Fix a potential buffer overread in fts5 that could occur when handling corrupt records.
authordan <Dan Kennedy>
Tue, 19 May 2026 20:27:54 +0000 (20:27 +0000)
committerdan <Dan Kennedy>
Tue, 19 May 2026 20:27:54 +0000 (20:27 +0000)
FossilOrigin-Name: 70021c3291b38192832c99fa4d8155249dd39f5b26334595c71f5cee66d13ebb

ext/fts5/fts5_index.c
ext/fts5/test/fts5corruptA.test
manifest
manifest.uuid

index 374a00e8877afa7cb341500c7e77abdef3c7ae4e..ffb356a0d3837e5517037bf94647e37f0518557c 100644 (file)
@@ -3706,7 +3706,7 @@ static void fts5IndexExtractColset(
       /* Advance pointer p until it points to pEnd or an 0x01 byte that is
       ** not part of a varint */
       while( p<pEnd && *p!=0x01 ){
-        while( *p++ & 0x80 );
+        while( p<pEnd && (*p++ & 0x80) );
       }
 
       if( pColset->aiCol[i]==iCurrent ){
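Review bot: With the bound added to the inner varint scan on the `+` line, a poslist whose final varint runs off the end now leaves p==pEnd and the outer loop exits quietly, so a truncated varint is treated like a clean end of the list rather than being reported as corruption. Whether that is acceptable depends on what fts5IndexExtractColset does after this loop, which is outside the hunk; if nothing downstream flags a truncated record, the comment above the loop should at least say so, e.g. extend it to `** not part of a varint. A varint truncated at pEnd is tolerated (p stops at pEnd) rather than reported as corruption.`. The body of fts5IndexExtractColset starts before and continues after this hunk.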
index 925b2f936046ba1b6afe0313f8c2cbf57678e2d3..dc6a2df40bc6ef13233d3358ec0d71f3f880d00b 100644 (file)
@@ -96,6 +96,33 @@ do_catchsql_test 2.2 {
   SELECT rowid FROM t1('cccccccccccccccccccccccccccccccccccccccccccccccc');
 } {1 {fts5: corruption on page 1, segment 1, table "t1"}}
 
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 3.0 {
+  CREATE VIRTUAL TABLE t1 USING fts5(a, b, c);
+  INSERT INTO t1 VALUES(
+      'hello',
+      'alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima mike november oscar papa quebec romeo sierra tango uniform victor whiskey xray yankee zulu',
+      'ant bear cat dog elephant fox gorilla hippo iguana jaguar kangaroo lion monkey newt octopus panda quail rabbit snake turtle unicorn vulture walrus xerus yak zebra'
+  );
+
+  UPDATE t1_data SET block = unhex(
+      -- Preserve bytes 0-168: header through hello's nSz field
+      hex(substr(block, 1, 169))
+      -- Inject 448 bytes of 0xFF: corrupted poslist + subsequent term data
+      || replace(hex(zeroblob(448)), '00', 'FF')
+      -- Preserve 16 bytes of page index needed for hello lookup
+      || hex(substr(block, 618, 16))
+      -- Corrupt remaining 37 footer bytes (not needed for hello lookup)
+      || replace(hex(zeroblob(37)), '00', 'FF')
+      )
+  WHERE id = 137438953473;
+}
+
+do_test 3.1 {
+  execsql { SELECT * FROM t1 WHERE t1 MATCH '{a b}: hello' }
+  set {} {}
+} {}
+
 sqlite3_fts5_may_be_corrupt 0
 finish_test
-
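Review bot: Test 3.1 discards the query result with `set {} {}`, so it only checks that the MATCH over the corrupted poslist completes without an error; a reader has to infer that from the expected `{}`. A one-line comment above the do_test would make the intent explicit, e.g. `# Result is discarded: this only checks that the corrupted poslist does not cause an overread.`. The offsets 169/448/618/16/37 and the row id 137438953473 in test 3.0 are tied to the exact on-disk layout produced by that INSERT, so a note that they must be recomputed if the fts5 record format or the inserted text changes would help whoever next touches this test.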
index e7ddb14395feb6f46e24f51ba5d38874a54edbbe..3a38d04dc4708d620d519c54026f5df29094a4e0 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Silently\signore\snested\sporter\stokenizers\sin\sFTS5.\s\sHaving\snested\sporter\ntokenizers\sis\spointless,\sbut\sit\sdoes\suse\sstack\sspace\sunnecessarily.\n[bugs:/forumpost/a7766198f1|Bug\sreport\sa7766198f1].
-D 2026-05-19T19:33:49.913
+C Fix\sa\spotential\sbuffer\soverread\sin\sfts5\sthat\scould\soccur\swhen\shandling\scorrupt\srecords.
+D 2026-05-19T20:27:54.708
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -113,7 +113,7 @@ F ext/fts5/fts5_buffer.c dcc3f0352339fe79c9d8abbc1c2009bc3469206467880bf43558447
 F ext/fts5/fts5_config.c bfba970fe1e4eed18ee57c8d51458e226db9a960ddf775c5e50e3d76603a667e
 F ext/fts5/fts5_expr.c 71d48e8cf0358deace4949276647d317ff7665db6db09f40b81e2e7fe6664c7c
 F ext/fts5/fts5_hash.c d5871df92ce3fa210a650cf419ee916b87c29977e86084d06612edf772bff6f5
-F ext/fts5/fts5_index.c ef212de7aed4872fbf3c414f501b8586a4870f282e79e5f5c083e8fc816c1eea
+F ext/fts5/fts5_index.c 4ac3d9e9f83280d9b7bf29c0948c3a1ed17533ecaab3fbf0ad95218c3409b42e
 F ext/fts5/fts5_main.c b0fed47b3b4420ba6810373480a75bc28a9c0b7d16478d19a396436fb3ff17d7
 F ext/fts5/fts5_storage.c 19bc7c4cbe1e6a2dd9849ef7d84b5ca1fcbf194cefc3e386b901e00e08bf05c2
 F ext/fts5/fts5_tcl.c 2be6cc14f9448f720fd4418339cd202961a0801ea9424cb3d9de946f8f5a051c
@@ -169,7 +169,7 @@ F ext/fts5/test/fts5corrupt6.test 2d72db743db7b5d9c9a6d0cfef24d799ed1aa5e8192b66
 F ext/fts5/test/fts5corrupt7.test 814aab492d7a09abb5bfdd81cc66fc206d7f3868f9a3bae91876e02efc466fb3
 F ext/fts5/test/fts5corrupt8.test 0b10750caf8aa23fa1c379ca4caf6130d41454505e4d5315590f4061eedcbe44
 F ext/fts5/test/fts5corrupt9.test 4253b9b59f33effac8b67da72ec34309c738aca2d5e8e2656bfbbd6a489a1dfe
-F ext/fts5/test/fts5corruptA.test 592787ad5f4e10177861e1efa231819a9d77038f8c605c81c7e41b63c2436f15
+F ext/fts5/test/fts5corruptA.test 7b31551444569420903d34ae50a55a1227d16969264f0b50de2dc812bc0b3414
 F ext/fts5/test/fts5corruptbig.test 9f95b40fa36e292feceab02b2ef06e21878bfa1ac7afefa138aae05518b51774
 F ext/fts5/test/fts5delete.test 2a5008f8b1174ef41d1974e606928c20e4f9da77d9f8347aed818994d89cced4
 F ext/fts5/test/fts5detail.test 54015e9c43ec4ba542cfb93268abdf280e0300f350efd08ee411284b03595cc4
@@ -2205,8 +2205,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P c20cb75ca07d0553d7a847c65a40efb2e5c587579ec32b02121a8963c70db12f
-R a0856429c8b463de3af8d046e5aa8425
-U drh
-Z 074530ae03de0bc55aa18e545a3a8127
+P 0bdeedf56c9d7209d1ea8f950d0ef03c78cbf677528d9d30c5f4ec48c4e1a571
+R ff653f1bd0df57be89423e3ea714f832
+U dan
+Z 1d38bbb8dfe18d91c29fbafebf7a7b6a
 # Remove this line to create a well-formed Fossil manifest.
index d092a2abe5ef8a115cbf1b27eb0f3499300cb159..703040a9e1a16d68a420cf637ec266e6fb029141 100644 (file)
@@ -1 +1 @@
-0bdeedf56c9d7209d1ea8f950d0ef03c78cbf677528d9d30c5f4ec48c4e1a571
+70021c3291b38192832c99fa4d8155249dd39f5b26334595c71f5cee66d13ebb