Fix a potential NULL-pointer deference in RTREE due to corrupt shadow tables.

FossilOrigin-Name: 1fdd3604eef880414682e9e6f74d714520fe1c63f267ec4da752d2dc1da6bf72
2025-07-29 08:01:23 +03:00 · 2018-12-21 17:51:30 +00:00
parent fb077f3c50
commit 273e01b4c6
4 changed files with 118 additions and 10 deletions
--- a/ext/rtree/rtreefuzz001.test
+++ b/ext/rtree/rtreefuzz001.test
@ -472,7 +472,6 @@ do_test rtreefuzz001-100 {
 do_test rtreefuzz001-200 {
  sqlite3 db {}
  db deserialize [decode_hexdb {
-.open --hexdb
 | size 16384 pagesize 4096 filename c3.db
 | page 1 offset 0
 |      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
@ -568,4 +567,109 @@ do_test rtreefuzz001-210 {
  }
 } {1 {database disk image is malformed}}

+do_test rtreefuzz001-300 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+| size 16384 pagesize 4096 filename c4.db
+| page 1 offset 0
+|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+|     16: 10 00 01 01 00 40 20 20 00 00 00 00 00 00 00 04   .....@  ........
+|     32: 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 04   ................
+|     96: 00 00 00 00 0d 00 00 00 04 0e 9c 00 0f ad 0f 4f   ...............O
+|    112: 0e fc 0e 9c 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|   3728: 00 00 00 00 00 00 00 00 00 00 00 00 5e 04 07 17   ............^...
+|   3744: 1f 1f 01 81 0b 74 61 62 6c 65 74 31 5f 70 61 72   .....tablet1_par
+|   3760: 65 6e 74 74 31 5f 70 61 72 65 6e 74 04 43 52 45   entt1_parent.CRE
+|   3776: 41 54 45 20 54 41 42 4c 45 20 22 74 31 5f 70 61   ATE TABLE "t1_pa
+|   3792: 72 65 6e 74 22 28 6e 6f 64 65 6e 6f 20 49 4e 54   rent"(nodeno INT
+|   3808: 45 47 45 52 20 50 52 49 4d 41 52 59 20 4b 45 59   EGER PRIMARY KEY
+|   3824: 2c 70 61 72 65 6e 74 6e 6f 64 65 29 51 03 06 17   ,parentnode)Q...
+|   3840: 1b 1b 01 7b 74 61 62 6c 65 74 31 5f 6e 6f 64 65   ....tablet1_node
+|   3856: 74 31 5f 6e 6f 64 65 03 43 52 45 41 54 45 20 54   t1_node.CREATE T
+|   3872: 41 42 4c 45 20 22 74 31 5f 6e 6f 64 65 22 28 6e   ABLE "t1_node"(n
+|   3888: 6f 64 65 6e 6f 20 49 4e 54 45 47 45 52 20 50 52   odeno INTEGER PR
+|   3904: 49 4d 41 52 59 20 4b 45 59 2c 64 61 74 61 29 5c   IMARY KEY,data)\
+|   3920: 02 07 17 1d 1d 01 81 0b 74 61 62 6c 65 74 31 5f   ........tablet1_
+|   3936: 72 6f 77 69 64 74 31 5f 72 6f 77 69 64 02 43 52   rowidt1_rowid.CR
+|   3952: 45 41 54 45 20 54 41 42 4c 45 20 22 74 31 5f 72   EATE TABLE "t1_r
+|   3968: 6f 77 69 64 22 28 72 6f 77 69 64 20 49 4e 54 45   owid"(rowid INTE
+|   3984: 47 45 72 20 50 52 49 4d 41 52 59 20 4b 45 59 2c   GEr PRIMARY KEY,
+|   4000: 6e 6f 64 65 6e 6f 2c 61 30 2c 61 31 29 51 01 07   nodeno,a0,a1)Q..
+|   4016: 17 11 11 08 81 0f 74 61 62 6c 65 74 31 74 31 43   ......tablet1t1C
+|   4032: 52 45 41 54 45 20 56 49 52 54 55 41 4c 20 54 41   REATE VIRTUAL TA
+|   4048: 42 4c 45 20 74 31 20 55 53 49 4e 47 20 72 74 72   BLE t1 USING rtr
+|   4064: 65 65 28 69 64 2c 78 30 2c 78 31 2c 79 30 2c 79   ee(id,x0,x1,y0,y
+|   4080: 31 2c 2b 6c 61 62 65 6c 2c 2b 6f 74 68 65 72 29   1,+label,+other)
+| page 2 offset 4096
+|      0: 0d 00 00 00 0e 0e f7 00 0f e8 0f 00 fb 70 f9 e0   .............p..
+|     16: f9 10 f8 10 f7 00 f5 e0 f4 f0 f3 90 f2 90 f1 80   ................
+|     32: f0 60 ef 00 00 00 00 00 00 00 00 00 00 00 00 00   .`..............
+|   3824: 00 00 00 00 00 00 00 0d 0e 05 00 09 1d 00 74 6f   ..............to
+|   3840: 70 20 68 61 6c 66 10 0d 05 00 09 23 00 62 6f 74   p half.....#.bot
+|   3856: 74 6f 6d 20 68 61 6c 66 0f 0c 05 00 09 21 00 72   tom half.....!.r
+|   3872: 69 67 68 74 20 68 61 6c 66 0e 0b 05 00 09 1f 00   ight half.......
+|   3888: 6c 65 66 74 20 68 61 6c 66 14 0a 05 00 09 2b 00   left half.....+.
+|   3904: 00 03 98 20 49 98 2f 6c 62 05 74 68 69 6e 67 0d   ... I./lb.thing.
+|   3920: 09 05 00 09 1d 00 74 6f 70 20 65 64 67 65 10 08   ......top edge..
+|   3936: 05 00 09 23 00 62 6f 74 74 6f 6d 20 65 64 67 65   ...#.bottom edge
+|   3952: 0f 07 05 00 09 21 00 72 69 67 68 74 20 65 64 67   .....!.right edg
+|   3968: 65 0e 06 05 00 09 1f 00 6c 65 66 74 20 65 64 67   e.......left edg
+|   3984: 65 0b 05 05 00 09 19 00 63 65 6e 74 65 72 17 04   e.......center..
+|   4000: 05 00 09 31 00 75 70 70 65 72 2d 72 69 67 68 74   ...1.upper-right
+|   4016: 20 63 6f 72 6e 65 72 17 03 05 00 09 31 00 6c 6f    corner.....1.lo
+|   4032: 77 65 72 2d 72 69 67 68 74 20 63 6f 72 6e 65 72   wer-right corner
+|   4048: 16 02 05 00 09 2f 00 75 70 70 65 72 2d 6c 65 66   ...../.upper-lef
+|   4064: 74 20 63 6f 72 6e 65 72 16 01 05 00 09 2f 00 6c   t corner...../.l
+|   4080: 6f 77 65 72 2d 6c 65 66 74 20 63 6f 72 6e 65 72   ower-left corner
+| page 3 offset 8192
+|      0: 0d 00 00 00 01 0b 2d 00 0b 2d 00 00 00 00 00 00   ......-..-......
+|   2848: 00 00 00 00 00 00 00 00 00 00 00 00 00 89 50 01   ..............P.
+|   2864: 04 00 93 24 00 00 00 0e 00 00 00 00 00 00 00 01   ...$............
+|   2880: 00 00 00 04 01 20 00 00 00 00 00 04 12 00 00 00   ..... ..........
+|   2896: 00 00 00 00 00 00 00 23 00 00 00 00 41 20 00 00   .......#....A ..
+|   2912: 42 b4 00 00 42 c8 00 00 00 00 00 00 00 00 00 03   B...B...........
+|   2928: 42 b4 00 00 42 c8 00 00 00 00 00 00 41 20 00 00   B...B.......A ..
+|   2944: 00 00 00 00 00 00 00 04 42 b4 00 00 42 c8 00 00   ........B...B...
+|   2960: 42 b4 00 00 42 c8 00 00 00 00 00 00 00 00 00 05   B...B...........
+|   2976: 42 20 00 00 42 70 00 00 42 20 00 00 42 70 00 00   B ..Bp..B ..Bp..
+|   2992: 00 00 00 00 00 00 00 06 00 00 00 00 40 a0 00 00   ............@...
+|   3008: 00 00 00 04 2c 80 00 00 00 00 00 00 00 00 00 74   ....,..........t
+|   3024: 2b e0 00 04 2c 80 00 04 2c 80 00 00 00 00 00 00   +...,...,.......
+|   3040: 00 00 00 80 00 00 00 04 2c 80 00 00 00 00 00 04   ........,.......
+|   3056: 0a 00 00 00 00 00 b0 80 00 00 04 2c 80 00 04 2b   ...........,...+
+|   3072: e0 00 04 2c 80 00 00 00 00 00 00 00 00 00 a0 00   ...,............
+|   3088: 00 00 04 2c 80 00 00 00 00 00 04 2c 80 00 00 00   ...,.......,....
+|   3104: 00 00 00 00 00 00 b0 00 00 00 04 24 80 00 00 00   ...........$....
+|   3120: 00 00 04 2c 80 00 00 00 00 00 00 00 50 00 91 f0   ...,........P...
+|   3136: 06 c6 56 67 42 06 86 16 c6 61 40 a0 50 00 92 b0   ..VgB....a@.P...
+|   3152: 07 46 86 52 07 76 86 f6 c6 52 07 46 86 96 e6 70   .F.R.v...R.F...p
+|   3168: d0 90 50 00 91 d0 07 46 f7 02 06 56 46 76 51 00   ..P....F...VFvQ.
+|   3184: 80 50 00 92 30 06 26 f7 47 46 f6 d2 06 56 46 76   .P..0.&.GF...VFv
+|   3200: 50 f0 70 50 00 92 10 07 26 96 76 87 42 06 56 46   P.pP....&.v.B.VF
+|   3216: 76 50 e0 60 50 00 91 f0 06 c6 56 67 42 06 56 46   vP.`P.....VgB.VF
+|   3232: 76 50 b0 50 50 00 91 90 06 36 56 e7 46 57 21 70   vP.PP....6V.FW!p
+|   3248: 40 50 00 93 10 07 57 07 06 57 22 d7 26 96 76 87   @P....W..W".&.v.
+|   3264: 42 06 36 f7 26 e6 57 21 70 30 50 00 93 10 06 c6   B.6.&.W!p0P.....
+|   3280: f7 76 57 22 d7 26 96 76 87 42 06 36 f7 26 e6 57   .vW".&.v.B.6.&.W
+|   3296: 21 60 20 50 00 92 f0 07 57 07 06 57 22 d6 c6 56   !` P....W..W"..V
+|   3312: 60 00 00 c4 24 c0 00 04 2c 80 00 00 00 00 00 04   `...$...,.......
+|   3328: 2c 80 00 00 00 00 00 00 00 00 00 d0 00 00 00 04   ,...............
+|   3344: 2c 80 00 00 00 00 00 04 24 80 00 00 00 00 00 00   ,.......$.......
+|   3360: 00 00 00 e0 00 00 00 04 2c 80 00 04 24 c0 00 04   ........,...$...
+|   3376: 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ,...............
+| page 4 offset 12288
+|      0: 0d 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00   ................
+| end c4.db
+  }]
+  catchsql {
+    UPDATE t1 SET label='x';
+  }
+} {1 {malformed database schema (?)}}
+do_test rtreefuzz001-310 {
+  catchsql {
+    SELECT rtreecheck('t1');
+  }
+} {1 {database disk image is malformed}}
+
+
 finish_test