Fix a potential integer overflow when decoding a corrupt kvvfs block. Bug report...

FossilOrigin-Name: c36fc5df62c7eb8fca6a43cb0b3154a030b39a4cfade8fb04496120d4d339b97

diff --git a/manifest b/manifest
index bcc04a9b0b20d4b90eb429a9d28e243770910a6b..40e3ac87d2ca82ffd6fe1b1c820de0c67b60d961 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\san\sincorrect\sassert()\sin\scheck-in\s[984c9b181801c1de]
-D 2026-06-20T21:54:18.923
+C Fix\sa\spotential\sinteger\soverflow\swhen\sdecoding\sa\scorrupt\skvvfs\sblock.\sBug\sreport\s[bugs:76acc88b57|2026-06-20T18:35:54Z].
+D 2026-06-21T08:13:22.016
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -720,7 +720,7 @@ F src/notify.c 57c2d1a2805d6dee32acd5d250d928ab94e02d76369ae057dee7d445fd64e878
 F src/os.c 9566966dd14376099fe8f715e744ab4fef204f55bd89126c5ddd06eb37df9457
 F src/os.h 1ff5ae51d339d0e30d8a9d814f4b8f8e448169304d83a7ed9db66a65732f3e63
 F src/os_common.h 6c0eb8dd40ef3e12fe585a13e709710267a258e2c8dd1c40b1948a1d14582e06
-F src/os_kv.c 8807692a584a5496e764df704e41e061e4a17eb578740fd26b155611aab5081e
+F src/os_kv.c e541742fb5d62848bf8d05ec2c95abeeb9334f57d1c60aa1c680c9c37e5ca5b8
 F src/os_setup.h 8efc64eda6a6c2f221387eefc2e7e45fd5a3d5c8337a7a83519ba4fbd2957ae2
 F src/os_unix.c 83759942d1ea8d59daed50901c123016f845fada74caf3496b8a2537c9a08838
 F src/os_win.c 68b1c31693a5aeeb8126f618c95f7b53fb39e254836f9a95fbf2733461a7e01d
@@ -2208,8 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P a396d7c54c5f251daaaac1e68321c2a54d3b6969599027c29b7ca7abe7fb8c4e
-R aaf0285a839431a4bb032764f55f992b
-U drh
-Z df5755c904f5557e7a754bd1dc52f8c1
+P 1d41c93b3636de63cc4b9ee49f73319429944f2255ab56d7556595f56434c17c
+R 744ebe01cf64c18272de128b6ad64fb5
+U stephan
+Z cd188760798b6554f026c5e4f2d0719d
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 6481f2f8e423aaad17eea26562ea7d9bffe5ada9..6008c3f9e80487da5f96503a605f54727d0c9de2 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-1d41c93b3636de63cc4b9ee49f73319429944f2255ab56d7556595f56434c17c
+c36fc5df62c7eb8fca6a43cb0b3154a030b39a4cfade8fb04496120d4d339b97

diff --git a/src/os_kv.c b/src/os_kv.c
index 7707ebb76db169d3ea04902469bc353235544ac3..6574d7e490d4a0d76c226392936b5399248ded1d 100644 (file)
--- a/src/os_kv.c
+++ b/src/os_kv.c
@@ -468,16 +468,17 @@ int kvvfsDecode(const char *a, char *aOut, int nOut){
   while( 1 ){
     c = kvvfsHexValue[aIn[i]];
     if( c<0 ){
-      int n = 0;
-      int mult = 1;
+      sqlite3_int64 n = 0;
+      sqlite3_int64 mult = 1;
       c = aIn[i];
       if( c==0 ) break;
       while( c>='a' && c<='z' ){
         n += (c - 'a')*mult;
+        if( n>nOut ) return -1 /* oversized/malformed input */;
         mult *= 26;
         c = aIn[++i];
       }
-      if( j+n>nOut ) return -1;
+      if( j+n>nOut ) return -1 /* oversized/malformed input */;
       memset(&aOut[j], 0, n);
       j += n;
       if( c==0 || mult==1 ) break; /* progress stalled if mult==1 */