From: drh
Date: Fri, 21 Dec 2018 18:51:27 +0000 (+0000)
Subject: In FTS3, avoid calling memcpy() with a NULL source pointer, even if the
X-Git-Tag: version-3.27.0~271
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=afdc9e23fcacb2df2f80915730e34b3935fd2156;p=thirdparty%2Fsqlite.git
In FTS3, avoid calling memcpy() with a NULL source pointer, even if the transfer amount is zero bytes.
FossilOrigin-Name: 1abb83d29a06308c96bea379311b390240347c5f81824749348d18ad75840c96
---
diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
index 2a94952c02..051222dedf 100644
--- a/ext/fts3/fts3_write.c
+++ b/ext/fts3/fts3_write.c
@@ -1608,6 +1608,11 @@ int sqlite3Fts3SegReaderNew(
   Fts3SegReader *pReader;         /* Newly allocated SegReader object */
   int nExtra = 0;                 /* Bytes to allocate segment root node */
 
+  assert( zRoot!=0 || nRoot==0 );
+#ifdef CORRUPT_DB
+  assert( zRoot!=0 || CORRUPT_DB );
+#endif
+
   if( iStartLeaf==0 ){
     nExtra = nRoot + FTS3_NODE_PADDING;
   }
@@ -1628,7 +1633,7 @@ int sqlite3Fts3SegReaderNew(
     pReader->aNode = (char *)&pReader[1];
     pReader->rootOnly = 1;
     pReader->nNode = nRoot;
-    memcpy(pReader->aNode, zRoot, nRoot);
+    if( nRoot ) memcpy(pReader->aNode, zRoot, nRoot);
     memset(&pReader->aNode[nRoot], 0, FTS3_NODE_PADDING);
   }else{
     pReader->iCurrentBlock = iStartLeaf-1;
diff --git a/manifest b/manifest
index 36b2d0d486..2fc0aa84aa 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C The\sfts4umlaut.test\smodule\srequires\sFTS5,\sso\sdo\snot\stry\sto\srun\sit\swithout\sthat\nmodule. -D 2018-12-21T18:50:43.919 +C In\sFTS3,\savoid\scalling\smemcpy()\swith\sa\sNULL\ssource\spointer,\seven\sif\sthe\s\ntransfer\samount\sis\szero\sbytes. +D 2018-12-21T18:51:27.345 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F Makefile.in d8b254f8bb81bab43c340d70d17dc3babab40fcc8a348c8255881f780a45fee6
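Review bot: The two new assertions in the first hunk state the invariant (zRoot may be NULL only when nRoot is 0, and only for a corrupt database) but not where it comes from, and the `#ifdef CORRUPT_DB` wrapper means the second assert is silently absent in any build where that macro is not visible to this file. A one-line comment above them would stop the next reader from removing the guard added later in this function as redundant, e.g. `/* A corrupt segdir row can yield zRoot==NULL; when it does nRoot must be 0 (the memcpy below depends on this). */`. Both asserts vanish under NDEBUG, so the `if( nRoot )` test in the later hunk is the only runtime protection, and it relies on nRoot>0 implying zRoot!=NULL; whether the caller guarantees that for every corrupt file cannot be confirmed from this hunk. sqlite3Fts3SegReaderNew begins before this hunk and continues after it.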
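Review bot: `if( nRoot ) memcpy(pReader->aNode, zRoot, nRoot);` silently accepts a NULL root node, leaving nNode==0 and aNode pointing at FTS3_NODE_PADDING zero bytes, so every consumer of a rootOnly reader must cope with an empty node; the new fts3fuzz001 test expects "database disk image is malformed" from the integrity-check path, which suggests this is detected downstream, but it cannot be confirmed from this hunk. If nRoot could ever be non-zero while zRoot is NULL (the invariant is only asserted, not enforced), this guard does not help; making the condition explicit before nExtra is computed, e.g. `if( zRoot==0 ) nRoot = 0;` or returning SQLITE_CORRUPT_VTAB in that case, would close the gap in release builds. Either way a short comment on the guard, `/* zRoot may be NULL for a corrupt db; memcpy() with a NULL source is undefined even for 0 bytes */`, keeps it from being reverted as a no-op. The function continues outside the hunk.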
@@ -98,7 +98,7 @@ F ext/fts3/fts3_tokenizer.h 64c6ef6c5272c51ebe60fc607a896e84288fcbc3 F ext/fts3/fts3_tokenizer1.c 5c98225a53705e5ee34824087478cf477bdb7004 F ext/fts3/fts3_unicode.c b1902e9ad47a6569fbb8ecb5ce52f20fe59b590d5c5e3bbdd56b10b03bdf632b F ext/fts3/fts3_unicode2.c e49f9e015f239bf5faf2f4fa483bbf1b08a9978f0ad1f31159d952f8b8a10d08 -F ext/fts3/fts3_write.c 02764f12943f2316ae673cad639bb5ddaaf36e0af53bf137bc11facfe51f0437 +F ext/fts3/fts3_write.c 6e50b0cfa4666c6581c24ba8a8f74b80561b52b1d28acb358efb125d6dd23370 F ext/fts3/fts3speed.tcl b54caf6a18d38174f1a6e84219950d85e98bb1e9 F ext/fts3/mkfts3amal.tcl 252ecb7fe6467854f2aa237bf2c390b74e71f100 F ext/fts3/tool/fts3cov.sh c331d006359456cf6f8f953e37f2b9c7d568f3863f00bb5f7eb87fea4ac01b73 @@ -926,6 +926,7 @@ F test/fts3expr5.test f9abfffbf5e53d48a33e12a1e8f8ba2c551c9b49 F test/fts3fault.test 9fb7d6266a38806de841f7244bac1b0fe3a1477184bbb10b172d19d2ca6ad692 F test/fts3fault2.test 6a17a11d8034b1c4eca9f3091649273d56c49ff049e2173df8060f94341e9da0 F test/fts3first.test dbdedd20914c8d539aa3206c9b34a23775644641 +F test/fts3fuzz001.test dea922cb318324baa0f5092c64c5f677a63e446924cce00a36289455f8b1fa18 F test/fts3join.test 949b4f5ae3ae9cc2423cb865d711e32476bdb205ab2be923fdf48246e4a44166 F test/fts3malloc.test b0e4c133b8d61d4f6d112d8110f8320e9e453ef6 F test/fts3matchinfo.test aa66cc50615578b30f6df9984819ae5b702511cf8a94251ec7c594096a703a4a @@ -1788,7 +1789,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 0bf4c70a6849da74797e8616a4f3730492ad02882ae67a0fe0f3b3cc3f1043b4 -R 0c6a285c47810e86aa3ecdb6e31a5afb +P dee3ae900129d39d69aff3ec6187376be100803ee6170bbf39529f37b4253260 +R 7f7438ed19979d068c35ea802f812391 U drh -Z 193cbb9cbc92544b8e22e4f7d678d44d +Z 6d50eeb8a5cafc4c1da27e1f9a7627fa 
diff --git a/manifest.uuid b/manifest.uuid
index 2edac72d39..ac05f74023 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-dee3ae900129d39d69aff3ec6187376be100803ee6170bbf39529f37b4253260
\ No newline at end of file
+1abb83d29a06308c96bea379311b390240347c5f81824749348d18ad75840c96
\ No newline at end of file
diff --git a/test/fts3fuzz001.test b/test/fts3fuzz001.test
new file mode 100644
index 0000000000..2f144ab4ba
--- /dev/null
+++ b/test/fts3fuzz001.test
@@ -0,0 +1,113 @@
+# 2012-12-21
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+#
+# Test cases for corrupt database files.
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+
+ifcapable !deserialize||!fts3 {
+  finish_test
+  return
+}
+database_may_be_corrupt
+
+do_test fts3fuzz001-100 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+| size 24576 pagesize 4096 filename c6.db
+| page 1 offset 0
+| 0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 SQLite format 3.
+| 16: 10 00 01 01 00 40 20 20 00 00 00 00 00 00 00 06 .....@ ........
+| 32: 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 04 ................
+| 48: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................
+| 96: 00 00 00 00 0d 0e f9 00 06 0d ec 00 0f cd 0f 69 ...............i
+| 112: 0f 01 0e 10 0e c6 0d ec 00 00 00 00 00 00 00 00 ................
+| 3552: 00 00 00 00 00 00 00 00 00 00 00 00 22 06 06 17 ............"...
+| 3568: 11 11 01 31 74 61 62 6c 65 74 32 74 32 06 43 52 ...1tablet2t2.CR
+| 3584: 45 41 54 45 20 54 41 42 4c 45 20 74 32 28 78 29 EATE TABLE t2(x)
+| 3600: 81 33 04 07 17 1f 1f 01 82 35 74 61 62 6c 65 74 .3.......5tablet
+| 3616: 31 5f 73 65 67 64 69 72 74 31 5f 73 65 67 64 69 1_segdirt1_segdi
+| 3632: 72 04 43 52 45 41 54 45 20 54 41 42 4c 45 20 27 r.CREATE TABLE '
+| 3648: 74 31 5f 73 65 67 64 69 72 27 28 6c 65 76 65 6c t1_segdir'(level
+| 3664: 20 49 4e 54 45 47 45 52 2c 69 64 78 20 49 4e 54 INTEGER,idx INT
+| 3680: 45 47 45 52 2c 73 74 61 72 74 5f 62 6c 6f 63 6b EGER,start_block
+| 3696: 20 49 4e 54 45 47 45 52 2c 6c 65 61 76 65 73 5f INTEGER,leaves_
+| 3712: 65 6e 64 5f 62 6c 6f 63 6b 20 49 4e 54 45 47 45 end_block INTEGE
+| 3728: 52 2c 65 6e 64 5f 62 6c 6f 63 6b 20 49 4e 54 45 R,end_block INTE
+| 3744: 47 45 52 2c 72 6f 6f 74 20 42 4c 4f 42 2c 50 52 GER,root BLOB,PR
+| 3760: 49 4d 41 52 59 20 4b 45 59 28 6c 65 76 65 6c 2c IMARY KEY(level,
+| 3776: 20 69 64 78 29 29 31 05 06 17 45 1f 01 00 69 6e idx))1...E...in
+| 3792: 64 65 78 73 71 6c 69 74 65 5f 61 75 74 6f 69 6e dexsqlite_autoin
+| 3808: 64 65 78 5f 74 15 f7 36 56 76 46 97 25 f3 17 43 dex_t..6VvF.%..C
+| 3824: 15 5f 73 65 67 64 69 72 05 00 00 00 08 00 00 00 ._segdir........
+| 3840: 00 66 03 07 17 23 23 01 81 13 74 61 62 6c 65 74 .f...##...tablet
+| 3856: 31 5f 73 65 67 6d 65 6e 74 73 74 31 5f 73 65 67 1_segmentst1_seg
+| 3872: 6d 65 6e 74 73 03 43 52 45 41 54 45 20 54 41 42 ments.CREATE TAB
+| 3888: 4c 45 20 27 74 31 5f 73 65 67 6d 65 6e 74 73 27 LE 't1_segments'
+| 3904: 28 62 6c 6f 63 6b 69 64 20 49 4e 54 45 47 45 52 (blockid INTEGER
+| 3920: 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 62 6c PRIMARY KEY, bl
+| 3936: 6f 63 6b 20 42 4c 4f 42 29 62 02 07 17 21 21 01 ock BLOB)b...!!.
+| 3952: 81 0f 74 61 62 6c 65 74 31 5f 63 6f 6e 74 65 6e ..tablet1_conten
+| 3968: 74 74 31 5f 63 6f 6e 74 65 6e 74 02 43 52 45 41 tt1_content.CREA
+| 3984: 54 45 20 54 41 42 4c 45 20 27 74 31 5f 63 6f 6e TE TABLE 't1_con
+| 4000: 74 65 6e 74 27 28 64 6f 63 69 64 20 49 4e 54 45 tent'(docid INTE
+| 4016: 47 45 52 20 50 52 49 4d 41 52 59 20 4b 45 59 2c GER PRIMARY KEY,
+| 4032: 20 27 63 30 63 6f 6e 74 65 6e 74 27 29 31 01 06 'c0content')1..
+| 4048: 17 11 11 08 51 74 61 62 6c 65 74 31 74 31 43 52 ....Qtablet1t1CR
+| 4064: 45 41 54 45 20 56 49 52 54 55 41 4c 20 54 41 42 EATE VIRTUAL TAB
+| 4080: 4c 45 20 74 31 20 55 53 49 4e 47 20 66 74 73 33 LE t1 USING fts3
+| page 2 offset 4096
+| 0: 0d 00 00 00 03 0f e0 00 0f f6 0f ec 0f e0 00 00 ................
+| 4064: 0a 03 03 00 1b 61 62 61 6e 64 6f 6e 08 02 03 00 .....abandon....
+| 4080: 17 61 62 61 66 74 08 01 03 00 17 61 62 61 63 6b .abaft.....aback
+| page 3 offset 8192
+| 0: 0d 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 ................
+| page 4 offset 12288
+| 0: 0d 00 00 00 01 0f d6 00 0f 00 00 00 00 00 00 00 ................
+| 4048: 00 00 00 00 00 00 28 01 07 08 08 08 08 15 46 30 ......(.......F0
+| 4064: 20 32 39 00 05 61 62 61 63 6b 03 01 02 00 03 02 29..aback......
+| 4080: 66 74 03 02 02 00 03 04 6e 64 6f 6e 03 03 02 00 ft......ndon....
+| page 5 offset 16384
+| 0: 0a 00 00 00 01 0f fb 00 0f fb 00 00 00 00 00 00 ................
+| 4080: 00 00 00 00 00 00 00 00 00 00 00 04 04 08 08 09 ................
+| page 6 offset 20480
+| 0: 0d 00 00 00 05 0f b8 00 0f f4 0f e9 0f d6 0f c7 ................
+| 16: 0f b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+| 4016: 00 00 00 00 00 00 00 00 0d 05 02 23 61 75 74 6f ...........#auto
+| 4032: 6d 65 72 67 65 3d 35 0d 04 02 23 6d 65 72 67 65 merge=5...#merge
+| 4048: 3d 31 30 30 2c 38 11 03 02 2b 69 6e 74 65 67 72 =100,8...+integr
+| 4064: 69 74 79 3d 63 68 65 63 6b 09 02 02 1b 72 65 62 ity=check....reb
+| 4080: 75 69 6c 64 0a 01 02 1d 6f 70 74 69 6d 69 7a 65 uild....optimize
+| end c6.db
+  }]
+  catchsql {
+    INSERT INTO t1(t1) SELECT x FROM t2;
+  }
+} {1 {database disk image is malformed}}
+do_test fts3fuzz001-110 {
+  catchsql {
+    INSERT INTO t1(t1) VALUES('integrity-check');
+  }
+} {1 {database disk image is malformed}}
+do_test fts3fuzz001-120 {
+  catchsql {
+    INSERT INTO t1(t1) VALUES('optimize');
+  }
+} {0 {}}
+do_test fts3fuzz001-121 {
+  catchsql {
+    INSERT INTO t1(t1) VALUES('integrity-check');
+  }
+} {1 {database disk image is malformed}}
+
+
+finish_test
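Review bot: The header comment of the new test file reads `# 2012-12-21`, while the commit itself is dated 21 Dec 2018; this looks like a typo for `# 2018-12-21`. The four cases reach the corrupt segdir row only through the `INSERT INTO t1(t1) VALUES(...)` command path; a plain query against the same table, e.g. `do_test fts3fuzz001-130 { catchsql { SELECT docid FROM t1 WHERE t1 MATCH 'aback' } } {1 {database disk image is malformed}}`, presumably also constructs a segment reader over the same root node and would be a cheap extra assertion that the read path reports corruption rather than walking an empty node, if that is indeed the path a MATCH query takes.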