From: drh <>
Date: Tue, 1 Mar 2022 20:15:04 +0000 (+0000)
Subject: The MemPage.aDataEnd field should point to the end of the data buffer for
X-Git-Tag: version-3.39.0~352
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a055abb8c4189f5867852a8f67ec6b454eb7e058;p=thirdparty%2Fsqlite.git

The MemPage.aDataEnd field should point to the end of the data buffer for the page, not just the end of the usable portion of that buffer. The purpose of aDataEnd is to detect cells that overflow the page, and that won't work on a page with reserved bytes and a cell that starts in the reserved region, unless the boundary is at the very end of the page. Chromium issue 1276294.

FossilOrigin-Name: f839c0bc8388a31f6db5081906b66b9e129855ba27a13cf13bd995b083f7386e
---
diff --git a/manifest b/manifest index a705549b4b..cb0879e53d 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Fix\sa\sminor\stypo\sin\sa\scomment. -D 2022-03-01T19:19:20.084 +C The\sMemPage.aDataEnd\sfield\sshould\spoint\sto\sthe\send\sof\sthe\sdata\sbuffer\sfor\nthe\spage,\snot\sjust\sthe\send\sof\sthe\susable\sportion\sof\sthat\sbuffer.\s\sThe\spurpose\naDataEnd\sis\sto\sdetect\scells\sthat\soverflow\sthe\spage,\sand\sthat\swon't\swork\son\sa\npage\swith\sreserved\sbytes\sand\sa\scell\sthat\sstarts\sin\sthe\sreserved\sregion,\sunless\nthe\sboundary\sis\sat\sthe\svery\send\sof\sthe\spage.\sChromium\sissue\s1276294. +D 2022-03-01T20:15:04.332 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -492,9 +492,9 @@ F src/auth.c f4fa91b6a90bbc8e0d0f738aa284551739c9543a367071f55574681e0f24f8cf F src/backup.c a2891172438e385fdbe97c11c9745676bec54f518d4447090af97189fd8e52d7 F src/bitvec.c 7c849aac407230278445cb069bebc5f89bf2ddd87c5ed9459b070a9175707b3d F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6 -F src/btree.c 7e9400d1582136ca86af9bbb07f8f3e933b284e969cda516bdc755285d137eb2 +F src/btree.c 752fc154c07e03fd77a5426f6d625aa5aeeacd0054e0d5be9a89dd217d8b7f02 F src/btree.h 74d64b8f28cfa4a894d14d4ed64fa432cd697b98b61708d4351482ae15913e22 -F src/btreeInt.h 7282a6e77775f93a6eb78d3a41dab372a01a4ec1d93d3b4728d191d15fda42e2 +F src/btreeInt.h 1ca477727c5f420a8321208dc5b14d93cb46cec8f941bc49318feb0e00bc961f F src/build.c 9891c2160886cf7e344d7e8f1f7177f9612916c7c67ffeacd64cb34a92d387a8 F src/callback.c 4c19af69835787bfe790ac560f3071a824eb629f34e41f97b52ce5235c77de1c F src/complete.c a3634ab1e687055cd002e11b8f43eb75c17da23e @@ -1944,8 +1944,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 3b36ed79d82fae47a08a7d27f4fcefb7978fdf0e7f8c0f4a82f59501f201b32b -R 672415af5b93cf666a13cbb4e5190cf0 +P 86ba06aa4c55d3aefe030b19b2b5c08baf46bbb2218b04ac1228ab76682a929b +R 759bdd2426153bccb0e084e1cc68e2b8 U drh -Z f44c78af05c98bc038cc5e60cffa1d77 +Z c62f0605f7573e50ae4553081294f184 # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 4a625fe341..f5f5a33e67 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -86ba06aa4c55d3aefe030b19b2b5c08baf46bbb2218b04ac1228ab76682a929b \ No newline at end of file +f839c0bc8388a31f6db5081906b66b9e129855ba27a13cf13bd995b083f7386e \ No newline at end of file 
diff --git a/src/btree.c b/src/btree.c index fdf259766f..fb35bbbc5f 100644 --- a/src/btree.c +++ b/src/btree.c @@ -2107,7 +2107,7 @@ static int btreeInitPage(MemPage *pPage){ pPage->nOverflow = 0; pPage->cellOffset = pPage->hdrOffset + 8 + pPage->childPtrSize; pPage->aCellIdx = data + pPage->childPtrSize + 8; - pPage->aDataEnd = pPage->aData + pBt->usableSize; + pPage->aDataEnd = pPage->aData + pBt->pageSize; pPage->aDataOfst = pPage->aData + pPage->childPtrSize; /* EVIDENCE-OF: R-37002-32774 The two-byte integer at offset 3 gives the ** number of cells on the page. */ @@ -2158,7 +2158,7 @@ static void zeroPage(MemPage *pPage, int flags){ pPage->nFree = (u16)(pBt->usableSize - first); decodeFlags(pPage, flags); pPage->cellOffset = first; - pPage->aDataEnd = &data[pBt->usableSize]; + pPage->aDataEnd = &data[pBt->pageSize]; pPage->aCellIdx = &data[first]; pPage->aDataOfst = &data[pPage->childPtrSize]; pPage->nOverflow = 0; diff --git a/src/btreeInt.h b/src/btreeInt.h index e038f313e2..3b0572e954 100644 --- a/src/btreeInt.h +++ b/src/btreeInt.h @@ -293,7 +293,9 @@ struct MemPage { u8 *apOvfl[4]; /* Pointers to the body of overflow cells */ BtShared *pBt; /* Pointer to BtShared that this page is part of */ u8 *aData; /* Pointer to disk image of the page data */ - u8 *aDataEnd; /* One byte past the end of usable data */ + u8 *aDataEnd; /* One byte past the end of the entire page - not just + ** the usable space, the entire page. Used to prevent + ** corruption-induced of buffer overflow. */ u8 *aCellIdx; /* The cell index area */ u8 *aDataOfst; /* Same as aData for leaves. aData+4 for interior */ DbPage *pDbPage; /* Pager page handle */
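Review bot: With `pPage->aDataEnd = pPage->aData + pBt->pageSize;` in btreeInitPage the bound is wider than before, so a corrupt cell that ends inside the reserved bytes (past usableSize but before pageSize) is no longer caught by any comparison against aDataEnd alone; the commit message justifies the wider bound for cells that start in the reserved region, but the diff changes none of the code that reads aDataEnd, so please confirm that the usable-size limit is still enforced for cell ends elsewhere (the checks that consult pBt->usableSize) and that no existing user of aDataEnd relied on the old "one byte past the end of usable data" meaning, for example to compute free space or to clamp a copy length.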
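Review bot: In zeroPage, `pPage->nFree = (u16)(pBt->usableSize - first);` a few lines above still uses usableSize while `pPage->aDataEnd = &data[pBt->pageSize];` now uses pageSize; that is correct (reserved bytes are not free space), but the two sizes sitting together with no explanation invite someone to "fix" aDataEnd back to usableSize later, so add a one-line comment at the aDataEnd assignment saying it is the hard buffer limit, not the usable limit. Minor: btreeInitPage spells the same value `pPage->aData + pBt->pageSize`; use one form in both places so a grep for the invariant finds both.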
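Review bot: The new comment in btreeInt.h reads "Used to prevent corruption-induced of buffer overflow"; drop the stray "of" so it reads "Used to prevent corruption-induced buffer overflow." It would also help to state the invariant directly, `aDataEnd == aData + pBt->pageSize`, because the wording this replaces ("One byte past the end of usable data") is exactly the meaning the change removes, and any other comment or code that still describes aDataEnd that way should be updated in the same commit.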
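The commit message says aDataEnd exists to detect cells that overflow the page and that a bound at usableSize cannot do that for a cell starting in the reserved region. The C program below is an added illustration of that claim, written for this page; it is not SQLite code and not part of the commit. It models a tiny page buffer with reserved bytes at its tail and runs the same overflow check with the bound at usableSize (before the change) and at pageSize (after). Two things are assumptions of the example rather than facts from the page: the check is written in the common "bytes remaining after the cell pointer" form, `end - pCell`, and the cell's start offset is already known to lie inside the page buffer (which the pointer arithmetic requires).

```c
/* Added example (not SQLite code, not part of this commit). It models a
 * b-tree page buffer whose tail holds reserved bytes and shows why a bound
 * meant to catch cells that run off the page must be the true buffer end
 * (pageSize), not the end of the usable area (usableSize).
 *
 * Assumption, labelled here because the page shows only the one-line fix:
 * the check computes "bytes remaining after pCell" as end - pCell and
 * compares the cell size against that. If pCell already lies beyond end
 * (a cell that starts in the reserved region), the difference is negative
 * and the size_t conversion turns it into a huge value, so the comparison
 * passes and the cell is read whatever its length. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PG_SIZE     64u                     /* constructed: tiny page */
#define PG_RESERVED 16u                     /* constructed: reserved tail */
#define PG_USABLE   (PG_SIZE - PG_RESERVED) /* 48 bytes usable by the b-tree */

enum { BOUND_USABLE = 0, BOUND_PAGE = 1 };  /* before / after the change */

typedef struct Page {
  uint8_t  aData[PG_SIZE];  /* the disk image of the page */
  uint8_t *aDataEnd;        /* bound consulted by the overflow check */
} Page;

static void pageInit(Page *p, int bound){
  memset(p->aData, 0, sizeof p->aData);
  p->aDataEnd = p->aData + (bound == BOUND_PAGE ? PG_SIZE : PG_USABLE);
}

/* 1 if the check lets a cell of nSize bytes at offset ofst through (it
 * would be read), 0 if the check rejects it. ofst must be < PG_SIZE so the
 * cell pointer stays inside the array and the subtraction is defined. */
int cellAccepted(int bound, unsigned ofst, unsigned nSize){
  Page p;
  const uint8_t *pCell;
  size_t remaining;
  pageInit(&p, bound);
  pCell = p.aData + ofst;
  remaining = (size_t)(p.aDataEnd - pCell);   /* wraps when pCell > aDataEnd */
  return nSize <= remaining;
}

/* Ground truth: would reading nSize bytes at ofst run past the buffer? */
int readOverflowsBuffer(unsigned ofst, unsigned nSize){
  return ofst + nSize > PG_SIZE;
}

/* 1 if the check with the given bound fails to reject a read that really
 * runs past the buffer, i.e. a corruption-induced out-of-bounds read. */
int checkMissesOverflow(int bound, unsigned ofst, unsigned nSize){
  return readOverflowsBuffer(ofst, nSize) && cellAccepted(bound, ofst, nSize);
}

int main(void){
  /* A cell starting at offset 50, inside the 16 reserved bytes, claiming
   * 20 bytes: it ends at 70, six bytes past the 64-byte buffer. */
  printf("usable bound misses overflow: %d\n", checkMissesOverflow(BOUND_USABLE, 50, 20));
  printf("page bound misses overflow:   %d\n", checkMissesOverflow(BOUND_PAGE, 50, 20));
  return 0;
}
```

With the bound at usableSize the subtraction for a cell starting at offset 50 is negative, the check passes, and a 20-byte read runs six bytes past the buffer; with the bound at pageSize the same cell is rejected. The page-end bound does let a cell that ends inside the reserved bytes through, which matches the new comment in btreeInt.h: aDataEnd is there to stop buffer overflow, not to decide whether a page is well formed.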