From 56e38185fe26dbaeba7545bf94c5a25150e16907 Mon Sep 17 00:00:00 2001
From: dan <dan@noemail.net>
Date: Fri, 12 Jun 2020 15:17:27 +0000
Subject: [PATCH] Fix a buffer overread in fts3 that could occur when decoding
 a corrupted record.

FossilOrigin-Name: 9a4a40c45feb2bb89020dc7711b4753479112ceae7ce2a44521d72afeddfac83
---
 ext/fts3/fts3.c        |  5 ++++-
 manifest               | 15 +++++++++------
 manifest.uuid          |  2 +-
 test/fts3corrupt2.test |  2 +-
 test/fts3corrupt4.test | 35 ++++++++++++++++++++++++++++++++---
 5 files changed, 47 insertions(+), 12 deletions(-)

diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
index 88ff0ee2c5..7e2cd79055 100644
--- a/ext/fts3/fts3.c
+++ b/ext/fts3/fts3.c
@@ -2267,6 +2267,9 @@ static int fts3PoslistMerge(
       */
       fts3GetDeltaVarint(&p1, &i1);
       fts3GetDeltaVarint(&p2, &i2);
+      if( i1<2 || i2<2 ){
+        break;
+      }
       do {
         fts3PutDeltaVarint(&p, &iPrev, (i1<i2) ? i1 : i2); 
         iPrev -= 2;
@@ -5170,7 +5173,7 @@ static void fts3EvalInvalidatePoslist(Fts3Phrase *pPhrase){
 **
 ** Parameter nNear is passed the NEAR distance of the expression (5 in
 ** the example above). When this function is called, *paPoslist points to
-** the position list, and *pnToken is the number of phrase tokens in, the
+** the position list, and *pnToken is the number of phrase tokens in the
 ** phrase on the other side of the NEAR operator to pPhrase. For example,
 ** if pPhrase refers to the "def ghi" phrase, then *paPoslist points to
 ** the position list associated with phrase "abc".
diff --git a/manifest b/manifest
index 55bfba8acb..18064f8a96 100644
--- a/manifest
+++ b/manifest
@@ -1,15 +1,18 @@
 B fd5abb1a7b5a55127d5c0d5ff448020d8bccab44e4f5afe1eb88fc19578af735
-C Remove\sa\sNEVER()\sthat\sturns\sout\sto\sbe\sreachable.
-D 2020-06-12T00:31:52.711
+C Fix\sa\sbuffer\soverread\sin\sfts3\sthat\scould\soccur\swhen\sdecoding\sa\scorrupted\srecord.
+D 2020-06-12T15:17:27.136
+F ext/fts3/fts3.c acc51e4378dd772251b31ead0ccd19070fc1774f6f6a55b11e00cb885e0f34bc
 F src/btree.c fabc215bd1ebab0e48108e95e0f50531da9883156b95888f479f6c696db032ad
 F src/global.c 0409ae635839e0bef26a69b68be64126ab6cba62ac19bd7694f1652e591c4c17
 F src/select.c 929e1c0db3cb3d9f7d2304c6596868abcb6dfd7c2a0ac1bdf12a5a4432078ba4
 F src/sqliteInt.h fe320867c4f48eeeca523062c5668508b3f9b88d65690d42610bd138a5fdb5c4
 F src/test1.c e9f68f157f8fd027ee4c32c4b427f4eed274749bfb745427e2d954fa89d95ad3
 F src/window.c 88a63e6948ea924b3cf9ad8aff5ea1fa53bebdb2f13340867205fda16ed0f19c
+F test/fts3corrupt2.test e318f0676e5e78d5a4b702637e2bb25265954c08a1b1e4aaf93c7880bb0c67d0
+F test/fts3corrupt4.test e77b06926348eb45b71569f9dc45e5b19c984ca1b1ef6671367f4ca9d6eaa973
 F test/fuzzdata8.db 9ce2e5f0d7e5e61d5f8f0817346b2a3db2aeebbaff20d04043521623ea0558be
 F test/window1.test 9d7f4990e5b36d95af93b189da4aa75216c6690ce95cced3c8b6d3234be51c2c
-P 98cea4a32ba558c137d71a5e373a6803d764d34c5640907371dcf6468ffb2e64
-R fe941a98130365dcc5664681cdfda93a
-U drh
-Z a269c334c0d41dc18dbae6d92c570372
+P 44e573ecd5c2b60107133d60c51f3a04a3f904e9c1cf926e9b8ea977c7acae8d
+R bcbd79b4c6c35d1dd8c3ebd4907c7f1d
+U dan
+Z ff2fe4fe3a58fa1f7eb72368a5beb544
diff --git a/manifest.uuid b/manifest.uuid
index 8e39176095..3d3c7ebf68 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-44e573ecd5c2b60107133d60c51f3a04a3f904e9c1cf926e9b8ea977c7acae8d
\ No newline at end of file
+9a4a40c45feb2bb89020dc7711b4753479112ceae7ce2a44521d72afeddfac83
\ No newline at end of file
diff --git a/test/fts3corrupt2.test b/test/fts3corrupt2.test
index 40783facf9..58643534f1 100644
--- a/test/fts3corrupt2.test
+++ b/test/fts3corrupt2.test
@@ -16,6 +16,7 @@ source $testdir/tester.tcl
 ifcapable !fts3 { finish_test ; return }
 
 set ::testprefix fts3corrupt2
+sqlite3_fts3_may_be_corrupt 1
 
 set data [list]
 lappend data {*}{
@@ -107,5 +108,4 @@ foreach c {50 100 150 200 250} {
 
 
 
-
 finish_test
diff --git a/test/fts3corrupt4.test b/test/fts3corrupt4.test
index 8bbf0f5bbc..3bcf06af25 100644
--- a/test/fts3corrupt4.test
+++ b/test/fts3corrupt4.test
@@ -5849,8 +5849,6 @@ do_catchsql_test 37.1 {
 
 #-------------------------------------------------------------------------
 #
-reset_db
-
 reset_db
 do_test 38.0 {
   sqlite3 db {}
@@ -6061,9 +6059,40 @@ do_execsql_test 38.1 {
   UPDATE t1 SET b=a;
 }
 
-do_catchsql_test 38.1 {
+do_catchsql_test 38.2 {
   SELECT b FROM t1 WHERE a MATCH 'e*e*e*e*e*e*e*e*e*e*e*e*e*e*e*e*'
 } {1 {database disk image is malformed}}
 
+#-------------------------------------------------------------------------
+reset_db
+set saved $sqlite_fts3_enable_parentheses
+set sqlite_fts3_enable_parentheses 1
+do_execsql_test 39.0 {
+  CREATE VIRTUAL TABLE t0 USING fts3(
+    col0 INTEGER PRIMARY KEY,
+    col1 VARCHAR(8),
+    col2 BINARY,
+    col3 BINARY
+  );
+  INSERT INTO t0_content VALUES(1,1,'1234','aaaa','bbbb');
+  INSERT INTO t0_segdir VALUES(0,0,0,0,'0 42',X'000131030782000103323334050101010200000461616161050101020200000462626262050101030200');
+}
+
+do_test 39.1 {
+  catch {
+    db eval { SELECT rowid FROM t0 WHERE t0 MATCH '1 NEAR 1' }
+  }
+} 0
+
+do_test 39.2 {
+  catch {
+    db eval {
+  SELECT matchinfo(t0,'yxy') FROM t0 WHERE t0 MATCH x'2b0a312b0a312a312a2a0b5d0a0b0b0a312a0a0b0b0a312a0b310a392a0b0a27312a2a0b5d0a312a0b310a31315d0b310a312a316d2a0b313b15bceaa50a312a0b0a27312a2a0b5d0a312a0b310a312b0b2a310a312a0b2a0b2a0b2e5d0a0bff313336e34a2a312a0b0a3c310b0a0b4b4b0b4b2a4bec40322b2a0b310a0a312a0a0a0a0a0a0a0a0a0b310a312a2a2a0b5d0a0b0b0a312a0b310a312a0b0a4e4541530b310a5df5ced70a0a0a0a0a4f520a0a0a0a0a0a0a312a0b0a4e4541520b310a5d616161610a0a0a0a4f520a0a0a0a0a0a312b0a312a312a0a0a0a0a0a0a004a0b0a310b220a0b0a310a4a22310a0b0a7e6fe0e0e030e0e0e0e0e01176e02000e0e0e0e0e01131320226310a0b0a310a4a22310a0b0a310a766f8b8b4ee0e0300ae0090909090909090909090909090909090909090909090909090909090909090947aaaa540b09090909090909090909090909090909090909090909090909090909090909fae0e0f2f22164e0e0f273e07fefefef7d6dfafafafa6d6d6d6d';
+    }
+  }
+} 0
+
+
+set sqlite_fts3_enable_parentheses $saved
 
 finish_test