Avoid use-after-free and double-free errors that could occur if an fts5 table

is modified in certain ways while there are active cursors. FossilOrigin-Name: 3291b2a6fe6f38ae91b933e5cd2bf7d97432374b4fb1fccd92b4bd759b02ee06
2026-01-06 08:01:16 +03:00 · 2019-01-10 17:08:20 +00:00
parent c80864d77a
commit 25e3073741
5 changed files with 62 additions and 12 deletions
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -512,7 +512,6 @@ struct Fts5Iter {
  Fts5IndexIter base;             /* Base class containing output vars */

  Fts5Index *pIndex;              /* Index that owns this iterator */
-  Fts5Structure *pStruct;         /* Database structure for this iterator */
  Fts5Buffer poslist;             /* Buffer containing current poslist */
  Fts5Colset *pColset;            /* Restrict matches to these columns */

@@ -2758,7 +2757,6 @@ static void fts5MultiIterFree(Fts5Iter *pIter){
    for(i=0; i<pIter->nSeg; i++){
      fts5SegIterClear(&pIter->aSeg[i]);
    }
-    fts5StructureRelease(pIter->pStruct);
    fts5BufferFree(&pIter->poslist);
    sqlite3_free(pIter);
  }
@@ -3404,7 +3402,6 @@ static void fts5MultiIterNew(
  if( pNew==0 ) return;
  pNew->bRev = (0!=(flags & FTS5INDEX_QUERY_DESC));
  pNew->bSkipEmpty = (0!=(flags & FTS5INDEX_QUERY_SKIPEMPTY));
-  pNew->pStruct = pStruct;
  pNew->pColset = pColset;
  fts5StructureRef(pStruct);
  if( (flags & FTS5INDEX_QUERY_NOOUTPUT)==0 ){
--- a/ext/fts5/test/fts5corrupt3.test
+++ b/ext/fts5/test/fts5corrupt3.test
@@ -3512,6 +3512,40 @@ do_catchsql_test 30.1 {
  SELECT fts5_decode(id, block) FROM t1_data;
 } {1 {database disk image is malformed}}

+#-------------------------------------------------------------------------
+reset_db
+do_test 31.0 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+| size 8192 pagesize 4096 filename crash-7629f35f11d48e.db
+| page 1 offset 0
+|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+|     16: 10 00 01 01 00 40 20 20 00 00 00 00 00 00 00 02   .....@  ........
+|     32: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 04   ................
+|     48: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00   ................
+|     96: 00 00 00 00 0d 00 00 00 01 0f c7 00 0f c7 00 00   ................
+|   4032: 00 00 00 00 00 00 00 37 01 06 17 15 15 01 53 74   .......7......St
+|   4048: 61 62 6c 65 64 75 61 6c 64 75 61 6c 02 43 52 45   abledualdual.CRE
+|   4064: 41 54 45 20 54 41 42 4c 45 20 64 75 61 6c 28 64   ATE TABLE dual(d
+|   4080: 75 6d 6d 79 20 76 61 72 28 31 29 29 0d 00 00 00   ummy var(1))....
+| page 2 offset 4096
+|      0: 01 0f fb 00 0f fb 00 00 00 00 00 00 00 00 00 00   ................
+|   4080: 00 00 00 00 00 00 00 00 00 00 00 03 01 02 0f 58   ...............X
+| end crash-7629f35f11d48e.db
+}]} {}
+
+do_execsql_test 31.1 {
+  CREATE VIRTUAL TABLE t1 USING fts5(a,b,c);
+  WITH RECURSIVE c(x) AS (VALUES(1) UNION ALL SELECT x+1 FROM c WHERE x<72)
+    INSERT INTO t1(a) SELECT randomblob(2829) FROM c;
+  WITH RECURSIVE c(x) AS (VALUES(1) UNION ALL SELECT x+1 FROM c WHERE x<10)
+    INSERT INTO t1(a) SELECT randomblob(3000) FROM c;
+}
+
+do_catchsql_test 31.2 {
+  DELETE FROM t1 WHERE a MATCH X'6620e574f32a';
+} {0 {}}
+
 sqlite3_fts5_may_be_corrupt 0
 finish_test

--- a/ext/fts5/test/fts5update.test
+++ b/ext/fts5/test/fts5update.test
@@ -115,5 +115,24 @@ do_execsql_test 2.2.integrity {
  INSERT INTO x2(x2) VALUES('integrity-check');
 }

+#-------------------------------------------------------------------------
+#
+do_execsql_test 3.0 {
+  CREATE VIRTUAL TABLE x3 USING fts5(x, detail=%DETAIL%);
+  INSERT INTO x3 VALUES('one');
+  INSERT INTO x3 VALUES('two');
+  INSERT INTO x3 VALUES('one');
+  INSERT INTO x3 VALUES('two');
+  INSERT INTO x3 VALUES('one');
+}
+
+do_test 3.1 {
+  db eval { SELECT * FROM x3('one') } {
+    db eval {
+      INSERT INTO x3(x3) VALUES('optimize');
+    }
+  }
+} {}
+
 }
 finish_test
--- a/16
+++ b/16
@@ -1,5 +1,5 @@
-C Fix\sfurther\sproblems\swith\sfts5\shandling\scorrupt\sdatabases.
-D 2019-01-10T15:17:32.879
+C Avoid\suse-after-free\sand\sdouble-free\serrors\sthat\scould\soccur\sif\san\sfts5\stable\nis\smodified\sin\scertain\sways\swhile\sthere\sare\sactive\scursors.
+D 2019-01-10T17:08:20.419
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in d8b254f8bb81bab43c340d70d17dc3babab40fcc8a348c8255881f780a45fee6
@@ -115,7 +115,7 @@ F ext/fts5/fts5_buffer.c 9d7bd654123832879c9f7e2d37f37aebcc3271e65a5e56d9410d81e
 F ext/fts5/fts5_config.c eeec97cb0237991e7fa3bbae07b5cc354e3f238b661200c11228fe167c18f882
 F ext/fts5/fts5_expr.c 188d1dca5a262a0708efc5deb809f1aa6ecea4158986a439d2670cfe72d10b65
 F ext/fts5/fts5_hash.c d415f5ad332b051f0ade564bcf1762c4467cc49b2ba8ea5873d8744c705d8d42
-F ext/fts5/fts5_index.c 8663717e84a7b5006c24fb35b5dd438e153281e41f846fb2ecdbab0584750281
+F ext/fts5/fts5_index.c ec0ca720bf3d564adc659791c6a9e7b98b019b4083882b4ea9173e1870035645
 F ext/fts5/fts5_main.c 90062ccfc54031ff97660e277d868ec080c5b46e42d784856385b12645e60ed6
 F ext/fts5/fts5_storage.c 00db5029ee470172c1a79d7182808b678ee21b7ea1f63618bcb0591bf8cf7f8a
 F ext/fts5/fts5_tcl.c 39bcbae507f594aad778172fa914cad0f585bf92fd3b078c686e249282db0d95
@@ -156,7 +156,7 @@ F ext/fts5/test/fts5connect.test 08030168fc96fc278fa81f28654fb7e90566f33aff269c0
 F ext/fts5/test/fts5content.test 688d5ac7af194ebc67495daea76a69e3cd5480122c2320e72d41241b423b4116
 F ext/fts5/test/fts5corrupt.test 77ae6f41a7eba10620efb921cf7dbe218b0ef232b04519deb43581cb17a57ebe
 F ext/fts5/test/fts5corrupt2.test 7453752ba12ce91690c469a6449d412561cc604b1dec994e16ab132952e7805f
-F ext/fts5/test/fts5corrupt3.test c50be432a544a98761202b9814f40e17c5ef007bf351ec22474015d828f354d6
+F ext/fts5/test/fts5corrupt3.test 87c1289b4d9520f3ca5ca62d5ecf7926d09da8336d1d40a37aa52303ae5bcd06
 F ext/fts5/test/fts5delete.test cbf87e3b8867c4d5cfcaed975c7475fd3f99d072bce2075fcedf43d1f82af775
 F ext/fts5/test/fts5detail.test 31b240dbf6d44ac3507e2f8b65f29fdc12465ffd531212378c7ce1066766f54e
 F ext/fts5/test/fts5determin.test 1b77879b2ae818b5b71c859e534ee334dac088b7cf3ff3bf76a2c82b1c788d11
@@ -215,7 +215,7 @@ F ext/fts5/test/fts5unicode2.test 9b3df486de05fb4bde4aa7ee8de2e6dae1df6eb90e3f2e
 F ext/fts5/test/fts5unicode3.test 590c72e18195bda2446133f9d82d04a4e89d094bba58c75ae10f4afc6faa0744
 F ext/fts5/test/fts5unicode4.test 6463301d669f963c83988017aa354108be0b947d325aef58d3abddf27147b687
 F ext/fts5/test/fts5unindexed.test 9021af86a0fb9fc616f7a69a996db0116e7936d0db63892db6bafabbec21af4d
-F ext/fts5/test/fts5update.test 0737876e20e97a6a6abf45de19fc99315727bcee6a83fadcada1cc080b9aa8f0
+F ext/fts5/test/fts5update.test 8486224b6174c71e459a467f49a9bb67a7656fd54a995b48be1b0dc3bdcf18af
 F ext/fts5/test/fts5version.test c8f2cc105f0abf0224965f93e584633dee3e06c91478bc67e468f7cfdf97fd6a
 F ext/fts5/test/fts5vocab.test 26e069050d6fb389e67f7a9402421948233152ae433e6b8da47cf15d3b5a8d26
 F ext/fts5/test/fts5vocab2.test 5472d6cd852fe848876892c48a754c82af018bf08ca16f1f167db59dc64586f7
@@ -1797,7 +1797,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 10f9e39d6ed2413fa9abc6c82da3ed48f32a42b6190b6219fca7faf850d05113
-R 72fda51f0f3fbf7bf16292ae38b5ad54
+P 83c467d7af63bd2e7800aff4fe9b09dbd75557460b75a9e07205dfae7e28312c
+R 3351e2aae6403322cbe69ee0af9a55bf
 U dan
-Z 0a29b0d3fdcd0377c1379ed4158ea092
+Z 309e7dae9990d8d0bb0ac224fef52616
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-83c467d7af63bd2e7800aff4fe9b09dbd75557460b75a9e07205dfae7e28312c
+3291b2a6fe6f38ae91b933e5cd2bf7d97432374b4fb1fccd92b4bd759b02ee06