Fix a potential 1-byte overread in sqlite3changeset_invert() when
authordrh <>
Tue, 26 May 2026 15:09:07 +0000 (15:09 +0000)
committerdrh <>
Tue, 26 May 2026 15:09:07 +0000 (15:09 +0000)
processing a corrupt buffer.

FossilOrigin-Name: 69554ec4e8354e8573071bc423e2dbd0059058388481be3e76fcb7c0fc1ff467

ext/session/sessioninvert.test
ext/session/sqlite3session.c
ext/session/test_session.c
manifest
manifest.uuid

index b9921f5e642ec4ec1a433c779afd11ff571d028a..7c9b295f88784f09990fcc7676ca24d87241b97b 100755 (executable)
@@ -181,5 +181,11 @@ do_invert_test 4.1 {
   {UPDATE t1 0 X. {i 4 t three} {{} {} t four}}
 }
 
+#-------------------------------------------------------------------------
+#
+do_test 5.0 {
+  set C [db one {SELECT unhex('54000009')}]
+  list [catch { sqlite3changeset_invert $C } msg] $msg
+} {1 SQLITE_CORRUPT}
 
 finish_test
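Review bot: Test 5.0 exercises only one corrupt shape, a well-formed prefix followed by a single dangling byte; the new EOF check in sqlite3session.c also rejects a buffer that is exactly one byte long, and that boundary is not covered. A second case such as `set C [db one {SELECT unhex('54')}]` with the same expected `{1 SQLITE_CORRUPT}` result would pin it (constructed input, not taken from the page). Whether a one-byte buffer reaches the same branch depends on the surrounding loop in sessionChangesetInvert, which is not shown here.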
index a4d77a690c8c2822f9fadffc2d7d76a20b2a45cc..3634013ac4dde538dc30946c709a767c670b1ba0 100644 (file)
@@ -4153,7 +4153,13 @@ static int sessionChangesetInvert(
 
     /* Test for EOF. */
     if( (rc = sessionInputBuffer(pInput, 2)) ) goto finished_invert;
-    if( pInput->iNext>=pInput->nData ) break;
+    if( pInput->iNext+1>=pInput->nData ){
+      if( pInput->iNext!=pInput->nData ){ 
+        rc = SQLITE_CORRUPT_BKPT; 
+        goto finished_invert;
+      }
+      break;
+    }
     eType = pInput->aData[pInput->iNext];
 
     switch( eType ){
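Review bot: The `/* Test for EOF. */` comment above the new block no longer describes it: the block now also reports a lone trailing byte (iNext==nData-1 after the 2-byte buffer request) as SQLITE_CORRUPT, and nothing tells a reader why `iNext+1` rather than `iNext` is compared with nData. Suggest replacing the comment with `/* Test for EOF. sessionInputBuffer() was asked for 2 bytes, so a single byte left at the end cannot be a complete record: treat it as corruption rather than reading past nData. */` (the record-size assumption should be confirmed against the format, which the hunk does not show). The added lines `if( pInput->iNext!=pInput->nData ){ ` and `rc = SQLITE_CORRUPT_BKPT; ` carry trailing whitespace. sessionChangesetInvert starts and ends outside this hunk.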
index 1b09714225e375524b53c481c6be15427ef5a72a..be516e5825baa9f502460f8536fdf7b82ee69a6d 100644 (file)
@@ -1095,7 +1095,7 @@ static int SQLITE_TCLAPI test_sqlite3changeset_invert(
   memset(&sIn, 0, sizeof(sIn));
   memset(&sOut, 0, sizeof(sOut));
   sIn.nStream = test_tcl_integer(interp, SESSION_STREAM_TCL_VAR);
-  sIn.aData = Tcl_GetByteArrayFromObj(objv[1], &nn);
+  sIn.aData = testGetByteArrayFromObj(objv[1], &nn);
   sIn.nData = (int)nn;
 
   if( sIn.nStream ){
@@ -1112,6 +1112,7 @@ static int SQLITE_TCLAPI test_sqlite3changeset_invert(
     Tcl_SetObjResult(interp,Tcl_NewByteArrayObj((unsigned char*)sOut.p,sOut.n));
   }
   sqlite3_free(sOut.p);
+  free(sIn.aData);
   return rc;
 }
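Review bot: The added `free(sIn.aData);` in test_sqlite3changeset_invert runs only on the fall-through path at the end of the function; if the code between the two hunks (the `if( sIn.nStream )` branch and the error handling around the invert call) returns early, the buffer obtained from testGetByteArrayFromObj is leaked. Only the first and last few lines of the function are visible, so this is inferred from the two hunks rather than seen. If there is an early return, route it through a single exit, e.g. `rc = TCL_ERROR; goto out;` with `out: free(sIn.aData); return rc;`. The free also encodes an ownership assumption about testGetByteArrayFromObj that is not stated at the call site; a one-line comment such as `/* heap copy owned by this function; freed below */` on the `sIn.aData = ...` line would make it explicit.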
 
index 9f2ec62721c089ad97635eff84521714595c3a82..513d067bcd132ec136dacac8803fb648e804e5a1 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\s32-bit\sinteger\soverflow\sin\ssqlite3changegroup_change_blob()\sthat\ncould\slead\sto\sa\sbuffer\soverwrite.
-D 2026-05-26T14:23:36.811
+C Fix\sa\spotential\s1-byte\soverread\sin\ssqlite3changeset_invert()\swhen\s\nprocessing\sa\scorrupt\sbuffer.
+D 2026-05-26T15:09:07.010
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -562,7 +562,7 @@ F ext/session/sessiondiff.test e89f7aedcdd89e5ebac3a455224eb553a171e9586fc3e1e6a
 F ext/session/sessionfault.test c2b43d01213b389a3f518e90775fca2120812ba51e50444c4066962263e45c11
 F ext/session/sessionfault2.test b0d6a7c1d7398a7e800d84657404909c7d385965ea8576dc79ed344c46fbf41c
 F ext/session/sessionfault3.test 9397819ec25b0960c5bc03c78613f9cb5cacc970f83e817aec1775c2a839a787
-F ext/session/sessioninvert.test 9018f6a7387ac745084b6374c5e1aa14d648b372e6e1181cfab3df632b662d26 x
+F ext/session/sessioninvert.test 7ccb7609a2c11e4e13e606df439bf3d484ba8e455d0bd3aa8d4828a940e1a242 x
 F ext/session/sessionmem.test f2a735db84a3e9e19f571033b725b0b2daf847f3f28b1da55a0c1a4e74f1de09
 F ext/session/sessionnoact.test 2cf060c12a7a23e663f0ec796561e58638c5c10a846653d37be886414b06ddc9
 F ext/session/sessionnoop.test a9366a36a95ef85f8a3687856ebef46983df399541174cb1ede2ee53b8011bc7
@@ -572,9 +572,9 @@ F ext/session/sessionrowid.test 85187c2f1b38861a5844868126f69f9ec62223a03449a98a
 F ext/session/sessionsize.test 8fcf4685993c3dbaa46a24183940ab9f5aa9ed0d23e5fb63bfffbdb56134b795
 F ext/session/sessionstat1.test 5e718d5888c0c49bbb33a7a4f816366db85f59f6a4f97544a806421b85dc2dec
 F ext/session/sessionwor.test 6fd9a2256442cebde5b2284936ae9e0d54bde692d0f5fd009ecef8511f4cf3fc
-F ext/session/sqlite3session.c b290fc15a18e2ac239c2d3a8617fd34a05cb39b838a45e547ded2db0a578dd95
+F ext/session/sqlite3session.c e36c91f273e4d2ce11c9e3aaba160038c9703cda1feeb79a96bb00f3de1a6d5e
 F ext/session/sqlite3session.h 063e7bf7be2fff874456f452a224b5b3013b25682d108933b0351c93a1279b9c
-F ext/session/test_session.c 2a02a68b522e2f3d4a64b2a4733af54b0f3e500769aeccd5bcbdd440103db069
+F ext/session/test_session.c 9435a0d2c67b6c693bbf943657eeb83198efe06f796de80a6fd563013fa20bcc
 F ext/wasm/GNUmakefile 68c750f173106d9d63f12c1edf1256c6f4bad9894b155da5db64322f4912de4b
 F ext/wasm/README-dist.txt f01081a850ce38a56706af6b481e3a7878e24e42b314cfcd4b129f0f8427066a
 F ext/wasm/README.md 2e87804e12c98f1d194b7a06162a88441d33bb443efcfe00dc6565a780d2f259
@@ -2199,9 +2199,9 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 90eb6c22687449441824c7da5741a31e78bb78098c170382b230e851d03212c0
-Q +8a289158e2baeee8aa5e601bde46b0482361064ede09e4108f519270efdd5f69
-R 04e59fd679d81b5d0def33e9d765e8ec
+P f2a8ae2251561f2255c2974914293647cf304c6db79de9da957755fccaf8a8b6
+Q +78eaa605cb6c14e5bd49a898b4c737957bd60c8714913cc2341f4ffe3bfe81fe
+R 6bc5782cccdca586113cb0e4025d93e7
 U drh
-Z b3fb4c1477861bb76e1a170baea48365
+Z 6fdc2347a7f0dec009e4421d82865621
 # Remove this line to create a well-formed Fossil manifest.
index 1dfcfe426cd519794311539e9666cca4d6dbc845..bf6b01e33d69ef8a6e1e8740fd0d1265e596b351 100644 (file)
@@ -1 +1 @@
-f2a8ae2251561f2255c2974914293647cf304c6db79de9da957755fccaf8a8b6
+69554ec4e8354e8573071bc423e2dbd0059058388481be3e76fcb7c0fc1ff467