Fix a buffer overread in the fts5_structure virtual table (test code).

FossilOrigin-Name: b837aff79cd159061b46af59eaf96a1a1920eeece27e9e27931cf3387068d96a
2025-08-01 06:27:03 +03:00 · 2023-07-29 20:13:19 +00:00
parent fb546c0bf4
commit 808cf29b55
3 changed files with 11 additions and 10 deletions
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@ -8092,15 +8092,16 @@ static int fts5structCloseMethod(sqlite3_vtab_cursor *cur){
 */
 static int fts5structNextMethod(sqlite3_vtab_cursor *cur){
  Fts5StructVcsr *pCsr = (Fts5StructVcsr*)cur;
+  Fts5Structure *p = pCsr->pStruct;

  assert( pCsr->pStruct );
  pCsr->iSeg++;
  pCsr->iRowid++;
-  while( pCsr->iSeg>=pCsr->pStruct->aLevel[pCsr->iLevel].nSeg ){
+  while( pCsr->iLevel<p->nLevel && pCsr->iSeg>=p->aLevel[pCsr->iLevel].nSeg ){
    pCsr->iLevel++;
    pCsr->iSeg = 0;
  }
-  if( pCsr->iLevel>=pCsr->pStruct->nLevel ){
+  if( pCsr->iLevel>=p->nLevel ){
    fts5StructureRelease(pCsr->pStruct);
    pCsr->pStruct = 0;
  }