From: drh <>
Date: Tue, 23 Jun 2026 10:51:24 +0000 (+0000)
Subject: Fix an OOB read in the next_char() function of the
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=987675a440267ee809713c02ffd8f59f0027af23;p=thirdparty%2Fsqlite.git
Fix an OOB read in the next_char() function of the "spellfix" extension. The spellfix extension is not a deliverable. [bugs:/info/2026-06-23T05:41:00Z|Bug 2026-06-23T05:41:00Z]
FossilOrigin-Name: 6ede22e13f8e85c1a341c9a80a3be2f2677baee897c659af4ca43a04698e29a5
---
diff --git a/ext/misc/nextchar.c b/ext/misc/nextchar.c
index 60fa3db94d..176e4b695a 100644
--- a/ext/misc/nextchar.c
+++ b/ext/misc/nextchar.c
@@ -181,6 +181,10 @@ static void findNextChars(nextCharContext *p){
 }else{
 const unsigned char *zOut = sqlite3_column_text(p->pStmt, 0);
 unsigned cNext;
+ if( sqlite3_column_bytes(p->pStmt,0)<=p->nPrefix ){
+ sqlite3_reset(p->pStmt);
+ continue;
+ }
 n = readUtf8(zOut+p->nPrefix, &cNext);
 sqlite3_reset(p->pStmt);
 nextCharAppend(p, cNext);
diff --git a/manifest b/manifest
index 8cc4165edd..0d0176b060 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sdequoting\serror\son\sthe\sinstantiation\sparameters\sof\sthe\nnon-deliverable\sextension\svirtual\stable\s"fuzzer.\n[bugs:/info/2026-06-23T05:51:36Z|Bug\s2026-06-23T05:51:36Z].
-D 2026-06-23T10:23:08.214
+C Fix\san\sOOB\sread\sin\sthe\snext_char()\sfunction\sof\sthe\n"spellfix"\sextension.\s\sThe\sspellfix\sextension\sis\snot\sa\sdeliverable.\n[bugs:/info/2026-06-23T05:41:00Z|Bug\s2026-06-23T05:41:00Z]
+D 2026-06-23T10:51:24.377
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
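Review bot: The added guard leaves with `continue` rather than `return`, which re-enters the surrounding loop without anything in this hunk changing the state that drives the query; if the statement hands back the same too-short row again, findNextChars could spin instead of finishing. The enclosing loop begins above the hunk and continues below it, so its shape is inferred from the `continue` alone — if the bound prefix does advance on each pass, disregard this. Either way the guard deserves a comment, e.g. `/* Value is NULL or no longer than the prefix: nothing to read at zOut+p->nPrefix */`, because sqlite3_column_bytes() returning 0 for a NULL column is what makes this also cover the NULL-pointer case (assuming p->nPrefix is never negative).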
@@ -384,7 +384,7 @@ F ext/misc/ieee754.c 2901d08a586d00a1d3c0fd89e03c57ee9e2b5f013b0daab9e49c7a48a9d
 F ext/misc/memstat.c 03ab52d2d841eb3f55118105c1964d5225f152b23bd708844c648b48d14ccbcf
 F ext/misc/memtrace.c 7c0d115d2ef716ad0ba632c91e05bd119cb16c1aedf3bec9f06196ead2d5537b
 F ext/misc/mmapwarm.c a81af4aaec00f24f308e2f4c19bf1d88f3ac3ce848c36daa7a4cd38145c4080d
-F ext/misc/nextchar.c 7877914c2a80c2f181dd04c3dbef550dfb54c93495dc03da2403b5dd58f34edd
+F ext/misc/nextchar.c bb5bc64780c9ef4aa903b510249d0d37ec05a2f8faa5420bca71a6552cc1bd59
 F ext/misc/noop.c f1a21cc9b7a4e667e5c8458d80ba680b8bd4315a003f256006046879f679c5a0
 F ext/misc/normalize.c fbb144a861809686ff2b5b6eee8bb2e1207f9bf13ce7376e5273c700a1eafbd5
 F ext/misc/pcachetrace.c f4227ce03fb16aa8d6f321b72dd051097419d7a028a9853af048bee7645cb405
@@ -1676,7 +1676,7 @@ F test/speed4p.test 377a0c48e5a92e0b11c1c5ebb1bc9d83a7312c922bc0cb05970ef5d6a96d
 F test/speedtest.md ea0c85ebe0ecff8b45ba6cdb26e694871f469009a5a29dcfe634b055f05ab241
 F test/speedtest.tcl b06f6321ef90bb68f18f7b0e430e25203d9da79b80f8926986a0d5f21ac485fb x
 F test/speedtest1.c f9f30f35431bfc1d3ee9acc561624e0c0b4614071044bc302169dd27206a0fca
-F test/spellfix.test 951a6405d49d1a23d6b78027d3877b4a33eeb8221dcab5704b499755bb4f552e
+F test/spellfix.test 7f7770ee8bc738fb0dab182d9bb4ee998e3982e534bdffd1a176c08bafec50f1
 F test/spellfix2.test dfc8f519a3fc204cb2dfa8b4f29821ae90f6f8c3
 F test/spellfix3.test 0f9efaaa502a0e0a09848028518a6fb096c8ad33
 F test/spellfix4.test 7c56a09de68b95051ef0627fe235e514efbba2aa816dc2a9c5c670d98877e632
@@ -2208,8 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 21b2692c8363f2c0629beef4860400a1d27f499a3f27745c23391bcfa09da898
-R 11edd10072d153a9016536fd807ecadd
+P 410045796b4486fc2d301e661bf9fce3ca3a1ba61c72fe5d6c5d59a330443dd5
+R 5510a938005b223242a14b3abf4cf953
 U drh
-Z 1fcbd6486c2940aa82bdd8816c026f4f
+Z c8b4a9ace02483cb111546d22badf1d6
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 68c9b49a4b..dbd6740b00 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-410045796b4486fc2d301e661bf9fce3ca3a1ba61c72fe5d6c5d59a330443dd5
+6ede22e13f8e85c1a341c9a80a3be2f2677baee897c659af4ca43a04698e29a5
diff --git a/test/spellfix.test b/test/spellfix.test
index 68bcfd5adb..82c578239d 100644
--- a/test/spellfix.test
+++ b/test/spellfix.test
@@ -402,4 +402,17 @@ foreach {tn conflict err bRollback res} {
 catchsql ROLLBACK
 }
+# Bug 2026-06-23T05:41:00Z
+#
+do_execsql_test 8.1 {
+ DROP TABLE IF EXISTS t1;
+ CREATE TABLE d(w);
+ INSERT INTO d VALUES(1);
+ WITH RECURSIVE cnt(n) AS (VALUES(1) UNION ALL SELECT n+1 FROM cnt WHERE n<100)
+ SELECT sum(length(next_char(
+ printf('%.*c',1000000,'A'),
+ 'd',
+ 'substr(printf(''%.*c'',2000000,''A''),1,if(abs(random())%2=0,1000001,1))')))>0
+ FROM cnt;
+} {1}
 finish_test
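Review bot: The comment above `do_execsql_test 8.1` gives only the bug id; one line saying what the case exercises would spare the next reader a trip to the tracker, e.g. `# next_char() where the value produced by the expression argument is shorter than the prefix (OOB read in findNextChars)`. The expression argument uses random() to pick between 1000001 and 1 characters, presumably so that the rows the query matches and the values it then returns can disagree; which rows take the short path therefore varies between runs, though with 100 rows both lengths are hit with overwhelming probability. Stating that intent in the comment would keep a future cleanup from replacing random() with a constant and silently losing the regression coverage.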