From: dan Date: Wed, 1 Apr 2026 17:43:22 +0000 (+0000) Subject: Fix a potential 4-byte overread in the sessions module when processing a corrupt... X-Git-Tag: major-release~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=62f315020463e5713ac4bee8cb7b8048ab565799;p=thirdparty%2Fsqlite.git Fix a potential 4-byte overread in the sessions module when processing a corrupt changeset. FossilOrigin-Name: c1c7e024c34da8eb0258ce552f3f81921280ccf0f1fea59374f381c0c7b43b74 --- diff --git a/ext/session/sessionC.test b/ext/session/sessionC.test index 1997ba5e80..57a05bd454 100644 --- a/ext/session/sessionC.test +++ b/ext/session/sessionC.test @@ -195,13 +195,27 @@ do_test 3.3 { #------------------------------------------------------------------------- # reset_db -set C [binary format c* 0x54 0x01 0x01 0x00 0x12 0x00 0x05] +set C [binary format c* {0x54 0x01 0x01 0x00 0x12 0x00 0x05}] do_test 4.0 { sqlite3changegroup grp list [catch { grp add $C } msg] $msg -} {1 SQLITE_CORRUPT} +} {0 {}} grp delete +#------------------------------------------------------------------------- +# +reset_db +set C [binary format c* {0x54 0xda 0xda 0xda 0xda 0xda}] + +do_execsql_test 4.0 { + CREATE TABLE t1(a PRIMARY KEY, b, c, d); +} + +breakpoint +do_test 4.1 { + list [catch { sqlite3changeset_apply db $C noop xFilter } msg] $msg +} {1 SQLITE_CORRUPT} + finish_test diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c index 07db041cfc..7350dbb919 100644 --- a/ext/session/sqlite3session.c +++ b/ext/session/sqlite3session.c @@ -354,9 +354,9 @@ static int sessionVarintGet(const u8 *aBuf, int *piVal){ ** Return the number of bytes read. */ static int sessionVarintGetSafe(const u8 *aBuf, int nBuf, int *piVal){ - u8 aCopy[5]; + u8 aCopy[9]; const u8 *aRead = aBuf; - if( nBuf<5 ){ + if( nBuf
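Review bot: The new section reuses the test id `4.0` for `do_execsql_test 4.0`, which the preceding `do_test 4.0` (now expecting `{0 {}}`) already uses in the same file, so a failure report cannot tell the two apart; renumber the new cases to `5.0` and `5.1`. The bare `breakpoint` line before `do_test 4.1` looks like a debugging leftover and should be dropped before this lands. The 6-byte input `0x54 0xda 0xda 0xda 0xda 0xda`, whose trailing continuation bytes are what drive the varint reader past its buffer, is only fed to `sqlite3changeset_apply`; since test 4.0 shows the changegroup path parsing the same table header, a matching `list [catch { grp add $C } msg] $msg` expecting `{1 SQLITE_CORRUPT}` would presumably pin the fix on that path as well, assuming it shares the varint reader.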