From: drh <> Date: Mon, 25 May 2026 18:50:36 +0000 (+0000) Subject: Fix a potential 1 byte overwrite that could occur when processing X-Git-Tag: release~31 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=bf5c8d7d16c37242fc33a0021d10d044487421a1;p=thirdparty%2Fsqlite.git Fix a potential 1 byte overwrite that could occur when processing a carefully crafted super-journal file. FossilOrigin-Name: f654fa5ac938bb61d917fc33298052f5bd7a6e5e33b0539ac15cbd45bec023d3 --- diff --git a/manifest b/manifest index 0a151c0467..1cda8777f0 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Fix\sa\spotential\sbuffer\soverwrite\sthat\scould\soccur\swhen\sin\sfts5\swhen\shandling\scorrupt\srecords. -D 2026-05-25T17:23:58.807 +C Fix\sa\spotential\s1\sbyte\soverwrite\sthat\scould\soccur\swhen\sprocessing\na\scarefully\scrafted\ssuper-journal\sfile. +D 2026-05-25T18:50:36.784 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea @@ -723,7 +723,7 @@ F src/os_setup.h 8efc64eda6a6c2f221387eefc2e7e45fd5a3d5c8337a7a83519ba4fbd2957ae F src/os_unix.c 92a1773139e0c6206a927c7e1648b06287583570b6e253210a06ee3886739d39 F src/os_win.c 938805c15e855819cb0874aea560c3a7250175d311a5494b47a4f8b69dcd59c0 F src/os_win.h 5e168adf482484327195d10f9c3bce3520f598e04e07ffe62c9c5a8067c1037b -F src/pager.c fe34fd22ec251436985d7b6ebdd05bf238a17901c2cb23d3d28974dd2361a912 +F src/pager.c 5e98a67fad5e33c9588460c42063859d22aca8d3140865fd411056dd360b26c2 F src/pager.h 6137149346e6c8a3ddc1eeb40aee46381e9bc8b0fcc6dda8a1efde993c2275b8 F src/parse.y d5a3c5b0277a441c38b35071c05e2b61ff5fc918a63309c809f4b6706179c320 F src/pcache.c 588cc3c5ccaaadde689ed35ce5c5c891a1f7b1f4d1f56f6cf0143b74d8ee6484 
@@ -1442,7 +1442,7 @@ F test/misc6.test 953cc693924d88e6117aeba16f46f0bf5abede91 F test/misc7.test d595599972ec0b436985f0f02f243b68500ffc977b9b3194ec66c0866cfddcab F test/misc8.test 08d2380bc435486b12161521f225043ac2be26f02471c2c1ea4cac0b1548edbd F test/misuse.test 859f37014d9824ca66bd90c36372c08c80c51c9593a7cfa8a31d4f92cd4d5b7f -F test/mjournal.test 28a08d5cb5fb5b5702a46e19176e45e964e0800d1f894677169e79f34030e152 +F test/mjournal.test dcee98981209630e158537ea340501388cb57b7a56e806dee3128202432bee0a F test/mmap1.test 18de3fd7b70a777af6004ca2feecfcdd3d0be17fa04058e808baf530c94b1a1d F test/mmap2.test dba452dc7db91e9df10f70bdd73dc4190c7b8ee7b5133b4684f04277ada0b9ac F test/mmap3.test b3c297e78e6a8520aafcc1a8f140535594c9086e @@ -2198,9 +2198,10 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P 39a72dbe53c94be6784fa042cf093151eff43d67086449a4da975416adde120a -Q +de009593f692251c4a033742b1e79c4ddb5ddcb174209d58c4d1bea19ceb360c -R 2f9fc7664870f8a1c148f05002b9cd69 +P 02733fc4bc27df64b50ca5027ac94fc643146efb24bb4fdbcc70c45e1c58c919 +Q +897b443fb35d550891315890a5af473d347af3b6ecea11fcafafb5b06a1b50a5 +Q +b3766c3afd0ac4d31f158ee5938f19d72a047872e422b5f19b1567c60640f54d +R c3fc380e6153a86c5f44e942f9507e62 U drh -Z 92b7e76790604b028c0081ea890bc948 +Z 56866845b858bde42dad2a731387b4be # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 20b1884215..a3c08e2e6b 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -02733fc4bc27df64b50ca5027ac94fc643146efb24bb4fdbcc70c45e1c58c919 +f654fa5ac938bb61d917fc33298052f5bd7a6e5e33b0539ac15cbd45bec023d3 diff --git a/src/pager.c b/src/pager.c index 61b391d6b4..eafa17adcf 100644 --- a/src/pager.c +++ b/src/pager.c 
@@ -2566,7 +2566,7 @@ static int pager_delsuper(Pager *pPager, const char *zSuper){
 if( rc!=SQLITE_OK ) goto delsuper_out;
 nSuperPtr = 1 + (i64)pVfs->mxPathname;
 assert( nSuperJournal>=0 && nSuperPtr>0 );
- zFree = sqlite3Malloc(4 + nSuperJournal + nSuperPtr + 2);
+ zFree = sqlite3Malloc(4 + nSuperJournal + 2 + nSuperPtr + 2);
 if( !zFree ){
 rc = SQLITE_NOMEM_BKPT;
 goto delsuper_out;
@@ -2827,10 +2827,10 @@ static int pager_playback(Pager *pPager, int isHot){
 **
 ** TODO: Technically the following is an error because it assumes that
 ** buffer Pager.pTmpSpace is (mxPathname+1) bytes or larger. i.e. that
- ** (pPager->pageSize >= pPager->pVfs->mxPathname+1). Using os_unix.c,
+ ** ((pPager->pageSize+8) >= pPager->pVfs->mxPathname+1). Using os_unix.c,
 ** mxPathname is 512, which is the same as the minimum allowable value
- ** for pageSize.
- */
+ ** for pageSize, and so this assumption holds. But it might not for some
+ ** custom VFS. */
 zSuper = pPager->pTmpSpace;
 rc = readSuperJournal(pPager->jfd, zSuper, 1+(i64)pPager->pVfs->mxPathname);
 if( rc==SQLITE_OK && zSuper[0] ){
diff --git a/test/mjournal.test b/test/mjournal.test
index 7aaa86bae0..c7c12c7d6c 100644
--- a/test/mjournal.test
+++ b/test/mjournal.test
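Review bot: The widened allocation `zFree = sqlite3Malloc(4 + nSuperJournal + 2 + nSuperPtr + 2);` is the line that closes the one-byte overwrite, yet nothing in the hunk says which region of the buffer each term reserves, so a later edit can shrink the sum again without noticing what it protects. A comment tying the terms to the layout would prevent that, e.g. `/* 4 leading bytes, the super-journal content plus two terminators, then the child-journal name buffer (nSuperPtr) plus two terminators */`, adjusted to whatever the pointer arithmetic after this hunk actually carves out. The `assert( nSuperJournal>=0 && nSuperPtr>0 )` just above only bounds the terms from below; if nSuperJournal is taken from the on-disk file size, as the name suggests, a comment stating that sqlite3Malloc rejects oversize requests (or an explicit upper bound) would make the size reasoning complete. pager_delsuper continues outside the hunk, so the writes this allocation must cover are not visible here.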
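Review bot: The reworded comment now states outright that the read into `pPager->pTmpSpace` can overrun the buffer for a custom VFS whose mxPathname+1 exceeds pageSize+8, but the code below it still passes `1+(i64)pPager->pVfs->mxPathname` to readSuperJournal with no check. Documenting a known overrun is weaker than guarding it: a one-line check before the read, `if( pPager->pVfs->mxPathname+1 > pPager->pageSize+8 ){ /* fail the playback via the error path this function already uses */ }`, or at minimum `assert( pPager->pVfs->mxPathname+1 <= pPager->pageSize+8 );`, would turn the assumption into something enforced rather than a TODO. Whether pTmpSpace really is pageSize+8 bytes, and which error code and cleanup label pager_playback uses, is outside the hunk and should be confirmed before picking the form of the guard.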
@@ -159,4 +159,60 @@ do_hasmj_test 2.3 {
 COMMIT;
 } {0}
+#-------------------------------------------------------------------------
+reset_db
+
+do_execsql_test 3.0 {
+ PRAGMA synchronous = OFF;
+ CREATE TABLE t1(x, y);
+}
+
+do_execsql_test 3.1 {
+ BEGIN;
+ INSERT INTO t1 VALUES(100, 200);
+}
+
+db_save
+db close
+db_restore
+
+do_test 3.2 {
+
+ # Append super-journal name to test.db-journal
+ #
+ set mjname [file join [pwd] test.db-super]
+ binary scan $mjname c* bytes
+ set cksum 0
+ foreach b $bytes { incr cksum $b }
+ set fd [open test.db-journal a+]
+ fconfigure $fd -translation binary -encoding iso8859-1
+ puts -nonewline $fd $mjname
+ puts -nonewline $fd [binary format I [string length $mjname]]
+ puts -nonewline $fd [binary format I $cksum]
+ puts -nonewline $fd [binary decode hex "d9d505f920a163d7"]
+ close $fd
+
+ # Create super-journal
+ #
+ set fd [open test.db-super w]
+ fconfigure $fd -translation binary -encoding iso8859-1
+ puts -nonewline $fd "test2.db-journal\0test.db-journal\0"
+ close $fd
+
+ # Create corrupt child journal
+ #
+ set fd [open test2.db-journal w]
+ fconfigure $fd -translation binary -encoding iso8859-1
+ puts -nonewline $fd [binary decode hex "00200001[string repeat 41 512]"]
+ puts -nonewline $fd [binary decode hex "0000020000008200d9d505f920a163d7"]
+ close $fd
+} {}
+
+sqlite3 db test.db
+do_execsql_test 3.3 {
+ SELECT * FROM sqlite_schema
+} {table t1 t1 2 {CREATE TABLE t1(x, y)}}
+
+
 finish_test
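Review bot: The bytes written for the corrupt child journal in test 3.2 — `00200001` followed by 512 repeats of `41`, then `0000020000008200d9d505f920a163d7` — are given without saying which journal fields they form or what about them is corrupt, so the test cannot be kept in step with the journal format by anyone who did not write it. The header comment `# Create corrupt child journal` would carry more if it named the construction, e.g. `# Create corrupt child journal: fields crafted so that processing it exercises the one-byte overwrite fixed in pager.c`, if that is the scenario the commit title describes. The trailing eight bytes `d9d505f920a163d7` also appear in the super-journal pointer appended to test.db-journal; naming them once as the journal magic would let a reader connect the two writes. Test 3.3 checks only that the schema survives, which is a reasonable proxy, but a comment saying that a crash or a corrupt schema is the failure being guarded against would make the intent explicit.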