From 720d3afa7eb0c09fcd20c3dc74c7f047c01f7dbe Mon Sep 17 00:00:00 2001
From: drh <>
Date: Thu, 28 May 2026 10:14:25 +0000
Subject: [PATCH] Fix potential integer overflow in btree overflow page cache computation, reported by Project Fortify. Test cases in TH3.

FossilOrigin-Name: dfa674d6e6bffdb930dbefa767831db7862c322b6d3c7a6322f0fa0f087aaaf9
---
 manifest | 14 +++++++-------
 manifest.uuid | 2 +-
 src/btree.c | 4 +++-
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/manifest b/manifest
index 69ce4de208..8f82d17074 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Patch\stest/indexexpr1.test\sto\swork\swhen\sbuilt\swith\sSQLITE_DQS=0.\sAddresses\s[forum:2026-05-26T18:08:20Z|forum\spost\s2026-05-26T18:08:20Z].
-D 2026-05-26T19:25:36.487
+C Fix\spotential\sinteger\soverflow\sin\sbtree\soverflow\spage\scache\scomputation,\nreported\sby\sProject\sFortify.\s\sTest\scases\sin\sTH3.
+D 2026-05-28T10:14:25.247
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -678,7 +678,7 @@ F src/auth.c b5ece4e1edccad082c0332fa0087df225473bae0feea9269f824312201377185
 F src/backup.c 6ebe22ccbedfcb92423833992130e8d65824be4e6599c3a03f540ab38fc7d13c
 F src/bitvec.c e242d4496774dfc88fa278177dd23b607dce369ccafb3f61b41638eea2c9b399
 F src/btmutex.c 30dada73a819a1ef5b7583786370dce1842e12e1ad941e4d05ac29695528daea
-F src/btree.c 8aa7c903ef0181ff92c8365545ae75a1d648f57151b60c03c11b0a51da979edb
+F src/btree.c 2f74489af68281d143f5c4e9ef8ba280cee86fce67a64b3eff9344bbabc5dadf
 F src/btree.h e823c46d87f63d904d735a24b76146d19f51f04445ea561f71cc3382fd1307f0
 F src/btreeInt.h 9c0f9ea5c9b5f4dcaea18111d43efe95f2ac276cd86d770dce10fd99ccc93886
 F src/build.c 866e584cdf40fbc83f530af9fd4d0991582a6fdbd8a9911b7cdbbea5f26a4a9e 
@@ -2208,8 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P e78198e6aec57c28e33a5b1c5ae9943115a35d2fbfa04c8428318567f17eefbe
-R a628ab30284205241205a853323276ec
-U stephan
-Z c98417d5ae241afbaee0903a7ef064d4
+P b470a5d69e70d3440467e7792231f8556111d2c1126cf62879bbfd214ac0a9e0
+R f93211bf011e728b05fb024ce9234ada
+U drh
+Z 01ed8bae8d232f4e5f402b3795da7d4b
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 9f810aa70f..9536c9a6aa 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-b470a5d69e70d3440467e7792231f8556111d2c1126cf62879bbfd214ac0a9e0
+dfa674d6e6bffdb930dbefa767831db7862c322b6d3c7a6322f0fa0f087aaaf9
diff --git a/src/btree.c b/src/btree.c
index fd2c384479..88a8ede43a 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -5195,7 +5195,9 @@ static int accessPayload(
 ** means "not yet known" (the cache is lazily populated).
 */
 if( (pCur->curFlags & BTCF_ValidOvfl)==0 ){
-    int nOvfl = (pCur->info.nPayload-pCur->info.nLocal+ovflSize-1)/ovflSize;
+    i64 nOvfl = pCur->info.nPayload;
+    testcase( nOvfl - pCur->info.nLocal + ovflSize - 1 > 0xffffffffU );
+    nOvfl = (nOvfl - pCur->info.nLocal + ovflSize-1)/ovflSize;
 if( pCur->aOverflow==0
 || nOvfl*(int)sizeof(Pgno) > sqlite3MallocSize(pCur->aOverflow)
 ){
-- 
2.47.3
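Review bot: The new `i64 nOvfl = pCur->info.nPayload;` carries no hint of why the accumulator was widened, so a later cleanup could narrow it back to `int` and silently reintroduce the wrap; I would put the reason on that line, e.g. `/* i64 on purpose: nPayload is a u32 (per CellInfo, if I read btreeInt.h right) and a corrupt cell can push the u32 sum past 2^32, which would undersize aOverflow[] */`. The `testcase()` marks the wrap path for coverage, but without such a comment it reads as an unexplained assertion. In the size comparison the `(int)sizeof(Pgno)` cast is now promoted to i64 anyway; writing it as `(i64)sizeof(Pgno)` would make the intended width explicit rather than incidental. accessPayload continues past the hunk, so the realloc size derived from nOvfl there is not visible here and is worth confirming it is computed in the widened type as well.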