From: dan
Date: Wed, 27 May 2015 14:21:05 +0000 (+0000)
Subject: A different approach to preventing buffer overreads when comparing a vector of values...
X-Git-Tag: version-3.8.11~204^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fheads%2Favoid-buffer-overread;p=thirdparty%2Fsqlite.git

A different approach to preventing buffer overreads when comparing a vector of values with a corrupt index record that spans at least one overflow page.

FossilOrigin-Name: 7e9e1b6123bc455dd7d1c894b6154ccd27acec18
---
diff --git a/manifest b/manifest
index 7d61d9fee0..de1ca7c5d7 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Avoid\sa\sbuffer\soverread\swhen\scomparing\sagainst\sa\scorrupt\srecord\sthat\sspans\sat\sleast\sone\soverflow\spage.
-D 2015-05-26T20:31:20.007
+C A\sdifferent\sapproach\sto\spreventing\sbuffer\soverreads\swhen\scomparing\sa\svector\sof\svalues\swith\sa\scorrupt\sindex\srecord\sthat\sspans\sat\sleast\sone\soverflow\spage.
+D 2015-05-27T14:21:05.738
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 3feb7cbdad8898fe7a8a24355b4a753029c3ec3b
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -192,7 +192,7 @@ F src/auth.c b56c78ebe40a2110fd361379f7e8162d23f92240
 F src/backup.c ff743689c4d6c5cb55ad42ed9d174b2b3e71f1e3
 F src/bitvec.c 5eb7958c3bf65210211cbcfc44eff86d0ded7c9d
 F src/btmutex.c 45a968cc85afed9b5e6cf55bf1f42f8d18107f79
-F src/btree.c 51cafeb18184dcb46285120d5574da6e19c58362
+F src/btree.c 9c72a5a277ade34bc0f7137bfbad878f8f9011d7
 F src/btree.h 969adc948e89e449220ff0ff724c94bb2a52e9f1
 F src/btreeInt.h 973a22a6fd61350b454ad614832b1f0a5e25a1e4
 F src/build.c 9552e7490b0310a8c73fcf3a0c36e7624789d8df
@@ -1279,7 +1279,10 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P b4a45d3b78fede2433ac18f20b1ab7bddee77059
-R f36cc3a04ab23b9a0c27493daaf0c4c0
+P 62a5b3633a086694ef0e579a0a82322cb1ae3d60
+R 38a24026d1368e2f6d8990260ef6671e
+T *branch * avoid-buffer-overread
+T *sym-avoid-buffer-overread *
+T -sym-trunk *
 U dan
-Z 4ff3966eaffa78ba4bc7061be84a775f
+Z 60a303fb04c489d11c0663122f3a72f3
diff --git a/manifest.uuid b/manifest.uuid
index 110675c7e0..b5b09e0543 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-62a5b3633a086694ef0e579a0a82322cb1ae3d60
\ No newline at end of file
+7e9e1b6123bc455dd7d1c894b6154ccd27acec18
\ No newline at end of file
diff --git a/src/btree.c b/src/btree.c
index bb3f92aaa3..9ab55a961c 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -4951,22 +4951,28 @@ int sqlite3BtreeMovetoUnpacked(
         /* The record flows over onto one or more overflow pages. In
         ** this case the whole cell needs to be parsed, a buffer allocated
         ** and accessPayload() used to retrieve the record into the
-        ** buffer before VdbeRecordCompare() can be called. An extra
-        ** byte of zeroed padding is allocated at the end of the buffer,
-        ** as this stops the record-compare routines from reading past
-        ** the end of the buffer if the record is corrupt. */
+        ** buffer before VdbeRecordCompare() can be called.
+        **
+        ** If the record is corrupt, the xRecordCompare routine may read
+        ** up to two varints past the end of the buffer. An extra 18
+        ** bytes of padding is allocated at the end of the buffer in
+        ** case this happens. */
         void *pCellKey;
         u8 * const pCellBody = pCell - pPage->childPtrSize;
         btreeParseCellPtr(pPage, pCellBody, &pCur->info);
         nCell = (int)pCur->info.nKey;
-        pCellKey = sqlite3Malloc( nCell+1 );
+        testcase( nCell<0 );
+        if( nCell<2 ){
+          rc = SQLITE_CORRUPT_BKPT;
+          goto moveto_finish;
+        }
+        pCellKey = sqlite3Malloc( nCell+18 );
         if( pCellKey==0 ){
           rc = SQLITE_NOMEM;
           goto moveto_finish;
         }
         pCur->aiIdx[pCur->iPage] = (u16)idx;
         rc = accessPayload(pCur, 0, nCell, (unsigned char*)pCellKey, 2);
-        ((unsigned char *)pCellKey)[nCell] = 0;
         if( rc ){
           sqlite3_free(pCellKey);
           goto moveto_finish;
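Review bot: The 18 bytes of padding that replace the removed `((unsigned char *)pCellKey)[nCell] = 0;` are never initialised, so on a corrupt record xRecordCompare now reads uninitialised heap instead of a known zero byte (sqlite3Malloc does not appear to clear its result, unlike the former explicit zeroing of the one-byte pad). That keeps the read in bounds, which is what the commit is after, but the comparison outcome on corrupt input becomes nondeterministic and MSan/valgrind will report it; zeroing the tail once accessPayload() has succeeded fixes that at trivial cost, e.g. `memset(((unsigned char*)pCellKey)+nCell, 0, 18);`. It would also help to give the 18 a name derived from the two maximal 9-byte varints the comment describes, rather than repeating the literal in both the malloc and the comment. The `(int)` cast on `pCur->info.nKey` is untouched by this commit; if nKey is wider than int, the new `nCell<2` guard only rejects values that truncate to something negative or tiny, so a corrupt length that truncates to a plausible positive int would still pass — worth confirming that accessPayload() bounds the read against the cell's real payload size. The enclosing function sqlite3BtreeMovetoUnpacked() begins and ends outside this hunk.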