Fix a buffer overread that could occur in fts5 within a memcmp() when doing an integr...
authordan <Dan Kennedy>
Fri, 26 Jun 2026 14:08:42 +0000 (14:08 +0000)
committerdan <Dan Kennedy>
Fri, 26 Jun 2026 14:08:42 +0000 (14:08 +0000)
FossilOrigin-Name: 062597f10a6d3f8c959a38e4ab6ee1a885499dd7018662e3e6268b2ee6c63c1b

ext/fts5/fts5_index.c
ext/fts5/test/fts5corruptA.test
manifest
manifest.uuid

index 70f581179a8851b38cd87f7329cffab77037cb34..b8e334949153eca72a4414fb5b11f4b43b4d2fd6 100644 (file)
@@ -8541,9 +8541,13 @@ static void fts5IndexIntegrityCheckSegment(
         FTS5_CORRUPT_ROWID(p, iRow);
       }else{
         iOff += fts5GetVarint32(&pLeaf->p[iOff], nTerm);
-        res = fts5Memcmp(&pLeaf->p[iOff], zIdxTerm, MIN(nTerm, nIdxTerm));
-        if( res==0 ) res = nTerm - nIdxTerm;
-        if( res<0 ) FTS5_CORRUPT_ROWID(p, iRow);
+        if( iOff+nTerm>pLeaf->szLeaf ){
+          FTS5_CORRUPT_ROWID(p, iRow);
+        }else{
+          res = fts5Memcmp(&pLeaf->p[iOff], zIdxTerm, MIN(nTerm, nIdxTerm));
+          if( res==0 ) res = nTerm - nIdxTerm;
+          if( res<0 ) FTS5_CORRUPT_ROWID(p, iRow);
+        }
       }
 
       fts5IntegrityCheckPgidx(p, iRow, pLeaf);
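Review bot: The new guard `if( iOff+nTerm>pLeaf->szLeaf )` does not reject a negative nTerm: nTerm is decoded by fts5GetVarint32() from the (possibly corrupt) leaf page, and if it is held in a signed int (its declaration is outside the hunk) a decoded value of 2^31 or more becomes negative, passes the check, and reaches `MIN(nTerm, nIdxTerm)` as a negative length, while a large positive nTerm can make the addition overflow, which is undefined behaviour for signed int. A subtraction form avoids both, `if( nTerm<0 || nTerm>pLeaf->szLeaf-iOff ){`, assuming iOff<=szLeaf already holds here; the varint read on the preceding line may want the same bound if earlier checks do not guarantee it. fts5IndexIntegrityCheckSegment begins and ends outside the hunk.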
index 3e543f2f62ae553c001869bd3f5d7d20c80c7747..00d1bc92f0f83f430587f5103ed6deeddc82ccc6 100644 (file)
@@ -266,6 +266,30 @@ do_execsql_test 6.2 {
   DELETE FROM t WHERE rowid=3;
 }
 
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 7.0 {
+  CREATE VIRTUAL TABLE ft USING fts5(x);
+  INSERT INTO ft(ft,rank) VALUES('pgsz',64);
+  WITH s(i) AS (
+    SELECT 1 UNION ALL SELECT i+1 FROM s WHERE i<10
+  )
+  INSERT INTO ft SELECT 'a b b a c c d' FROM s;
+}
+
+set B "00000040FFFF61010402050104020501040205010402050104020501040205010402050104020501040205010402050101620104030301040303010403030104042b"
+set N "306162[string repeat 00 5000]"
+
+do_execsql_test 7.1 {
+  UPDATE ft_data SET block = unhex($B) WHERE id = 137438953473;
+  UPDATE ft_idx SET term=unhex($N) WHERE segid=1 AND pgno=2;
+}
+
+do_execsql_test 7.2 {
+  PRAGMA integrity_check
+} {
+  {fts5: corruption found reading blob 137438953473 from table "ft"}
+}
 
 sqlite3_fts5_may_be_corrupt 0
 finish_test
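Review bot: The crafted values `$B` and `$N` in test 7.1 carry no explanation of what is being corrupted, so a future reader cannot tell whether test 7.2 still exercises the memcmp() overread from the commit message or has started failing for an unrelated reason. A comment above `set B`, along the lines of `# $B replaces what I take to be a leaf page with one whose term-length varint claims more bytes than the page holds; $N is an oversized (5003-byte) %_idx term so the comparison would read past the leaf`, would pin the intent; I am inferring the encoding from the commit message rather than from the hex itself. The expected message also hard-codes blob id 137438953473, which is fine as long as the segment/page layout produced by 7.0 stays fixed.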
index cfd841edeb53445096453d306e2f79cf8ef55df4..ff2b058223b4e77a3bf4c8839df4dddf9d0e1fbc 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sparsing\sof\squoted\sinstantiation\sarguments\sin\sthe\sspellfix\sextension.\n[bugs:/info/2026-06-26T10:52:36Z|Bug\s2026-06-26T10:52:36Z]
-D 2026-06-26T13:51:48.749
+C Fix\sa\sbuffer\soverread\sthat\scould\soccur\sin\sfts5\swithin\sa\smemcmp()\swhen\sdoing\san\sintegrity-check\son\scorrupted\srecords.
+D 2026-06-26T14:08:42.052
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -114,7 +114,7 @@ F ext/fts5/fts5_buffer.c dcc3f0352339fe79c9d8abbc1c2009bc3469206467880bf43558447
 F ext/fts5/fts5_config.c bfba970fe1e4eed18ee57c8d51458e226db9a960ddf775c5e50e3d76603a667e
 F ext/fts5/fts5_expr.c b906c59e9e842805cc3eea4e131b822e586bb01260e542f67920c61798dcb53d
 F ext/fts5/fts5_hash.c 341a08ad0153b397b819ef3d7a7959c1dc3c84a6988a431d93dece8bd62ae10e
-F ext/fts5/fts5_index.c 5a2ab65d170a4b3314a927c5861740ba9070aa5bf326717690de5dd90fbb7b54
+F ext/fts5/fts5_index.c f09017e9e8330ea90e7be0a36c43f51ad66fc0072c4e515b02955b2a703e8536
 F ext/fts5/fts5_main.c b0fed47b3b4420ba6810373480a75bc28a9c0b7d16478d19a396436fb3ff17d7
 F ext/fts5/fts5_storage.c 46b0024fdd8002fbfba162230e5cc212c8f019ba4075396860354bfaf549a546
 F ext/fts5/fts5_tcl.c 2be6cc14f9448f720fd4418339cd202961a0801ea9424cb3d9de946f8f5a051c
@@ -171,7 +171,7 @@ F ext/fts5/test/fts5corrupt6.test 2d72db743db7b5d9c9a6d0cfef24d799ed1aa5e8192b66
 F ext/fts5/test/fts5corrupt7.test 9664c15360e8b649ad76f457a0bbf5a7271b8eff1a8ee141ea039bc63240c934
 F ext/fts5/test/fts5corrupt8.test 0b10750caf8aa23fa1c379ca4caf6130d41454505e4d5315590f4061eedcbe44
 F ext/fts5/test/fts5corrupt9.test 4253b9b59f33effac8b67da72ec34309c738aca2d5e8e2656bfbbd6a489a1dfe
-F ext/fts5/test/fts5corruptA.test 43bc56d8ec0ac87f82f6ac1700c16c902d952451f75f5c7dc02292c7b0a1d1b1
+F ext/fts5/test/fts5corruptA.test 50b48f15548a3466dbd17000956ee86c2eb7d18d5a649bc11126ec917113b807
 F ext/fts5/test/fts5corruptbig.test 9f95b40fa36e292feceab02b2ef06e21878bfa1ac7afefa138aae05518b51774
 F ext/fts5/test/fts5delete.test 2a5008f8b1174ef41d1974e606928c20e4f9da77d9f8347aed818994d89cced4
 F ext/fts5/test/fts5detail.test 54015e9c43ec4ba542cfb93268abdf280e0300f350efd08ee411284b03595cc4
@@ -2208,8 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 71d4cfe5a34cf8485ab2e5abe670381cd068f013233d98c44355a6bcdfcbbbb0
-R e2235756a2729d379df30d70ed71e6b8
-U drh
-Z 3de48b27f723e1a9b8146531036ebbeb
+P c2e963ad948e0c244d6b883b919ec0815c20018282e04e5649c00e70f5a1d2ed
+R ef8451a2426c0be1d76d4a1af488156c
+U dan
+Z fb5d0f926ca6c958a74e6c0e593cad9c
 # Remove this line to create a well-formed Fossil manifest.
index 132a5aef44cdeeb95ace66f3bd2d9bfdaf8183d2..eb888555bbee4cc3d7a17c4e75beb9def987a15d 100644 (file)
@@ -1 +1 @@
-c2e963ad948e0c244d6b883b919ec0815c20018282e04e5649c00e70f5a1d2ed
+062597f10a6d3f8c959a38e4ab6ee1a885499dd7018662e3e6268b2ee6c63c1b