From: dan Date: Mon, 25 May 2015 20:04:15 +0000 (+0000) Subject: Fix a case of a corrupt database causing SQLite to read from up to 4 bytes before... X-Git-Tag: version-3.8.11~221 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c3e8ef1d0ec664d6db518c297f792dba5cf3a2bf;p=thirdparty%2Fsqlite.git Fix a case of a corrupt database causing SQLite to read from up to 4 bytes before the start of a memory allocation. FossilOrigin-Name: 7d2c4f7b6695806ab8ce0c6f49d8bc1d77a4320b --- diff --git a/manifest b/manifest index bf3cc78749..bf53b3065f 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Have\sthe\sb-tree\slayer\sreturn\sSQLITE_CORRUPT\sto\sany\sattempt\sto\sopen\sa\scursor\swith\sa\sroot\spage\snumber\sless\sthan\s1. -D 2015-05-25T19:24:36.961 +C Fix\sa\scase\sof\sa\scorrupt\sdatabase\scausing\sSQLite\sto\sread\sfrom\sup\sto\s4\sbytes\sbefore\sthe\sstart\sof\sa\smemory\sallocation. +D 2015-05-25T20:04:15.531 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.in 0a6ae26396ec696221021780dffbb894ff3cead7 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 @@ -192,7 +192,7 @@ F src/auth.c b56c78ebe40a2110fd361379f7e8162d23f92240 F src/backup.c ff743689c4d6c5cb55ad42ed9d174b2b3e71f1e3 F src/bitvec.c 5eb7958c3bf65210211cbcfc44eff86d0ded7c9d F src/btmutex.c 45a968cc85afed9b5e6cf55bf1f42f8d18107f79 -F src/btree.c a5beb7f19f9bacbad2bd5ebf8e34e327de7a6656 +F src/btree.c a7d627f89e8382cea8645cc2eec6927b203fdb31 F src/btree.h 969adc948e89e449220ff0ff724c94bb2a52e9f1 F src/btreeInt.h 973a22a6fd61350b454ad614832b1f0a5e25a1e4 F src/build.c d5d9090788118178190c5724c19f93953b8c7a4e 
@@ -1278,7 +1278,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f -P 8fa0937a2f3476dd280259e252d6f422c33d38ee -R 1745897e1e5c334cb77f7423f9fe4000 +P aa18c8e9d1676b1caa53bc5f5c1dc5f201089b88 +R 2543e1ce5d351c3852d827d2b79794af U dan -Z 702c8f83eb7e3fb57102175733730dbd +Z bdd86a9186a2d4ac711797171541a410 diff --git a/manifest.uuid b/manifest.uuid index 988034ee1f..878c55a588 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -aa18c8e9d1676b1caa53bc5f5c1dc5f201089b88 \ No newline at end of file +7d2c4f7b6695806ab8ce0c6f49d8bc1d77a4320b \ No newline at end of file diff --git a/src/btree.c b/src/btree.c index 1e27a9cde4..d6c86be547 100644 --- a/src/btree.c +++ b/src/btree.c @@ -7777,6 +7777,7 @@ int sqlite3BtreeDelete(BtCursor *pCur){ unsigned char *pTmp; pCell = findCell(pLeaf, pLeaf->nCell-1); + if( pCell<&pLeaf->aData[4] ) return SQLITE_CORRUPT_BKPT; nCell = cellSizePtr(pLeaf, pCell); assert( MX_CELL_SIZE(pBt) >= nCell ); pTmp = pBt->pTmpSpace;
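Review bot: the new guard `if( pCell<&pLeaf->aData[4] ) return SQLITE_CORRUPT_BKPT;` in the src/btree.c hunk uses a bare literal 4 whose meaning is only recoverable from the commit message (the subsequent code reads up to 4 bytes before the cell pointer); a one-line comment at the check, or a named constant, would keep that rationale next to the code for the next reader. Placing the check directly after `findCell(pLeaf, pLeaf->nCell-1)` and before `cellSizePtr(pLeaf, pCell)` is the right order, since a corrupt cell-pointer array can hand back an address below the page data and anything that dereferences `pCell` afterwards would read outside the allocation. The hunk only bounds the low end of `pCell`; it is not visible here whether a pointer past the end of the page is rejected by `cellSizePtr` or a later check, so that is worth confirming before this is considered complete. Returning `SQLITE_CORRUPT_BKPT` rather than asserting is the appropriate choice for an on-disk corruption case, and the change would benefit from a corrupt-database regression test that exercises this path.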