database/sqlite
1
0
Fork 0
mirror of https://github.com/sqlite/sqlite.git synced 2025-08-01 06:27:03 +03:00
Code Activity

Fix a buffer overread in fts3 that could occur when decoding a corrupted record.

Browse Source 
FossilOrigin-Name: 9a4a40c45feb2bb89020dc7711b4753479112ceae7ce2a44521d72afeddfac83
This commit is contained in:
dan
2020-06-12 15:17:27 +00:00
parent 6aa7515c46
commit 56e38185fe
5 changed files with 47 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ext/fts3/fts3.c
View File

@ -2267,6 +2267,9 @@ static int fts3PoslistMerge(
*/
fts3GetDeltaVarint(&p1, &i1);
fts3GetDeltaVarint(&p2, &i2);
if( i1<2 || i2<2 ){
break;
}
do {
fts3PutDeltaVarint(&p, &iPrev, (i1<i2) ? i1 : i2);
iPrev -= 2;
@ -5170,7 +5173,7 @@ static void fts3EvalInvalidatePoslist(Fts3Phrase *pPhrase){
**
** Parameter nNear is passed the NEAR distance of the expression (5 in
** the example above). When this function is called, *paPoslist points to
** the position list, and *pnToken is the number of phrase tokens in, the
** the position list, and *pnToken is the number of phrase tokens in the
** phrase on the other side of the NEAR operator to pPhrase. For example,
** if pPhrase refers to the "def ghi" phrase, then *paPoslist points to
** the position list associated with phrase "abc".