Fix an OOB read on the unused spellfix1 extension. The OOB read is

author drh <>

Tue, 23 Jun 2026 19:28:14 +0000 (19:28 +0000)

committer drh <>

Tue, 23 Jun 2026 19:28:14 +0000 (19:28 +0000)
author drh <>
Tue, 23 Jun 2026 19:28:14 +0000 (19:28 +0000)
committer drh <>
Tue, 23 Jun 2026 19:28:14 +0000 (19:28 +0000)
diff --git a/ext/misc/spellfix.c b/ext/misc/spellfix.c

index a132742a2c64dc8e59c902b6d91aab4f66b66740..f9d9e529edae9365abecf5fddffc9ed872cbda5e 100644 (file)
--- a/ext/misc/spellfix.c
+++ b/ext/misc/spellfix.c
@@ -2604,7 +2604,7 @@ static int spellfix1FilterForMatch(
      goto filter_exit;
    }
    nPattern = (int)strlen(zPattern);
-  if( zPattern[nPattern-1]=='*' ) nPattern--;
+  if( nPattern>0 && zPattern[nPattern-1]=='*' ) nPattern--;
    zSql = sqlite3_mprintf(
       "SELECT id, word, rank, coalesce(k1,word)"
       "  FROM \"%w\".\"%w_vocab\""
diff --git a/manifest b/manifest

index bf6e986becd4765819f8384123b9af8b7e2388a2..8b95ee4eb3028e42147bc754b1c522060ac0c3f5 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Avoid\sa\suse-after-free\sproblem\sthat\scould\soccur\sif\sATTACH\sstatements\sare\sexecuted\swhile\sa\sbackup\soperation\sis\sactive.\sBug\s[bugs:/info/2026-06-23T15:46:48Z\s|\s2026-06-23T15:46:48Z].
-D 2026-06-23T19:14:44.276
+C Fix\san\sOOB\sread\son\sthe\sunused\sspellfix1\sextension.\s\sThe\sOOB\sread\sis\none\sbyte\sprior\sto\sthe\sstart\sof\san\sallocation,\swhich\sis\salmost\salways\nharmless.\s\s[bugs:/info/2026-06-23T18:48:40Z|Bug\s2026-06-23T18:48:40Z].
+D 2026-06-23T19:28:14.079
  F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
  F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
  F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -399,7 +399,7 @@ F ext/misc/series.c ba66183ae4da6875e5cdafc065322118fd7f455a568ea2f22b45eff85f63
  F ext/misc/sha1.c eed0ad67ad7c69798278183a74523d95623d4864821a3f4dd82b234568e307c1
  F ext/misc/shathree.c fd22d70620f86a0467acfdd3acd8435d5cb54eb1e2d9ff36ae44e389826993df
  F ext/misc/showauth.c 732578f0fe4ce42d577e1c86dc89dd14a006ab52
-F ext/misc/spellfix.c e9e951f9712b6c302e4ee84f5db5a7b18daab87aa229867c66f34684d2dfbb40
+F ext/misc/spellfix.c a262267b16f04d30a2896cc1ba644570cbdb55446951f97d026f4e062bd20291
  F ext/misc/sqlar.c 97c100b010159c08a7a9acd8eb1ea510a5522e64741aaafcd7b6c629de682edc
  F ext/misc/sqlite3_stdio.c b43a0f530c6f0fb3d41d9af8c0b40f3f71198a1db55ab8ffffbef5c8cc329d22
  F ext/misc/sqlite3_stdio.h 27a4ecea47e61bc9574ccdf2806f468afe23af2f95028c9b689bfa08ab1ce99f
@@ -1676,7 +1676,7 @@ F test/speed4p.test 377a0c48e5a92e0b11c1c5ebb1bc9d83a7312c922bc0cb05970ef5d6a96d
  F test/speedtest.md ea0c85ebe0ecff8b45ba6cdb26e694871f469009a5a29dcfe634b055f05ab241
  F test/speedtest.tcl b06f6321ef90bb68f18f7b0e430e25203d9da79b80f8926986a0d5f21ac485fb x
  F test/speedtest1.c f9f30f35431bfc1d3ee9acc561624e0c0b4614071044bc302169dd27206a0fca
-F test/spellfix.test 7f7770ee8bc738fb0dab182d9bb4ee998e3982e534bdffd1a176c08bafec50f1
+F test/spellfix.test 8d674c2d4776792cdd982c5a8bbbfd433c23bc98f00127cae83437f5d693e018
  F test/spellfix2.test dfc8f519a3fc204cb2dfa8b4f29821ae90f6f8c3
  F test/spellfix3.test 0f9efaaa502a0e0a09848028518a6fb096c8ad33
  F test/spellfix4.test 7c56a09de68b95051ef0627fe235e514efbba2aa816dc2a9c5c670d98877e632
@@ -2208,8 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
  F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
  F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
  F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P a145307e4d0b621c5493cecc7c826e8422cbd8dbc8cd9a042b8ec9e05d389eb6
-R 5cce1f25ef25a01d3c60d592539d65e2
-U dan
-Z 8fa96fd823d734ff31d1a771a22e98a7
+P 9454592878b5732d37d61f4541bd6f0c1f893c20fc833ce4c600f9470e62d6f2
+R c4dcd21be9bd80fde4836ab157b00559
+U drh
+Z 5dee1f13812d90870793924b636f4dda
  # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid

index 809244710fccb0b3e2ef3e3e73d2828c07a08129..b939088055f5ea89fda8765ab6f3b29d4b7b0da6 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-9454592878b5732d37d61f4541bd6f0c1f893c20fc833ce4c600f9470e62d6f2
+e58d5efc7b3387566661475e1a9afb6b94388a835cfb178999603135d57280fa
diff --git a/test/spellfix.test b/test/spellfix.test

index 82c578239d29cbd57e47b4a537f7fe66aed05a0d..dfcee1ac9a89beb31009b61dd8567e4e12a2fab1 100644 (file)
--- a/test/spellfix.test
+++ b/test/spellfix.test
@@ -415,4 +415,14 @@ do_execsql_test 8.1 {
      'substr(printf(''%.*c'',2000000,''A''),1,if(abs(random())%2=0,1000001,1))')))>0
      FROM cnt;
  } {1}
+
+# Bug 2026-06-23T18:48:40Z
+#
+do_execsql_test 8.2 {
+  DROP TABLE IF EXISTS t1;
+  CREATE VIRTUAL TABLE t1 USING spellfix1;
+  INSERT INTO t1(word) VALUES('hello'),('world');
+  SELECT word FROM t1 WHERE word MATCH '';
+} {hello world}
+
  finish_test
author	drh <>
	Tue, 23 Jun 2026 19:28:14 +0000 (19:28 +0000)
committer	drh <>
	Tue, 23 Jun 2026 19:28:14 +0000 (19:28 +0000)
ext/misc/spellfix.c		patch \| blob \| blame \| history
manifest		patch \| blob \| blame \| history
manifest.uuid		patch \| blob \| blame \| history
test/spellfix.test		patch \| blob \| blame \| history