From: drh <>
Date: Thu, 28 May 2026 10:18:42 +0000 (+0000)
Subject: Fix potential integer overflow in btree overflow page cache computation.
X-Git-Tag: release~24
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=a15c39423325496b74d64c9c8e1c15a01955e57c;p=thirdparty%2Fsqlite.git
Fix potential integer overflow in btree overflow page cache computation.
FossilOrigin-Name: 093e23814e35f0cd0a4bded29b79ddecd7835626d9fe627bfbf4eb138403277f
---
diff --git a/manifest b/manifest
index 513d067bcd..051804ec52 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\spotential\s1-byte\soverread\sin\ssqlite3changeset_invert()\swhen\s\nprocessing\sa\scorrupt\sbuffer.
-D 2026-05-26T15:09:07.010
+C Fix\spotential\sinteger\soverflow\sin\sbtree\soverflow\spage\scache\scomputation.
+D 2026-05-28T10:18:42.376
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -675,7 +675,7 @@ F src/auth.c ebec42df26b34a62b6750d30d9c2c03554a1c522020182476f7729a439fef04f
 F src/backup.c 5c97e8023aab1ce14a42387eb3ae00ba5a0644569e3476f38661fa6f824c3523
 F src/bitvec.c e242d4496774dfc88fa278177dd23b607dce369ccafb3f61b41638eea2c9b399
 F src/btmutex.c 30dada73a819a1ef5b7583786370dce1842e12e1ad941e4d05ac29695528daea
-F src/btree.c 4b074c6d2ca43e683d64297c915be620e2be84b2f22c1da21045249ed1490f03
+F src/btree.c b699db0283d6a68f9ebafc8559a63c40eb1b3fdeed3e448c8d8ba3a648c914a2
 F src/btree.h e823c46d87f63d904d735a24b76146d19f51f04445ea561f71cc3382fd1307f0
 F src/btreeInt.h 9c0f9ea5c9b5f4dcaea18111d43efe95f2ac276cd86d770dce10fd99ccc93886
 F src/build.c 8581de0af3b6c448f5d64e2d18a91ac1e7057b3bcb8b8827e1240f80d87486a4
@@ -2199,9 +2199,9 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P f2a8ae2251561f2255c2974914293647cf304c6db79de9da957755fccaf8a8b6
-Q +78eaa605cb6c14e5bd49a898b4c737957bd60c8714913cc2341f4ffe3bfe81fe
-R 6bc5782cccdca586113cb0e4025d93e7
+P 69554ec4e8354e8573071bc423e2dbd0059058388481be3e76fcb7c0fc1ff467
+Q +dfa674d6e6bffdb930dbefa767831db7862c322b6d3c7a6322f0fa0f087aaaf9
+R 6720d86b55a7d4bc94312afbba0be7c7
 U drh
-Z 6fdc2347a7f0dec009e4421d82865621
+Z 98c44a23a6dc62cccc38080934b0ae3d
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index bf6b01e33d..70f2ab599c 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-69554ec4e8354e8573071bc423e2dbd0059058388481be3e76fcb7c0fc1ff467
+093e23814e35f0cd0a4bded29b79ddecd7835626d9fe627bfbf4eb138403277f
diff --git a/src/btree.c b/src/btree.c
index 8e6f3f1079..56a826ef69 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -5185,7 +5185,9 @@ static int accessPayload(
 ** means "not yet known" (the cache is lazily populated). */
 if( (pCur->curFlags & BTCF_ValidOvfl)==0 ){
- int nOvfl = (pCur->info.nPayload-pCur->info.nLocal+ovflSize-1)/ovflSize;
+ i64 nOvfl = pCur->info.nPayload;
+ testcase( nOvfl - pCur->info.nLocal + ovflSize - 1 > 0xffffffffU );
+ nOvfl = (nOvfl - pCur->info.nLocal + ovflSize-1)/ovflSize;
 if( pCur->aOverflow==0
 || nOvfl*(int)sizeof(Pgno) > sqlite3MallocSize(pCur->aOverflow)
 ){