From: drh
Date: Tue, 13 Nov 2018 20:21:52 +0000 (+0000)
Subject: Fix a potential buffer overread in the dbstat virtual table when processing
X-Git-Tag: version-3.26.0~43
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9dc5f7726b867a7d2bc505a9ed5ad83865f0660;p=thirdparty%2Fsqlite.git
Fix a potential buffer overread in the dbstat virtual table when processing a corrupt database file.
FossilOrigin-Name: a62e6b593b59eae44d299842a4d02b9346a0c72a3e1206882f304ab40f2cd5c5
---
diff --git a/manifest b/manifest
index cf13926f03..d563673cee 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Turn\son\sASAN\sfor\sthe\sdbfuzz2\sutility.\s\sFix\sa\sbuffer\soverread\sassociated\nwith\ssqlite3_deserialize().
-D 2018-11-13T19:51:41.357
+C Fix\sa\spotential\sbuffer\soverread\sin\sthe\sdbstat\svirtual\stable\swhen\sprocessing\na\scorrupt\sdatabase\sfile.
+D 2018-11-13T20:21:52.241
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in b730006b54c990461d864c5387f2e6f13aadb0236804555fb010ed6865a5f058
@@ -456,7 +456,7 @@ F src/complete.c a3634ab1e687055cd002e11b8f43eb75c17da23e
 F src/ctime.c 109e58d00f62e8e71ee1eb5944ac18b90171c928ab2e082e058056e1137cc20b
 F src/date.c ebe1dc7c8a347117bb02570f1a931c62dd78f4a2b1b516f4837d45b7d6426957
 F src/dbpage.c cfa87c8a9e3b5267a72faa3a592a497cd3810146c056c53a3472caf763c8556b
-F src/dbstat.c 9ad3f2d9d19a915d414870b9405b19493eed41975f3ad0d13f70fdd0831853b4
+F src/dbstat.c d54c2449d03f7d8a2e11a18f50364520ae1e364457fddb5e4dd79450bad428a0
 F src/delete.c cec65c0e74be7492cafba1b77580732b0b1a41a4dbc4ac70909ac44b65b2a20b
 F src/expr.c 9aacc0b72348ba90010b672dcbbbe2fa56e1182043bc917a3a147b2bc57a5497
 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007
@@ -1778,7 +1778,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P f9755f81b1c0fd29f242dce78a2fba570fa2714d76e93b8563f426a040352513
-R 98a6d1adc30b12dd5c82022baece83c9
+P 4e38f27b55030e908bd36f32101e26b30f10dbde67e12c8197d0363ee12aa06d
+R a67b2811aa07e1e1e0992fd02687f209
 U drh
-Z 74a6937661c8cfdeda0ca01cd02a14d0
+Z 582daefcbaa8d9f654e4fc231aaea0cb
diff --git a/manifest.uuid b/manifest.uuid
index 9d2e0dae3d..d71ad82a94 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-4e38f27b55030e908bd36f32101e26b30f10dbde67e12c8197d0363ee12aa06d
\ No newline at end of file
+a62e6b593b59eae44d299842a4d02b9346a0c72a3e1206882f304ab40f2cd5c5
\ No newline at end of file
diff --git a/src/dbstat.c b/src/dbstat.c
index a2c6fe0894..e49ace11f3 100644
--- a/src/dbstat.c
+++ b/src/dbstat.c
@@ -397,6 +397,7 @@ static int statDecodePage(Btree *pBt, StatPage *p){
 if( nPayload>(u32)nLocal ){
 int j;
 int nOvfl = ((nPayload - nLocal) + nUsable-4 - 1) / (nUsable - 4);
+ if( iOff+nLocal>nUsable ) goto statPageIsCorrupt;
 pCell->nLastOvfl = (nPayload-nLocal) - (nOvfl-1) * (nUsable-4);
 pCell->nOvfl = nOvfl;
 pCell->aOvfl = sqlite3_malloc64(sizeof(u32)*nOvfl);
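Review bot: The added guard `if( iOff+nLocal>nUsable ) goto statPageIsCorrupt;` still accepts iOff+nLocal anywhere in the last three bytes of the usable area, which is too permissive if the first overflow page number is then read as a 4-byte value at aData[iOff+nLocal] (that read is outside the hunk, so I am inferring it from aOvfl being allocated right after); the bound that actually keeps the read in range is `if( iOff+nLocal+4>nUsable ) goto statPageIsCorrupt;`. A second corrupt-input path is left open: nPayload is only compared against nLocal, so a value near the top of the u32 range makes nOvfl enormous and lets the `(nOvfl-1) * (nUsable-4)` product on the following line overflow int before sqlite3_malloc64 is even reached; rejecting nPayload above 0x7fffffff in the same guard would close it. A one-line comment such as `/* the 4-byte overflow pointer must lie inside the usable area */` would make the bound's purpose clear to the next reader. statDecodePage starts and ends outside the hunk, so the nLocal/nUsable derivation could not be checked here.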