From: drh <>
Date: Mon, 25 May 2026 18:53:35 +0000 (+0000)
Subject: Enhance the defenses against malformed JSONB in the jsonbPayloadSize()
X-Git-Tag: release~30
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=2e6dc01ea75736313fb80fbc6fd4b012ebaa758c;p=thirdparty%2Fsqlite.git

Enhance the defenses against malformed JSONB in the jsonbPayloadSize() routine.

FossilOrigin-Name: 73dfb252f86807464642037df6ec7353b5b52d8c447837c7c4a6540ec622f29d
---
diff --git a/manifest b/manifest
index 1cda8777f0..0667cb93fb 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\spotential\s1\sbyte\soverwrite\sthat\scould\soccur\swhen\sprocessing\na\scarefully\scrafted\ssuper-journal\sfile.
-D 2026-05-25T18:50:36.784
+C Enhance\sthe\sdefenses\sagainst\smalformed\sJSONB\sin\sthe\sjsonbPayloadSize()\nroutine.
+D 2026-05-25T18:53:35.158
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -696,7 +696,7 @@ F src/hash.h 46b92795a95bfefb210f52f0c316e9d7cdbcdd7e7fcfb0d8be796d3a5767cddf
 F src/hwtime.h 21c2cf1f736e7b97502c3674d0c386db3f06870d6f10d0cf8174e2a4b8cb726e
 F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71
 F src/insert.c dfd311b0ac2d4f6359e62013db67799757f4d2cc56cca5c10f4888acfbbfa3fd
-F src/json.c 047c4cec4d688f6aaca609c3cfb2403a4cf00fefab8b150a22362a2439c2caa8
+F src/json.c 07395d2ac4318038efd71ec44e40f279ed8203ddee0cdf0fece92a87fe9a51b7
 F src/legacy.c d7874bc885906868cd51e6c2156698f2754f02d9eee1bae2d687323c3ca8e5aa
 F src/loadext.c 56a542244fbefc739a2ef57fac007c16b2aefdb4377f584e9547db2ce3e071f9
 F src/main.c 387bb9d0216d6d35b221481ba8e661d94ad043060cd89581b6422c269ce680a0
@@ -2198,10 +2198,9 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 02733fc4bc27df64b50ca5027ac94fc643146efb24bb4fdbcc70c45e1c58c919
-Q +897b443fb35d550891315890a5af473d347af3b6ecea11fcafafb5b06a1b50a5
-Q +b3766c3afd0ac4d31f158ee5938f19d72a047872e422b5f19b1567c60640f54d
-R c3fc380e6153a86c5f44e942f9507e62
+P f654fa5ac938bb61d917fc33298052f5bd7a6e5e33b0539ac15cbd45bec023d3
+Q +32c9f71a989fa4c81a613398ca5c1e68eb88b2a90ac4a4a7bf39e755717f43b1
+R 8ccedf2f79e509b79f57cb5cd0be312a
 U drh
-Z 56866845b858bde42dad2a731387b4be
+Z 0de945a6b6bb010399f38b3660471a95
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index a3c08e2e6b..a1f4145c56 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-f654fa5ac938bb61d917fc33298052f5bd7a6e5e33b0539ac15cbd45bec023d3
+73dfb252f86807464642037df6ec7353b5b52d8c447837c7c4a6540ec622f29d
diff --git a/src/json.c b/src/json.c
index cf8b4c9157..f6ab7593de 100644
--- a/src/json.c
+++ b/src/json.c
@@ -2124,9 +2124,10 @@ static u32 jsonbPayloadSize(const JsonParse *pParse, u32 i, u32 *pSz){
   u8 x;
   u32 sz;
   u32 n;
-  assert( i<=pParse->nBlob );
-  x = pParse->aBlob[i]>>4;
-  if( x<=11 ){
+  if( i>=pParse->nBlob ){
+    *pSz = 0;
+    return 0;
+  }else if( (x = pParse->aBlob[i]>>4)<=11 ){
     sz = x;
     n = 1;
   }else if( x==12 ){
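Review bot: The new bounds check protects only the header byte read at `aBlob[i]`; the size-prefix branches that follow (`x==12` and the larger prefixes, whose bodies are outside this hunk) presumably read one or more bytes after position `i` and need their own `i+k < nBlob` checks, so confirm those remain in place rather than relying on this guard. The early `return 0` makes 0 the error value and pairs it with `*pSz = 0`; a short comment on the new branch, `/* i is past the end of the blob: malformed JSONB, report no header and no payload */`, would make that contract explicit, and callers have to treat a 0 return as malformed input before using the size. As a point of style, folding the assignment into the condition, `}else if( (x = pParse->aBlob[i]>>4)<=11 ){`, reads worse than the separate statement it replaced; now that the early return precedes it, `x = pParse->aBlob[i]>>4;` followed by `if( x<=11 ){` keeps the behavior and the old readability. jsonbPayloadSize continues outside the hunk.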