Fix a signed-integer overflow in fts5 that might occur when dealing with strategicly...

FossilOrigin-Name: fc6442ee54795fbeb746539193716238aa653d80170523bc327ae3ce0d945ebf

diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 468bd2e10c8e07b6edb6e75e90670ffdad27dcad..c78b782e3de458f8254399b461b442629944c692 100644 (file)
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -8017,11 +8017,14 @@ static void fts5IndexTombstoneRebuild(
     nSlot = MINSLOT;
   }else if( pSeg->nPgTombstone==1 ){
     /* Case 2. */
-    int nElem = (int)fts5GetU32(&pData1->p[4]);
+    u32 nElem = fts5GetU32(&pData1->p[4]);
     assert( pData1 && iPg1==0 );
-    nOut = 1;
-    nSlot = MAX(nElem*4, MINSLOT);
-    if( nSlot>nSlotPerPage ) nOut = 0; 
+    if( nElem>((u32)nSlotPerPage/4) ){
+      nOut = 0;
+    }else{
+      nOut = 1;
+      nSlot = MAX(nElem*4, MINSLOT);
+    }
   }
   if( nOut==0 ){
     /* Case 3. */

diff --git a/ext/fts5/test/fts5corruptA.test b/ext/fts5/test/fts5corruptA.test
index f44e9a94577c2c68cc74fc9ba6af2d8923742cb3..3e543f2f62ae553c001869bd3f5d7d20c80c7747 100644 (file)
--- a/ext/fts5/test/fts5corruptA.test
+++ b/ext/fts5/test/fts5corruptA.test
@@ -239,6 +239,34 @@ foreach leaf $lLeaf {
   } {}
 }
 
+#-------------------------------------------------------------------------
+reset_db
+
+do_execsql_test 6.0 {
+  CREATE VIRTUAL TABLE t USING fts5(x, content='', contentless_delete=1);
+  INSERT INTO t(rowid,x) 
+    VALUES(1,'a b'), (2,'c d'), (3,'e f'), (4,'g h'), (5,'i j');
+  INSERT INTO t(t) VALUES('optimize');
+  DELETE FROM t WHERE rowid=2;
+}
+
+do_test 6.1 {
+  db eval {
+    SELECT rowid AS rid, hex(block) AS blk 
+    FROM t_data WHERE rowid>1_000_000_000_000
+  } {}
+
+  set blk [string replace $blk 8 15 20000000]
+  execsql {
+    UPDATE t_data SET block = unhex($blk) WHERE rowid=$rid
+  }
+} {}
+
+do_execsql_test 6.2 {
+  DELETE FROM t WHERE rowid=3;
+}
+
+
 sqlite3_fts5_may_be_corrupt 0
 finish_test
 

diff --git a/manifest b/manifest
index 04aa4d14ceb46003b9ae064fa3b3d79cdc26db59..2778e29be6e6184ac19e2664b87565ffa1786493 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Detect\san\sOOM\scondition\sin\sthe\srealpath()\sfunction\sof\sthe\sfileio.c\sextension\nand\scause\sthat\sfunction\sto\sreturn\sNULL.\s\sTo\sDo:\s\swe\sshould\sgo\sback\sin\sand\nfix\srealpath()\sto\sraise\san\sSQLITE_NOMEM\serror\son\sOOM\srather\sthan\sreturning\nNULL.\s\sBut\swe\swill\sdelay\sthat,\sin\sas\smuch\sas\sOOMs\sare\sall\sbut\simpossible\non\smodern\sOSes.\n[bug:/info/2026-06-10T07:46:32Z|Bug\s2026-06-10T07:46:32Z].
-D 2026-06-10T10:40:29.851
+C Fix\sa\ssigned-integer\soverflow\sin\sfts5\sthat\smight\soccur\swhen\sdealing\swith\sstrategicly\scorrupted\srecords.\sBug\s[bugs:/info/2026-06-10T03:56:42Z\s|\s2026-06-10T03:56:42Z].
+D 2026-06-10T16:51:20.171
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -114,7 +114,7 @@ F ext/fts5/fts5_buffer.c dcc3f0352339fe79c9d8abbc1c2009bc3469206467880bf43558447
 F ext/fts5/fts5_config.c bfba970fe1e4eed18ee57c8d51458e226db9a960ddf775c5e50e3d76603a667e
 F ext/fts5/fts5_expr.c 20e41452e4f83899a3a1bc66d018701186a0bbbc3a1a524f8cae447e0b150f05
 F ext/fts5/fts5_hash.c 341a08ad0153b397b819ef3d7a7959c1dc3c84a6988a431d93dece8bd62ae10e
-F ext/fts5/fts5_index.c eabe4a6392cabb78bb0901b00b2eede6423a282823babe3d215366997bae5bc7
+F ext/fts5/fts5_index.c 71c787178f92a3e8dd0d3d96381ea06d93fede34f43ddbeb35ddf69b5f23171a
 F ext/fts5/fts5_main.c b0fed47b3b4420ba6810373480a75bc28a9c0b7d16478d19a396436fb3ff17d7
 F ext/fts5/fts5_storage.c 19bc7c4cbe1e6a2dd9849ef7d84b5ca1fcbf194cefc3e386b901e00e08bf05c2
 F ext/fts5/fts5_tcl.c 2be6cc14f9448f720fd4418339cd202961a0801ea9424cb3d9de946f8f5a051c
@@ -171,7 +171,7 @@ F ext/fts5/test/fts5corrupt6.test 2d72db743db7b5d9c9a6d0cfef24d799ed1aa5e8192b66
 F ext/fts5/test/fts5corrupt7.test 9664c15360e8b649ad76f457a0bbf5a7271b8eff1a8ee141ea039bc63240c934
 F ext/fts5/test/fts5corrupt8.test 0b10750caf8aa23fa1c379ca4caf6130d41454505e4d5315590f4061eedcbe44
 F ext/fts5/test/fts5corrupt9.test 4253b9b59f33effac8b67da72ec34309c738aca2d5e8e2656bfbbd6a489a1dfe
-F ext/fts5/test/fts5corruptA.test 469571adb09d10c7a68d84b73ab7b4ea9e7f119d9b754a85b802e33976b62ea7
+F ext/fts5/test/fts5corruptA.test 43bc56d8ec0ac87f82f6ac1700c16c902d952451f75f5c7dc02292c7b0a1d1b1
 F ext/fts5/test/fts5corruptbig.test 9f95b40fa36e292feceab02b2ef06e21878bfa1ac7afefa138aae05518b51774
 F ext/fts5/test/fts5delete.test 2a5008f8b1174ef41d1974e606928c20e4f9da77d9f8347aed818994d89cced4
 F ext/fts5/test/fts5detail.test 54015e9c43ec4ba542cfb93268abdf280e0300f350efd08ee411284b03595cc4
@@ -2209,8 +2209,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 8531c0c3b61771592b055b0c22e903b8301a4161c7bcb7f9fc54d730b080d095
-R e5883d962c09aada766147417d09223f
-U drh
-Z a34b1cb702dc031fc82fc684719a074c
+P 8b961dc3d27c5aa62a5dc7c2e44f8b505817e184f8499f3bb903e06b5aec1b72
+R 1f6a43a747295a1933a4aa3b45b558bb
+U dan
+Z d194393ed734fcf872689abff265089a
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 672d015f6391262afcec685911be95af6aac0ef0..1d32beea586c43198aead1dc3ff76bfc07848a97 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-8b961dc3d27c5aa62a5dc7c2e44f8b505817e184f8499f3bb903e06b5aec1b72
+fc6442ee54795fbeb746539193716238aa653d80170523bc327ae3ce0d945ebf