From: dan
Date: Mon, 15 Jun 2026 13:39:20 +0000 (+0000)
Subject: Avoid a possible buffer overrun in 32-bit builds of fts5 that could occur when proces...
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=667d1b15c1028796bb70858c8c2e4756f3d1ca31;p=thirdparty%2Fsqlite.git

Avoid a possible buffer overrun in 32-bit builds of fts5 that could occur when processing corrupt records. Bug [bugs:/info/2026-06-14T12:21:15Z | 2026-06-14T12:21:15Z].
FossilOrigin-Name: 0fa3345fe4464804f6846c2598774b9e700df39570e81e020de21e06e2ff044d
---
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index f1e12139ec..70f581179a 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -1166,7 +1166,7 @@ static int fts5StructureDecode(
 i += fts5GetVarint32(&pData[i], nTotal);
 if( nTotalnMerge ) rc = FTS5_CORRUPT;
 pLvl->aSeg = (Fts5StructureSegment*)sqlite3Fts5MallocZero(&rc,
- nTotal * sizeof(Fts5StructureSegment)
+ (i64)nTotal * sizeof(Fts5StructureSegment)
 );
 nSegment -= nTotal;
 }
diff --git a/ext/fts5/test/fts5corrupt5.test b/ext/fts5/test/fts5corrupt5.test
index 65529c861a..23468b4c15 100644
--- a/ext/fts5/test/fts5corrupt5.test
+++ b/ext/fts5/test/fts5corrupt5.test
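Review bot: The `(i64)` cast on the new line stops the 32-bit wrap of `nTotal * sizeof(Fts5StructureSegment)`, but `nTotal` is still handed to the allocator unbounded, so an oversized per-level segment count in a corrupt record is rejected only because sqlite3Fts5MallocZero refuses a multi-gigabyte request rather than by a corruption check (the new test pins the failure as `out of memory`). Since the next context line decrements `nSegment -= nTotal;`, a level count larger than the remaining total is corrupt by construction and can be rejected before allocating by extending the existing check to `if( nTotal<pLvl->nMerge || nTotal>nSegment ) rc = FTS5_CORRUPT;` (that check renders here as `nTotalnMerge`, presumably `nTotal<pLvl->nMerge` with the `<pLvl->` eaten by the HTML rendering). Whether nSegment itself is range-checked against a maximum earlier in the function, and whether sqlite3Fts5MallocZero skips the allocation once rc is already set, is not visible in this hunk and should be confirmed. fts5StructureDecode begins and ends outside the hunk.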
@@ -2134,6 +2134,83 @@ do_catchsql_test 13.1 {
 SELECT * FROM t('a:hello')
 } {0 {{hello world} {foo bar}}}
+#-------------------------------------------------------------------------
+reset_db
+
+#-------------------------------------------------------------------------
+reset_db
+do_test 14.0 {
+ sqlite3 db {}
+ db deserialize [decode_hexdb {
+.open --hexdb
+| size 24576 pagesize 4096 filename vuln_001.db
+| page 1 offset 0
+| 0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 SQLite format 3.
+| 16: 10 00 01 01 00 40 20 20 00 00 00 03 00 00 00 06 .....@ ........
+| 32: 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 ................
+| 48: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................
+| 80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 ................
+| 96: 00 2e 76 89 0d 00 00 00 06 0e 0a 00 0f c7 0f 74 ..v............t
+| 112: 0f 0c 0e b8 0e 5f 0e 0a 00 00 00 00 00 00 00 00 ....._..........
+| 3584: 00 00 00 00 00 00 00 00 00 00 53 06 06 17 1d 1d ..........S.....
+| 3600: 01 7b 74 61 62 6c 65 74 5f 63 6f 6e 66 69 67 74 ..tablet_configt
+| 3616: 5f 63 6f 6e 66 69 67 06 43 52 45 41 54 45 20 54 _config.CREATE T
+| 3632: 41 42 4c 45 20 27 74 5f 63 6f 6e 66 69 67 27 28 ABLE 't_config'(
+| 3648: 6b 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 76 k PRIMARY KEY, v
+| 3664: 29 20 57 49 54 48 4f 55 54 20 52 4f 57 49 44 57 ) WITHOUT ROWIDW
+| 3680: 05 06 17 1f 1f 01 7f 74 61 62 6c 65 74 5f 64 6f .......tablet_do
+| 3696: 63 73 69 7a 65 74 5f 64 6f 63 73 69 7a 65 05 43 csizet_docsize.C
+| 3712: 52 45 41 54 45 20 54 41 42 4c 45 20 27 74 5f 64 REATE TABLE 't_d
+| 3728: 6f 63 73 69 7a 65 27 28 69 64 20 49 4e 54 45 47 ocsize'(id INTEG
+| 3744: 45 52 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 ER PRIMARY KEY,
+| 3760: 73 7a 20 42 4c 4f 42 29 52 04 06 17 1f 1f 01 75 sz BLOB)R......u
+| 3776: 74 61 62 6c 65 74 5f 63 6f 6e 74 65 6e 74 74 5f tablet_contentt_
+| 3792: 63 6f 6e 74 65 6e 74 04 43 52 45 41 54 45 20 54 content.CREATE T
+| 3808: 41 42 4c 45 20 27 74 5f 63 6f 6e 74 65 6e 74 27 ABLE 't_content'
+| 3824: 28 69 64 20 49 4e 54 45 47 45 52 20 50 52 49 4d (id INTEGER PRIM
+| 3840: 41 52 59 20 4b 45 59 2c 20 63 30 29 66 03 07 17 ARY KEY, c0)f...
+| 3856: 17 17 01 81 2b 74 61 62 6c 65 74 5f 69 64 78 74 ....+tablet_idxt
+| 3872: 5f 69 64 78 03 43 52 45 41 54 45 20 54 41 42 4c _idx.CREATE TABL
+| 3888: 45 20 27 74 5f 69 64 78 27 28 73 65 67 69 64 2c E 't_idx'(segid,
+| 3904: 20 74 65 72 6d 2c 20 70 67 6e 6f 2c 20 50 52 49 term, pgno, PRI
+| 3920: 4d 41 52 59 20 4b 45 59 28 73 65 67 69 64 2c 20 MARY KEY(segid,
+| 3936: 74 65 72 6d 29 29 20 57 49 54 48 4f 55 54 20 52 term)) WITHOUT R
+| 3952: 4f 57 49 44 51 02 06 17 19 19 01 7f 74 61 62 6c OWIDQ.......tabl
+| 3968: 65 74 5f 64 61 74 61 74 5f 64 61 74 61 02 43 52 et_datat_data.CR
+| 3984: 45 41 54 45 20 54 41 42 4c 45 20 27 74 5f 64 61 EATE TABLE 't_da
+| 4000: 74 61 27 28 69 64 20 49 4e 54 45 47 45 52 20 50 ta'(id INTEGER P
+| 4016: 52 49 4d 41 52 59 20 4b 45 59 2c 20 62 6c 6f 63 RIMARY KEY, bloc
+| 4032: 6b 20 42 4c 4f 42 29 37 01 06 17 0f 0f 08 61 74 k BLOB)7......at
+| 4048: 61 62 6c 65 74 74 43 52 45 41 54 45 20 56 49 52 ablettCREATE VIR
+| 4064: 54 55 41 4c 20 54 41 42 4c 45 20 74 20 55 53 49 TUAL TABLE t USI
+| 4080: 4e 47 20 66 74 73 35 28 63 6f 6e 74 65 6e 74 29 NG fts5(content)
+| page 2 offset 4096
+| 0: 0d 0f ef 00 03 0f ac 00 0f e8 0f ac 0f c4 00 00 ................
+| 4000: 00 00 00 00 00 00 00 00 00 00 00 00 16 0a 03 00 ................
+| 4016: 32 01 00 00 00 01 01 01 00 d5 aa d5 2b 01 01 01 2...........+...
+| 4032: 83 74 01 01 1d 84 80 80 80 80 01 03 00 40 00 00 .t...........@..
+| 4048: 00 18 06 30 68 65 6c 6c 6f 01 02 02 01 05 77 6f ...0hello.....wo
+| 4064: 72 6c 64 01 02 03 04 0a 05 01 03 00 10 01 02 00 rld.............
+| 4080: 00 00 11 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+| page 3 offset 8192
+| 0: 0a 00 00 00 01 0f fa 00 0f fa 00 00 00 00 00 00 ................
+| 4080: 00 00 00 00 00 00 00 00 00 00 05 04 09 0c 01 02 ................
+| page 4 offset 12288
+| 0: 0d 00 00 00 01 0f f0 00 0f f0 00 00 00 00 00 00 ................
+| 4080: 0e 01 03 00 23 68 65 6c 6c 6f 20 77 6f 72 6c 64 ....#hello world
+| page 5 offset 16384
+| 0: 0d 00 00 00 01 0f fa 00 0f fa 00 00 00 00 00 00 ................
+| 4080: 00 00 00 00 00 00 00 00 00 00 04 01 03 00 0e 02 ................
+| page 6 offset 20480
+| 0: 0a 00 00 00 01 0f f4 00 0f f4 00 00 00 00 00 00 ................
+| 4080: 00 00 00 00 0b 03 1b 01 76 65 72 73 69 6f 6e 04 ........version.
+| end vuln_001.db
+}]} {}
+
+do_catchsql_test 14.1 {
+ SELECT * FROM t('hello');
+} {1 {out of memory}}
+
 sqlite3_fts5_may_be_corrupt 0
 finish_test
diff --git a/manifest b/manifest
index c0155fc3ad..f044cb076d 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Revert\sthe\snative\simpl\sof\skvvfs's\sxOpen()\s(as\sdistinct\sfrom\sthe\sJS\simpl\swhich\sthe\swasm\sbuild\suses)\sto\sthe\shistorical\sdb\sname\srestrictions\sof\s'local'\sor\s'session',\sfailing\swith\sSQLITE_CANTOPEN\sif\spassed\sanother\sname.\s[ec866b04d088e53b]\soverhauled\ssupport\sfor\skvvfs\sdb\snames\sin\sJS\sbut\sit\sturns\sout\sthat\sthe\snative\simpl\sstill\srelies\son\sthose\snames\sin\sorder\sto\smatch\sjournals\sto\sdatabases.\sCorrect\sa\srelated\stoo-lenient\sassert()\sin\sthe\sWASM\spieces.
-D 2026-06-15T12:36:24.537
+C Avoid\sa\spossible\sbuffer\soverrun\sin\s32-bit\sbuilds\sof\sfts5\sthat\scould\soccur\swhen\sprocessing\scorrupt\srecords.\sBug\s[bugs:/info/2026-06-14T12:21:15Z\s|\s2026-06-14T12:21:15Z].
+D 2026-06-15T13:39:20.318
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
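Review bot: The added block runs `reset_db` twice in a row, each under its own separator comment (`+#----…`, `+reset_db`, `+`, `+#----…`, `+reset_db`); the first separator/`reset_db` pair is redundant and should be dropped so the new section reads like the others in the file. Separately, `do_catchsql_test 14.1` pins the failure as `{1 {out of memory}}`, which ties the expectation to the allocator refusing the oversized request rather than to the decoder detecting corruption; if a range check on the per-level segment count is later added to fts5StructureDecode the expected result would presumably become the corruption error instead. That dependency is worth a comment next to the test, e.g. `# The oversized segment count is rejected by the allocator, not by a corruption check.`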
@@ -114,7 +114,7 @@ F ext/fts5/fts5_buffer.c dcc3f0352339fe79c9d8abbc1c2009bc3469206467880bf43558447
 F ext/fts5/fts5_config.c bfba970fe1e4eed18ee57c8d51458e226db9a960ddf775c5e50e3d76603a667e
 F ext/fts5/fts5_expr.c b906c59e9e842805cc3eea4e131b822e586bb01260e542f67920c61798dcb53d
 F ext/fts5/fts5_hash.c 341a08ad0153b397b819ef3d7a7959c1dc3c84a6988a431d93dece8bd62ae10e
-F ext/fts5/fts5_index.c 96ccae2fa74b419b1ce56ae10523d681f74dba3c7b86fff6948cfa05c49e1e75
+F ext/fts5/fts5_index.c 5a2ab65d170a4b3314a927c5861740ba9070aa5bf326717690de5dd90fbb7b54
 F ext/fts5/fts5_main.c b0fed47b3b4420ba6810373480a75bc28a9c0b7d16478d19a396436fb3ff17d7
 F ext/fts5/fts5_storage.c 19bc7c4cbe1e6a2dd9849ef7d84b5ca1fcbf194cefc3e386b901e00e08bf05c2
 F ext/fts5/fts5_tcl.c 2be6cc14f9448f720fd4418339cd202961a0801ea9424cb3d9de946f8f5a051c
@@ -166,7 +166,7 @@ F ext/fts5/test/fts5corrupt.test 237fce1c3261bb3a5bec333b0f0dbf5b105ec32627ef14c
 F ext/fts5/test/fts5corrupt2.test 4a03a158c2cb617c9f76d26b35c1ef2534124bc0bbddcea38dfd5b170ebea27b
 F ext/fts5/test/fts5corrupt3.test 121a8a7622dfe1be1bc55cbe70eddd6a3416f76a837dc8c06a11a32e781595a4
 F ext/fts5/test/fts5corrupt4.test dc08d19f5b8943e95a7778a7d8da592042504faf18dd93f68f7d7a0d7d7dd733
-F ext/fts5/test/fts5corrupt5.test b9085599389721b38f080f501660c931cd608f8ecbc93c23644344f74ef7aa21
+F ext/fts5/test/fts5corrupt5.test 541dcee99eee8736f6b252d996a1262a778aa9fbe6344c781f9ea2becfae0bf5
 F ext/fts5/test/fts5corrupt6.test 2d72db743db7b5d9c9a6d0cfef24d799ed1aa5e8192b66c40e871a37ed9eed06
 F ext/fts5/test/fts5corrupt7.test 9664c15360e8b649ad76f457a0bbf5a7271b8eff1a8ee141ea039bc63240c934
 F ext/fts5/test/fts5corrupt8.test 0b10750caf8aa23fa1c379ca4caf6130d41454505e4d5315590f4061eedcbe44
@@ -2208,8 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 323d87541a63f0b2c64271c78ad6ebd5d04220da59aebfdfbc07caa691af816a
-R f42c8adf8e75609083de92370db3c963
-U stephan
-Z 7055a57e0e6a416c4124b1a56414c547
+P 4b3ec30c63e3824163a2e6cacceb9630301b61f3ffd2b80f8a7b234f09bc251b
+R 4268b2401575f05c1ef13d2885a2b3fd
+U dan
+Z 5f5badb8d3a0930043dc56d118952b6a
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 2dcfc285ed..f7e70d7153 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-4b3ec30c63e3824163a2e6cacceb9630301b61f3ffd2b80f8a7b234f09bc251b
+0fa3345fe4464804f6846c2598774b9e700df39570e81e020de21e06e2ff044d