From: dan
Date: Wed, 3 Jun 2026 14:58:13 +0000 (+0000)
Subject: Fix another buffer overread in fts5 that could occur when processing corrupt records...
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=51b2c3863b31437b4f88b50133262f610ad0c575;p=thirdparty%2Fsqlite.git

Fix another buffer overread in fts5 that could occur when processing corrupt records. Bug [bugs:/info/2026-06-03T03:54:40Z | 2026-06-03T03:54:40Z].

FossilOrigin-Name: b5337c87cc314e6830615e4efe2d4723fa7cedf87ce404f60d6e520aeab77cbc
---
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 2503ce6225..787003ca38 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -5301,6 +5301,11 @@ static void fts5DoSecureDelete(
 }else{
 iStart = fts5GetU16(&aPg[0]);
 }
+ if( iStart>nPg ){
+ FTS5_CORRUPT_IDX(p);
+ sqlite3_free(aIdx);
+ return;
+ }
 iSOP = iStart + fts5GetVarint(&aPg[iStart], &iDelta);
 assert_nc( iSOP<=pSeg->iLeafOffset );
diff --git a/ext/fts5/test/fts5corrupt7.test b/ext/fts5/test/fts5corrupt7.test
index 23061a1cb5..84a586928f 100644
--- a/ext/fts5/test/fts5corrupt7.test
+++ b/ext/fts5/test/fts5corrupt7.test
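Review bot: The new guard rejects `iStart>nPg` but still lets `iStart==nPg` reach `fts5GetVarint(&aPg[iStart], &iDelta)`, which then decodes from the byte just past the page's `nPg` bytes; whether that read stays inside the allocation depends on trailing padding of the leaf buffer that this hunk does not show, and even if it does, `iDelta` is then taken from data outside the page. The following `assert_nc( iSOP<=pSeg->iLeafOffset )` is an assertion rather than a runtime check, so a corrupt varint can still push `iSOP` past the end of the page unless the code after the hunk re-validates it. I would add a runtime check right after the varint, on the same pattern as the new one: `if( iSOP>nPg ){ FTS5_CORRUPT_IDX(p); sqlite3_free(aIdx); return; }`, or tighten the guard to `iStart>=nPg` if an offset equal to the page size is never legitimate at this point. fts5DoSecureDelete starts before and continues after this hunk, so I cannot see whether a later bound on iSOP already exists.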
@@ -125,4 +125,40 @@ do_catchsql_test 2.3 {
 DELETE FROM t1 WHERE rowid = 1
 } {/.*fts5: corrupt.*/}
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 3.0 {
+ PRAGMA page_size=4096;
+ PRAGMA journal_mode=DELETE;
+ CREATE VIRTUAL TABLE t USING fts5(x, detail=none);
+
+ WITH s(i) AS (
+ VALUES(1) UNION ALL SELECT i+1 FROM s WHERE i<5000
+ )
+ INSERT INTO t(rowid, x) SELECT i, 'vulnerabilitytest' FROM s;
+
+ INSERT INTO t(t) VALUES('optimize');
+ INSERT INTO t(t, rank) VALUES('secure-delete', 1);
+} {delete}
+
+do_test 3.1 {
+ db eval { SELECT rowid AS rowid, block FROM t_data ORDER BY rowid } {
+ if {$rowid>=10 && [string length $block]>=4} {
+ binary scan $block Su first_rowid_off
+ set pgno [expr ($rowid & 0x7FFFFFFF)]
+ if {$pgno>=2 && $first_rowid_off>0} break
+ }
+ }
+
+ set bad [binary format a*a* "\xFF\xFF" [string range $block 2 end]]
+ db eval {
+ UPDATE t_data SET block = $bad WHERE rowid=$rowid
+ }
+} {}
+
+do_catchsql_test 3.2 {
+ DELETE FROM t WHERE rowid=4500;
+} {1 {fts5: corruption in table "t"}}
+
+
 finish_test
diff --git a/manifest b/manifest
index 04d2e9a18f..f2b41e7b15 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sanother\spotential\sbuffer\soverrun\sthat\scould\soccur\sin\sfts5\swhen\sprocessing\scorrupt\srecords. -D 2026-06-03T13:49:33.981 +C Fix\sanother\sbuffer\soverread\sin\sfts5\sthat\scould\soccur\swhen\sprocessing\scorrupt\srecords.\sBug\s[bugs:/info/2026-06-03T03:54:40Z\s|\s2026-06-03T03:54:40Z]. +D 2026-06-03T14:58:13.706 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea 
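Review bot: In `do_test 3.1` the search loop only leaves `$rowid` and `$block` pointing at a usable leaf when the inner `break` fires; if no row satisfies `$pgno>=2 && $first_rowid_off>0` the loop just finishes on the last `t_data` row, the UPDATE corrupts whatever block that was, and 3.2 may then report corruption for an unrelated reason while the test still passes. A `set found 0` before the `db eval`, `set found 1` beside the `break`, and `if {!$found} {error "no leaf page with a rowid found"}` after the loop would make the fixture self-checking. The `\xFF\xFF` overwrite only exercises a first-rowid offset far beyond the page; a second case that stores an offset equal to the page's data size would pin the boundary the new `iStart>nPg` check deliberately leaves open, assuming that size can be read back from the leaf header in the test.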
@@ -114,7 +114,7 @@ F ext/fts5/fts5_buffer.c dcc3f0352339fe79c9d8abbc1c2009bc3469206467880bf43558447 F ext/fts5/fts5_config.c bfba970fe1e4eed18ee57c8d51458e226db9a960ddf775c5e50e3d76603a667e F ext/fts5/fts5_expr.c 71d48e8cf0358deace4949276647d317ff7665db6db09f40b81e2e7fe6664c7c F ext/fts5/fts5_hash.c d5871df92ce3fa210a650cf419ee916b87c29977e86084d06612edf772bff6f5 -F ext/fts5/fts5_index.c 2e76c7a54a091dd97a832b9b8a4b1c70d26e511fab48eceb2bc42596b8bd78cf +F ext/fts5/fts5_index.c bd7fbe5c0dfe435324dcaa0821abbce974b4267053de860a4816398014193695 F ext/fts5/fts5_main.c b0fed47b3b4420ba6810373480a75bc28a9c0b7d16478d19a396436fb3ff17d7 F ext/fts5/fts5_storage.c 19bc7c4cbe1e6a2dd9849ef7d84b5ca1fcbf194cefc3e386b901e00e08bf05c2 F ext/fts5/fts5_tcl.c 2be6cc14f9448f720fd4418339cd202961a0801ea9424cb3d9de946f8f5a051c @@ -167,7 +167,7 @@ F ext/fts5/test/fts5corrupt3.test 121a8a7622dfe1be1bc55cbe70eddd6a3416f76a837dc8 F ext/fts5/test/fts5corrupt4.test dc08d19f5b8943e95a7778a7d8da592042504faf18dd93f68f7d7a0d7d7dd733 F ext/fts5/test/fts5corrupt5.test b9085599389721b38f080f501660c931cd608f8ecbc93c23644344f74ef7aa21 F ext/fts5/test/fts5corrupt6.test 2d72db743db7b5d9c9a6d0cfef24d799ed1aa5e8192b66c40e871a37ed9eed06 -F ext/fts5/test/fts5corrupt7.test 814aab492d7a09abb5bfdd81cc66fc206d7f3868f9a3bae91876e02efc466fb3 +F ext/fts5/test/fts5corrupt7.test 9664c15360e8b649ad76f457a0bbf5a7271b8eff1a8ee141ea039bc63240c934 F ext/fts5/test/fts5corrupt8.test 0b10750caf8aa23fa1c379ca4caf6130d41454505e4d5315590f4061eedcbe44 F ext/fts5/test/fts5corrupt9.test 4253b9b59f33effac8b67da72ec34309c738aca2d5e8e2656bfbbd6a489a1dfe F ext/fts5/test/fts5corruptA.test c854c6d1fa7068d8dc32bce610a703e92b6b934c8c8f252df4c5f81e8ba07b50 
@@ -2207,8 +2207,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P 1fb5e9169ace6bea2bdf9013f39002c1ce5dc9ce51d6007bec22d91f456c15f0 -R d9527843381a40353ef12c2a0218d617 +P 6ee44b199512b8cac604bf062f893a9047af4b5bfc881bb7cb69ae42d0a0adb4 +R ad112a7ebba6eb6137c9d02b0ef5465b U dan -Z 4c9563bf6ac5c9c0a0d3eac2b8130ffd +Z f61aa1a4db5847cd1975bdf673c6d93c # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 929bd1c750..07caceaaab 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -6ee44b199512b8cac604bf062f893a9047af4b5bfc881bb7cb69ae42d0a0adb4 +b5337c87cc314e6830615e4efe2d4723fa7cedf87ce404f60d6e520aeab77cbc