From: dan Date: Wed, 10 Jun 2026 16:51:20 +0000 (+0000) Subject: Fix a signed-integer overflow in fts5 that might occur when dealing with strategicly... X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=2bd7ac67163ca61f17e1cc54abf9a04ea08dcc83;p=thirdparty%2Fsqlite.git Fix a signed-integer overflow in fts5 that might occur when dealing with strategicly corrupted records. Bug [bugs:/info/2026-06-10T03:56:42Z | 2026-06-10T03:56:42Z]. FossilOrigin-Name: fc6442ee54795fbeb746539193716238aa653d80170523bc327ae3ce0d945ebf
---
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 468bd2e10c..c78b782e3d 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -8017,11 +8017,14 @@ static void fts5IndexTombstoneRebuild(
 nSlot = MINSLOT;
 }else if( pSeg->nPgTombstone==1 ){
 /* Case 2. */
- int nElem = (int)fts5GetU32(&pData1->p[4]);
+ u32 nElem = fts5GetU32(&pData1->p[4]);
 assert( pData1 && iPg1==0 );
- nOut = 1;
- nSlot = MAX(nElem*4, MINSLOT);
- if( nSlot>nSlotPerPage ) nOut = 0;
+ if( nElem>((u32)nSlotPerPage/4) ){
+ nOut = 0;
+ }else{
+ nOut = 1;
+ nSlot = MAX(nElem*4, MINSLOT);
+ }
 }
 if( nOut==0 ){
 /* Case 3. */
diff --git a/ext/fts5/test/fts5corruptA.test b/ext/fts5/test/fts5corruptA.test
index f44e9a9457..3e543f2f62 100644
--- a/ext/fts5/test/fts5corruptA.test
+++ b/ext/fts5/test/fts5corruptA.test
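Review bot: In ext/fts5/fts5_index.c, the `else` branch of Case 2 now accepts `nSlot = MAX(nElem*4, MINSLOT)` without the old follow-up `if( nSlot>nSlotPerPage ) nOut = 0;`, so for a small `nElem` the result `MINSLOT` is no longer compared with `nSlotPerPage`. That matches the old behaviour only if `nSlotPerPage>=MINSLOT` always holds; `nSlotPerPage` is set outside this hunk, so I would pin it with `assert( nSlotPerPage>=MINSLOT );` ahead of the new `if`. Since `nElem` comes from stored page bytes, a comment such as `/* nElem is read from the record and may be corrupt: bound it before forming nElem*4 */` above the comparison would document why the order matters. The unchanged `assert( pData1 && iPg1==0 )` still runs after `pData1->p[4]` has already been read, so it cannot catch a NULL `pData1`. fts5IndexTombstoneRebuild begins and ends outside the hunk.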
@@ -239,6 +239,34 @@ foreach leaf $lLeaf {
 } {}
 }
+#-------------------------------------------------------------------------
+reset_db
+
+do_execsql_test 6.0 {
+ CREATE VIRTUAL TABLE t USING fts5(x, content='', contentless_delete=1);
+ INSERT INTO t(rowid,x)
+ VALUES(1,'a b'), (2,'c d'), (3,'e f'), (4,'g h'), (5,'i j');
+ INSERT INTO t(t) VALUES('optimize');
+ DELETE FROM t WHERE rowid=2;
+}
+
+do_test 6.1 {
+ db eval {
+ SELECT rowid AS rid, hex(block) AS blk
+ FROM t_data WHERE rowid>1_000_000_000_000
+ } {}
+
+ set blk [string replace $blk 8 15 20000000]
+ execsql {
+ UPDATE t_data SET block = unhex($blk) WHERE rowid=$rid
+ }
+} {}
+
+do_execsql_test 6.2 {
+ DELETE FROM t WHERE rowid=3;
+}
+
+
 sqlite3_fts5_may_be_corrupt 0
 finish_test
diff --git a/manifest b/manifest
index 04aa4d14ce..2778e29be6 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@ -C Detect\san\sOOM\scondition\sin\sthe\srealpath()\sfunction\sof\sthe\sfileio.c\sextension\nand\scause\sthat\sfunction\sto\sreturn\sNULL.\s\sTo\sDo:\s\swe\sshould\sgo\sback\sin\sand\nfix\srealpath()\sto\sraise\san\sSQLITE_NOMEM\serror\son\sOOM\srather\sthan\sreturning\nNULL.\s\sBut\swe\swill\sdelay\sthat,\sin\sas\smuch\sas\sOOMs\sare\sall\sbut\simpossible\non\smodern\sOSes.\n[bug:/info/2026-06-10T07:46:32Z|Bug\s2026-06-10T07:46:32Z]. -D 2026-06-10T10:40:29.851 +C Fix\sa\ssigned-integer\soverflow\sin\sfts5\sthat\smight\soccur\swhen\sdealing\swith\sstrategicly\scorrupted\srecords.\sBug\s[bugs:/info/2026-06-10T03:56:42Z\s|\s2026-06-10T03:56:42Z]. +D 2026-06-10T16:51:20.171 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
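Review bot: In ext/fts5/test/fts5corruptA.test, test 6.1 corrupts the block with the bare numbers `8 15 20000000`, and nothing says which field that is or why the value was chosen. A comment above the `string replace` line would make the test self-explanatory, for example `# hex digits 8..15 are bytes 4..7 of the block, presumably the nElem field; 0x20000000*4 does not fit in a signed 32-bit int`. Test 6.2 gives no expected result, so it appears to check only that the DELETE finishes without an error; a one-line comment stating that intent would help the next reader.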
@@ -114,7 +114,7 @@ F ext/fts5/fts5_buffer.c dcc3f0352339fe79c9d8abbc1c2009bc3469206467880bf43558447 F ext/fts5/fts5_config.c bfba970fe1e4eed18ee57c8d51458e226db9a960ddf775c5e50e3d76603a667e F ext/fts5/fts5_expr.c 20e41452e4f83899a3a1bc66d018701186a0bbbc3a1a524f8cae447e0b150f05 F ext/fts5/fts5_hash.c 341a08ad0153b397b819ef3d7a7959c1dc3c84a6988a431d93dece8bd62ae10e -F ext/fts5/fts5_index.c eabe4a6392cabb78bb0901b00b2eede6423a282823babe3d215366997bae5bc7 +F ext/fts5/fts5_index.c 71c787178f92a3e8dd0d3d96381ea06d93fede34f43ddbeb35ddf69b5f23171a F ext/fts5/fts5_main.c b0fed47b3b4420ba6810373480a75bc28a9c0b7d16478d19a396436fb3ff17d7 F ext/fts5/fts5_storage.c 19bc7c4cbe1e6a2dd9849ef7d84b5ca1fcbf194cefc3e386b901e00e08bf05c2 F ext/fts5/fts5_tcl.c 2be6cc14f9448f720fd4418339cd202961a0801ea9424cb3d9de946f8f5a051c @@ -171,7 +171,7 @@ F ext/fts5/test/fts5corrupt6.test 2d72db743db7b5d9c9a6d0cfef24d799ed1aa5e8192b66 F ext/fts5/test/fts5corrupt7.test 9664c15360e8b649ad76f457a0bbf5a7271b8eff1a8ee141ea039bc63240c934 F ext/fts5/test/fts5corrupt8.test 0b10750caf8aa23fa1c379ca4caf6130d41454505e4d5315590f4061eedcbe44 F ext/fts5/test/fts5corrupt9.test 4253b9b59f33effac8b67da72ec34309c738aca2d5e8e2656bfbbd6a489a1dfe -F ext/fts5/test/fts5corruptA.test 469571adb09d10c7a68d84b73ab7b4ea9e7f119d9b754a85b802e33976b62ea7 +F ext/fts5/test/fts5corruptA.test 43bc56d8ec0ac87f82f6ac1700c16c902d952451f75f5c7dc02292c7b0a1d1b1 F ext/fts5/test/fts5corruptbig.test 9f95b40fa36e292feceab02b2ef06e21878bfa1ac7afefa138aae05518b51774 F ext/fts5/test/fts5delete.test 2a5008f8b1174ef41d1974e606928c20e4f9da77d9f8347aed818994d89cced4 F ext/fts5/test/fts5detail.test 54015e9c43ec4ba542cfb93268abdf280e0300f350efd08ee411284b03595cc4 
@@ -2209,8 +2209,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P 8531c0c3b61771592b055b0c22e903b8301a4161c7bcb7f9fc54d730b080d095 -R e5883d962c09aada766147417d09223f -U drh -Z a34b1cb702dc031fc82fc684719a074c +P 8b961dc3d27c5aa62a5dc7c2e44f8b505817e184f8499f3bb903e06b5aec1b72 +R 1f6a43a747295a1933a4aa3b45b558bb +U dan +Z d194393ed734fcf872689abff265089a # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 672d015f63..1d32beea58 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -8b961dc3d27c5aa62a5dc7c2e44f8b505817e184f8499f3bb903e06b5aec1b72 +fc6442ee54795fbeb746539193716238aa653d80170523bc327ae3ce0d945ebf