From: dan Date: Thu, 24 Jan 2019 15:16:17 +0000 (+0000) Subject: Fix a potential problem with "INSERT INTO ... SELECT * FROM" (or VACUUM) statements... X-Git-Tag: version-3.27.0~90 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b0c4c949966415a7f31d3862213527fd2d8ab0e7;p=thirdparty%2Fsqlite.git Fix a potential problem with "INSERT INTO ... SELECT * FROM" (or VACUUM) statements on a corrupted database. FossilOrigin-Name: db4b4c2c1e9f1adacfb1b2fedb717a4d8bb0a299c3b11835404a99fcd67bf24b --- diff --git a/manifest b/manifest index 5e2dcbc59c..f8c4c1a3d2 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Change\sa\sinteger\svariable\sin\ssqlite3VdbeRecordUnpack()\sto\sunsigned\sin\sorder\nto\savoid\sany\spossibility\sof\san\sinteger\soverflow. -D 2019-01-24T14:16:20.388 +C Fix\sa\spotential\sproblem\swith\s"INSERT\sINTO\s...\sSELECT\s*\sFROM"\s(or\sVACUUM)\sstatements\son\sa\scorrupted\sdatabase. +D 2019-01-24T15:16:17.305 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F Makefile.in 0e7c107ebcaff26681bc5bcf017557db85aa828d6f7fd652d748b7a78072c298 @@ -455,7 +455,7 @@ F src/auth.c 0fac71038875693a937e506bceb492c5f136dd7b1249fbd4ae70b4e8da14f9df F src/backup.c 78d3cecfbe28230a3a9a1793e2ead609f469be43e8f486ca996006be551857ab F src/bitvec.c 17ea48eff8ba979f1f5b04cc484c7bb2be632f33 F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6 -F src/btree.c 58574154361f57da015436f53d9107dde74387b3b939c7a7ef6a7998b5dfb1af +F src/btree.c 21eb929285901255cf0af2f8e2e9ee41c77e0620e031ddad3d065cfaf95583fd F src/btree.h febb2e817be499570b7a2e32a9bbb4b607a9234f6b84bb9ae84916d4806e96f2 F src/btreeInt.h 620ab4c7235f43572cf3ac2ac8723cbdf68073be4d29da24897c7b77dda5fd96 F src/build.c f07c0b154c23737d1699ee63bba31c8ca8b323e2446b957bc6bfec81a62295fc 
@@ -757,7 +757,7 @@ F test/corruptH.test 79801d97ec5c2f9f3c87739aa1ec2eb786f96454 F test/corruptI.test a17bbf54fdde78d43cf3cc34b0057719fd4a173a3d824285b67dc5257c064c7b F test/corruptJ.test 4d5ccc4bf959464229a836d60142831ef76a5aa4 F test/corruptK.test 5ef338c560ca4dfb7360828da16f1829be4deba3b378cafdc7a1cdaf027eb5c4 -F test/corruptL.test 8b2a8cf20fbd0b225cc3dea431e2c945878148a9df998d8f4134588be359057f +F test/corruptL.test 05e4e193bdd56896bae94d1d1f73a29ff41c9c2bafe32bd390d547c5bfa38f34 F test/cost.test 51f4fcaae6e78ad5a57096831259ed6c760e2ac6876836e91c00030fad385b34 F test/count.test cb2e0f934c6eb33670044520748d2ecccd46259c F test/countofview.test e3d4cd6900e4e4f074968ab24b8b87d3671cd624961bef40fd3a6b8f574343cf @@ -782,7 +782,7 @@ F test/dataversion1.test 6e5e86ac681f0782e766ebcb56c019ae001522d114e0e111e5ebf68 F test/date.test 9b73bbeb1b82d9c1f44dec5cf563bf7da58d2373 F test/date2.test 74c234bece1b016e94dd4ef9c8cc7a199a8806c0e2291cab7ba64bace6350b10 F test/dbfuzz.c 73047c920d6210e5912c87cdffd9a1c281d4252e -F test/dbfuzz001.test 5659cbbc01e38678c119c8a58071cac59d0d6c71837a385f3d1838012f12e1e1 +F test/dbfuzz001.test 9617fb870f7d655c27994749955efee5d93a641c082dce4c59059796ff81145e F test/dbfuzz2-seed1.db e6225c6f3d7b63f9c5b6867146a5f329d997ab105bee64644dc2b3a2f2aebaee F test/dbfuzz2.c ffd2d85cab49936959b8ee6073498bcb827d5670c7286e4b40b06e433b32a94a F test/dbpage.test 650234ba683b9d82b899c6c51439819787e7609f17a0cc40e0080a7b6443bc38 
@@ -1802,7 +1802,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 65ad6c55f1ba9bc2f75afffa3adaf19f145fad7ac9a00ccce6372e9a2cc4341b -R 044fae2f8d5b50f222adeecb83c19999 -U drh -Z a7a11efee3ef8017d4f6272584568b02 +P 1b536f6fd8d58800042f130842f0586aaa357841ee0d1b690a9815c865d50826 +R fc284f1d3ce3f15ef50f8cba68163dd7 +U dan +Z 7614ae7f2756b52b23d2b92aadbeffdc
diff --git a/manifest.uuid b/manifest.uuid
index 72ab28b76f..ea068faa4d 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-1b536f6fd8d58800042f130842f0586aaa357841ee0d1b690a9815c865d50826
\ No newline at end of file
+db4b4c2c1e9f1adacfb1b2fedb717a4d8bb0a299c3b11835404a99fcd67bf24b
\ No newline at end of file
diff --git a/src/btree.c b/src/btree.c
index b68bca12a9..401f02eeba 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -804,11 +804,12 @@ static int btreeMoveto(
 UnpackedRecord *pIdxKey; /* Unpacked index key */
 if( pKey ){
+ KeyInfo *pKeyInfo = pCur->pKeyInfo;
 assert( nKey==(i64)(int)nKey );
- pIdxKey = sqlite3VdbeAllocUnpackedRecord(pCur->pKeyInfo);
+ pIdxKey = sqlite3VdbeAllocUnpackedRecord(pKeyInfo);
 if( pIdxKey==0 ) return SQLITE_NOMEM_BKPT;
- sqlite3VdbeRecordUnpack(pCur->pKeyInfo, (int)nKey, pKey, pIdxKey);
- if( pIdxKey->nField==0 ){
+ sqlite3VdbeRecordUnpack(pKeyInfo, (int)nKey, pKey, pIdxKey);
+ if( pIdxKey->nField==0 || pIdxKey->nField>pKeyInfo->nAllField ){
 rc = SQLITE_CORRUPT_BKPT;
 goto moveto_done;
 }
diff --git a/test/corruptL.test b/test/corruptL.test
index c90562e564..ee16b9c1df 100644
--- a/test/corruptL.test
+++ b/test/corruptL.test
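Review bot: The new `pIdxKey->nField>pKeyInfo->nAllField` condition carries no comment, and because sqlite3VdbeRecordUnpack() and the record-comparison routines live outside this hunk a reader cannot tell from here why a larger field count is treated as corruption rather than simply truncated. Suggest a short comment above the `if`, e.g. `/* A key with more fields than pKeyInfo describes cannot come from a well-formed index; reject it as corrupt before the comparison code relies on pKeyInfo's field count. */`, adjusted to whatever the comparison code actually indexes. That comment should also state that the bound comes from the schema-derived KeyInfo rather than from the page being searched, so it is the trustworthy side of the comparison. Whether other callers of sqlite3VdbeRecordUnpack() need the same guard is not visible from this hunk. btreeMoveto() begins and ends outside the hunk.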
@@ -230,4 +230,150 @@ do_catchsql_test 2.2 {
 SELECT b,c FROM t1 ORDER BY a;
 } {1 {database disk image is malformed}}
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 3.0 {
+ CREATE TABLE t1(a, b, c, d INTEGER PRIMARY KEY);
+ CREATE TABLE t2(a, b, c, d INTEGER PRIMARY KEY);
+
+ INSERT INTO t1(a, b, c, d) VALUES (1, 2, 3, 100), (4, 5, 6, 101);
+ INSERT INTO t2(a, b, c, d) VALUES (1, 100, 3, 1000), (4, 101, 6, 1001);
+
+ CREATE INDEX t1a ON t1(a);
+ CREATE INDEX t2a ON t2(a, b, c);
+
+ PRAGMA writable_schema = 1;
+ UPDATE sqlite_master SET sql = 'CREATE INDEX t2a ON t2(a)' WHERE name='t2a';
+}
+
+db close
+sqlite3 db test.db
+
+do_catchsql_test 3.1 {
+ INSERT INTO t1 SELECT * FROM t2;
+} {1 {database disk image is malformed}}
+
+#-------------------------------------------------------------------------
+reset_db
+do_test 4.0 {
+ sqlite3 db {}
+ db deserialize [decode_hexdb {
+| size 4096 pagesize 512 filename crash-6b48ba69806134.db
+| page 1 offset 0
+| 0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 SQLite format 3.
+| 16: 02 00 01 01 00 40 20 20 00 ff ff ff ff 00 00 07 .....@ ........
+| 32: 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 04 ................
+| 48: 00 00 00 00 00 00 00 05 00 eb 00 01 00 00 00 00 ................
+| 80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c ................
+| 96: 00 2e 2c 50 0d 00 00 00 06 01 06 00 01 da 01 b0 ..,P............
+| 112: 05 56 01 86 01 2a 01 06 00 00 00 00 00 00 00 00 .V...*..........
+| 128: 00 ff 00 00 ff ff ff e1 00 00 00 00 00 00 00 00 ................
+| 144: 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 ................
+| 160: 00 00 00 00 00 00 00 00 f2 00 00 00 00 00 00 00 ................
+| 176: 00 00 f9 ff ff ff ff ff ff ff 00 00 00 00 00 fb ................
+| 208: 00 00 00 00 00 00 00 00 1e 00 00 00 fe 00 00 00 ................
+| 224: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ca 00 ................
+| 256: 00 00 00 00 ef ff 22 07 06 17 11 11 01 31 74 61 .............1ta
+| 272: 62 6c 65 74 38 38 74 04 43 52 45 41 54 45 20 54 blet88t.CREATE T
+| 288: 41 42 4c 45 20 74 34 28 87 29 2a 06 06 17 13 11 ABLE t4(.)*.....
+| 304: 01 3f 69 4f 64 65 78 74 33 78 74 33 05 43 52 45 .?iOdext3xt3.CRE
+| 320: 41 54 45 20 49 6e 44 45 58 20 74 33 78 20 4f 4e ATE InDEX t3x ON
+| 336: 20 74 33 28 78 29 2e 04 06 17 15 11 01 45 69 6e t3(x).......Ein
+| 352: 64 65 2e 74 32 63 64 74 3d 05 43 52 45 41 54 45 de.t2cdt=.CREATE
+| 368: 20 49 4e 44 45 58 20 74 32 63 64 20 4f 4e 20 74 INDEX t2cd ON t
+| 384: 32 28 0a 0c 44 29 28 05 06 17 11 11 01 3d 74 61 2(..D)(......=ta
+| 400: 62 6c 65 d4 33 74 33 04 43 52 45 41 54 45 20 54 ble.3t3.CREATE T
+| 416: 41 42 4c 45 20 74 33 28 63 2c 78 2c 65 2c 66 29 ABLE t3(c,x,e,f)
+| 432: 28 02 06 17 11 11 01 3d 74 61 62 6c 65 74 32 74 (......=tablet2t
+| 448: 32 03 43 52 45 41 54 45 20 54 41 42 4c 45 20 74 2.CREATE TABLE t
+| 464: 32 28 63 2c 64 2c 65 2c 66 29 24 01 06 17 11 11 2(c,d,e,f)$.....
+| 480: 01 35 74 60 62 6c 65 74 31 74 31 02 43 52 45 41 .5t`blet1t1.CREA
+| 496: 54 45 20 54 41 42 4c 45 20 74 30 28 61 2c 62 29 TE TABLE t0(a,b)
+| page 2 offset 512
+| 0: 0d 00 ff 11 04 01 cf 00 01 fa 01 f3 01 de 01 cf ................
+| 32: 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 13 ................
+| 48: 00 00 00 00 00 00 00 00 00 00 00 01 00 20 00 00 ............. ..
+| 64: 00 00 00 00 00 00 f8 ff ff ff 00 00 00 00 00 00 ................
+| 160: 01 64 00 00 00 00 00 80 ff ff ff 00 00 00 00 00 .d..............
+| 176: 00 00 00 00 00 00 00 00 1f 00 00 00 00 00 00 03 ................
+| 192: 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 ..@.............
+| 288: 00 00 00 00 00 00 ff ff ff e9 00 00 00 00 00 00 ................
+| 336: 01 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 ................
+| 368: 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
+| 384: 00 de ff 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+| 464: 00 00 00 00 00 13 76 65 6e 65 69 67 68 74 13 03 ......veneight..
+| 480: 03 40 07 07 14 00 54 45 20 49 4e 44 45 58 20 74 .@....TE INDEX t
+| 496: 32 63 64 20 4f 4e 20 74 32 28 0a 0c 44 09 01 02 2cd ON t2(..D...
+| page 3 offset 1024
+| 0: 0d 00 00 00 48 01 54 00 01 f7 01 ec 01 c5 01 aa ....H.T.........
+| 16: 30 34 28 87 29 2a 06 06 17 13 11 01 3f 69 4f 64 04(.)*......?iOd
+| 32: 65 79 74 33 78 74 33 6d 6d 6d 6d 6d 6d 7d 6d 6d eyt3xt3mmmmmm.mm
+| 48: 6d 41 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d mAmmmmmmmmmmmmmm
+| 64: 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 66 6d 6d 6d 6d mmmmmmmmmmmfmmmm
+| 80: 6d 4e 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d mNmmmmmmmmmmmmmm
+| 96: 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d mmmmmmmmmmmmmmmm
+| 112: 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d mmmmmmmmmmmmmmmm
+| 128: 6d 6d 6d 6d 6d 00 00 00 00 00 00 00 00 00 00 00 mmmmm...........
+| 160: 80 00 00 00 00 00 00 03 00 00 00 ff e4 00 00 00 ................
+| 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 c5 00 00 ................
+| 240: 14 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 ................
+| 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f ec ................
+| 304: 00 00 00 00 19 08 05 17 17 17 17 65 69 67 68 74 ...........eight
+| 320: 65 69 67 68 74 73 65 00 00 00 00 00 00 00 00 00 eightse.........
+| 336: 00 00 00 00 19 08 05 17 17 17 17 65 69 67 68 74 ...........eight
+| 352: 65 69 67 68 74 73 65 01 65 6e 00 00 00 10 25 07 eightse.en....%.
+| 368: 07 6e 25 07 07 07 40 18 00 00 00 00 00 00 40 18 .n%...@.......@.
+| 384: 00 00 00 00 00 00 40 14 00 00 00 00 00 00 40 14 ......@.......@.
+| 400: 00 00 00 00 00 00 09 06 05 01 01 01 01 04 04 03 ................
+| 416: 03 07 05 05 01 01 09 09 02 02 19 04 05 17 17 17 ................
+| 432: 17 10 65 76 65 6e 65 69 67 68 74 65 69 67 68 74 ..eveneighteight
+| 448: 73 65 76 65 6e 25 03 05 07 07 07 07 40 14 00 00 seven%......@...
+| 464: 00 00 00 00 40 18 00 00 00 00 00 00 40 18 00 00 ....@.......@...
+| 480: 00 00 00 00 40 14 00 00 00 00 e8 f6 09 02 00 00 ....@...........
+| 496: 00 00 00 00 00 00 00 00 00 00 64 00 00 00 00 02 ..........d.....
+| page 4 offset 1536
+| 0: 0d 00 00 00 00 02 00 00 00 00 00 00 00 00 00 fa ................
+| 16: 1f a1 07 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
+| 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 73 69 6d .............sim
+| 48: 70 6c 65 00 00 00 00 00 00 00 00 00 00 00 00 00 ple.............
+| 80: 00 00 00 00 00 10 00 00 00 00 00 00 01 00 00 00 ................
+| 96: 00 00 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ................
+| 112: ff 00 00 00 00 00 00 00 00 00 00 00 4a 00 00 00 ............J...
+| 144: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................
+| 176: e5 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................
+| 208: 00 00 00 00 00 00 00 00 00 00 36 36 00 00 00 00 ..........66....
+| 240: 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 ...l............
+| 256: 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+| 320: 00 00 00 00 00 00 00 00 01 00 00 02 00 80 00 00 ................
+| 336: 00 00 00 00 00 19 08 05 17 17 17 17 65 69 67 68 ............eigh
+| 352: 74 65 69 67 68 74 73 65 76 65 6e 73 65 76 65 6e teightsevenseven
+| 368: 25 07 05 07 07 07 07 40 18 00 00 00 00 00 00 40 %......@.......@
+| 384: 18 00 20 00 00 00 40 00 14 00 00 00 00 00 00 40 .. ...@........@
+| 400: 14 00 00 00 00 00 1c 09 06 05 01 01 01 01 04 04 ................
+| 416: 03 03 07 05 05 01 01 00 00 00 00 00 00 00 00 00 ................
+| 448: 74 73 65 76 65 6e 00 80 ff ff 00 00 00 00 00 aa tseven..........
+| 464: 00 9e 00 00 00 00 00 00 00 00 00 00 00 70 6f 72 .............por
+| 480: 74 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 ter.............
+| 496: 00 00 00 00 00 00 29 00 00 00 00 00 00 00 00 00 ......).........
+| page 5 offset 2048
+| 0: 0a 00 00 00 08 01 96 00 01 fa 01 c5 01 f2 01 bc ................
+| 16: 01 dc 01 a6 01 96 01 cc 00 00 00 00 00 00 00 00 ................
+| 112: 00 00 00 09 00 00 00 00 01 00 00 00 00 00 00 00 ................
+| 160: 74 72 69 67 62 ff ff ff ff fc 00 00 00 00 00 00 trigb...........
+| 240: 00 00 00 00 00 00 00 00 00 00 ff 00 00 00 00 00 ................
+| 256: e5 ff ff ff 00 00 54 00 00 00 00 00 00 00 00 00 ......T.........
+| 304: 00 00 00 00 00 00 09 00 00 00 00 00 00 00 00 00 ................
+| 400: 00 00 00 00 00 09 00 00 00 00 01 00 00 00 00 00 ................
+| 448: 00 00 74 72 69 67 62 ff ff ff ff fc 00 00 07 05 ..trigb.........
+| 464: 05 01 01 09 09 02 02 19 04 05 17 17 17 17 10 65 ...............e
+| 480: 76 65 6e 65 69 67 68 74 65 40 18 00 00 00 00 01 veneighte@......
+| 496: 02 03 07 04 01 01 01 03 04 02 05 04 09 01 ff fd ................
+| end crash-6b48ba69806134.db
+}]} {}
+
+do_catchsql_test 4.1 {
+ INSERT INTO t3 SELECT * FROM t2;
+} {1 {database disk image is malformed}}
+
+
 finish_test
diff --git a/test/dbfuzz001.test b/test/dbfuzz001.test
index 70c7997684..0a36867e66 100644
--- a/test/dbfuzz001.test
+++ b/test/dbfuzz001.test
@@ -347,9 +347,14 @@ do_test dbfuzz001-110 {
 | 496: 04 03 03 02 01 04 03 02 02 01 02 03 01 02 01 02 ................
 | end x/c02.db
 }]
- execsql {
- DELETE FROM t3 WHERE x IN (SELECT x FROM t4);
- }
 } {}
+do_catchsql_test dbfuzz001-120 {
+ PRAGMA integrity_check;
+} {1 {database disk image is malformed}}
+
+do_catchsql_test dbfuzz001-130 {
+ DELETE FROM t3 WHERE x IN (SELECT x FROM t4);
+} {1 {database disk image is malformed}}
+
 finish_test