From: drh Date: Wed, 15 Oct 2014 11:55:51 +0000 (+0000) Subject: Add a four-byte prefix to the BtShared.pTmpSpace buffer to avoid reading X-Git-Tag: version-3.8.7~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92787cf0424ab04692843582c2ab9552c82b1c21;p=thirdparty%2Fsqlite.git Add a four-byte prefix to the BtShared.pTmpSpace buffer to avoid reading before the beginning of an allocation. FossilOrigin-Name: 9386bfca128023583a24303e5f1d832987a49d43 --- diff --git a/manifest b/manifest index c9b3f13dde..66f8f35d8a 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Rearrange\san\sexpression\sin\svdbemem.c\sto\savoid\sa\s(harmless)\sreference\sto\sa\spossibly\sunitialized\svariable. -D 2014-10-15T11:31:35.560 +C Add\sa\sfour-byte\sprefix\sto\sthe\sBtShared.pTmpSpace\sbuffer\sto\savoid\sreading\nbefore\sthe\sbeginning\sof\san\sallocation. +D 2014-10-15T11:55:51.434 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.in cf57f673d77606ab0f2d9627ca52a9ba1464146a F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 @@ -172,9 +172,9 @@ F src/auth.c d8abcde53426275dab6243b441256fcd8ccbebb2 F src/backup.c a31809c65623cc41849b94d368917f8bb66e6a7e F src/bitvec.c 19a4ba637bd85f8f63fc8c9bae5ade9fb05ec1cb F src/btmutex.c 49ca66250c7dfa844a4d4cb8272b87420d27d3a5 -F src/btree.c c9fcae8145436f728c61272cba72b1469c07f30d +F src/btree.c 1b1123cba0c65caa0baa51e71b8c089e3167c3ed F src/btree.h a79aa6a71e7f1055f01052b7f821bd1c2dce95c8 -F src/btreeInt.h 1bd7957161a1346a914f1f09231610e777a8e58d +F src/btreeInt.h 026d0129724e8f265fdc60d44ec240cf5a4e6179 F src/build.c 9dc2bd94347b878c89627000c92b0c8d97ec2919 F src/callback.c 7b44ce59674338ad48b0e84e7b72f935ea4f68b0 F src/complete.c 535183afb3c75628b78ce82612931ac7cdf26f14 
@@ -1204,7 +1204,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P eab82330631187dcc3e5d2dddd23dbda5752904b
-R c46357701a0c6687b1cdb44cc5cea3cc
-U dan
-Z f35b20ba175f90e21204e2589425beed
+P 4a7b3fa049a9aa0668e318287edd4a78c0588bf8
+R 0eaa9fa075886c1412c89d2319c66fd1
+U drh
+Z fdb81bbd00d8de95e4a04ef38ee80f55
diff --git a/manifest.uuid b/manifest.uuid
index 2ed282008d..864a483132 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-4a7b3fa049a9aa0668e318287edd4a78c0588bf8
\ No newline at end of file
+9386bfca128023583a24303e5f1d832987a49d43
\ No newline at end of file
diff --git a/src/btree.c b/src/btree.c
index 3553924c0f..758dfe6335 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -2108,7 +2108,8 @@ static int removeFromSharingList(BtShared *pBt){
 /*
 ** Make sure pBt->pTmpSpace points to an allocation of
-** MX_CELL_SIZE(pBt) bytes.
+** MX_CELL_SIZE(pBt) bytes with a 4-byte prefix for a left-child
+** pointer.
 */
 static void allocateTempSpace(BtShared *pBt){
 if( !pBt->pTmpSpace ){
@@ -2123,8 +2124,16 @@ static void allocateTempSpace(BtShared *pBt){
 ** it into a database page. This is not actually a problem, but it
 ** does cause a valgrind error when the 1 or 2 bytes of unitialized
 ** data is passed to system call write(). So to avoid this error,
- ** zero the first 4 bytes of temp space here. */
- if( pBt->pTmpSpace ) memset(pBt->pTmpSpace, 0, 4);
+ ** zero the first 4 bytes of temp space here.
+ **
+ ** Also: Provide four bytes of initialized space before the
+ ** beginning of pTmpSpace as an area available to prepend the
+ ** left-child pointer to the beginning of a cell.
+ */
+ if( pBt->pTmpSpace ){
+ memset(pBt->pTmpSpace, 0, 8);
+ pBt->pTmpSpace += 4;
+ }
 }
 }
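Review bot: After `pBt->pTmpSpace += 4;` the pointer kept in the struct is four bytes into the allocation, but the allocation request itself sits above this hunk and is not resized by the commit (the old btreeInt.h comment described the buffer as pageSize bytes), so the space usable behind pTmpSpace shrinks by four bytes. The header comment rewritten in the previous hunk promises MX_CELL_SIZE(pBt) bytes after the prefix, which holds only if the allocation is at least MX_CELL_SIZE(pBt)+4; whether it is depends on how MX_CELL_SIZE relates to the page size, which this diff does not show. If the allocation really is pageSize bytes, pinning that relation next to the adjustment keeps the two from drifting, e.g. `assert( pBt->pageSize >= MX_CELL_SIZE(pBt)+4 );`, and a one-line comment at the adjustment, `/* pTmpSpace now points 4 bytes into the allocation; freeTempSpace() undoes this */`, tells the next reader why the pointer is not the allocator's pointer. The body of allocateTempSpace begins outside the hunk.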
@@ -2132,8 +2141,11 @@ static void allocateTempSpace(BtShared *pBt){
 ** Free the pBt->pTmpSpace allocation
 */
 static void freeTempSpace(BtShared *pBt){
- sqlite3PageFree( pBt->pTmpSpace);
- pBt->pTmpSpace = 0;
+ if( pBt->pTmpSpace ){
+ pBt->pTmpSpace -= 4;
+ sqlite3PageFree(pBt->pTmpSpace);
+ pBt->pTmpSpace = 0;
+ }
 }
 /*
diff --git a/src/btreeInt.h b/src/btreeInt.h
index 9f648fceb0..2368e6c884 100644
--- a/src/btreeInt.h
+++ b/src/btreeInt.h
@@ -436,7 +436,7 @@ struct BtShared {
 BtLock *pLock; /* List of locks held on this shared-btree struct */
 Btree *pWriter; /* Btree with currently open write transaction */
 #endif
- u8 *pTmpSpace; /* BtShared.pageSize bytes of space for tmp use */
+ u8 *pTmpSpace; /* Temp space sufficient to hold a single cell */
 };
 /*
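Review bot: The `pBt->pTmpSpace -= 4;` ahead of sqlite3PageFree() is the only thing keeping an interior pointer away from the allocator, and it matches the `+= 4` in allocateTempSpace() by the bare literal alone; the two sites should share one named constant so they cannot drift, e.g. `#define TMPSPACE_PREFIX 4` used as `pBt->pTmpSpace -= TMPSPACE_PREFIX;` here and `+= TMPSPACE_PREFIX` on the allocation side. Any other code that frees or reassigns pTmpSpace directly would now hand the allocator the wrong pointer; none is visible in this diff, but a comment at the subtraction, `/* undo the 4-byte prefix applied in allocateTempSpace() */`, makes the coupling explicit to whoever next touches the field. The NULL guard added here is what keeps the subtraction from being applied to a null pointer when the allocation failed, so it should stay paired with the adjustment rather than being hoisted or dropped later.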
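Review bot: The replacement field comment on pTmpSpace omits the property this commit introduces: the pointer is four bytes past the start of its allocation, which is why freeTempSpace() subtracts before freeing and why nothing else may pass the field to sqlite3PageFree() directly. A reader of struct BtShared cannot learn that from `/* Temp space sufficient to hold a single cell */`; suggest `/* Temp space sufficient to hold a single cell. Points 4 bytes into its allocation (see allocateTempSpace/freeTempSpace) */`. struct BtShared begins and ends outside the hunk.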