From 7b7f7d915fa8b211439af1a3758ebd30759053cf Mon Sep 17 00:00:00 2001
From: drh
Date: Wed, 19 Dec 2018 01:30:22 +0000
Subject: [PATCH] Add extra defenses against strategically corrupt databases to fts3/4.

FossilOrigin-Name: c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2f234
---
 ext/fts3/fts3.c | 10 +--
 ext/fts3/fts3_write.c | 23 +++++--
 manifest | 21 +++---
 manifest.uuid | 2 +-
 test/fts3corrupt4.test | 147 +++++++++++++++++++++++++++++++++++++++++
 test/permutations.test | 1 +
 6 files changed, 181 insertions(+), 23 deletions(-)
 create mode 100644 test/fts3corrupt4.test

diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
index f5145426e0..bb22a77c7f 100644
--- a/ext/fts3/fts3.c
+++ b/ext/fts3/fts3.c
@@ -1821,7 +1821,7 @@ static int fts3ScanInteriorNode(
 const char *zCsr = zNode; /* Cursor to iterate through node */
 const char *zEnd = &zCsr[nNode];/* End of interior node buffer */
 char *zBuffer = 0; /* Buffer to load terms into */
- int nAlloc = 0; /* Size of allocated buffer */
+ i64 nAlloc = 0; /* Size of allocated buffer */
 int isFirstTerm = 1; /* True when processing first term on page */
 sqlite3_int64 iChild; /* Block id of child node to descend to */
 
@@ -1859,14 +1859,14 @@ static int fts3ScanInteriorNode(
 zCsr += fts3GetVarint32(zCsr, &nSuffix);
 
 assert( nPrefix>=0 && nSuffix>=0 );
- if( &zCsr[nSuffix]>zEnd ){
+ if( nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){
 rc = FTS_CORRUPT_VTAB;
 goto finish_scan;
 }
- if( nPrefix+nSuffix>nAlloc ){
+ if( (i64)nPrefix+nSuffix>nAlloc ){
 char *zNew;
- nAlloc = (nPrefix+nSuffix) * 2;
- zNew = (char *)sqlite3_realloc(zBuffer, nAlloc);
+ nAlloc = ((i64)nPrefix+nSuffix) * 2;
+ zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
 if( !zNew ){
 rc = SQLITE_NOMEM;
 goto finish_scan;
diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
index daf3399a43..d521edfc8c 100644
--- a/ext/fts3/fts3_write.c
+++ b/ext/fts3/fts3_write.c
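Review bot: The new prefix bound `nPrefix>zCsr-zNode` in fts3ScanInteriorNode limits nPrefix by how many bytes of the node have been consumed, not by the length of the term currently held in zBuffer, so a corrupt node can still declare a prefix longer than the previous term; the realloc that follows keeps the suffix copy inside the allocation, but the bytes between the old term length and nPrefix are then never written and presumably reach the term comparison further down (outside this hunk) as indeterminate data. Carrying the previous term's length across loop iterations and rejecting `nPrefix>nPrevTerm` would make the check exact rather than merely safe. The function also relies on `assert( nPrefix>=0 && nSuffix>=0 )` instead of a runtime test, which is fine only if fts3GetVarint32 can never yield a negative value, as the comment added in the fts3_write.c hunk states; a one-line comment here saying so would keep the next reader from re-adding the old `nPrefix<0` guard. fts3ScanInteriorNode starts and ends outside the hunk.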
@@ -1374,15 +1374,19 @@ static int fts3SegReaderNext( ** safe (no risk of overread) even if the node data is corrupted. */ pNext += fts3GetVarint32(pNext, &nPrefix); pNext += fts3GetVarint32(pNext, &nSuffix); - if( nPrefix<0 || nSuffix<=0 - || &pNext[nSuffix]>&pReader->aNode[pReader->nNode] + if( nSuffix<=0 + || (&pReader->aNode[pReader->nNode] - pNext)pReader->nTermAlloc ){ return FTS_CORRUPT_VTAB; } - if( nPrefix+nSuffix>pReader->nTermAlloc ){ - int nNew = (nPrefix+nSuffix)*2; - char *zNew = sqlite3_realloc(pReader->zTerm, nNew); + /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are + ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer + ** overflow - hence the (i64) casts. */ + if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){ + i64 nNew = ((i64)nPrefix+nSuffix)*2; + char *zNew = sqlite3_realloc64(pReader->zTerm, nNew); if( !zNew ){ return SQLITE_NOMEM; } @@ -1404,7 +1408,7 @@ static int fts3SegReaderNext( ** b-tree node. And that the final byte of the doclist is 0x00. If either ** of these statements is untrue, then the data structure is corrupt. */ - if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode] + if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)nDoclist || (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1]) ){ return FTS_CORRUPT_VTAB; @@ -3727,6 +3731,9 @@ static int nodeReaderNext(NodeReader *p){ } p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix); + if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){ + return SQLITE_CORRUPT_VTAB; + } blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc); if( rc==SQLITE_OK ){ memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix); @@ -3734,6 +3741,9 @@ static int nodeReaderNext(NodeReader *p){ p->iOff += nSuffix; if( p->iChild==0 ){ p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist); + if( (p->nNode-p->iOff)nDoclist ){ + return SQLITE_CORRUPT_VTAB; + } p->aDoclist = &p->aNode[p->iOff]; p->iOff += p->nDoclist; } 
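Review bot: The upper bound on nPrefix in fts3SegReaderNext is taken against `pReader->nTermAlloc`, the size of the zTerm allocation, rather than against the length of the term zTerm currently holds; since the allocation is grown to twice the required size, a corrupt node can name a prefix longer than the previous term and still pass, after which the suffix copy at `&pReader->zTerm[nPrefix]` (outside this hunk) leaves a gap of never-written bytes inside the term. Comparing against the current term length instead, `|| nPrefix>pReader->nTerm` (assuming nTerm is the field that records it), rejects that case exactly, and the allocation check below it already guarantees the space. Note that in this copy of the patch the added condition line reads `(&pReader->aNode[pReader->nNode] - pNext)pReader->nTermAlloc`, so part of the text appears to have been lost in rendering and the exact comparison is inferred. fts3SegReaderNext starts and ends outside the hunk.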
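Review bot: The new guard in nodeReaderNext accepts any nPrefix up to `p->iOff`, but the prefix bytes are reused from the term already in `p->term`, so a prefix longer than that term passes the check and the memcpy at `&p->term.a[nPrefix]` leaves unwritten bytes between the old term and the new suffix; bounding nPrefix by the stored term's length (`p->term.n`, if that is the Blob's length field) matches what the code actually reads. Unlike the fts3SegReaderNext check added in this same commit, a zero-length suffix is not rejected here, and this function returns the raw `SQLITE_CORRUPT_VTAB` where the other new checks in the file return `FTS_CORRUPT_VTAB`, bypassing whatever that macro wraps. I would align all three: `if( nPrefix>p->term.n || nSuffix>p->nNode-p->iOff || nSuffix==0 ) return FTS_CORRUPT_VTAB;`. nodeReaderNext starts and ends outside the hunk, and the doclist check in the following hunk also reads garbled in this copy (`(p->nNode-p->iOff)nDoclist`), so its comparison is inferred.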
@@ -3741,7 +3751,6 @@ static int nodeReaderNext(NodeReader *p){ } assert( p->iOff<=p->nNode ); - return rc; } diff --git a/manifest b/manifest index 1c26f96d54..bc1901140f 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Speed\sup\sxAccess()\scalls\smade\son\san\sRBU\sVFS\swhen\sthere\sare\slots\sof\sopen\nconnections. -D 2018-10-25T11:55:54.434 +C Add\sextra\sdefenses\sagainst\sstrategically\scorrupt\sdatabases\sto\sfts3/4. +D 2018-12-19T01:30:22.109 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F Makefile.in 38f84f301cbef443b2d269f67a74b8cc536469831f70df7c3e912acc04932cc2 @@ -78,7 +78,7 @@ F ext/fts3/README.content fdc666a70d5257a64fee209f97cf89e0e6e32b51 F ext/fts3/README.syntax a19711dc5458c20734b8e485e75fb1981ec2427a F ext/fts3/README.tokenizers e0a8b81383ea60d0334d274fadf305ea14a8c314 F ext/fts3/README.txt 8c18f41574404623b76917b9da66fcb0ab38328d -F ext/fts3/fts3.c f1c58503bc81c3dab1a70b25e146878ae40fccc716fd7c9b817995b661bc896f +F ext/fts3/fts3.c 829e2943ac3449d074e465ee04815f472667e345afb682b42306d9c36eac4991 F ext/fts3/fts3.h 3a10a0af180d502cecc50df77b1b22df142817fe F ext/fts3/fts3Int.h eb2502000148e80913b965db3e59f29251266d0a F ext/fts3/fts3_aux.c 9edc3655fcb287f0467d0a4b886a01c6185fe9f1 
@@ -96,7 +96,7 @@ F ext/fts3/fts3_tokenizer.h 64c6ef6c5272c51ebe60fc607a896e84288fcbc3 F ext/fts3/fts3_tokenizer1.c 5c98225a53705e5ee34824087478cf477bdb7004 F ext/fts3/fts3_unicode.c 525a3bd9a7564603c5c061b7de55403a565307758a94600e8a2f6b00d1c40d9d F ext/fts3/fts3_unicode2.c cc04fc672bfd42b1e650398cb0bf71f64f9aae032cfe75bbcfe75b9cf966029c -F ext/fts3/fts3_write.c a3f7bf869622d1d0aa66661ba71d88e6f9646d69a2c335f40a0addf25974db47 +F ext/fts3/fts3_write.c b1c2129cce86ac38eacc102fa9ad6b2d64a4206587ac4ccd35bf91c2b47ab947 F ext/fts3/fts3speed.tcl b54caf6a18d38174f1a6e84219950d85e98bb1e9 F ext/fts3/mkfts3amal.tcl 252ecb7fe6467854f2aa237bf2c390b74e71f100 F ext/fts3/tool/fts3cov.sh c331d006359456cf6f8f953e37f2b9c7d568f3863f00bb5f7eb87fea4ac01b73 @@ -871,6 +871,7 @@ F test/fts3conf.test c84bbaec81281c1788aa545ac6e78a6bd6cde2bdbbce2da261690e3659f F test/fts3corrupt.test 2710b77983cc7789295ddbffea52c1d3b7506dbb F test/fts3corrupt2.test 6d96efae2f8a6af3eeaf283aba437e6d0e5447ba F test/fts3corrupt3.test 56e0ee83e90b57f5f3644cb7d1b36a067b7b8b19cdf0dedce45e5e13cf752f65 +F test/fts3corrupt4.test 98022cbacbd6ddc4708f210768f5684f041f50ce330c461f2631752492611d96 F test/fts3cov.test 9c3681325b9a850bca8dd75cc29dde73e9a87972bb75204e97d826f13c7181f9 F test/fts3d.test d3e9c8fb75135ada06bf3bab4f9666224965d708 F test/fts3defer.test 0be4440b73a2e651fc1e472066686d6ada4b9963 
@@ -1131,7 +1132,7 @@ F test/parser1.test 391b9bf9a229547a129c61ac345ed1a6f5eb1854 F test/pcache.test c8acbedd3b6fd0f9a7ca887a83b11d24a007972b F test/pcache2.test af7f3deb1a819f77a6d0d81534e97d1cf62cd442 F test/percentile.test 4243af26b8f3f4555abe166f723715a1f74c77ff -F test/permutations.test 8ada8c1dee071e0fc275bc8bc2db7de537d625cad949d2200664b99a0a89eac5 +F test/permutations.test 528c92fbcbda44a723c354cbd2301ffd5586398be5ade7b360af3f035791cf3c F test/pragma.test 7c8cfc328a1717a95663cf8edb06c52ddfeaf97bb0aee69ae7457132e8d39e7d F test/pragma2.test e5d5c176360c321344249354c0c16aec46214c9f F test/pragma3.test 14c12bc5352b1e100e0b6b44f371053a81ccf8ed @@ -1701,8 +1702,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 5dd61e1cbd11b375942baf72ed50ae9e55a09801e1a8c1cb679eaa9eaba4145c -Q +310b4b65b8c8ee080760c7efb4c7e20244c6063a5dba37a4f40490105aafd29f -R 76ba64dea027f295acd4898f64344b37 -U dan -Z 978245b3b443068ce741d911e865b64d +P fda8fdb0cbc3acf420613f5df4125898354184db52b8606dde55042688815ac7 +Q +d44318f59044162e229a444582692e9788f17b5c404b4eb702f4c2114b22fefe +R 488d6e94726d244faeba1d64ed1fc085 +U drh +Z 266bd2a7168efdc92d1d623f39a1920f diff --git a/manifest.uuid b/manifest.uuid index f585315a3f..dcb852d573 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -fda8fdb0cbc3acf420613f5df4125898354184db52b8606dde55042688815ac7 \ No newline at end of file +c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2f234 \ No newline at end of file diff --git a/test/fts3corrupt4.test b/test/fts3corrupt4.test new file mode 100644 index 0000000000..52c3d8caf4 --- /dev/null +++ b/test/fts3corrupt4.test 
@@ -0,0 +1,147 @@
+# 2006 September 9
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#*************************************************************************
+# This file implements regression tests for SQLite library. The
+# focus of this script is testing the FTS3 module.
+#
+# $Id: fts3aa.test,v 1.1 2007/08/20 17:38:42 shess Exp $
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix fts3corrupt4
+
+# If SQLITE_ENABLE_FTS3 is defined, omit this file.
+ifcapable !fts3 {
+ finish_test
+ return
+}
+
+do_execsql_test 1.0 {
+ BEGIN;
+ CREATE VIRTUAL TABLE ft USING fts3;
+ INSERT INTO ft VALUES('aback');
+ INSERT INTO ft VALUES('abaft');
+ INSERT INTO ft VALUES('abandon');
+ COMMIT;
+}
+
+proc blob {a} { binary decode hex $a }
+db func blob blob
+
+do_execsql_test 1.1 {
+ SELECT quote(root) FROM ft_segdir;
+} {X'0005616261636B03010200030266740302020003046E646F6E03030200'}
+
+do_execsql_test 1.2 {
+ UPDATE ft_segdir SET root = blob(
+ '0005616261636B03010200 FFFFFFFF0702 66740302020003046E646F6E03030200'
+ );
+}
+
+do_catchsql_test 1.3 {
+ SELECT * FROM ft WHERE ft MATCH 'abandon';
+} {1 {database disk image is malformed}}
+
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 2.0.0 {
+ CREATE VIRTUAL TABLE ft USING fts3;
+ INSERT INTO ft(ft) VALUES('nodesize=32');
+}
+do_test 2.0.1 {
+ for {set i 0} {$i < 12} {incr i} {
+ execsql {
+ BEGIN;
+ INSERT INTO ft VALUES('abc' || $i);
+ INSERT INTO ft VALUES('abc' || $i || 'x' );
+ INSERT INTO ft VALUES('abc' || $i || 'xx' );
+ COMMIT
+ }
+ }
+ execsql {
+ SELECT count(*) FROM ft_segdir;
+ SELECT count(*) FROM ft_segments;
+ }
+} {12 0}
+
+do_execsql_test 2.1 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+ SELECT count(*) FROM ft_segdir;
+ SELECT count(*) FROM ft_segments;
+} {12 3}
+
+do_execsql_test 2.2 {
+ SELECT quote(block) FROM ft_segments WHERE blockid=2
+} {X'00056162633130031F0200'}
+
+db func blob blob
+do_execsql_test 2.3.1 {
+ UPDATE ft_segments SET block =
+ blob('00056162633130031F0200 FFFFFFFF07FF55 66740302020003046E646F6E03030200')
+ WHERE blockid=2;
+} {}
+do_catchsql_test 2.3.2 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+} {1 {database disk image is malformed}}
+
+do_execsql_test 2.4.1 {
+ UPDATE ft_segments SET block =
+ blob('00056162633130031F0200 02FFFFFFFF07 66740302020003046E646F6E03030200')
+ WHERE blockid=2;
+} {}
+do_catchsql_test 2.4.2 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+} {1 {database disk image is malformed}}
+
+do_execsql_test 2.5.1 {
+ UPDATE ft_segments SET block =
+ blob('00056162633130031F0200 0202 6674 FFFFFF070302020003046E646F6E030200')
+ WHERE blockid=2;
+} {}
+do_catchsql_test 2.5.2 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+} {1 {database disk image is malformed}}
+
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 3.0.0 {
+ CREATE VIRTUAL TABLE ft USING fts3;
+ INSERT INTO ft(ft) VALUES('nodesize=32');
+}
+do_test 3.0.1 {
+ execsql BEGIN
+ for {set i 0} {$i < 20} {incr i} {
+ execsql { INSERT INTO ft VALUES('abc' || $i) }
+ }
+ execsql {
+ COMMIT;
+ SELECT count(*) FROM ft_segdir;
+ SELECT count(*) FROM ft_segments;
+ }
+} {1 5}
+
+do_execsql_test 3.1 {
+ SELECT quote(root) FROM ft_segdir
+} {X'0101056162633132040136030132030136'}
+
+db func blob blob
+do_execsql_test 3.2 {
+ UPDATE ft_segdir
+ SET root = blob('0101056162633132FFFFFFFF070236030132030136');
+}
+
+do_catchsql_test 3.1 {
+ SELECT * FROM ft WHERE ft MATCH 'abc20'
+} {1 {database disk image is malformed}}
+
+finish_test
+
+
diff --git a/test/permutations.test b/test/permutations.test
index c1d28d4e09..149539a47f 100644
--- a/test/permutations.test
+++ b/test/permutations.test
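Review bot: The test id `3.1` is used twice in the new file, once for the `do_execsql_test` that reads the root node and again for the `do_catchsql_test` that expects the corruption error, so a failure report cannot say which one failed; renaming the second to `do_catchsql_test 3.3 {` fixes that. The file header is copied from fts3aa.test (a 2006 date and a `$Id: fts3aa.test` line), and the comment above `ifcapable !fts3` says the file is omitted when SQLITE_ENABLE_FTS3 is defined, which is the opposite of what the guard does; `# If SQLITE_ENABLE_FTS3 is not defined, omit this file.` states it correctly. Each corrupted blob would also benefit from a one-line comment naming the field being attacked (which of the prefix length, suffix length or doclist length the `FFFFFFFF07` varint replaces), so the cases can be read without decoding the hex by hand.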
@@ -255,6 +255,7 @@ test_suite "fts3" -prefix "" -description { fts3am.test fts3an.test fts3ao.test fts3atoken.test fts3auto.test fts3aux1.test fts3aux2.test fts3b.test fts3comp1.test fts3conf.test fts3corrupt2.test fts3corrupt.test + fts3corrupt4.test fts3cov.test fts3c.test fts3defer2.test fts3defer3.test fts3defer.test fts3drop.test fts3d.test fts3e.test fts3expr2.test fts3expr3.test fts3expr4.test fts3expr5.test -- 2.47.2