From: drh
Date: Thu, 1 Aug 2013 19:17:39 +0000 (+0000)
Subject: Make sure signed integer overflow does not cause a segfault while attempting
X-Git-Tag: version-3.8.0~60
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df003d61cec51dfef29c58a13d9bd6927f698b32;p=thirdparty%2Fsqlite.git
Make sure signed integer overflow does not cause a segfault while attempting to read a corrupt database where the header size varint on a record is larger than the maximum 32-bit signed integer.
FossilOrigin-Name: c3baca99f4580652afb2c3f73036ab83796a1557
---
diff --git a/manifest b/manifest
index b1ac07e658..304c8f59e1 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\stest\scase\sfor\sthe\sproblem\sfixed\sby\s[127a5b776d].
-D 2013-08-01T17:43:35.105
+C Make\ssure\ssigned\sinteger\soverflow\sdoes\snot\scause\sa\ssegfault\swhile\sattempting\nto\sread\sa\scorrupt\sdatabase\swhere\sthe\sheader\ssize\svarint\son\sa\srecord\sis\slarger\nthan\sthe\smaximum\s32-bit\ssigned\sinteger.
+D 2013-08-01T19:17:39.891
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 5e41da95d92656a5004b03d3576e8b226858a28e
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -281,7 +281,7 @@ F src/vdbe.c d6048a720c197db2f0e7d618e918bd2e2eff0322
 F src/vdbe.h f380af2a7fab32ba8a8b05bf042497636afec66d
 F src/vdbeInt.h e9b7c6b165a31a4715c5aa97223d20d265515231
 F src/vdbeapi.c 4d13580bd058b39623e8fcfc233b7df4b8191e8b
-F src/vdbeaux.c c01594ecf5a78ef41a721f3465152bb91883a942
+F src/vdbeaux.c ca0c9d4b5104a3b4e4cf3c557d661938f15e68ac
 F src/vdbeblob.c 5dc79627775bd9a9b494dd956e26297946417d69
 F src/vdbemem.c 833005f1cbbf447289f1973dba2a0c2228c7b8ab
 F src/vdbesort.c 3937e06b2a0e354500e17dc206ef4c35770a5017
@@ -395,6 +395,7 @@ F test/corruptC.test 62a767fe64acb1975f58cc6171192839c783edbb
 F test/corruptD.test 3b09903a2e2fe07ecafe775fea94177f8a4bb34f
 F test/corruptE.test d3a3d7e864a95978195741744dda4abfd8286018
 F test/corruptF.test 1c7b6f77cf3f237fb7fbb5b61d6c921fd4c7b993
+F test/corruptG.test 01d94538a0666808dae1b4010f24c25becee13af
 F test/count.test 454e1ce985c94d13efeac405ce54439f49336163
 F test/coveridxscan.test cdb47d01acc4a634a34fd25abe85189e0d0f1e62
 F test/crash.test fb9dc4a02dcba30d4aa5c2c226f98b220b2b959f
@@ -1103,7 +1104,7 @@ F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh fbc018d67fd7395f440c28f33ef0f94420226381
 F tool/wherecosttest.c f407dc4c79786982a475261866a161cd007947ae
 F tool/win/sqlite.vsix 97894c2790eda7b5bce3cc79cb2a8ec2fde9b3ac
-P 127a5b776d16e1e23c5b3d454f6aaea67f1ded3a
-R 55095a68bf1e6bed6cc6b3606b16b8da
-U dan
-Z 4a8fdbd96b68de3d602c8482b890b1d9
+P 65816718b59b286c11d939235a23c7325f25594b
+R 40beea5b8511a37f010f0f7e67aa8773
+U drh
+Z a89405d573d1d6b7d75b24ed5c21bc2d
diff --git a/manifest.uuid b/manifest.uuid
index 43b445a140..f815192c25 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-65816718b59b286c11d939235a23c7325f25594b
\ No newline at end of file
+c3baca99f4580652afb2c3f73036ab83796a1557
\ No newline at end of file
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index f54685cb71..0bc5b44261 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -2990,7 +2990,7 @@ int sqlite3VdbeRecordCompare(
 int nKey1, const void *pKey1, /* Left key */
 UnpackedRecord *pPKey2 /* Right key */
 ){
- int d1; /* Offset into aKey[] of next data element */
+ u32 d1; /* Offset into aKey[] of next data element */
 u32 idx1; /* Offset into aKey[] of next header element */
 u32 szHdr1; /* Number of bytes in header */
 int i = 0;
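Review bot: The reason `d1` is widened to u32 is not recorded at the declaration, so a later reader sees an unsigned offset sitting next to `int nKey1` two lines above and may be tempted to make them agree the other way. A short comment on the new line would pin it: `u32 d1; /* Offset into aKey[] of next data element; u32 so a corrupt header-size varint above INT_MAX cannot turn the offset negative */`. The comparison in the following hunk at line 3024 depends on this type choice, and the body of sqlite3VdbeRecordCompare continues past the hunk.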
@@ -3024,7 +3024,7 @@ int sqlite3VdbeRecordCompare(
 /* Read the serial types for the next element in each key. */
 idx1 += getVarint32( aKey1+idx1, serial_type1 );
- if( d1>=nKey1 && sqlite3VdbeSerialTypeLen(serial_type1)>0 ) break;
+ if( d1>=(u32)nKey1 && sqlite3VdbeSerialTypeLen(serial_type1)>0 ) break;
 /* Extract the values to be compared. */
diff --git a/test/corruptG.test b/test/corruptG.test
new file mode 100644
index 0000000000..7b95321453
--- /dev/null
+++ b/test/corruptG.test
@@ -0,0 +1,56 @@
+# 2013-08-01
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix corruptG
+
+# Do not use a codec for tests in this file, as the database file is
+# manipulated directly using tcl scripts (using the [hexio_write] command).
+#
+do_not_use_codec
+
+# Create a simple database with a single entry. Then corrupt the
+# header-size varint on the index payload so that it maps into a
+# negative number. Try to use the database.
+#
+
+do_execsql_test 1.1 {
+ PRAGMA page_size=512; CREATE TABLE t1(a,b,c); INSERT INTO t1(rowid,a,b,c) VALUES(2,'abc','xyz','123'); CREATE INDEX t1abc ON t1(a,b,c);
+}
+
+# Corrupt the file
+db close
+hexio_write test.db [expr {3*512 - 15}] 888080807f
+sqlite3 db test.db
+
+# Try to use the file.
+do_test 1.2 {
+ catchsql {
+ SELECT c FROM t1 WHERE a>'abc';
+ }
+} {0 {}}
+do_test 1.3 {
+ catchsql {
+ PRAGMA integrity_check
+ }
+} {0 ok}
+do_test 1.4 {
+ catchsql {
+ SELECT c FROM t1 ORDER BY a;
+ }
+} {1 {database disk image is malformed}}
+finish_test
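Review bot: The rewritten guard `if( d1>=(u32)nKey1 && sqlite3VdbeSerialTypeLen(serial_type1)>0 ) break;` only rejects a field whose start offset is already at or past nKey1; a serial type that starts inside the key but whose payload length runs past nKey1 is not rejected here, so the extraction that follows (outside the hunk) presumably still reads beyond pKey1 on such a corrupt record unless the callers guarantee slack after the buffer. A tighter check that keeps the existing semantics is `u32 len1 = sqlite3VdbeSerialTypeLen(serial_type1);` followed by `if( len1>0 && (d1>=(u32)nKey1 || len1>(u32)nKey1-d1) ) break;`. The `(u32)nKey1` cast also silently turns a negative nKey1 into a very large bound; if any caller can pass a negative length (not visible from here), that case wants its own early rejection. The loop and the enclosing function continue outside the hunk.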
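Review bot: Test 1.3 pins `PRAGMA integrity_check` to `{0 ok}` on a file that was just corrupted by hand, which codifies that the check does not report this particular corruption, yet nothing in the file says that is intended rather than incidental. A comment above do_test 1.3 such as `# integrity_check is not expected to notice the damaged header varint; 1.4 is where the corruption must be reported.` would stop a later improvement to integrity_check from reading as a regression. Likewise `hexio_write test.db [expr {3*512 - 15}] 888080807f` depends on the exact page layout produced by page_size=512 and the fixed inserts above; a one-line comment naming which record's header-size varint those bytes presumably overwrite would make the offset maintainable.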