b157044].
+#
+ifcapable stat4 {
+ reset_db
+ database_may_be_corrupt
+ do_execsql_test analyze-7.1 {
+ CREATE TABLE t1(a INTEGER PRIMARY KEY, b INTEGER);
+ INSERT INTO t1 VALUES(1, 7223372036854775);
+ INSERT INTO t1 VALUES(2, 7223372036854776);
+ INSERT INTO t1 VALUES(3, 7223372036854777);
+ CREATE INDEX i1 ON t1(b);
+ ANALYZE;
+ UPDATE sqlite_stat4 SET sample = substr(sample, 0, 4);
+ ANALYZE sqlite_schema;
+ SELECT * FROM t1 WHERE b>7223372036854775
+ } {2 7223372036854776 3 7223372036854777}
+}
+
 finish_test
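Review bot: The line `UPDATE sqlite_stat4 SET sample = substr(sample, 0, 4);` is the whole point of analyze-7.1 but is unexplained; with SQLite's zero-origin substr() this appears to keep only the first three bytes of each sample, cutting the record in the middle of its integer field, which is what drove the overread. A comment above it such as `# Truncate every sample to its first 3 bytes so the integer field runs past the end of the record.` would also tell the next reader why values around 7223372036854775 were chosen (presumably large enough to need the widest integer serial type). The expected result only checks that the query still returns the right rows; the overread itself is presumably only observable under a sanitizer or similar memory checker, which the comment could note so nobody weakens the test thinking it is redundant.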