From: dan
Date: Fri, 26 Jun 2026 14:08:42 +0000 (+0000)
Subject: Fix a buffer overread that could occur in fts5 within a memcmp() when doing an integr...
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73975a8f31f1ad6e2c93e4716108ed13944a3fdc;p=thirdparty%2Fsqlite.git
Fix a buffer overread that could occur in fts5 within a memcmp() when doing an integrity-check on corrupted records.
FossilOrigin-Name: 062597f10a6d3f8c959a38e4ab6ee1a885499dd7018662e3e6268b2ee6c63c1b
---
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 70f581179a..b8e3349491 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -8541,9 +8541,13 @@ static void fts5IndexIntegrityCheckSegment(
 FTS5_CORRUPT_ROWID(p, iRow);
 }else{
 iOff += fts5GetVarint32(&pLeaf->p[iOff], nTerm);
- res = fts5Memcmp(&pLeaf->p[iOff], zIdxTerm, MIN(nTerm, nIdxTerm));
- if( res==0 ) res = nTerm - nIdxTerm;
- if( res<0 ) FTS5_CORRUPT_ROWID(p, iRow);
+ if( iOff+nTerm>pLeaf->szLeaf ){
+ FTS5_CORRUPT_ROWID(p, iRow);
+ }else{
+ res = fts5Memcmp(&pLeaf->p[iOff], zIdxTerm, MIN(nTerm, nIdxTerm));
+ if( res==0 ) res = nTerm - nIdxTerm;
+ if( res<0 ) FTS5_CORRUPT_ROWID(p, iRow);
+ }
 }
 fts5IntegrityCheckPgidx(p, iRow, pLeaf);
diff --git a/ext/fts5/test/fts5corruptA.test b/ext/fts5/test/fts5corruptA.test
index 3e543f2f62..00d1bc92f0 100644
--- a/ext/fts5/test/fts5corruptA.test
+++ b/ext/fts5/test/fts5corruptA.test
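Review bot: The new guard `if( iOff+nTerm>pLeaf->szLeaf )` bounds the memcmp() but never range-checks nTerm itself, which fts5GetVarint32 has just decoded from the possibly corrupt leaf on the line above. If nTerm is a signed int filled from a 32-bit varint (its declaration is outside the hunk), a corrupt encoding could leave it negative: the sum then stays below szLeaf, the guard passes, and MIN(nTerm, nIdxTerm) hands a negative length to fts5Memcmp, while a large positive nTerm could instead make iOff+nTerm overflow before the comparison. A subtraction form avoids both and also trips when iOff is already past szLeaf: `if( nTerm<0 || nTerm>pLeaf->szLeaf-iOff ){`. The varint read itself is not bounded within the hunk, so whether iOff is known to be inside the leaf at that point is decided earlier in fts5IndexIntegrityCheckSegment, which starts and ends outside the hunk.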
@@ -266,6 +266,30 @@ do_execsql_test 6.2 {
 DELETE FROM t WHERE rowid=3;
 }
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 7.0 {
+ CREATE VIRTUAL TABLE ft USING fts5(x);
+ INSERT INTO ft(ft,rank) VALUES('pgsz',64);
+ WITH s(i) AS (
+ SELECT 1 UNION ALL SELECT i+1 FROM s WHERE i<10
+ )
+ INSERT INTO ft SELECT 'a b b a c c d' FROM s;
+}
+
+set B "00000040FFFF61010402050104020501040205010402050104020501040205010402050104020501040205010402050101620104030301040303010403030104042b"
+set N "306162[string repeat 00 5000]"
+
+do_execsql_test 7.1 {
+ UPDATE ft_data SET block = unhex($B) WHERE id = 137438953473;
+ UPDATE ft_idx SET term=unhex($N) WHERE segid=1 AND pgno=2;
+}
+
+do_execsql_test 7.2 {
+ PRAGMA integrity_check
+} {
+ {fts5: corruption found reading blob 137438953473 from table "ft"}
+}
 sqlite3_fts5_may_be_corrupt 0
 finish_test
diff --git a/manifest b/manifest
index cfd841edeb..ff2b058223 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sparsing\sof\squoted\sinstantiation\sarguments\sin\sthe\sspellfix\sextension.\n[bugs:/info/2026-06-26T10:52:36Z|Bug\s2026-06-26T10:52:36Z]
-D 2026-06-26T13:51:48.749
+C Fix\sa\sbuffer\soverread\sthat\scould\soccur\sin\sfts5\swithin\sa\smemcmp()\swhen\sdoing\san\sintegrity-check\son\scorrupted\srecords.
+D 2026-06-26T14:08:42.052
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
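Review bot: Test 7.x plants a hand-built leaf page (the $B hex blob) and a roughly 5000-byte %_idx term ($N) without a comment saying which invariant the corruption violates, so if a future page-format change alters the expected message the fixture will be hard to re-derive. A one-line comment above `set B` along the lines of `# Leaf page whose term length runs past szLeaf, paired with an oversized %_idx term so that the integrity-check memcmp() would read beyond the leaf without the new szLeaf bound.` would tie the fixture to the fix in fts5_index.c; that this is what the bytes encode is inferred from the commit message, not verified here. Only the trailing `sqlite3_fts5_may_be_corrupt 0` is visible, so whether the may-be-corrupt flag is enabled for this section is decided outside the hunk.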
@@ -114,7 +114,7 @@ F ext/fts5/fts5_buffer.c dcc3f0352339fe79c9d8abbc1c2009bc3469206467880bf43558447
 F ext/fts5/fts5_config.c bfba970fe1e4eed18ee57c8d51458e226db9a960ddf775c5e50e3d76603a667e
 F ext/fts5/fts5_expr.c b906c59e9e842805cc3eea4e131b822e586bb01260e542f67920c61798dcb53d
 F ext/fts5/fts5_hash.c 341a08ad0153b397b819ef3d7a7959c1dc3c84a6988a431d93dece8bd62ae10e
-F ext/fts5/fts5_index.c 5a2ab65d170a4b3314a927c5861740ba9070aa5bf326717690de5dd90fbb7b54
+F ext/fts5/fts5_index.c f09017e9e8330ea90e7be0a36c43f51ad66fc0072c4e515b02955b2a703e8536
 F ext/fts5/fts5_main.c b0fed47b3b4420ba6810373480a75bc28a9c0b7d16478d19a396436fb3ff17d7
 F ext/fts5/fts5_storage.c 46b0024fdd8002fbfba162230e5cc212c8f019ba4075396860354bfaf549a546
 F ext/fts5/fts5_tcl.c 2be6cc14f9448f720fd4418339cd202961a0801ea9424cb3d9de946f8f5a051c
@@ -171,7 +171,7 @@ F ext/fts5/test/fts5corrupt6.test 2d72db743db7b5d9c9a6d0cfef24d799ed1aa5e8192b66
 F ext/fts5/test/fts5corrupt7.test 9664c15360e8b649ad76f457a0bbf5a7271b8eff1a8ee141ea039bc63240c934
 F ext/fts5/test/fts5corrupt8.test 0b10750caf8aa23fa1c379ca4caf6130d41454505e4d5315590f4061eedcbe44
 F ext/fts5/test/fts5corrupt9.test 4253b9b59f33effac8b67da72ec34309c738aca2d5e8e2656bfbbd6a489a1dfe
-F ext/fts5/test/fts5corruptA.test 43bc56d8ec0ac87f82f6ac1700c16c902d952451f75f5c7dc02292c7b0a1d1b1
+F ext/fts5/test/fts5corruptA.test 50b48f15548a3466dbd17000956ee86c2eb7d18d5a649bc11126ec917113b807
 F ext/fts5/test/fts5corruptbig.test 9f95b40fa36e292feceab02b2ef06e21878bfa1ac7afefa138aae05518b51774
 F ext/fts5/test/fts5delete.test 2a5008f8b1174ef41d1974e606928c20e4f9da77d9f8347aed818994d89cced4
 F ext/fts5/test/fts5detail.test 54015e9c43ec4ba542cfb93268abdf280e0300f350efd08ee411284b03595cc4
@@ -2208,8 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 71d4cfe5a34cf8485ab2e5abe670381cd068f013233d98c44355a6bcdfcbbbb0
-R e2235756a2729d379df30d70ed71e6b8
-U drh
-Z 3de48b27f723e1a9b8146531036ebbeb
+P c2e963ad948e0c244d6b883b919ec0815c20018282e04e5649c00e70f5a1d2ed
+R ef8451a2426c0be1d76d4a1af488156c
+U dan
+Z fb5d0f926ca6c958a74e6c0e593cad9c
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 132a5aef44..eb888555bb 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-c2e963ad948e0c244d6b883b919ec0815c20018282e04e5649c00e70f5a1d2ed
+062597f10a6d3f8c959a38e4ab6ee1a885499dd7018662e3e6268b2ee6c63c1b