database/sqlite
1
0
Fork 0
mirror of https://github.com/sqlite/sqlite.git synced 2025-08-08 14:02:16 +03:00
Code Activity

Extra space to prevent a buffer overread on corrupt STAT4 records.

Browse Source 
dbsqlfuzz 7128d1b41ce9df2c007f9c24c1e89e2f1b2590ca.

FossilOrigin-Name: b99135288b157044e2319833e8632c89483778f876aa45ee66e46ffb6ae42ab2
This commit is contained in:
drh
2023-06-10 17:05:05 +00:00
parent 6bbc5b3730
commit 04b92471f7
3 changed files with 11 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/analyze.c
View File

@@ -1849,14 +1849,15 @@ static int loadStatTbl(
decodeIntArray((char*)sqlite3_column_text(pStmt,2),nCol,pSample->anLt,0,0);
decodeIntArray((char*)sqlite3_column_text(pStmt,3),nCol,pSample->anDLt,0,0);
/* Take a copy of the sample. Add two 0x00 bytes the end of the buffer.
/* Take a copy of the sample. Add 8 extra 0x00 bytes the end of the buffer.
** This is in case the sample record is corrupted. In that case, the
** sqlite3VdbeRecordCompare() may read up to two varints past the
** end of the allocated buffer before it realizes it is dealing with
** a corrupt record. Adding the two 0x00 bytes prevents this from causing
** a corrupt record. Or it might try to read a large integer from the
** buffer. In any case, eight 0x00 bytes prevents this from causing
** a buffer overread. */
pSample->n = sqlite3_column_bytes(pStmt, 4);
pSample->p = sqlite3DbMallocZero(db, pSample->n + 2);
pSample->p = sqlite3DbMallocZero(db, pSample->n + 8);
if( pSample->p==0 ){
sqlite3_finalize(pStmt);
return SQLITE_NOMEM_BKPT;