
Fix a buffer overread in fts3 that can occur if the database is corrupt.

FossilOrigin-Name: 84194c4195d7144ff7f9cedcdc74fdd908f3bfcd
This commit is contained in:
dan
2010-10-27 16:52:27 +00:00
parent 8c30711208
commit 8aaa252d8c
5 changed files with 78 additions and 17 deletions


@ -916,9 +916,19 @@ static int fts3SegReaderNext(Fts3Table *p, Fts3SegReader *pReader){
pReader->nTerm = nPrefix+nSuffix;
pNext += nSuffix;
pNext += sqlite3Fts3GetVarint32(pNext, &pReader->nDoclist);
assert( pNext<&pReader->aNode[pReader->nNode] );
pReader->aDoclist = pNext;
pReader->pOffsetList = 0;
/* Check that the doclist does not appear to extend past the end of the
** b-tree node. And that the final byte of the doclist is either an 0x00
** or 0x01. If either of these statements is untrue, then the data structure
** is corrupt.
*/
if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode]
|| (pReader->aDoclist[pReader->nDoclist-1]&0xFE)!=0
){
return SQLITE_CORRUPT;
}
return SQLITE_OK;
}
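Review bot: The new corruption check still indexes `pReader->aDoclist[pReader->nDoclist-1]` without first establishing that nDoclist is positive, so a corrupt varint that decodes to 0 (or, if sqlite3Fts3GetVarint32 can overflow its int on hostile input, to a negative value) reads before the doclist instead of being rejected — the very overread class this commit is fixing. A zero-length doclist also makes the pointer comparison on the first line of the `if` pass trivially, and forming `&pReader->aDoclist[pReader->nDoclist]` past the node end is itself out-of-bounds pointer arithmetic before the comparison happens. Guarding on the length first, and comparing lengths rather than pointers, closes both: `if( pReader->nDoclist<=0` / `|| pReader->nDoclist > &pReader->aNode[pReader->nNode]-pReader->aDoclist` / `|| (pReader->aDoclist[pReader->nDoclist-1]&0xFE)!=0`. The `assert( pNext<... )` on the context line above is a debug-only check and does not protect release builds from the same condition; fts3SegReaderNext begins outside this hunk, so earlier validation of pNext may already exist there.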