From: dan <dan@noemail.net>
Date: Wed, 4 Dec 2019 03:46:50 +0000 (+0000)
Subject: Fix a buffer overread that could occur in fts3 with corrupt %_stat records.
X-Git-Tag: version-3.31.0~268
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8aa706e748e0392e0b1a432f2f750bce1e457e54;p=thirdparty%2Fsqlite.git

Fix a buffer overread that could occur in fts3 with corrupt %_stat records.

FossilOrigin-Name: e01fdbf9f700e1bd9dd5283c65547d10d26ce4f4506d3cfef9e1087aecdc2305
---

diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
index 15f520d366..a6b45aef2e 100644
--- a/ext/fts3/fts3_write.c
+++ b/ext/fts3/fts3_write.c
@@ -4850,13 +4850,17 @@ static int fts3IncrmergeHintPop(Blob *pHint, i64 *piAbsLevel, int *pnInput){
   const int nHint = pHint->n;
   int i;
 
-  i = pHint->n-2;
+  i = pHint->n-1;
+  if( (pHint->a[i] & 0x80) ) return FTS_CORRUPT_VTAB;
   while( i>0 && (pHint->a[i-1] & 0x80) ) i--;
+  if( i==0 ) return FTS_CORRUPT_VTAB;
+  i--;
   while( i>0 && (pHint->a[i-1] & 0x80) ) i--;
 
   pHint->n = i;
   i += sqlite3Fts3GetVarint(&pHint->a[i], piAbsLevel);
   i += fts3GetVarint32(&pHint->a[i], pnInput);
+  assert( i<=nHint );
   if( i!=nHint ) return FTS_CORRUPT_VTAB;
 
   return SQLITE_OK;
diff --git a/manifest b/manifest
index f6e37558fe..b997f3b4d1 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\san\sincorrect\sNEVER()\smacro.
-D 2019-12-04T03:31:29.198
+C Fix\sa\sbuffer\soverread\sthat\scould\soccur\sin\sfts3\swith\scorrupt\s%_stat\srecords.
+D 2019-12-04T03:46:50.817
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -99,7 +99,7 @@ F ext/fts3/fts3_tokenizer.h 64c6ef6c5272c51ebe60fc607a896e84288fcbc3
 F ext/fts3/fts3_tokenizer1.c 5c98225a53705e5ee34824087478cf477bdb7004
 F ext/fts3/fts3_unicode.c 4b9af6151c29b35ed09574937083cece7c31e911f69615e168a39677569b684d
 F ext/fts3/fts3_unicode2.c 416eb7e1e81142703520d284b768ca2751d40e31fa912cae24ba74860532bf0f
-F ext/fts3/fts3_write.c 5b9c8870a8d2e95cceff55d6aef2a0b201a789453e66772cc3e4c9d9c3c4c415
+F ext/fts3/fts3_write.c fa971df91b7c9c317ccb76e73de425de372f854cbed16be2d98f42f61be6c0fb
 F ext/fts3/fts3speed.tcl b54caf6a18d38174f1a6e84219950d85e98bb1e9
 F ext/fts3/mkfts3amal.tcl 252ecb7fe6467854f2aa237bf2c390b74e71f100
 F ext/fts3/tool/fts3cov.sh c331d006359456cf6f8f953e37f2b9c7d568f3863f00bb5f7eb87fea4ac01b73
@@ -938,7 +938,7 @@ F test/fts3conf.test c84bbaec81281c1788aa545ac6e78a6bd6cde2bdbbce2da261690e3659f
 F test/fts3corrupt.test ce7f7b5eaeee5f1804584d061b978d85e64abf2af9adaa7577589fac6f7eae01
 F test/fts3corrupt2.test bf55c3fa0b0dc8ea1c0fe5543623bd27714585da6a129038fd6999fe3b0d25f3
 F test/fts3corrupt3.test 0d5b69a0998b4adf868cc301fc78f3d0707745f1d984ce044c205cdb764b491f
-F test/fts3corrupt4.test 6dbf948f977abe0244b9f1b06f316e40ae976978296362fd4012dfcf071925b9
+F test/fts3corrupt4.test bc90c0f6ee73df4c6bd20f1b32fefdfc00b44cc577d67ebca43b157fc3efd422
 F test/fts3corrupt5.test 0549f85ec4bd22e992f645f13c59b99d652f2f5e643dac75568bfd23a6db7ed5
 F test/fts3cov.test 7eacdbefd756cfa4dc2241974e3db2834e9b372ca215880e00032222f32194cf
 F test/fts3d.test 2bd8c97bcb9975f2334147173b4872505b6a41359a4f9068960a36afe07a679f
@@ -1851,7 +1851,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 92893b7980cbb0c6e26bc0b21390a717193205c9897fea5f26476462928897f9
-R 71a000a584998c5cbed7b42e5b235047
-U drh
-Z fc2b6df0750a16e80970f4dfbfa5ac6e
+P 96b6a76da09a94182414ec1a56da91728c37329d2b55f889e433054ca21605ce
+R 021dc4e288313b735f102a5cfdb82a99
+U dan
+Z 294099ece301ad8081d293396da7a9e9
diff --git a/manifest.uuid b/manifest.uuid
index 9a4141014d..3a9d400d28 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-96b6a76da09a94182414ec1a56da91728c37329d2b55f889e433054ca21605ce
\ No newline at end of file
+e01fdbf9f700e1bd9dd5283c65547d10d26ce4f4506d3cfef9e1087aecdc2305
\ No newline at end of file
diff --git a/test/fts3corrupt4.test b/test/fts3corrupt4.test
index 97faf67b29..2334907f83 100644
--- a/test/fts3corrupt4.test
+++ b/test/fts3corrupt4.test
@@ -5767,5 +5767,17 @@ do_catchsql_test 32.2 {
   UPDATE t1 SET b=((- '' )) WHERE a MATCH '0*t';
 } {1 {database disk image is malformed}}
 
+#-------------------------------------------------------------------------
+#
+reset_db
+do_catchsql_test 32.0 {
+  CREATE VIRTUAL TABLE f USING fts3(a,b,tokenize=icu);
+  CREATE TABLE 'f_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
+  CREATE TABLE 'f_stat'(id INTEGER PRIMARY KEY, value BLOB);
+  INSERT INTO f VALUES (1, '1234');
+  INSERT INTO f_stat VALUES (1,x'0000000165656565db6569746565c5c52bc5c5c53e3a003bc502ffffffffc5c5c53e3a003bc502fffffffffb8b2afbfb6565f0740100650000000165656565db6569746565c5c52bc5c5c53e3a003bc502ffffffffc5c5c53e3a003b8b00c5c5c5c5c5bfc5');
+  INSERT INTO f(f) VALUES ('merge=198,49');
+} {1 {database disk image is malformed}}
+
 
 finish_test