From 4da2ddf50e3e29a3d9a4d61f5f3423dc2efc31f7 Mon Sep 17 00:00:00 2001
From: dan <Dan Kennedy>
Date: Tue, 19 May 2026 17:12:39 +0000
Subject: [PATCH] Avoid a potential 1 byte overread in sqlite3changegroup_add()
 when processing a corrupt changeset buffer.

FossilOrigin-Name: 4d8c3a2919dc942a0a044ec7582a688e0f93e91f4a465bb94390fbe3ad1b50b4
---
 ext/session/sessionC.test    | 11 +++++++++++
 ext/session/sqlite3session.c | 24 ++++++++++++++----------
 ext/session/test_session.c   |  5 +++--
 manifest                     | 18 +++++++++---------
 manifest.uuid                |  2 +-
 5 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/ext/session/sessionC.test b/ext/session/sessionC.test
index 79d4b6f6d8..ce54249625 100644
--- a/ext/session/sessionC.test
+++ b/ext/session/sessionC.test
@@ -273,4 +273,15 @@ do_test 7.0 {
 } {1 SQLITE_CORRUPT}
 grp delete
 
+#-------------------------------------------------------------------------
+#
+reset_db
+set CS 54014f300009ff
+
+do_test 8.0 {
+  sqlite3changegroup grp
+  list [catch { grp add [db one {SELECT unhex($CS)}] } msg] $msg
+} {1 SQLITE_CORRUPT}
+grp delete
+
 finish_test
diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
index 63aeb58fcf..8b06138377 100644
--- a/ext/session/sqlite3session.c
+++ b/ext/session/sqlite3session.c
@@ -3694,17 +3694,21 @@ static int sessionChangesetBufferRecord(
     int eType;
     rc = sessionInputBuffer(pIn, nByte + 10);
     if( rc==SQLITE_OK ){
-      eType = pIn->aData[pIn->iNext + nByte++];
-      if( eType==SQLITE_TEXT || eType==SQLITE_BLOB ){
-        int n;
-        int nRem = pIn->nData - (pIn->iNext + nByte);
-        nByte += sessionVarintGetSafe(&pIn->aData[pIn->iNext+nByte], nRem, &n);
-        nByte += n;
-        rc = sessionInputBuffer(pIn, nByte);
-      }else if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
-        nByte += 8;
-      }else if( eType!=0 && eType!=SQLITE_NULL ){
+      if( pIn->iNext+nByte>=pIn->nData ){
         rc = SQLITE_CORRUPT_BKPT;
+      }else{
+        eType = pIn->aData[pIn->iNext + nByte++];
+        if( eType==SQLITE_TEXT || eType==SQLITE_BLOB ){
+          int n;
+          int nRem = pIn->nData - (pIn->iNext + nByte);
+          nByte += sessionVarintGetSafe(&pIn->aData[pIn->iNext+nByte], nRem,&n);
+          nByte += n;
+          rc = sessionInputBuffer(pIn, nByte);
+        }else if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+          nByte += 8;
+        }else if( eType!=0 && eType!=SQLITE_NULL ){
+          rc = SQLITE_CORRUPT_BKPT;
+        }
       }
     }
     if( rc==SQLITE_OK && (pIn->iNext+nByte)>pIn->nData ){
diff --git a/ext/session/test_session.c b/ext/session/test_session.c
index 73a6bd226a..bb8563aabb 100644
--- a/ext/session/test_session.c
+++ b/ext/session/test_session.c
@@ -1652,9 +1652,10 @@ static int SQLITE_TCLAPI test_changegroup_cmd(
 
     case 1: {      /* add */
       Tcl_Size nByte = 0;
-      const u8 *aByte = Tcl_GetByteArrayFromObj(objv[2], &nByte);
-      rc = sqlite3changegroup_add(p->pGrp, (int)nByte, (void*)aByte);
+      void *aByte = testGetByteArrayFromObj(objv[2], &nByte);
+      rc = sqlite3changegroup_add(p->pGrp, (int)nByte, aByte);
       if( rc!=SQLITE_OK ) rc = test_session_error(interp, rc, 0);
+      free(aByte);
       break;
     };
 
diff --git a/manifest b/manifest
index ed99d29e19..9fdfa9548f 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\san\ssqlite3FaultSim()\scall\sto\sthe\schanges\sat\s[6193e4105b6a58ea]\sto\nmake\sthem\stestable.
-D 2026-05-19T17:05:28.306
+C Avoid\sa\spotential\s1\sbyte\soverread\sin\ssqlite3changegroup_add()\swhen\sprocessing\sa\scorrupt\schangeset\sbuffer.
+D 2026-05-19T17:12:39.740
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -542,7 +542,7 @@ F ext/session/session8.test 326f3273abf9d5d2d7d559eee8f5994c4ea74a5d935562454605
 F ext/session/session9.test 0c4a8fbe7a5031f50855f020f3408e1f07fd7859f1daa1629eadcec3422072d6
 F ext/session/sessionA.test 1feeab0b8e03527f08f2f1defb442da25480138f
 F ext/session/sessionB.test c4fb7f8a688787111606e123a555f18ee04f65bb9f2a4bb2aa71d55ce4e6d02c
-F ext/session/sessionC.test de98b5e173fd86c79af0d0541534398d2ea75dc0d5d74a00103eb26151b76959
+F ext/session/sessionC.test 876d8726c1e9388a9ae3aca367d348c7ae30833aa9e877a9df7424d194f2e12e
 F ext/session/sessionD.test 470ff917dc849e2eb78142ade63aaabd729d773833cff0ff01bca0eda68a21ce
 F ext/session/sessionE.test b2010949c9d7415306f64e3c2072ddabc4b8250c98478d3c0c4d064bce83111d
 F ext/session/sessionF.test d37ed800881e742c208df443537bf29aa49fd56eac520d0f0c6df3e6320f3401
@@ -573,9 +573,9 @@ F ext/session/sessionrowid.test 85187c2f1b38861a5844868126f69f9ec62223a03449a98a
 F ext/session/sessionsize.test 8fcf4685993c3dbaa46a24183940ab9f5aa9ed0d23e5fb63bfffbdb56134b795
 F ext/session/sessionstat1.test 5e718d5888c0c49bbb33a7a4f816366db85f59f6a4f97544a806421b85dc2dec
 F ext/session/sessionwor.test 6fd9a2256442cebde5b2284936ae9e0d54bde692d0f5fd009ecef8511f4cf3fc
-F ext/session/sqlite3session.c a23436c2ecaddf0b0301460aa3ff2986f151eb36e7510509521467ce669e9d45
+F ext/session/sqlite3session.c 725c8328e3f46d92140db21dd16e113569a1addf03c4d00b3896682ec1049616
 F ext/session/sqlite3session.h 063e7bf7be2fff874456f452a224b5b3013b25682d108933b0351c93a1279b9c
-F ext/session/test_session.c 21524e86610986c8296ad08e71a1af1804b823b5830ed1189623b15ceb886c7c
+F ext/session/test_session.c 3773e750b5c751956fdbef41a998cc1ba02d59c3dede74e75866e3446a900e69
 F ext/wasm/GNUmakefile 65feef4ec48e62249f90278c4c08a3fe3c69e2461ff560b61c03cd73606e0949
 F ext/wasm/README-dist.txt f01081a850ce38a56706af6b481e3a7878e24e42b314cfcd4b129f0f8427066a
 F ext/wasm/README.md 2e87804e12c98f1d194b7a06162a88441d33bb443efcfe00dc6565a780d2f259
@@ -2205,8 +2205,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 64b49e4d431d35db0920c7fc8a89d38ce2d2d2dbf42a7caf76aaa9685d66601b
-R 5fd09034b175a95fc9136a6b2c5cb9c4
-U drh
-Z 1d89a0e4b6003dc00c2f1a5824b799b6
+P 0de3d95500b7ecd41a09d81f176c1510896e811b3e468e1cf50f752305fdb06f
+R d1be400a8bdf1d9fe855ecb1d35fe797
+U dan
+Z 4e1bb0fb8aa5576fdb78f68bf011f8fd
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 4bae2d4dec..1bef4d2b7d 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-0de3d95500b7ecd41a09d81f176c1510896e811b3e468e1cf50f752305fdb06f
+4d8c3a2919dc942a0a044ec7582a688e0f93e91f4a465bb94390fbe3ad1b50b4
-- 
2.47.3