
New database corruption test cases discovered by dbfuzz2. The new cases

have been added to test/fuzzdata7.db, but have not yet all been fixed,
so tests will not currently pass.

FossilOrigin-Name: b4210d320c6426d2838d4cc08709fdfd015c1c95fcad9a5f9e8fd390c23b9fad
This commit is contained in:
drh
2018-12-13 03:36:13 +00:00
parent cb0e04f929
commit 5881dfea2c
4 changed files with 19 additions and 21 deletions


@@ -1412,19 +1412,14 @@ static int defragmentPage(MemPage *pPage, int nMaxFrag){
** reconstruct the entire page. */
if( (int)data[hdr+7]<=nMaxFrag ){
int iFree = get2byte(&data[hdr+1]);
/* If the initial freeblock offset were out of bounds, that would
** have been detected by btreeInitPage() when it was computing the
** number of free bytes on the page. */
assert( iFree<=usableSize-4 );
if( iFree ){
int iFree2 = get2byte(&data[iFree]);
/* pageFindSlot() has already verified that free blocks are sorted
** in order of offset within the page, and that no block extends
** past the end of the page. Provided the two free slots do not
** overlap, this guarantees that the memmove() calls below will not
** overwrite the usableSize byte buffer, even if the database page
** is corrupt. */
assert( iFree2==0 || iFree2>iFree );
assert( iFree+get2byte(&data[iFree+2]) <= usableSize );
assert( iFree2==0 || iFree2+get2byte(&data[iFree2+2]) <= usableSize );
if( iFree2>usableSize-4 ) return SQLITE_CORRUPT_PAGE(pPage);
if( 0==iFree2 || (data[iFree2]==0 && data[iFree2+1]==0) ){
u8 *pEnd = &data[cellOffset + nCell*2];
u8 *pAddr;
@@ -1435,9 +1430,9 @@ static int defragmentPage(MemPage *pPage, int nMaxFrag){
return SQLITE_CORRUPT_PAGE(pPage);
}
if( iFree2 ){
assert( iFree+sz<=iFree2 ); /* Verified by pageFindSlot() */
if( iFree+sz>iFree2 ) return SQLITE_CORRUPT_PAGE(pPage);
sz2 = get2byte(&data[iFree2+2]);
assert( iFree+sz+sz2+iFree2-(iFree+sz) <= usableSize );
if( iFree2+sz2 > usableSize ) return SQLITE_CORRUPT_PAGE(pPage);
memmove(&data[iFree+sz+sz2], &data[iFree+sz], iFree2-(iFree+sz));
sz += sz2;
}
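Review bot: The runtime check `if( iFree2+sz2 > usableSize ) return SQLITE_CORRUPT_PAGE(pPage);` is what keeps the memmove() on the following line inside the page buffer (its destination range ends at `iFree2+sz2`), but with the explanatory comment block of the first hunk gone nothing in the code now says which check protects which copy; a one-line comment on that check such as `/* iFree2+sz2 is the end of the destination of the memmove() below */` would keep that reasoning visible to the next maintainer. Reading this rendered page, I take the `return SQLITE_CORRUPT_PAGE(pPage)` lines to be the new side and the asserts to be the removed side. On that reading the first hunk still leaves `assert( iFree<=usableSize-4 );` resting on the claim that btreeInitPage() already validated the first freeblock offset, while iFree2 gets a real corruption check; if that assert can be reached with page content changed after btreeInitPage() ran, giving iFree the same `return SQLITE_CORRUPT_PAGE(pPage)` treatment would be consistent with the rest of this change, which I cannot confirm from these hunks alone. defragmentPage() begins before the first hunk and continues past the end of this one.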