From: dan Date: Tue, 19 May 2026 20:27:54 +0000 (+0000) Subject: Fix a potential buffer overread in fts5 that could occur when handling corrupt records. X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=8154476ff86860490f2aaa1626909ad5a10a65df;p=thirdparty%2Fsqlite.git Fix a potential buffer overread in fts5 that could occur when handling corrupt records. FossilOrigin-Name: 70021c3291b38192832c99fa4d8155249dd39f5b26334595c71f5cee66d13ebb
---
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 374a00e887..ffb356a0d3 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -3706,7 +3706,7 @@ static void fts5IndexExtractColset(
 /* Advance pointer p until it points to pEnd or an 0x01 byte that is ** not part of a varint */
 while( paiCol[i]==iCurrent ){
diff --git a/ext/fts5/test/fts5corruptA.test b/ext/fts5/test/fts5corruptA.test
index 925b2f9360..dc6a2df40b 100644
--- a/ext/fts5/test/fts5corruptA.test
+++ b/ext/fts5/test/fts5corruptA.test
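Review bot: The removed and added lines of this hunk are not visible on this page — the text between `while( p` and `aiCol[i]==iCurrent ){` has been dropped, most likely an HTML `<`…`>` span stripped in rendering — so the bound check the commit message describes cannot be reviewed here. What the surviving context shows is the loop that advances `p` to `pEnd` or to a `0x01` byte that is not part of a varint; the thing to confirm in the real diff is that each byte consumed while skipping a varint is compared against `pEnd` before it is read, not only the byte tested at the top of the loop, because a run of bytes with the continuation bit set right up to the end of a corrupt poslist (the 0xFF fill injected by fts5corruptA.test 3.0) is what walks past the buffer. It is worth running fts5corruptA.test once under `-fsanitize=address` on the pre-fix build to confirm the new test actually reproduces the overread rather than passing by luck of the adjacent allocation. The enclosing function fts5IndexExtractColset starts and ends outside the hunk.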
@@ -96,6 +96,33 @@ do_catchsql_test 2.2 {
 SELECT rowid FROM t1('cccccccccccccccccccccccccccccccccccccccccccccccc');
 } {1 {fts5: corruption on page 1, segment 1, table "t1"}}
 
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 3.0 {
+ CREATE VIRTUAL TABLE t1 USING fts5(a, b, c);
+ INSERT INTO t1 VALUES(
+ 'hello',
+ 'alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima mike november oscar papa quebec romeo sierra tango uniform victor whiskey xray yankee zulu',
+ 'ant bear cat dog elephant fox gorilla hippo iguana jaguar kangaroo lion monkey newt octopus panda quail rabbit snake turtle unicorn vulture walrus xerus yak zebra'
+ );
+
+ UPDATE t1_data SET block = unhex(
+ -- Preserve bytes 0-168: header through hello's nSz field
+ hex(substr(block, 1, 169))
+ -- Inject 448 bytes of 0xFF: corrupted poslist + subsequent term data
+ || replace(hex(zeroblob(448)), '00', 'FF')
+ -- Preserve 16 bytes of page index needed for hello lookup
+ || hex(substr(block, 618, 16))
+ -- Corrupt remaining 37 footer bytes (not needed for hello lookup)
+ || replace(hex(zeroblob(37)), '00', 'FF')
+ )
+ WHERE id = 137438953473;
+}
+
+do_test 3.1 {
+ execsql { SELECT * FROM t1 WHERE t1 MATCH '{a b}: hello' }
+ set {} {}
+} {}
+
 sqlite3_fts5_may_be_corrupt 0
 finish_test
-
diff --git a/manifest b/manifest
index e7ddb14395..3a38d04dc4 100644
--- a/manifest
+++ b/manifest
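Review bot: Test 3.1 asserts only that `execsql` does not raise; `set {} {}` throws the result away, so the case cannot tell rows from an empty result, and if the intended behaviour is for fts5 to report the corruption rather than tolerate it, a future regression that flips between the two outcomes surfaces only as an opaque failure. Consider `do_catchsql_test 3.1 { SELECT * FROM t1 WHERE t1 MATCH '{a b}: hello' } {0 {}}` — or the expected corruption message, whichever the fix intends — so the expected outcome is explicit in the test. The byte offsets 169/448/618/37 and `id = 137438953473` in 3.0 are tied to the exact leaf layout produced by the INSERT; the inline SQL comments already explain each piece's role, and naming the assumption they rest on (whatever page size and segment layout 3.0 relies on) in the first comment would help whoever has to re-derive them when the encoding changes.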
@@ -1,5 +1,5 @@ -C Silently\signore\snested\sporter\stokenizers\sin\sFTS5.\s\sHaving\snested\sporter\ntokenizers\sis\spointless,\sbut\sit\sdoes\suse\sstack\sspace\sunnecessarily.\n[bugs:/forumpost/a7766198f1|Bug\sreport\sa7766198f1]. -D 2026-05-19T19:33:49.913 +C Fix\sa\spotential\sbuffer\soverread\sin\sfts5\sthat\scould\soccur\swhen\shandling\scorrupt\srecords. +D 2026-05-19T20:27:54.708 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea @@ -113,7 +113,7 @@ F ext/fts5/fts5_buffer.c dcc3f0352339fe79c9d8abbc1c2009bc3469206467880bf43558447 F ext/fts5/fts5_config.c bfba970fe1e4eed18ee57c8d51458e226db9a960ddf775c5e50e3d76603a667e F ext/fts5/fts5_expr.c 71d48e8cf0358deace4949276647d317ff7665db6db09f40b81e2e7fe6664c7c F ext/fts5/fts5_hash.c d5871df92ce3fa210a650cf419ee916b87c29977e86084d06612edf772bff6f5 -F ext/fts5/fts5_index.c ef212de7aed4872fbf3c414f501b8586a4870f282e79e5f5c083e8fc816c1eea +F ext/fts5/fts5_index.c 4ac3d9e9f83280d9b7bf29c0948c3a1ed17533ecaab3fbf0ad95218c3409b42e F ext/fts5/fts5_main.c b0fed47b3b4420ba6810373480a75bc28a9c0b7d16478d19a396436fb3ff17d7 F ext/fts5/fts5_storage.c 19bc7c4cbe1e6a2dd9849ef7d84b5ca1fcbf194cefc3e386b901e00e08bf05c2 F ext/fts5/fts5_tcl.c 2be6cc14f9448f720fd4418339cd202961a0801ea9424cb3d9de946f8f5a051c 
@@ -169,7 +169,7 @@ F ext/fts5/test/fts5corrupt6.test 2d72db743db7b5d9c9a6d0cfef24d799ed1aa5e8192b66 F ext/fts5/test/fts5corrupt7.test 814aab492d7a09abb5bfdd81cc66fc206d7f3868f9a3bae91876e02efc466fb3 F ext/fts5/test/fts5corrupt8.test 0b10750caf8aa23fa1c379ca4caf6130d41454505e4d5315590f4061eedcbe44 F ext/fts5/test/fts5corrupt9.test 4253b9b59f33effac8b67da72ec34309c738aca2d5e8e2656bfbbd6a489a1dfe -F ext/fts5/test/fts5corruptA.test 592787ad5f4e10177861e1efa231819a9d77038f8c605c81c7e41b63c2436f15 +F ext/fts5/test/fts5corruptA.test 7b31551444569420903d34ae50a55a1227d16969264f0b50de2dc812bc0b3414 F ext/fts5/test/fts5corruptbig.test 9f95b40fa36e292feceab02b2ef06e21878bfa1ac7afefa138aae05518b51774 F ext/fts5/test/fts5delete.test 2a5008f8b1174ef41d1974e606928c20e4f9da77d9f8347aed818994d89cced4 F ext/fts5/test/fts5detail.test 54015e9c43ec4ba542cfb93268abdf280e0300f350efd08ee411284b03595cc4 @@ -2205,8 +2205,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P c20cb75ca07d0553d7a847c65a40efb2e5c587579ec32b02121a8963c70db12f -R a0856429c8b463de3af8d046e5aa8425 -U drh -Z 074530ae03de0bc55aa18e545a3a8127 +P 0bdeedf56c9d7209d1ea8f950d0ef03c78cbf677528d9d30c5f4ec48c4e1a571 +R ff653f1bd0df57be89423e3ea714f832 +U dan +Z 1d38bbb8dfe18d91c29fbafebf7a7b6a # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index d092a2abe5..703040a9e1 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -0bdeedf56c9d7209d1ea8f950d0ef03c78cbf677528d9d30c5f4ec48c4e1a571 +70021c3291b38192832c99fa4d8155249dd39f5b26334595c71f5cee66d13ebb