From: dan Date: Wed, 5 May 2021 11:47:34 +0000 (+0000) Subject: Fix an undefined-integer-overflow problem in fts3.c. X-Git-Tag: version-3.36.0~118 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4fd82a2a7848078aab0ac70a15b46a068ddf485d;p=thirdparty%2Fsqlite.git Fix an undefined-integer-overflow problem in fts3.c. FossilOrigin-Name: a0bf931bd712037e44e8d7cac3c00a6715c1b451f222bad3184d3ecab1a4c7f4
---
diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
index e1c8b49c05..9c5703d3f1 100644
--- a/ext/fts3/fts3.c
+++ b/ext/fts3/fts3.c
@@ -1899,7 +1899,7 @@ static int fts3ScanInteriorNode(
 char *zBuffer = 0; /* Buffer to load terms into */
 i64 nAlloc = 0; /* Size of allocated buffer */
 int isFirstTerm = 1; /* True when processing first term on page */
- sqlite3_int64 iChild; /* Block id of child node to descend to */
+ u64 iChild; /* Block id of child node to descend to */
 int nBuffer = 0; /* Total term size */
 /* Skip over the 'height' varint that occurs at the start of every
@@ -1915,8 +1915,8 @@ static int fts3ScanInteriorNode(
 ** table, then there are always 20 bytes of zeroed padding following the
 ** nNode bytes of content (see sqlite3Fts3ReadBlock() for details).
 */
- zCsr += sqlite3Fts3GetVarint(zCsr, &iChild);
- zCsr += sqlite3Fts3GetVarint(zCsr, &iChild);
+ zCsr += sqlite3Fts3GetVarintU(zCsr, &iChild);
+ zCsr += sqlite3Fts3GetVarintU(zCsr, &iChild);
 if( zCsr>zEnd ){
 return FTS_CORRUPT_VTAB;
 }
@@ -1969,20 +1969,20 @@ static int fts3ScanInteriorNode(
 */
 cmp = memcmp(zTerm, zBuffer, (nBuffer>nTerm ? nTerm : nBuffer));
 if( piFirst && (cmp<0 || (cmp==0 && nBuffer>nTerm)) ){
- *piFirst = iChild;
+ *piFirst = (i64)iChild;
 piFirst = 0;
 }
 if( piLast && cmp<0 ){
- *piLast = iChild;
+ *piLast = (i64)iChild;
 piLast = 0;
 }
 iChild++;
 };
- if( piFirst ) *piFirst = iChild;
- if( piLast ) *piLast = iChild;
+ if( piFirst ) *piFirst = (i64)iChild;
+ if( piLast ) *piLast = (i64)iChild;
 finish_scan:
 sqlite3_free(zBuffer);
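Review bot: The declaration `u64 iChild;` in the first hunk does not say why the block id is unsigned, and the `(i64)iChild` casts in the third hunk depend on that choice without a comment. The value is decoded from node content by `sqlite3Fts3GetVarintU` and then advanced with `iChild++`, so on a corrupt record it can sit at the top of the range; the unsigned type makes the increment wrap with defined behaviour, and the cast back can then yield a negative block id (an implementation-defined conversion). I would record that at the declaration, e.g. `u64 iChild; /* Block id of child node; u64 so that iChild++ cannot overflow on a corrupt record */`. Whether the callers that receive `*piFirst` and `*piLast` treat an out-of-range block id as corruption is not visible here and is worth confirming. fts3ScanInteriorNode starts and ends outside these hunks.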
diff --git a/manifest b/manifest index aeb02f9bce..6ca5e623da 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C When\sapplying\sthe\soptimization\sthat\sdisables\sWHERE\sclause\sterms\sthat\sdrive\nindexes,\smake\ssure\snot\sto\sdo\sso\sif\sthe\sterm\sbeing\sdisabled\sis\sa\stransitive\nconstraint.\s\sFix\sfor\sthe\sproblem\sidentified\sby\n[forum:forumpost/eb8613976a|forum\spost\seb8613976a]. -D 2021-05-04T23:21:35.526 +C Fix\san\sundefined-integer-overflow\sproblem\sin\sfts3.c. +D 2021-05-05T11:47:34.391 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 @@ -84,7 +84,7 @@ F ext/fts3/README.content b9078d0843a094d86af0d48dffbff13c906702b4c3558012e67b9c F ext/fts3/README.syntax a19711dc5458c20734b8e485e75fb1981ec2427a F ext/fts3/README.tokenizers b92bdeb8b46503f0dd301d364efc5ef59ef9fa8e2758b8e742f39fa93a2e422d F ext/fts3/README.txt 8c18f41574404623b76917b9da66fcb0ab38328d -F ext/fts3/fts3.c 1d80d0a1e53ce5e7316e1379969c842079c46237369e131fd378288e64ebbf5f +F ext/fts3/fts3.c 95f55e24550c01c2a325d09c9ea8fdff61e923a4675f8545b28bf3c470e57dfb F ext/fts3/fts3.h 3a10a0af180d502cecc50df77b1b22df142817fe F ext/fts3/fts3Int.h bde280294d56ff50ee29d03e5140f0b6953b44d1c969bb5831e8ae85e3e76715 F ext/fts3/fts3_aux.c 1af58af8f2b00a49f4fb1c2602f8da2054ad60076f46c8ebf85c5410eccccb65 
@@ -1912,7 +1912,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 625fb253eecd6c10fce5d0127d516361df0c1d1661502b396fc418dcdb4ae999 -R fc9428e1e84cc459623c4cb5fd643660 -U drh -Z 77c8f6fc1b9f65abd817f039fe767b40 +P f1f9b5de3c59489b94963685660b3ddc45eece5535b02fec399b6ece0e38563d +R 3eb42cf1a3ad75d68c55702010a6c049 +U dan +Z eb102c3d91184be0441ddd1aaca152a2 diff --git a/manifest.uuid b/manifest.uuid index ca5460c1c5..ad7aa86c4d 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -f1f9b5de3c59489b94963685660b3ddc45eece5535b02fec399b6ece0e38563d \ No newline at end of file +a0bf931bd712037e44e8d7cac3c00a6715c1b451f222bad3184d3ecab1a4c7f4 \ No newline at end of file