From: dan
Date: Tue, 30 Jun 2020 15:32:12 +0000 (+0000)
Subject: Avoid a potential buffer overread in fts3 when processing corrupt records.
X-Git-Tag: version-3.33.0~83
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f488bc11473d1d869e1670e8c279a914e4d790e3;p=thirdparty%2Fsqlite.git

Avoid a potential buffer overread in fts3 when processing corrupt records.

FossilOrigin-Name: 4d0cfb1236884349168f8e2ec5e18c0232965148af78615e0d5c9b0e13a35422
---
diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
index b8e2bac0bb..9b8f1833f9 100644
--- a/ext/fts3/fts3_write.c
+++ b/ext/fts3/fts3_write.c
@@ -2855,6 +2855,19 @@ int sqlite3Fts3MsrIncrRestart(Fts3MultiSegReader *pCsr){
 return SQLITE_OK;
 }
+static int fts3GrowSegReaderBuffer(Fts3MultiSegReader *pCsr, int nReq){
+ if( nReq>pCsr->nBuffer ){
+ char *aNew;
+ pCsr->nBuffer = nReq*2;
+ aNew = sqlite3_realloc(pCsr->aBuffer, pCsr->nBuffer);
+ if( !aNew ){
+ return SQLITE_NOMEM;
+ }
+ pCsr->aBuffer = aNew;
+ }
+ return SQLITE_OK;
+}
+
 int sqlite3Fts3SegReaderStep(
 Fts3Table *p, /* Virtual table handle */
@@ -2989,15 +3002,9 @@ int sqlite3Fts3SegReaderStep(
 }
 nByte = sqlite3Fts3VarintLen(iDelta) + (isRequirePos?nList+1:0);
- if( nDoclist+nByte>pCsr->nBuffer ){
- char *aNew;
- pCsr->nBuffer = (nDoclist+nByte)*2;
- aNew = sqlite3_realloc(pCsr->aBuffer, pCsr->nBuffer);
- if( !aNew ){
- return SQLITE_NOMEM;
- }
- pCsr->aBuffer = aNew;
- }
+
+ rc = fts3GrowSegReaderBuffer(pCsr, nByte+nDoclist);
+ if( rc ) return rc;
 if( isFirst ){
 char *a = &pCsr->aBuffer[nDoclist];
@@ -3022,6 +3029,9 @@ int sqlite3Fts3SegReaderStep(
 fts3SegReaderSort(apSegment, nMerge, j, xCmp);
 }
 if( nDoclist>0 ){
+ rc = fts3GrowSegReaderBuffer(pCsr, nDoclist+FTS3_NODE_PADDING);
+ if( rc ) return rc;
+ memset(&pCsr->aBuffer[nDoclist], 0, FTS3_NODE_PADDING);
 pCsr->aDoclist = pCsr->aBuffer;
 pCsr->nDoclist = nDoclist;
 rc = SQLITE_ROW;
diff --git a/manifest b/manifest
index 233794772f..bbd5377002 100644
--- a/manifest
+++ b/manifest
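Review bot: fts3GrowSegReaderBuffer writes the doubled size into pCsr->nBuffer before sqlite3_realloc() has succeeded, so on the SQLITE_NOMEM path the cursor is left claiming capacity it does not have while pCsr->aBuffer still points at the old, smaller allocation; a later call that reaches this helper with nReq below the inflated nBuffer would skip the grow and write past the real buffer. The removed inline code had the same ordering, but now that the commit turns it into a helper shared by two call sites it is cheap to harden: `int nNew = nReq*2;`, `aNew = sqlite3_realloc(pCsr->aBuffer, nNew);`, and `pCsr->nBuffer = nNew;` placed after `pCsr->aBuffer = aNew;`. `nReq*2` is also a signed int multiply; whether nReq can get near INT_MAX/2 depends on limits not visible in this hunk, but a guard or a wider intermediate would close that cheaply. A short header comment stating the contract — grows pCsr->aBuffer to at least nReq bytes, doubling to amortize reallocation, returns SQLITE_NOMEM on failure with the existing buffer left usable — would help both callers.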
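Review bot: The memset added inside `if( nDoclist>0 ){` zeroes FTS3_NODE_PADDING bytes beyond the assembled doclist with no comment saying why, and that is exactly the kind of line a later maintainer removes as dead work; the reason — presumably that a varint decoder walking a doclist built from a corrupt segment can run past nDoclist, and the zero tail keeps it inside the allocation — is what the commit title alludes to but the code does not say. I would add above the grow call: `/* Zero-pad the doclist so that a reader that runs off the end of a corrupt doclist still stays inside aBuffer (FTS3_NODE_PADDING bytes). */`. Since the grow and the memset only happen when a row is being returned, it would also be worth a sentence noting that pCsr->aDoclist is padded only on the SQLITE_ROW path. sqlite3Fts3SegReaderStep starts and ends outside this hunk.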
@@ -1,11 +1,11 @@
 B 7a876209a678a34c198b54ceef9e3c041f128a14dc73357f6a57cadadaa6cf7b
-C Fix\sgenerated\scolumns\sso\sthat\sthey\splay\swell\swith\supsert.\nSee\sthe\s[https://sqlite.org/forum/forumpost/73b9a8ccfb|forum\spost]\nby\s"iffycan"\sfor\sdetails.
-D 2020-06-29T20:26:50.764
+C Avoid\sa\spotential\sbuffer\soverread\sin\sfts3\swhen\sprocessing\scorrupt\srecords.
+D 2020-06-30T15:32:12.803
 F Makefile.in 19374a5db06c3199ec1bab71ab74a103d8abf21053c05e9389255dc58083f806
 F Makefile.msc 48f5a3fc32672c09ad73795749f6253e406a31526935fbbffd8f021108d54574
 F autoconf/Makefile.am a8d1d24affe52ebf8d7ddcf91aa973fa0316618ab95bb68c87cabf8faf527dc8
 F ext/fts3/fts3.c 5ffabd0d13210fb9cfe1c08184201282722adfeea49cd9e8e2ae29d1fefd7fcb
-F ext/fts3/fts3_write.c 78a447d9f2610b90eb39489721d5dc547098fab3a8b06f834ad809f9832ce93d
+F ext/fts3/fts3_write.c d1258a4ec15465304421ba6c1f0937bf9c0bd71af85fae49a8d7b68c2af97d4f
 F ext/lsm1/lsm_unix.c 11e0a5c19d754a4e1d93dfad06de8cc201f10f886b8e61a4c599ed34e334fc24
 F ext/misc/decimal.c c1897f624893d1c12e3c879d97ca7d1c4a36cae10d32afe632779de78c4aaa4f
 F ext/misc/ieee754.c bb6bd8e9eeeda5a7ac82839fcab5c0b8156b0532165387cc5458a97f60047b5d
@@ -23,7 +23,7 @@ F src/vdbe.c b9ff68008f3d9d1f38525414bdcf8f62a73f458079245c17a63b2b4763d645fd
 F src/vdbeapi.c c1a9004ac554d8d48794d2ce5f80397f8e419fd28643a543cc1e004c7713c3ef
 F test/busy2.test 5a449cd1bd7616c6ce709484d3e2a419a151b75e87ec5d2c7cb26e05a15dbd7b
 F test/decimal.test 12739a01bdba4c4d79f95b323e6b67b9fad1ab6ffb56116bd2b9c81a5b19e1d9
-F test/fts3corrupt4.test 99a3017da1f43c8dbecd1b053029ade08dfa51b94ca043abffe5d32f21cc5736
+F test/fts3corrupt4.test 35e88f7708868a67598f1f6d3666774f6c7b34c91e3b74bd2965030fc70fb928
 F test/fuzzdata8.db 0ae860b36b79fd41cafddc9e6602358b2d5c331cf200283221e659f86e196c0c
 F test/gencol1.test b05e6c5edb9b10d48efb634ed07342441bddc89d225043e17095c36e567521a0
 F test/ieee754.test b0945d12be7d255f3dfa18e2511b17ca37e0edd2b803231c52d05b86c04ab26e
@@ -33,7 +33,7 @@ F tool/mksqlite3c.tcl f4ef476510eca4124c874a72029f1e01bc54a896b1724e8f9eef0d8bfa
 F tool/mksqlite3h.tcl 1f5e4a1dbbbc43c83cc6e74fe32c6c620502240b66c7c0f33a51378e78fc4edf
 F tool/showlocks.c 9cc5e66d4ebbf2d194f39db2527ece92077e86ae627ddd233ee48e16e8142564
 F tool/speed-check.sh 615cbdf50f1409ef3bbf9f682e396df80f49d97ed93ed3e61c8e91fae6afde58
-P e96c2ac9ab1a1c51b1498f4b91fb71d2987c30579d072b2f0297da9eb945cb97
-R 96bcb1826c4246c8d36fb141c8549902
-U drh
-Z b43dd84950d0a9b9c5a2d6f60c766f77
+P fa9d93cf32fac4b86044acf5d1b9ea2f36e964ed7142cf1d270986c9ef3fb766
+R a10b2894fa1e1593313267b4646751fb
+U dan
+Z 4819251182f23b37b4c3bd6355043693
diff --git a/manifest.uuid b/manifest.uuid
index c291d18b71..4ea70db558 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-fa9d93cf32fac4b86044acf5d1b9ea2f36e964ed7142cf1d270986c9ef3fb766
\ No newline at end of file
+4d0cfb1236884349168f8e2ec5e18c0232965148af78615e0d5c9b0e13a35422
\ No newline at end of file
diff --git a/test/fts3corrupt4.test b/test/fts3corrupt4.test
index 0670063a5a..bbc84c7fb2 100644
--- a/test/fts3corrupt4.test
+++ b/test/fts3corrupt4.test
@@ -6150,4 +6150,17 @@ do_execsql_test 43.2 {
 set sqlite_fts3_enable_parentheses $saved
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 44.1 {
+ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
+ INSERT INTO t0_content VALUES(0,NULL,NULL,NULL,NULL);
+ INSERT INTO t0_segdir VALUES(0,0,0,0,'0 42',X'00013103010200010332333405010201ba00000461616161050101020200000462626262050101030200');
+}
+
+do_execsql_test 44.2 {
+ SELECT matchinfo(t0, t0) IS NULL FROM t0 WHERE t0 MATCH '1*'
+} {0}
+
+
 finish_test
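Review bot: Test 44.1 inserts a hand-built t0_segdir blob with no comment on what is malformed about it, so the regression test records nothing beyond "this once tripped a sanitizer"; the hex is opaque to the next person who edits this file. A one-line comment above `do_execsql_test 44.1` naming the corruption — for instance that the doclist in this segment ends mid-varint so the reader ran past nDoclist, if that is what the blob encodes — would tie the test to the padding added in fts3_write.c. Test 44.2 asserts only that matchinfo() is non-NULL, which is enough to drive the read under ASAN/valgrind but says nothing about the result; I would note in the same comment that the value is not meaningful and the test exists for memory safety, so nobody later "fixes" the expected output.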