Fix a buffer overread in the session module that could occur when processing a corrup...

FossilOrigin-Name: 869a51ae84dfaaf824c872e4b3024f35eea7fa67bb584759a2d42ebf8404ef6e

diff --git a/ext/session/sessionC.test b/ext/session/sessionC.test
index ce54249625d0ea5d97b8e694fe91cd2472cde0ae..dcfb5a51747955252e52efab5d13f64ae42e783a 100644 (file)
--- a/ext/session/sessionC.test
+++ b/ext/session/sessionC.test
@@ -284,4 +284,16 @@ do_test 8.0 {
 } {1 SQLITE_CORRUPT}
 grp delete
 
+#-------------------------------------------------------------------------
+#
+reset_db
+set CS 540101740017000003ffffffff
+
+do_test 9.0 {
+  set C [db one {SELECT unhex($CS)}]
+  list [catch { sqlite3changeset_concat $C $C } msg] $msg
+} {1 SQLITE_CORRUPT}
+
 finish_test
+
+

diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
index 1f2cabed1cb672a1b0c4cfacb64b3b71b0f5cefa..5db50fe1d3e616fc5cfc573b4fb61b8f6343eb81 100644 (file)
--- a/ext/session/sqlite3session.c
+++ b/ext/session/sqlite3session.c
@@ -346,7 +346,9 @@ static int sessionVarintLen(int iVal){
 ** bytes read.
 */
 static int sessionVarintGet(const u8 *aBuf, int *piVal){
-  return getVarint32(aBuf, *piVal);
+  int ret = getVarint32(aBuf, *piVal);
+  *piVal = (*piVal & 0x7FFFFFFF);
+  return ret;
 }
 
 /*
@@ -361,7 +363,7 @@ static int sessionVarintGetSafe(const u8 *aBuf, int nBuf, int *piVal){
     memcpy(aCopy, aBuf, nBuf);
     aRead = aCopy;
   }
-  return getVarint32(aRead, *piVal);
+  return sessionVarintGet(aRead, piVal);
 }
 
 /* Load an unaligned and unsigned 32-bit integer */

diff --git a/manifest b/manifest
index 7a4255640c292197e60b2f0ed05d93f187e31c55..985b5a1b891ce6c6ae327fc74ff95ee0bfe4dc78 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Performance\soptimization\sto\sthe\ssqlite3ExprCollSeqMatch()\sroutine.
-D 2026-05-21T14:48:43.158
+C Fix\sa\sbuffer\soverread\sin\sthe\ssession\smodule\sthat\scould\soccur\swhen\sprocessing\sa\scorrupt\schangeset.
+D 2026-05-21T14:58:36.935
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -542,7 +542,7 @@ F ext/session/session8.test 326f3273abf9d5d2d7d559eee8f5994c4ea74a5d935562454605
 F ext/session/session9.test ce2b898aa4caf0e492b57c29cb707224e0a33479e4f019785a81828273143ba5
 F ext/session/sessionA.test 1feeab0b8e03527f08f2f1defb442da25480138f
 F ext/session/sessionB.test c4fb7f8a688787111606e123a555f18ee04f65bb9f2a4bb2aa71d55ce4e6d02c
-F ext/session/sessionC.test 876d8726c1e9388a9ae3aca367d348c7ae30833aa9e877a9df7424d194f2e12e
+F ext/session/sessionC.test 7c9b5e90194b3b7ad8bcbc6fcbac77d2c572ec3566a30fce1e82f4d64fb9aa3f
 F ext/session/sessionD.test 470ff917dc849e2eb78142ade63aaabd729d773833cff0ff01bca0eda68a21ce
 F ext/session/sessionE.test b2010949c9d7415306f64e3c2072ddabc4b8250c98478d3c0c4d064bce83111d
 F ext/session/sessionF.test d37ed800881e742c208df443537bf29aa49fd56eac520d0f0c6df3e6320f3401
@@ -573,7 +573,7 @@ F ext/session/sessionrowid.test 85187c2f1b38861a5844868126f69f9ec62223a03449a98a
 F ext/session/sessionsize.test 8fcf4685993c3dbaa46a24183940ab9f5aa9ed0d23e5fb63bfffbdb56134b795
 F ext/session/sessionstat1.test 5e718d5888c0c49bbb33a7a4f816366db85f59f6a4f97544a806421b85dc2dec
 F ext/session/sessionwor.test 6fd9a2256442cebde5b2284936ae9e0d54bde692d0f5fd009ecef8511f4cf3fc
-F ext/session/sqlite3session.c aa0e9491a70647487daadb04bd59c998922112ee4f3c449814c7e3a26a9d43db
+F ext/session/sqlite3session.c 7e0823eadf9005e98e06cfa6724cf3354a20e27e70fbaceae686441f399e9f08
 F ext/session/sqlite3session.h 063e7bf7be2fff874456f452a224b5b3013b25682d108933b0351c93a1279b9c
 F ext/session/test_session.c 3773e750b5c751956fdbef41a998cc1ba02d59c3dede74e75866e3446a900e69
 F ext/wasm/GNUmakefile 65feef4ec48e62249f90278c4c08a3fe3c69e2461ff560b61c03cd73606e0949
@@ -2205,8 +2205,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 68c5fd5fa0f986b782519472398b068ba7c295c56a0e0199b8e0509d0d1685fb
-R 87643aeff447c121e679837bf119a591
-U drh
-Z be79c12f35d7863c4b03de65556dd9ce
+P 035f1d2f284a081e6aef01cc773a3784458ec8e6297f3fbf4063670a9e65278c
+R 1e2b795dd24a1dc54fabb62c538c6eaa
+U dan
+Z e2539ec2b0b2717cf345cab8558dd8c0
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 0555fd6ba2ac44af9bb574db9665bf04524c6d26..f4b403f593b5e06b3d2e397af9dd67d254bca887 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-035f1d2f284a081e6aef01cc773a3784458ec8e6297f3fbf4063670a9e65278c
+869a51ae84dfaaf824c872e4b3024f35eea7fa67bb584759a2d42ebf8404ef6e