From: dan
Date: Wed, 3 Jun 2026 13:49:33 +0000 (+0000)
Subject: Fix another potential buffer overrun that could occur in fts5 when processing corrupt...
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=6feeafc7deaa60e321ceb0f7361d883e13b4c68c;p=thirdparty%2Fsqlite.git
Fix another potential buffer overrun that could occur in fts5 when processing corrupt records.
FossilOrigin-Name: 6ee44b199512b8cac604bf062f893a9047af4b5bfc881bb7cb69ae42d0a0adb4
---
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 1daa2f1335..2503ce6225 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -3557,8 +3557,7 @@ static void fts5PoslistFilterCallback(
 do { while( ieState ){ fts5BufferSafeAppendBlob(pCtx->pBuf, &pChunk[iStart], i-iStart);
diff --git a/ext/fts5/test/fts5corrupt5.test b/ext/fts5/test/fts5corrupt5.test
index caffb0eeb9..65529c861a 100644
--- a/ext/fts5/test/fts5corrupt5.test
+++ b/ext/fts5/test/fts5corrupt5.test
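Review bot: The loop in fts5PoslistFilterCallback that this hunk tightens carries no comment recording the bound it now enforces for corrupt records, and the function begins before and continues after the hunk. On this page everything between `<` and `>` characters has been stripped from the hunk body (the condition reads `while( ieState ){`), so the new loop condition cannot be verified here; a reviewer with the repository should confirm that it keeps `i` inside the chunk before `fts5BufferSafeAppendBlob(pCtx->pBuf, &pChunk[iStart], i-iStart)` runs, since by its name the Safe variant presumably appends without growing the buffer. A comment above the loop such as `/* pChunk may be truncated or malformed in a corrupt record: the bound below must keep i within the chunk so that i-iStart never exceeds the bytes actually present. */` would make the reason for the change durable.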
@@ -1998,6 +1998,142 @@ do_catchsql_test 12.1 {
 SELECT rowid FROM ft('a:aaa')
 } {0 1}
+#-------------------------------------------------------------------------
+reset_db
+do_test 13.0 {
+ sqlite3 db {}
+ db deserialize [decode_hexdb {
+.open --hexdb
+| size 24576 pagesize 4096 filename vuln_001.db
+| page 1 offset 0
+| 0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 SQLite format 3.
+| 16: 10 00 01 01 00 40 20 20 00 00 00 03 00 00 00 06 .....@ ........
+| 32: 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 ................
+| 48: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................
+| 80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 ................
+| 96: 00 2e 76 89 0d 00 00 00 06 0e 09 00 0f ca 0f 77 ..v............w
+| 112: 0f 0f 0e b7 0e 5e 0e 09 00 00 00 00 00 00 00 00 .....^..........
+| 3584: 00 00 00 00 00 00 00 00 00 53 06 06 17 1d 1d 01 .........S......
+| 3600: 7b 74 61 62 6c 65 74 5f 63 6f 6e 66 69 67 74 5f .tablet_configt_
+| 3616: 63 6f 6e 66 69 67 06 43 52 45 41 54 45 20 54 41 config.CREATE TA
+| 3632: 42 4c 45 20 27 74 5f 63 6f 6e 66 69 67 27 28 6b BLE 't_config'(k
+| 3648: 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 76 29 PRIMARY KEY, v)
+| 3664: 20 57 49 54 48 4f 55 54 20 52 4f 57 49 44 57 05 WITHOUT ROWIDW.
+| 3680: 06 17 1f 1f 01 7f 74 61 62 6c 65 74 5f 64 6f 63 ......tablet_doc
+| 3696: 73 69 7a 65 74 5f 64 6f 63 73 69 7a 65 05 43 52 sizet_docsize.CR
+| 3712: 45 41 54 45 20 54 41 42 4c 45 20 27 74 5f 64 6f EATE TABLE 't_do
+| 3728: 63 73 69 7a 65 27 28 69 64 20 49 4e 54 45 47 45 csize'(id INTEGE
+| 3744: 52 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 73 R PRIMARY KEY, s
+| 3760: 7a 20 42 4c 4f 42 29 56 04 06 17 1f 1f 01 7d 74 z BLOB)V.......t
+| 3776: 61 62 6c 65 74 5f 63 6f 6e 74 65 6e 74 74 5f 63 ablet_contentt_c
+| 3792: 6f 6e 74 65 6e 74 04 43 52 45 41 54 45 20 54 41 ontent.CREATE TA
+| 3808: 42 4c 45 20 27 74 5f 63 6f 6e 74 65 6e 74 27 28 BLE 't_content'(
+| 3824: 69 64 20 49 4e 54 45 47 45 52 20 50 52 49 4d 41 id INTEGER PRIMA
+| 3840: 52 59 20 4b 45 59 2c 20 63 30 2c 20 63 31 29 66 RY KEY, c0, c1)f
+| 3856: 03 07 17 17 17 01 81 2b 74 61 62 6c 65 74 5f 69 .......+tablet_i
+| 3872: 64 78 74 5f 69 64 78 03 43 52 45 41 54 45 20 54 dxt_idx.CREATE T
+| 3888: 41 42 4c 45 20 27 74 5f 69 64 78 27 28 73 65 67 ABLE 't_idx'(seg
+| 3904: 69 64 2c 20 74 65 72 6d 2c 20 70 67 6e 6f 2c 20 id, term, pgno,
+| 3920: 50 52 49 4d 41 52 59 20 4b 45 59 28 73 65 67 69 PRIMARY KEY(segi
+| 3936: 64 2c 20 74 65 72 6d 29 29 20 57 49 54 48 4f 55 d, term)) WITHOU
+| 3952: 54 20 52 4f 57 49 44 51 02 06 17 19 19 01 7f 74 T ROWIDQ.......t
+| 3968: 61 62 6c 65 74 5f 64 61 74 61 74 5f 64 61 74 61 ablet_datat_data
+| 3984: 02 43 52 45 41 54 45 20 54 41 42 4c 45 20 27 74 .CREATE TABLE 't
+| 4000: 5f 64 61 74 61 27 28 69 64 20 49 4e 54 45 47 45 _data'(id INTEGE
+| 4016: 52 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 62 R PRIMARY KEY, b
+| 4032: 6c 6f 63 6b 20 42 4c 4f 42 29 34 01 06 17 0f 0f lock BLOB)4.....
+| 4048: 08 5b 74 61 62 6c 65 74 74 43 52 45 41 54 45 20 .[tablettCREATE
+| 4064: 56 49 52 54 55 41 4c 20 54 41 42 4c 45 20 74 20 VIRTUAL TABLE t
+| 4080: 55 53 49 4e 47 20 66 74 73 35 28 61 2c 20 62 29 USING fts5(a, b)
+| page 2 offset 4096
+| 0: 0d 00 00 00 04 0b da 00 0f e7 0f ef 0f ce 0b da ................
+| 3024: 00 00 00 00 00 00 00 00 00 00 87 6c 84 80 80 80 ...........l....
+| 3040: 80 02 04 00 8f 5c 00 00 03 e8 80 80 80 80 80 80 ................
+| 3056: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3072: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3088: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3104: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3120: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3136: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3152: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3168: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3184: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3200: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3216: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3232: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3248: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3264: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3280: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3296: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3312: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3328: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3344: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3360: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3376: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3392: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3408: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3424: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3440: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3456: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3472: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3488: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3504: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3520: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3536: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3552: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3568: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3584: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3600: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3616: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3632: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3648: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3664: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3680: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3696: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3712: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3728: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3744: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3760: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3776: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3792: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3808: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3824: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3840: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3856: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3872: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3888: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3904: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3920: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3936: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3952: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3968: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 3984: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 4000: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 4016: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 ................
+| 4032: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 12 84 ................
+| 4048: 80 80 80 80 01 03 00 2a 00 0b 00 0e 06 30 68 65 .......*.....0he
+| 4064: 6c 6c 6f 01 04 04 04 06 01 03 00 12 01 02 02 0f llo.............
+| 4080: 0a 03 00 24 00 00 00 00 01 01 01 00 01 01 01 02 ...$............
+| page 3 offset 8192
+| 0: 0a 00 00 00 01 0f fa 00 0f fa 00 00 00 00 00 00 ................
+| 4080: 00 00 00 00 00 00 00 00 00 00 05 04 09 0c 01 02 ................
+| page 4 offset 12288
+| 0: 0d 00 00 00 01 0f e8 00 0f e8 00 00 00 00 00 00 ................
+| 4064: 00 00 00 00 00 00 00 00 16 01 04 00 23 1b 68 65 ............#.he
+| 4080: 6c 6c 6f 20 77 6f 72 6c 64 66 6f 6f 20 62 61 72 llo worldfoo bar
+| page 5 offset 16384
+| 0: 0d 00 00 00 01 0f f9 00 0f f9 00 00 00 00 00 00 ................
+| 4080: 00 00 00 00 00 00 00 00 00 05 01 03 00 10 02 02 ................
+| page 6 offset 20480
+| 0: 0a 00 00 00 01 0f f4 00 0f f4 00 00 00 00 00 00 ................
+| 4080: 00 00 00 00 0b 03 1b 01 76 65 72 73 69 6f 6e 04 ........version.
+| end vuln_001.db
+}]} {}
+
+do_catchsql_test 13.1 {
+ SELECT * FROM t('a:hello')
+} {0 {{hello world} {foo bar}}}
+
 sqlite3_fts5_may_be_corrupt 0
 finish_test
diff --git a/manifest b/manifest
index e887a5068c..04d2e9a18f 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\spotential\sUAF\sbug\sin\sthe\szipfile\sextension.\n[bugs:/info/2026-06-03T10:58:51Z|Bug\s2026-06-03T10:58:51Z].
-D 2026-06-03T13:12:20.326
+C Fix\sanother\spotential\sbuffer\soverrun\sthat\scould\soccur\sin\sfts5\swhen\sprocessing\scorrupt\srecords.
+D 2026-06-03T13:49:33.981
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -114,7 +114,7 @@ F ext/fts5/fts5_buffer.c dcc3f0352339fe79c9d8abbc1c2009bc3469206467880bf43558447
 F ext/fts5/fts5_config.c bfba970fe1e4eed18ee57c8d51458e226db9a960ddf775c5e50e3d76603a667e
 F ext/fts5/fts5_expr.c 71d48e8cf0358deace4949276647d317ff7665db6db09f40b81e2e7fe6664c7c
 F ext/fts5/fts5_hash.c d5871df92ce3fa210a650cf419ee916b87c29977e86084d06612edf772bff6f5
-F ext/fts5/fts5_index.c 4191ee305c15860b02128d8952f2db1a2f44975cd394d8ea32f603c32c460f1f
+F ext/fts5/fts5_index.c 2e76c7a54a091dd97a832b9b8a4b1c70d26e511fab48eceb2bc42596b8bd78cf
 F ext/fts5/fts5_main.c b0fed47b3b4420ba6810373480a75bc28a9c0b7d16478d19a396436fb3ff17d7
 F ext/fts5/fts5_storage.c 19bc7c4cbe1e6a2dd9849ef7d84b5ca1fcbf194cefc3e386b901e00e08bf05c2
 F ext/fts5/fts5_tcl.c 2be6cc14f9448f720fd4418339cd202961a0801ea9424cb3d9de946f8f5a051c
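Review bot: The new test 13.0 carries no comment saying which corruption the hexdb reproduces, so the next person who has to regenerate or trim the dump has nothing to go on. From the dump itself, the `t_data` leaf on page 2 holds a run of roughly a thousand `0x80` bytes (offsets 3040–4051) ahead of the `hello` poslist fragment, which looks like an over-long varint / oversized position list feeding the loop in fts5PoslistFilterCallback; a line such as `# Page 2: %_data record whose position list is a long run of 0x80 varint continuation bytes (over-long varint). Exercises the chunk bound in fts5PoslistFilterCallback.` above `reset_db` would record that. Test 13.1 also pins a fully successful result, `{0 {{hello world} {foo bar}}}`; for a deliberately corrupt database a later hardening that rejects the record with SQLITE_CORRUPT_VTAB would be an equally valid outcome, so the expected value may prove brittle. Whether `sqlite3_fts5_may_be_corrupt` is set to 1 before this block is not visible in the hunk, only the trailing reset to 0 is.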
@@ -165,7 +165,7 @@ F ext/fts5/test/fts5corrupt.test 237fce1c3261bb3a5bec333b0f0dbf5b105ec32627ef14c
 F ext/fts5/test/fts5corrupt2.test 4a03a158c2cb617c9f76d26b35c1ef2534124bc0bbddcea38dfd5b170ebea27b
 F ext/fts5/test/fts5corrupt3.test 121a8a7622dfe1be1bc55cbe70eddd6a3416f76a837dc8c06a11a32e781595a4
 F ext/fts5/test/fts5corrupt4.test dc08d19f5b8943e95a7778a7d8da592042504faf18dd93f68f7d7a0d7d7dd733
-F ext/fts5/test/fts5corrupt5.test bdf6c04a1c9176507c8c0e66842b78b3fbcafccde20a41bb22a1b19896784b54
+F ext/fts5/test/fts5corrupt5.test b9085599389721b38f080f501660c931cd608f8ecbc93c23644344f74ef7aa21
 F ext/fts5/test/fts5corrupt6.test 2d72db743db7b5d9c9a6d0cfef24d799ed1aa5e8192b66c40e871a37ed9eed06
 F ext/fts5/test/fts5corrupt7.test 814aab492d7a09abb5bfdd81cc66fc206d7f3868f9a3bae91876e02efc466fb3
 F ext/fts5/test/fts5corrupt8.test 0b10750caf8aa23fa1c379ca4caf6130d41454505e4d5315590f4061eedcbe44
@@ -2207,8 +2207,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P d066699fcacd87496645f3aa3c4049935410ae2451879a033102304c80273deb
-R cf30ef725e80b5da70b496c1747bf479
-U drh
-Z d5d76c0310a71cb45cf5a887d4acb843
+P 1fb5e9169ace6bea2bdf9013f39002c1ce5dc9ce51d6007bec22d91f456c15f0
+R d9527843381a40353ef12c2a0218d617
+U dan
+Z 4c9563bf6ac5c9c0a0d3eac2b8130ffd
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 5041154832..929bd1c750 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-1fb5e9169ace6bea2bdf9013f39002c1ce5dc9ce51d6007bec22d91f456c15f0
+6ee44b199512b8cac604bf062f893a9047af4b5bfc881bb7cb69ae42d0a0adb4