From: drh
Date: Sat, 7 Feb 2015 15:16:35 +0000 (+0000)
Subject: Fix potential 32-bit integer overflow problems on the offset and length
X-Git-Tag: version-3.8.9~137
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d10d18da5f65a36ed76c09289e33ed13432d0ca3;p=thirdparty%2Fsqlite.git

Fix potential 32-bit integer overflow problems on the offset and length
parameters to sqlite3_blob_read() and sqlite3_blob_write(). For
sqlite3_blob_open(), make sure the *ppBlob return parameter is zeroed if
the interface fails with SQLITE_MISUSE.

FossilOrigin-Name: 5df02f50f8348dfde4fc15126abc7b7ef7803e69
---
diff --git a/manifest b/manifest
index b31e5b6454..033c8ecf04 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Change\sthe\sname\sof\s".info"\sto\s".dbinfo"\sand\sadd\san\soptional\ssecond\sargument\nwhich\sis\sthe\sATTACH-ed\sDB\sabout\swhich\sinformation\sis\sprovided.\s\sProvide\n".indexes"\sas\san\salternative\sname\sto\sthe\slegacy\s".indices"\scommand.
-D 2015-02-06T14:51:13.355
+C Fix\spotential\s32-bit\sinteger\soverflow\sproblems\son\sthe\soffset\sand\slength\nparameters\sto\ssqlite3_blob_read()\sand\ssqlite3_blob_write().\s\sFor\nsqlite3_blob_open(),\smake\ssure\sthe\s*ppBlob\sreturn\sparameter\sis\szeroed\sif\nthe\sinterface\sfails\swith\sSQLITE_MISUSE.
+D 2015-02-07T15:16:35.893
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 6b9e7677829aa94b9f30949656e27312aefb9a46
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -298,7 +298,7 @@ F src/vdbe.h 6fc69d9c5e146302c56e163cb4b31d1ee64a18c3
 F src/vdbeInt.h 9bb69ff2447c34b6ccc58b34ec35b615f86ead78
 F src/vdbeapi.c 4bc511a46b9839392ae0e90844a71dc96d9dbd71
 F src/vdbeaux.c 97911edb61074b871ec4aa2d6bb779071643dee5
-F src/vdbeblob.c 4af4bfb71f6df7778397b4a0ebc1879793276778
+F src/vdbeblob.c 4f2e8e075d238392df98c5e03a64342465b03f90
 F src/vdbemem.c 31d8eabb0cd78bfeab4e5124c7363c3e9e54db9f
 F src/vdbesort.c 6d64c5448b64851b99931ede980addc3af70d5e2
 F src/vdbetrace.c 7e4222955e07dd707a2f360c0eb73452be1cb010
@@ -638,7 +638,7 @@ F test/in3.test 3cbf58c87f4052cee3a58b37b6389777505aa0c0
 F test/in4.test d2b38cba404bc4320f4fe1b595b3d163f212c068
 F test/in5.test 1de657472fa9ac2924be25c2c959ac5ca1aae554
 F test/incrblob.test e81846d214f3637622620fbde7cd526781cfe328
-F test/incrblob2.test bf4d549aa4a466d7fbe3e3a3693d3861263d5600
+F test/incrblob2.test 0d8821730a84f90af78a9dd547fe7a2480a06240
 F test/incrblob3.test d8d036fde015d4a159cd3cbae9d29003b37227a4
 F test/incrblob4.test f26502a5697893e5acea268c910f16478c2f0fab
 F test/incrblob_err.test af1f12ba60d220c9752073ff2bda2ad59e88960d
@@ -1239,7 +1239,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 0a3100a7f264ffce6078c35e341f2f0af6c09fbb
-R a582dddcff23f4b3aa0ab625ed7ba566
+P 0f65a7e2e09f801b66897479d501607caeae4abf
+R a72e608518946b8cddba99b1913bccc8
 U drh
-Z 91c27780af6a4d5e0c7b8a8aa90c189d
+Z 826c67b7d3493617a37693ae1605b2c3
diff --git a/manifest.uuid b/manifest.uuid
index 408d77792f..c363eec9d9 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-0f65a7e2e09f801b66897479d501607caeae4abf
\ No newline at end of file
+5df02f50f8348dfde4fc15126abc7b7ef7803e69
\ No newline at end of file
diff --git a/src/vdbeblob.c b/src/vdbeblob.c
index cf1eb59054..ea01f5ce80 100644
--- a/src/vdbeblob.c
+++ b/src/vdbeblob.c
@@ -154,12 +154,17 @@ int sqlite3_blob_open(
 Incrblob *pBlob = 0;
 #ifdef SQLITE_ENABLE_API_ARMOR
- if( !sqlite3SafetyCheckOk(db) || ppBlob==0 || zTable==0 ){
+ if( ppBlob==0 ){
 return SQLITE_MISUSE_BKPT;
 }
 #endif
- flags = !!flags; /* flags = (flags ? 1 : 0); */
 *ppBlob = 0;
+#ifdef SQLITE_ENABLE_API_ARMOR
+ if( !sqlite3SafetyCheckOk(db) || zTable==0 ){
+ return SQLITE_MISUSE_BKPT;
+ }
+#endif
+ flags = !!flags; /* flags = (flags ? 1 : 0); */
 sqlite3_mutex_enter(db->mutex);
@@ -373,7 +378,7 @@ static int blobReadWrite(
 sqlite3_mutex_enter(db->mutex);
 v = (Vdbe*)p->pStmt;
- if( n<0 || iOffset<0 || (iOffset+n)>p->nByte ){
+ if( n<0 || iOffset<0 || ((sqlite3_int64)iOffset+n)>p->nByte ){
 /* Request is out of range. Return a transient error. */
 rc = SQLITE_ERROR;
 }else if( v==0 ){
diff --git a/test/incrblob2.test b/test/incrblob2.test
index a8f40f09dc..1a235f7d22 100644
--- a/test/incrblob2.test
+++ b/test/incrblob2.test
@@ -324,12 +324,34 @@ do_test incrblob2-6.2 {
 sqlite3_blob_read $rdHandle 0 2
 } {AB}
+do_test incrblob2-6.2b {
+ set rc [catch {
+ # Prior to 2015-02-07, the following caused a segfault due to
+ # integer overflow.
+ sqlite3_blob_read $rdHandle 2147483647 2147483647
+ } errmsg]
+ lappend rc $errmsg
+} {1 SQLITE_ERROR}
+
 do_test incrblob2-6.3 {
 set wrHandle [db incrblob t1 data 1]
 sqlite3_blob_write $wrHandle 0 ZZZZZZZZZZ
 sqlite3_blob_read $rdHandle 2 4
 } {ZZZZ}
+do_test incrblob2-6.3b {
+ set rc [catch {
+ # Prior to 2015-02-07, the following caused a segfault due to
+ # integer overflow.
+ sqlite3_blob_write $wrHandle 2147483647 YYYYYYYYYYYYYYYYYY
+ } errmsg]
+ lappend rc $errmsg
+} {1 SQLITE_ERROR}
+do_test incrblob2-6.3c {
+ sqlite3_blob_read $rdHandle 2 4
+} {ZZZZ}
+
+
 do_test incrblob2-6.4 {
 close $wrHandle
 close $rdHandle
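Review bot: The reason the API-armor check in sqlite3_blob_open is now split into two `#ifdef SQLITE_ENABLE_API_ARMOR` blocks on either side of `*ppBlob = 0;` is not recorded in the code, so a later tidy-up could merge them back and silently lose the zeroing of the output handle on the `SQLITE_MISUSE_BKPT` path that this commit introduces. A comment on the `*ppBlob = 0;` line such as `/* Zero the output handle before the remaining armor checks so that a MISUSE return never leaves *ppBlob uninitialized */` would pin the ordering. The armor check still does not cover `zColumn`; if the column name is dereferenced further down in the function (outside this hunk), a NULL there would bypass the MISUSE path, which is worth confirming. The enclosing function begins before and continues after the hunk.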
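Review bot: The widened test `((sqlite3_int64)iOffset+n)>p->nByte` in blobReadWrite relies on a detail a reader has to re-derive: the cast is applied to `iOffset` only, `n` is promoted because the left operand is 64-bit, and the sum cannot wrap because both values have already passed the `n<0 || iOffset<0` checks that precede it in the same condition. A one-line comment above the `if` would make that explicit, e.g. `/* Sum in 64 bits: iOffset+n overflows int when both are near INT_MAX (see incrblob2-6.2b) */`. Whether `p->nByte` is itself guaranteed non-negative is not visible in the hunk. The function's body starts and continues outside the hunk.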
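Review bot: The new cases incrblob2-6.2b, 6.3b and 6.3c cover the offset+length overflow in sqlite3_blob_read and sqlite3_blob_write, but the second half of the commit, zeroing `*ppBlob` when sqlite3_blob_open returns SQLITE_MISUSE, is not exercised anywhere in this hunk. That path is only compiled under SQLITE_ENABLE_API_ARMOR, so it may not be reachable from this test file's build; if it is, a case that opens a blob with an invalid table name and asserts the returned handle is empty would catch a regression of the reordering. The comment `# Prior to 2015-02-07, the following caused a segfault due to integer overflow.` is repeated in 6.2b and 6.3b and could name the fix once, in 6.2b, with 6.3b referring to it.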