-C Fix\san\sassert()\sin\sbtree\sroutine\sfreeSpace()\sthat\smay\sbe\sfalse\sif\sthe\sdatabase\sis\scorrupt.
-D 2015-05-25T15:03:49.960
+C Fix\sa\scase\swhere\sdatabase\scorruption\smay\scause\sSQLite\sto\swrite\spast\sthe\send\sof\sa\sbuffer.
+D 2015-05-25T17:07:29.779
F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
F Makefile.in 0a6ae26396ec696221021780dffbb894ff3cead7
F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
F src/backup.c ff743689c4d6c5cb55ad42ed9d174b2b3e71f1e3
F src/bitvec.c 5eb7958c3bf65210211cbcfc44eff86d0ded7c9d
F src/btmutex.c 45a968cc85afed9b5e6cf55bf1f42f8d18107f79
-F src/btree.c 9114263de91fa983a7ae6bbd75bb044552e4a7fb
+F src/btree.c 030535334184d12260df4bfcefed672f4d83dcf8
F src/btree.h 969adc948e89e449220ff0ff724c94bb2a52e9f1
F src/btreeInt.h 973a22a6fd61350b454ad614832b1f0a5e25a1e4
F src/build.c d5d9090788118178190c5724c19f93953b8c7a4e
F test/corruptF.test be9fde98e4c93648f1ba52b74e5318edc8f59fe4
F test/corruptG.test 1ab3bf97ee7bdba70e0ff3ba2320657df55d1804
F test/corruptH.test 5dd4fa98c6c1ed33b178f9e8a48c4fdd3cfc9067
-F test/corruptI.test 08048e8f2743e1d4c0f8862699b72b8eb947d79b
+F test/corruptI.test bd6986db57424a4d61bfc9f67e9dc1c2ae4f2cfb
F test/corruptJ.test 9e29e7a81ee3b6ac50f77ea7a9e2f3fa03f32d91
F test/cost.test 19d314526616ce4473eb4e4e450fcb94499ce318
F test/count.test cb2e0f934c6eb33670044520748d2ecccd46259c
F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P f1e942a1dda496a509741e9cc2a17e8b4dac63a3
-R 47c82c340b3278702bcb6251bfdf065a
+P 00a473c56188cd60a74559effb114140e3fe8a8d
+R dc376bcfcb68a6e7c538fd875c1e9af7
U dan
-Z 0ae4902a860647347b6e1ad08b782288
+Z 5eaace98730adbf7603d90b10f2ffa48
-00a473c56188cd60a74559effb114140e3fe8a8d
\ No newline at end of file
+97806a78142b15f89878e25ee70dc5b0524d6793
\ No newline at end of file
** However, that integer is too large to be stored in a 2-byte unsigned
** integer, so a value of 0 is used in its place. */
top = get2byteNotZero(&data[hdr+5]);
- if( gap>top ) return SQLITE_CORRUPT_BKPT;
+ if( gap>top || top>pPage->pBt->usableSize ) return SQLITE_CORRUPT_BKPT;
/* If there is enough space between gap and top for one more cell pointer
** array entry offset, and if the freelist is not empty, then search the
execsql { DELETE FROM t1 WHERE a=0 }
} {}
+
+#-------------------------------------------------------------------------
+# Database properties:
+#
+# * Incremental vacuum mode.
+# * Database root table has a single leaf page.
+# * Free list consists of a single trunk page.
+#
+# The db is then corrupted by adding the root table leaf page as a free-list
+# leaf page (so that it is referenced twice).
+#
+# Then, a new table is created. The new root page is the current free-list
+# trunk. This means that the root table leaf page is made into the new
+# free list trunk, which corrupts its header. Then, when the new entry is
+# inserted into the root table, things would get chaotic.
+#
+reset_db
+do_test 5.0 {
+ execsql {
+ PRAGMA page_size = 512;
+ PRAGMA auto_vacuum = 2;
+ }
+ for {set i 3} {1} {incr i} {
+ execsql "CREATE TABLE t${i}(x)"
+ if {[db one {PRAGMA page_count}]>$i} break
+ }
+ set nPage [db one {PRAGMA page_count}]
+ execsql {
+ CREATE TABLE t100(x);
+ DROP TABLE t100;
+ }
+} {}
+
+do_execsql_test 5.1 {
+ PRAGMA page_count
+} [expr $nPage+1]
+
+do_test 5.2 {
+ # The last page of the db is now the only leaf of the sqlite_master table.
+ # Corrupt the db by adding it to the free-list as well (the second last
+ # page of the db is the free-list trunk).
+ db close
+ hexio_write test.db [expr 512*($nPage-1)] [
+ format "%.8X%.8X%.8X" 0 1 [expr $nPage+1]
+ ]
+} {12}
+
+do_test 5.3 {
+ sqlite3 db test.db
+ catchsql { CREATE TABLE tx(x); }
+} {1 {database disk image is malformed}}
+
+
finish_test
projects / thirdparty / sqlite.git / commitdiff
