Fix another integer overflow triggered by a corrupt database in recently modified vacuum code.

FossilOrigin-Name: 4e2dd2a53364f1fed48b995fd5d2642472585f6da5e4735e9da193ba7ff45514
2025-08-08 14:02:16 +03:00 · 2020-12-15 19:27:20 +00:00
parent 0bf333467c
commit 7f60706691
4 changed files with 115 additions and 8 deletions
--- a/13
+++ b/13
@@ -1,5 +1,5 @@
-C When\sthe\s-statstep\soption\sis\spassed\sto\sthe\s"rbu"\sexecutable,\sprint\sout\smemory\sstats\sright\sbefore\sexiting,\sas\swell\sas\severy\s-statstep\ssteps.
-D 2020-12-15T16:28:07.633
+C Fix\sanother\sinteger\soverflow\striggered\sby\sa\scorrupt\sdatabase\sin\srecently\smodified\svacuum\scode.
+D 2020-12-15T19:27:20.474
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -481,7 +481,7 @@ F src/auth.c a3d5bfdba83d25abed1013a8c7a5f204e2e29b0c25242a56bc02bb0c07bf1e06
 F src/backup.c 3014889fa06e20e6adfa0d07b60097eec1f6e5b06671625f476a714d2356513d
 F src/bitvec.c 17ea48eff8ba979f1f5b04cc484c7bb2be632f33
 F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6
-F src/btree.c f8cdad7e00eedad4e4f5183aee8db354dd3622604a27bd2223811eeb182236fb
+F src/btree.c b995dfb6a2d79e2be51ce65a6f54a52f2c327507c35f3f8558d0def711d59298
 F src/btree.h 285f8377aa1353185a32bf455faafa9ff9a0d40d074d60509534d14990c7829e
 F src/btreeInt.h 7614cae30f95b6aed0c7cac7718276a55cfe2c77058cbfd8bef5b75329757331
 F src/build.c f6449d4e85e998e14d3f537e8ea898dca2fcb83c277db3e60945af9b9177db81
@@ -791,6 +791,7 @@ F test/corruptJ.test 4d5ccc4bf959464229a836d60142831ef76a5aa4
 F test/corruptK.test 5b4212fe346699831c5ad559a62c54e11c0611bdde1ea8423a091f9c01aa32af
 F test/corruptL.test 22589f503602cc5984e80f27f46c4de2134f24f1515ba2440513c377cb692258
 F test/corruptM.test 7d574320e08c1b36caa3e47262061f186367d593a7e305d35f15289cc2c3e067
+F test/corruptN.test 781c5f26a2d8918f03d45ac4968a738031eeb113a4b153c7588756d9b09c7b04
 F test/cost.test 1d156ce9858780a966c062694687afe0343a0ed12d081d071fb57027e726bafc
 F test/count.test e0699a15712bc2a4679d60e408921c2cce7f6365a30340e790c98e0f334a9c77
 F test/countofview.test e17d6e6688cf74f22783c9ec6e788c0790ee4fbbaee713affd00b1ac0bb39b86
@@ -1890,7 +1891,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P ea0a7f103a6f6a9e57d7377140ff9f372bf2b156f86f148291fb05a7030f2b36
-R a2929ff08e32fd95eef1d5a44bce177d
+P 94f81b51176566409b7d16b30d861f48ad15bb43a145df6e02e0880f7c348109
+R f70af48afc53d25055f1c1dd84b7bed4
 U dan
-Z 7d2f5d8183adfe209996b488d97e46d6
+Z 726142031de41291f3ae18db2fa43170
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-94f81b51176566409b7d16b30d861f48ad15bb43a145df6e02e0880f7c348109
+4e2dd2a53364f1fed48b995fd5d2642472585f6da5e4735e9da193ba7ff45514
--- a/src/btree.c
+++ b/src/btree.c
@@ -8966,7 +8966,7 @@ int sqlite3BtreeTransferRow(BtCursor *pDest, BtCursor *pSrc, i64 iKey){
  u8 *aOut = pBt->pTmpSpace;    /* Pointer to next output buffer */
  const u8 *aIn;                /* Pointer to next input buffer */
  int nIn;                      /* Size of input buffer aIn[] */
-  int nRem;                     /* Bytes of data still to copy */
+  u32 nRem;                     /* Bytes of data still to copy */

  getCellInfo(pSrc);
  aOut += putVarint32(aOut, pSrc->info.nPayload);
--- a/test/corruptN.test
+++ b/test/corruptN.test
@@ -0,0 +1,106 @@
+# 2020-12-16
+#
+# The author disclaims copyright to this source code.  In place of
+# a legal notice, here is a blessing:
+#
+#    May you do good and not evil.
+#    May you find forgiveness for yourself and forgive others.
+#    May you share freely, never taking more than you give.
+#
+#***********************************************************************
+#
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix corruptN
+
+# These tests deal with corrupt database files
+#
+database_may_be_corrupt
+
+reset_db
+do_test 1.0 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+.open --hexdb
+| size 4096 pagesize 512 filename sql024239.txt.db
+| page 1 offset 0
+|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+|     16: 02 00 01 01 00 40 20 20 00 00 00 0c 00 00 00 07   .....@  ........
+|     32: 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 04   ................
+|     48: 00 00 00 00 89 00 00 04 00 10 00 01 0a 00 00 01   ................
+|     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c   ................
+|     96: 00 2e 2c 50 0d 00 00 00 06 01 06 00 01 da 01 b0   ..,P............
+|    112: 01 56 01 86 01 2a 01 06 00 00 00 00 00 00 00 00   .V...*..........
+|    256: 00 00 00 00 00 00 22 07 06 17 11 11 01 31 74 61   .............1ta
+|    272: 62 6c 65 74 34 74 34 07 43 52 45 41 54 45 20 54   blet4t4.CREATE T
+|    288: 41 42 4c 45 20 74 34 28 78 29 2a 06 06 17 13 11   ABLE t4(x)*.....
+|    304: 01 3f 69 6e 64 65 78 74 33 78 74 33 05 43 52 45   .?indext3xt3.CRE
+|    320: 41 54 45 20 49 4e 44 45 58 20 74 33 78 20 4f 4e   ATE INDEX t3x ON
+|    336: 20 74 33 28 78 29 2e 04 06 17 15 11 01 45 69 6e    t3(x).......Ein
+|    352: 64 65 78 74 32 63 64 74 32 05 43 52 45 41 54 45   dext2cdt2.CREATE
+|    368: 20 49 4e 44 45 58 20 74 32 63 64 20 4f 4e 20 74    INDEX t2cd ON t
+|    384: 32 28 63 2c 64 29 28 05 06 17 11 11 01 3d 74 61   2(c,d)(......=ta
+|    400: 62 6c 65 74 33 74 33 07 43 52 45 41 54 45 20 54   blet3t3.CREATE T
+|    416: 41 42 4c 45 20 74 33 28 63 2c 78 2c 65 2c 66 29   ABLE t3(c,x,e,f)
+|    432: 28 02 06 17 11 11 01 3d 74 61 62 6c 65 74 32 74   (......=tablet2t
+|    448: 32 03 43 52 45 41 54 45 20 54 41 42 4c 45 20 74   2.CREATE TABLE t
+|    464: 32 28 63 2c 64 2c 65 2c 66 29 24 01 06 17 11 11   2(c,d,e,f)$.....
+|    480: 01 35 74 61 62 6c 65 74 31 74 31 02 43 52 45 41   .5tablet1t1.CREA
+|    496: 54 45 20 54 41 42 4c 45 20 74 31 28 61 2c 62 29   TE TABLE t1(a,b)
+| page 2 offset 512
+|      0: 0d 00 00 00 04 01 41 00 01 fa 01 f3 01 de 01 cf   ......A.........
+|    160: 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00   .. .............
+|    448: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d   ................
+|    464: 04 03 17 17 73 65 76 65 6e 65 69 67 68 74 13 03   ....seveneight..
+|    480: 03 07 07 40 14 00 00 00 00 00 00 40 18 00 00 00   ...@.......@....
+|    496: 00 00 00 05 02 03 01 01 03 04 04 01 03 09 01 02   ................
+| page 3 offset 1024
+|      0: 0d 00 00 00 08 01 54 00 01 f7 01 ec 01 c5 01 aa   ......T.........
+|     16: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|    112: 00 00 dd 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|    336: 00 00 00 00 19 08 05 17 17 17 17 65 69 67 68 74   ...........eight
+|    352: 65 69 67 68 74 73 65 76 65 6e 73 65 76 65 6e 25   eightsevenseven%
+|    368: 07 05 07 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|    432: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08   ................
+|    480: 00 00 0f 04 17 17 01 65 69 67 68 74 65 69 67 68   .......eighteigh
+|    496: 74 08 15 04 07 07 01 40 18 00 00 00 00 00 00 40   t......@.......@
+| page 4 offset 1536
+|      0: 18 00 00 00 00 00 00 07 07 04 01 01 01 04 04 06   ................
+|     16: 07 04 01 01 01 02 02 05 0f 04 17 17 01 73 6d 76   .............smv
+|     32: 65 6e 65 69 67 68 74 04 15 04 07 07 01 40 14 00   eneight......@..
+| page 5 offset 2048
+|      0: 0a 00 00 00 08 01 96 00 01 fa 01 c4 01 f2 01 bc   ................
+|     16: 01 dc 01 e1 01 96 01 cc 00 00 00 00 00 00 00 00   ................
+|    160: 00 00 00 00 00 00 32 00 00 00 00 00 00 00 00 00   ......2.........
+|    368: 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|    400: 00 00 00 00 00 00 0f 04 17 17 01 85 69 67 68 74   ............ight
+|    416: 65 69 67 68 74 08 15 04 07 07 01 40 18 00 00 00   eight......@....
+|    432: 00 00 00 40 18 00 00 00 00 00 00 07 07 04 01 01   ...@............
+|    448: 01 04 04 06 07 04 01 01 01 02 02 05 0f 04 17 17   ................
+|    464: 01 73 6d 76 65 6e 65 69 67 68 74 04 15 04 07 07   .smveneight.....
+|    480: 01 40 14 00 00 00 00 00 00 40 18 00 00 00 00 00   .@.......@......
+|    496: 00 03 07 04 01 01 01 03 04 02 05 04 03 01 09 02   ................
+| page 6 offset 2560
+|      0: 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|     16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00   ................
+|    304: 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00   ...&............
+| page 7 offset 3072
+|      0: 0d 00 00 00 08 01 c2 00 01 fb 01 f6 01 f1 01 ec   ................
+|     16: 01 e0 01 d4 01 cb 01 c2 00 00 00 00 00 00 00 00   ................
+|    128: 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 04   ............. ..
+|    384: 00 00 00 00 00 00 00 00 00 07 08 02 17 65 69 fc   .............ei.
+|    400: 68 74 07 07 02 17 65 69 67 68 74 0a fb fd f8 bf   ht....eight.....
+|    416: e7 ff ff ff 00 00 00 0a 05 02 07 40 18 00 00 00   ...........@....
+|    432: 00 00 00 03 04 02 01 04 03 03 02 01 04 03 02 01   ................
+|    448: ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00   ................
+| end sql024239.txt.db
+}]} {}
+
+do_catchsql_test 1.1 {
+  VACUUM;
+} {1 {database disk image is malformed}}
+
+
+finish_test