From: drh <> Date: Tue, 19 May 2026 15:24:00 +0000 (+0000) Subject: Early detection of attempts to overwrite an in-use cache page due X-Git-Tag: release~44 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=0d56a90b3d48de8d77c78ba076b89c22fca0c23e;p=thirdparty%2Fsqlite.git Early detection of attempts to overwrite an in-use cache page due to database corruption. FossilOrigin-Name: c37b0d93bf750ddad0b271c5f133320f754e5af73c0b68a3d19f9276e196d667 --- diff --git a/manifest b/manifest index be6f965d01..b2edcd62a0 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Limit\sthe\ssize\sof\sinput\sstrings\sto\sthe\s(disused)\sspellfix\sextension\nto\savoid\sexcessive\sruntime\sand\sinteger\soverflows. -D 2026-05-19T10:33:53.258 +C Early\sdetection\sof\sattempts\sto\soverwrite\san\sin-use\scache\spage\sdue\nto\sdatabase\scorruption. +D 2026-05-19T15:24:00.697 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea @@ -675,7 +675,7 @@ F src/auth.c ebec42df26b34a62b6750d30d9c2c03554a1c522020182476f7729a439fef04f F src/backup.c 5c97e8023aab1ce14a42387eb3ae00ba5a0644569e3476f38661fa6f824c3523 F src/bitvec.c e242d4496774dfc88fa278177dd23b607dce369ccafb3f61b41638eea2c9b399 F src/btmutex.c 30dada73a819a1ef5b7583786370dce1842e12e1ad941e4d05ac29695528daea -F src/btree.c fb350c445316c1cc0529703c0b76450770a1de0ab0440641a56b19f05d6fefbe +F src/btree.c 4b074c6d2ca43e683d64297c915be620e2be84b2f22c1da21045249ed1490f03 F src/btree.h e823c46d87f63d904d735a24b76146d19f51f04445ea561f71cc3382fd1307f0 F src/btreeInt.h 9c0f9ea5c9b5f4dcaea18111d43efe95f2ac276cd86d770dce10fd99ccc93886 F src/build.c 8581de0af3b6c448f5d64e2d18a91ac1e7057b3bcb8b8827e1240f80d87486a4 
@@ -2198,9 +2198,9 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P 24b8ecd17f70f222c40aa91382515a7d0d0b82c882498ae0714818d672806e7f -Q +4b16b80cf2e26c41f0828d65883145dc81c0987110c3f04a864cec43e7c418e5 -R 6f5606fdbd8f4c5422503bb256f4ddcd +P 2a8951b548a9408df300d238a9fea313268a30c322f0efc0b233bdd3e71a7f9d +Q +6193e4105b6a58eac2bc17c5b2d55fdae332816b59beed1fe24c15dff1372322 +R c863d4804af7fe78f3db629d90cd9339 U drh -Z 6768569daddda80128545c4db75384d8 +Z f89b7a602cde4d61767338853aa2a936 # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 04bb7e778e..550146b4df 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -2a8951b548a9408df300d238a9fea313268a30c322f0efc0b233bdd3e71a7f9d +c37b0d93bf750ddad0b271c5f133320f754e5af73c0b68a3d19f9276e196d667
diff --git a/src/btree.c b/src/btree.c
index 66a4238303..8e6f3f1079 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -1646,7 +1646,7 @@ static int defragmentPage(MemPage *pPage, int nMaxFrag){
 ** reconstruct the entire page. */
 if( (int)data[hdr+7]<=nMaxFrag ){
 int iFree = get2byte(&data[hdr+1]);
- if( iFree>usableSize-4 ) return SQLITE_CORRUPT_PAGE(pPage);
+ if( NEVER(iFree>usableSize-4) ) return SQLITE_CORRUPT_PAGE(pPage);
 if( iFree ){
 int iFree2 = get2byte(&data[iFree]);
 if( iFree2>usableSize-4 ) return SQLITE_CORRUPT_PAGE(pPage);
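Review bot: Wrapping `iFree>usableSize-4` in NEVER() in defragmentPage asserts that this bound can no longer fail, but nothing at the site records which earlier check guarantees it. A one-line comment such as `/* iFree was range-checked when the page was initialized, and an in-use page can no longer be overwritten through accessPayload() */` would state the invariant; the link to the accessPayload change is inferred from the commit title and should be confirmed. The neighbouring `iFree2>usableSize-4` test stays a plain check, so a word on why the two differ would help the next reader. defragmentPage's body starts and ends outside the hunk.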
@@ -5290,6 +5290,12 @@ static int accessPayload(
 (eOp==0 ? PAGER_GET_READONLY : 0)
 );
 if( rc==SQLITE_OK ){
+ if( eOp!=0
+ && (sqlite3PagerPageRefcount(pDbPage)!=1
+ || NEVER(((MemPage*)sqlite3PagerGetExtra(pDbPage))->isInit)) ){
+ sqlite3PagerUnref(pDbPage);
+ return SQLITE_CORRUPT_PAGE(pPage);
+ }
 aPayload = sqlite3PagerGetData(pDbPage);
 nextPage = get4byte(aPayload);
 rc = copyPayload(&aPayload[offset+4], pBuf, a, eOp, pDbPage);
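Review bot: The new guard at the top of the `if( rc==SQLITE_OK )` block carries no comment saying why a page reference count other than 1, or a set `isInit`, means the database is corrupt, and that is not evident from the condition alone. A short comment would make the defensive intent reviewable, for example `/* An overflow page about to be overwritten must have no other holder and must not be in use as a b-tree page; otherwise the overflow chain is corrupt */`. Because the `isInit` test is wrapped in NEVER(), it is presumably expected to be subsumed by the refcount test; if so, the comment should say that the refcount comparison is the real gate. accessPayload's body starts and ends outside the hunk.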