From: drh <>
Date: Tue, 26 May 2026 15:09:07 +0000 (+0000)
Subject: Fix a potential 1-byte overread in sqlite3changeset_invert() when
X-Git-Tag: release~25
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=d38b6c0a19d2dd7c27d3ba5e52a3e6b9b10d717e;p=thirdparty%2Fsqlite.git

Fix a potential 1-byte overread in sqlite3changeset_invert() when
processing a corrupt buffer.

FossilOrigin-Name: 69554ec4e8354e8573071bc423e2dbd0059058388481be3e76fcb7c0fc1ff467
---
diff --git a/ext/session/sessioninvert.test b/ext/session/sessioninvert.test
index b9921f5e64..7c9b295f88 100755
--- a/ext/session/sessioninvert.test
+++ b/ext/session/sessioninvert.test
@@ -181,5 +181,11 @@ do_invert_test 4.1 {
   {UPDATE t1 0 X. {i 4 t three} {{} {} t four}}
 }
 
+#-------------------------------------------------------------------------
+#
+do_test 5.0 {
+  set C [db one {SELECT unhex('54000009')}]
+  list [catch { sqlite3changeset_invert $C } msg] $msg
+} {1 SQLITE_CORRUPT}
 
 finish_test
diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
index a4d77a690c..3634013ac4 100644
--- a/ext/session/sqlite3session.c
+++ b/ext/session/sqlite3session.c
@@ -4153,7 +4153,13 @@ static int sessionChangesetInvert(
 
     /* Test for EOF. */
     if( (rc = sessionInputBuffer(pInput, 2)) ) goto finished_invert;
-    if( pInput->iNext>=pInput->nData ) break;
+    if( pInput->iNext+1>=pInput->nData ){
+      if( pInput->iNext!=pInput->nData ){
+        rc = SQLITE_CORRUPT_BKPT;
+        goto finished_invert;
+      }
+      break;
+    }
     eType = pInput->aData[pInput->iNext];
 
     switch( eType ){
diff --git a/ext/session/test_session.c b/ext/session/test_session.c
index 1b09714225..be516e5825 100644
--- a/ext/session/test_session.c
+++ b/ext/session/test_session.c
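Review bot: Test 5.0 gives no hint of what the bytes in `unhex('54000009')` encode or which condition the expected SQLITE_CORRUPT pins, and the `#---` banner above it is empty. A comment would keep the case readable when the check it covers is touched again, e.g. `# Presumably a 'T' table header (0x54 0x00 0x00) followed by a single trailing 0x09 byte: a lone record-type byte with nothing after it must be reported as SQLITE_CORRUPT rather than treated as EOF.` Whether this file also runs the case in streaming mode (SESSION_STREAM_TCL_VAR in test_session.c) is not visible here; if it does not, a streamed variant would exercise the `sessionInputBuffer(pInput, 2)` refill path as well.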
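Review bot: The new guard changes what the `/* Test for EOF. */` block does, but the comment was left untouched, and nothing states why the loop now insists on two readable bytes (the `2` in `sessionInputBuffer(pInput, 2)` and the `+1` in the comparison are silently coupled). Suggest replacing the comment with `/* Test for EOF. A record is at least two bytes (eType plus one more), so a single trailing byte is corruption, not EOF. */`, adjusting the wording if the minimum record length is documented elsewhere in the file. The inner `pInput->iNext!=pInput->nData` also classifies iNext having run past nData as corruption; if that state is meant to be unreachable, an assert would document the intent better than folding it into the corrupt path. sessionChangesetInvert() begins and ends outside the hunk, so the switch cases that presumably read the byte after eType are not visible here.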
@@ -1095,7 +1095,7 @@ static int SQLITE_TCLAPI test_sqlite3changeset_invert(
   memset(&sIn, 0, sizeof(sIn));
   memset(&sOut, 0, sizeof(sOut));
   sIn.nStream = test_tcl_integer(interp, SESSION_STREAM_TCL_VAR);
-  sIn.aData = Tcl_GetByteArrayFromObj(objv[1], &nn);
+  sIn.aData = testGetByteArrayFromObj(objv[1], &nn);
   sIn.nData = (int)nn;
 
   if( sIn.nStream ){
@@ -1112,6 +1112,7 @@ static int SQLITE_TCLAPI test_sqlite3changeset_invert(
     Tcl_SetObjResult(interp,Tcl_NewByteArrayObj((unsigned char*)sOut.p,sOut.n));
   }
   sqlite3_free(sOut.p);
+  free(sIn.aData);
   return rc;
 }
 
diff --git a/manifest b/manifest
index 9f2ec62721..513d067bcd 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\s32-bit\sinteger\soverflow\sin\ssqlite3changegroup_change_blob()\sthat\ncould\slead\sto\sa\sbuffer\soverwrite.
-D 2026-05-26T14:23:36.811
+C Fix\sa\spotential\s1-byte\soverread\sin\ssqlite3changeset_invert()\swhen\s\nprocessing\sa\scorrupt\sbuffer.
+D 2026-05-26T15:09:07.010
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
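Review bot: The pointer returned by `testGetByteArrayFromObj(objv[1], &nn)` is stored into `sIn.aData` and used without a NULL check; the paired `free(sIn.aData)` added in the second hunk implies the helper now hands back a heap copy, so an allocation failure would be passed on as a NULL buffer with `sIn.nData` already set from `nn`. Something like `if( sIn.aData==0 && nn>0 ) return TCL_ERROR;` right after the assignment would close that, adjusted to whatever error convention the helper actually uses (its definition is not in this view). The function body between the two hunks is also outside the view, so any early return there would now leak the copy, and the pairing of plain `free()` with a helper whose allocator is not shown should be confirmed, given that the line above frees sOut.p with `sqlite3_free()`.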
@@ -562,7 +562,7 @@ F ext/session/sessiondiff.test e89f7aedcdd89e5ebac3a455224eb553a171e9586fc3e1e6a
 F ext/session/sessionfault.test c2b43d01213b389a3f518e90775fca2120812ba51e50444c4066962263e45c11
 F ext/session/sessionfault2.test b0d6a7c1d7398a7e800d84657404909c7d385965ea8576dc79ed344c46fbf41c
 F ext/session/sessionfault3.test 9397819ec25b0960c5bc03c78613f9cb5cacc970f83e817aec1775c2a839a787
-F ext/session/sessioninvert.test 9018f6a7387ac745084b6374c5e1aa14d648b372e6e1181cfab3df632b662d26 x
+F ext/session/sessioninvert.test 7ccb7609a2c11e4e13e606df439bf3d484ba8e455d0bd3aa8d4828a940e1a242 x
 F ext/session/sessionmem.test f2a735db84a3e9e19f571033b725b0b2daf847f3f28b1da55a0c1a4e74f1de09
 F ext/session/sessionnoact.test 2cf060c12a7a23e663f0ec796561e58638c5c10a846653d37be886414b06ddc9
 F ext/session/sessionnoop.test a9366a36a95ef85f8a3687856ebef46983df399541174cb1ede2ee53b8011bc7
@@ -572,9 +572,9 @@ F ext/session/sessionrowid.test 85187c2f1b38861a5844868126f69f9ec62223a03449a98a
 F ext/session/sessionsize.test 8fcf4685993c3dbaa46a24183940ab9f5aa9ed0d23e5fb63bfffbdb56134b795
 F ext/session/sessionstat1.test 5e718d5888c0c49bbb33a7a4f816366db85f59f6a4f97544a806421b85dc2dec
 F ext/session/sessionwor.test 6fd9a2256442cebde5b2284936ae9e0d54bde692d0f5fd009ecef8511f4cf3fc
-F ext/session/sqlite3session.c b290fc15a18e2ac239c2d3a8617fd34a05cb39b838a45e547ded2db0a578dd95
+F ext/session/sqlite3session.c e36c91f273e4d2ce11c9e3aaba160038c9703cda1feeb79a96bb00f3de1a6d5e
 F ext/session/sqlite3session.h 063e7bf7be2fff874456f452a224b5b3013b25682d108933b0351c93a1279b9c
-F ext/session/test_session.c 2a02a68b522e2f3d4a64b2a4733af54b0f3e500769aeccd5bcbdd440103db069
+F ext/session/test_session.c 9435a0d2c67b6c693bbf943657eeb83198efe06f796de80a6fd563013fa20bcc
 F ext/wasm/GNUmakefile 68c750f173106d9d63f12c1edf1256c6f4bad9894b155da5db64322f4912de4b
 F ext/wasm/README-dist.txt f01081a850ce38a56706af6b481e3a7878e24e42b314cfcd4b129f0f8427066a
 F ext/wasm/README.md 2e87804e12c98f1d194b7a06162a88441d33bb443efcfe00dc6565a780d2f259
@@ -2199,9 +2199,9 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 90eb6c22687449441824c7da5741a31e78bb78098c170382b230e851d03212c0
-Q +8a289158e2baeee8aa5e601bde46b0482361064ede09e4108f519270efdd5f69
-R 04e59fd679d81b5d0def33e9d765e8ec
+P f2a8ae2251561f2255c2974914293647cf304c6db79de9da957755fccaf8a8b6
+Q +78eaa605cb6c14e5bd49a898b4c737957bd60c8714913cc2341f4ffe3bfe81fe
+R 6bc5782cccdca586113cb0e4025d93e7
 U drh
-Z b3fb4c1477861bb76e1a170baea48365
+Z 6fdc2347a7f0dec009e4421d82865621
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 1dfcfe426c..bf6b01e33d 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-f2a8ae2251561f2255c2974914293647cf304c6db79de9da957755fccaf8a8b6
+69554ec4e8354e8573071bc423e2dbd0059058388481be3e76fcb7c0fc1ff467