From: drh <>
Date: Fri, 9 Jan 2026 00:41:35 +0000 (+0000)
Subject: Fix potential OOB read on the undocumented test function rtreenode() that
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b93124b6b1c77bdd9e776d422130296b67d2d83;p=thirdparty%2Fsqlite.git

Fix potential OOB read on the undocumented test function rtreenode() that
is part of the RTREE extension, as described in
[forum:/forumpost/2026-01-08T23:32:19Z|forum post 2026-01-08T23:32:19Z].
The problem is almost certainly harmless since any memory allocation will
be a multiple of 8 bytes, and once the input buffer size gets rounded up to
the next multiple of 8 bytes, the access will still be within bounds.
Nevertheless, it still needs to be fixed.

FossilOrigin-Name: 9adab8b2bef4130abd358d53384cb5f4dd691b808336bb7102793b0165b1c516
---

diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c
index 8b913ef2df..b3d29283e5 100644
--- a/ext/rtree/rtree.c
+++ b/ext/rtree/rtree.c
@@ -3775,7 +3775,7 @@ static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){
   if( node.zData==0 ) return;
   nData = sqlite3_value_bytes(apArg[1]);
   if( nData<4 ) return;
-  if( nData<NCELL(&node)*tree.nBytesPerCell ) return;
+  if( nData<4+NCELL(&node)*tree.nBytesPerCell ) return;
 
   pOut = sqlite3_str_new(0);
   for(ii=0; ii<NCELL(&node); ii++){
diff --git a/ext/rtree/rtreeB.test b/ext/rtree/rtreeB.test
index 6fc31042ca..ec1b0d5aa2 100644
--- a/ext/rtree/rtreeB.test
+++ b/ext/rtree/rtreeB.test
@@ -47,4 +47,14 @@ ifcapable rtree_int_only {
 
 do_rtree_integrity_test rtreeB-1.2 t1
 
+# https://sqlite.org/forum/forumpost/2026-01-08T23:32:19Z
+#
+db null NULL
+do_execsql_test rtreeB-2.1 {
+  SELECT rtreenode(1,x'00000001'||randomblob(15)) IS NULL;
+} {1}
+do_execsql_test rtreeB-2.2 {
+  SELECT rtreenode(1,x'00000001'||randomblob(16)) IS NOT NULL;
+} {1}
+
 finish_test
diff --git a/manifest b/manifest
index 2f26070c89..aabdd08607 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Enhance\sVACUUM\sINTO\sso\sthat\sif\sa\sURI\sfilename\sis\sused\sas\sthe\starget\sand\sthat\nfilename\sas\sa\sreserve=N\squery\sparameter\swith\sN\sbetween\s0\sand\s255,\sthen\sthe\nreserve\samount\sfor\sthe\sgenerated\sdatabase\scopy\sis\sset\sto\sN.\s\sThis\ssimplifies\nmaking\sa\scopy\sof\sa\sdatabase\sfile\swith\sa\sreduced\sor\sreset\sreserve.
-D 2026-01-08T20:29:02.555
+C Fix\spotential\sOOB\sread\son\sthe\sundocumented\stest\sfunction\srtreenode()\sthat\nis\spart\sof\sthe\sRTREE\sextension,\sas\sdescribed\sin\n[forum:/forumpost/2026-01-08T23:32:19Z|forum\spost\s2026-01-08T23:32:19Z].\nThe\sproblem\sis\salmost\scertainly\sharmless\ssince\sany\smemory\sallocation\swill\nbe\sa\smultiple\sof\s8\sbytes,\sand\sonce\sthe\sinput\sbuffer\ssize\sgets\srounded\sup\sto\nthe\snext\smultiple\sof\s8\sbytes,\sthe\saccess\swill\sstill\sbe\swithin\sbounds.\nNevertheless,\sit\sstill\sneeds\sto\sbe\sfixed.
+D 2026-01-09T00:41:35.433
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -498,7 +498,7 @@ F ext/repair/test/checkindex01.test b530f141413b587c9eb78ff734de6bb79bc3515c3350
 F ext/repair/test/test.tcl 686d76d888dffd021f64260abf29a55c57b2cedfa7fc69150b42b1d6119aac3c
 F ext/rtree/README 734aa36238bcd2dee91db5dba107d5fcbdb02396612811377a8ad50f1272b1c1
 F ext/rtree/geopoly.c f0573d5109fdc658a180db0db6eec86ab2a1cf5ce58ec66cbf3356167ea757eb
-F ext/rtree/rtree.c 95401e6812a399b5ef2e5de1249ab7e2844601cb4153ca2c3f14122ff3625569
+F ext/rtree/rtree.c 9331997a76b88a9bc04e156bdfd6e2fe35c0aa93bc338ebc6aa0ae470fe4a852
 F ext/rtree/rtree.h 4a690463901cb5e6127cf05eb8e642f127012fd5003830dbc974eca5802d9412
 F ext/rtree/rtree1.test e0608db762b2aadca0ecb6f97396cf66244490adc3ba88f2a292b27be3e1da3e
 F ext/rtree/rtree2.test 9d9deddbb16fd0c30c36e6b4fdc3ee3132d765567f0f9432ee71e1303d32603d
@@ -510,7 +510,7 @@ F ext/rtree/rtree7.test c8fb2e555b128dd0f0bdb520c61380014f497f8a23c40f2e820acc9f
 F ext/rtree/rtree8.test 4da84c7f328bbdca15052fa13da6e8b8d426433347bf75fc85574c2f5a411a02
 F ext/rtree/rtree9.test fd3c9384ef8aabbc127b3878764070398f136eebc551cd20484b570f2cc1956a
 F ext/rtree/rtreeA.test 14e67fccc5b41efbad7ea99d21d11aaa66d2067da7d5b296ee86e4de64391d82
-F ext/rtree/rtreeB.test 4cec297f8e5c588654bbf3c6ed0903f10612be8a2878055dd25faf8c71758bc9
+F ext/rtree/rtreeB.test ab93136c45cf25af78d22665c2a6d75068eef6bf3a710356e4ba8d5f37bed364
 F ext/rtree/rtreeC.test 2978b194d09b13e106bdb0e1c5b408b9d42eb338c1082bf43c87ef43bd626147
 F ext/rtree/rtreeD.test fe46aa7f012e137bd58294409b16c0d43976c3bb92c8f710481e577c4a1100dc
 F ext/rtree/rtreeE.test e65d3fc625da1800b412fc8785817327d43ccfec5f5973912d8c9e471928caa9
@@ -2191,9 +2191,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh d924598cf2f55a4ecbc2aeb055c10bd5f48114793e7ba25f9585435da29e7e98
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 66018b85a92db2f3b6b15f7c5c0d54bac890f8e50a1839c08857507c39ec4af7 48e59a27330932cf29bcbd01080757b82ea4a03f5a9e1fa7da076dbfcb7f60e3
-R 769ccb38976accc892a020695dc4c704
-T +closed 48e59a27330932cf29bcbd01080757b82ea4a03f5a9e1fa7da076dbfcb7f60e3
+P a482f9836597de55a9b58fddd3ca2963b8c67ecefef1e34a8c079a2d76f287d0
+R 2acc1347ba4359d56b1e6daba8bfb45b
 U drh
-Z efa8c02833da7c41355307f8dd505d0e
+Z 6786aa491f24a1d22a1ab6972e1d4db2
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 47079aba69..b00b4835ef 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-a482f9836597de55a9b58fddd3ca2963b8c67ecefef1e34a8c079a2d76f287d0
+9adab8b2bef4130abd358d53384cb5f4dd691b808336bb7102793b0165b1c516