From: drh Date: Thu, 1 Aug 2013 20:26:04 +0000 (+0000) Subject: Fix a potential buffer overread in sqlite3VdbeRecordCompare() when a X-Git-Tag: version-3.8.0~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5601cac4d1526ebbe7ffcff999c8573d53a549f;p=thirdparty%2Fsqlite.git Fix a potential buffer overread in sqlite3VdbeRecordCompare() when a serial_type specifies a field that starts in bounds but is much too large for the allocated buffer. Mostly harmless. The overread is unlikely to go more than one or two bytes past the end of the buffer. FossilOrigin-Name: e436b2f4e5c5e6b2f70e65332c0c7d618e2ef20a --- diff --git a/manifest b/manifest index 304c8f59e1..d16a98516a 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Make\ssure\ssigned\sinteger\soverflow\sdoes\snot\scause\sa\ssegfault\swhile\sattempting\nto\sread\sa\scorrupt\sdatabase\swhere\sthe\sheader\ssize\svarint\son\sa\srecord\sis\slarger\nthan\sthe\smaximum\s32-bit\ssigned\sinteger. -D 2013-08-01T19:17:39.891 +C Fix\sa\spotential\sbuffer\soverread\sin\ssqlite3VdbeRecordCompare()\swhen\sa\nserial_type\sspecifies\sa\sfield\sthat\sstarts\sin\sbounds\sbut\sis\smuch\stoo\slarge\nfor\sthe\sallocated\sbuffer.\s\sMostly\sharmless.\s\sThe\soverread\sis\sunlikely\sto\ngo\smore\sthan\sone\sor\stwo\sbytes\spast\sthe\send\sof\sthe\sbuffer. +D 2013-08-01T20:26:04.768 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.in 5e41da95d92656a5004b03d3576e8b226858a28e F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 
@@ -281,7 +281,7 @@ F src/vdbe.c d6048a720c197db2f0e7d618e918bd2e2eff0322 F src/vdbe.h f380af2a7fab32ba8a8b05bf042497636afec66d F src/vdbeInt.h e9b7c6b165a31a4715c5aa97223d20d265515231 F src/vdbeapi.c 4d13580bd058b39623e8fcfc233b7df4b8191e8b -F src/vdbeaux.c ca0c9d4b5104a3b4e4cf3c557d661938f15e68ac +F src/vdbeaux.c 902bc99e72ab3cc5ad38cd344fb0757249839c36 F src/vdbeblob.c 5dc79627775bd9a9b494dd956e26297946417d69 F src/vdbemem.c 833005f1cbbf447289f1973dba2a0c2228c7b8ab F src/vdbesort.c 3937e06b2a0e354500e17dc206ef4c35770a5017 @@ -395,7 +395,7 @@ F test/corruptC.test 62a767fe64acb1975f58cc6171192839c783edbb F test/corruptD.test 3b09903a2e2fe07ecafe775fea94177f8a4bb34f F test/corruptE.test d3a3d7e864a95978195741744dda4abfd8286018 F test/corruptF.test 1c7b6f77cf3f237fb7fbb5b61d6c921fd4c7b993 -F test/corruptG.test 01d94538a0666808dae1b4010f24c25becee13af +F test/corruptG.test 3804cb1b1b66ca82dc809dc80e3957dc7e0111e8 F test/count.test 454e1ce985c94d13efeac405ce54439f49336163 F test/coveridxscan.test cdb47d01acc4a634a34fd25abe85189e0d0f1e62 F test/crash.test fb9dc4a02dcba30d4aa5c2c226f98b220b2b959f @@ -1104,7 +1104,7 @@ F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4 F tool/warnings.sh fbc018d67fd7395f440c28f33ef0f94420226381 F tool/wherecosttest.c f407dc4c79786982a475261866a161cd007947ae F tool/win/sqlite.vsix 97894c2790eda7b5bce3cc79cb2a8ec2fde9b3ac -P 65816718b59b286c11d939235a23c7325f25594b -R 40beea5b8511a37f010f0f7e67aa8773 +P c3baca99f4580652afb2c3f73036ab83796a1557 +R fcb797895b127e11a00659cd0bcac3ee U drh -Z a89405d573d1d6b7d75b24ed5c21bc2d +Z f701ece092c0412f4414d12aeebc6620 diff --git a/manifest.uuid b/manifest.uuid index f815192c25..08fb1854e2 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -c3baca99f4580652afb2c3f73036ab83796a1557 \ No newline at end of file +e436b2f4e5c5e6b2f70e65332c0c7d618e2ef20a \ No newline at end of file diff --git a/src/vdbeaux.c b/src/vdbeaux.c index 0bc5b44261..5469ce81e8 100644 --- a/src/vdbeaux.c 
+++ b/src/vdbeaux.c @@ -3024,7 +3024,7 @@ int sqlite3VdbeRecordCompare( /* Read the serial types for the next element in each key. */ idx1 += getVarint32( aKey1+idx1, serial_type1 ); - if( d1>=(u32)nKey1 && sqlite3VdbeSerialTypeLen(serial_type1)>0 ) break; + if( d1+sqlite3VdbeSerialTypeLen(serial_type1)>(u32)nKey1 ) break; /* Extract the values to be compared. */ diff --git a/test/corruptG.test b/test/corruptG.test index 7b95321453..da36cfac4b 100644 --- a/test/corruptG.test +++ b/test/corruptG.test @@ -27,7 +27,7 @@ do_not_use_codec do_execsql_test 1.1 { PRAGMA page_size=512; CREATE TABLE t1(a,b,c); - INSERT INTO t1(rowid,a,b,c) VALUES(2,'abc','xyz','123'); + INSERT INTO t1(rowid,a,b,c) VALUES(52,'abc','xyz','123'); CREATE INDEX t1abc ON t1(a,b,c); } @@ -53,4 +53,18 @@ do_test 1.4 { } } {1 {database disk image is malformed}} +# Corrupt the same file in a slightly different way. Make the record header +# sane, but corrupt one of the serial_type value to indicate a huge payload +# such that the payload begins in allocated space but overflows the buffer. +# +db close +hexio_write test.db [expr {3*512-15}] 0611ffff7f01 +sqlite3 db test.db + +do_test 2.1 { + catchsql { + SELECT rowid FROM t1 WHERE a='bc' and b='xyz123456789'; + } +} {0 {}} + finish_test
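Review bot: The new guard `if( d1+sqlite3VdbeSerialTypeLen(serial_type1)>(u32)nKey1 ) break;` adds two unsigned 32-bit quantities, so if `d1` is already large (it is seeded from the record's header-size varint, which is read before this hunk) the sum can wrap to a small value and the check passes even though the field lies far outside the buffer; a non-wrapping form is `if( d1>(u32)nKey1 || sqlite3VdbeSerialTypeLen(serial_type1)>(u32)nKey1-d1 ) break;`. Because `serial_type1` comes from getVarint32, its length is at most roughly 2^31, so the wrap requires `d1` above 2^31 — whether the header-size check from the previous commit already excludes that is not visible in this hunk. A one-line comment stating the invariant the check enforces, `/* The field must lie entirely inside aKey1[0..nKey1) even on a corrupt record */`, would make the intent clearer than the bare comparison. The `break` leaves the verdict to the post-loop tie-breaking instead of flagging corruption, which appears intended given the description calls the overread mostly harmless. sqlite3VdbeRecordCompare begins and ends outside the hunk.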
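Review bot: The offset in `hexio_write test.db [expr {3*512-15}] 0611ffff7f01` is a hand-derived position that depends on `PRAGMA page_size=512`, the exact row inserted in test 1.1 and the rowid change from 2 to 52 in the first hunk, but none of that coupling is stated; a comment such as `# Offset is the serial_type bytes of the t1abc index record on page 3; depends on page_size=512 and rowid 52 above` would keep the test from silently breaking when the setup changes. The rowid change itself is presumably needed to place the record where the patch expects it, but the hunk does not say why, so a short note next to the INSERT would help. Test 2.1 only asserts `{0 {}}`, so on a plain build it proves the query returns no rows without error; the overread it is meant to catch is only observable under a memory checker such as valgrind or ASan, which is worth saying in the comment block so the test is run that way.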