Add corruptD.test, a container for testing the "cell overflow" problem. Also shuffle a small amount of code in BtreeInitPage() to check that the page header pointer to the start of the cell offset array is set to a sane value. (CVS 6710)
FossilOrigin-Name: 7fa5d3cb0fa05f7d901bcc139c2c037ce5944caa
13
manifest
13
manifest
@@ -1,5 +1,5 @@
|
||||
C Define\sa\sset\sof\sconstants\sto\suse\sas\sthe\s"index"\sargument\sto\ssqlite3BtreeGetMeta\sand\sUpdateMeta.\sThis\smakes\ssome\sparts\sof\sthe\scode\seasier\sto\sfollow.\s(CVS\s6709)
|
||||
D 2009-06-03T11:25:07
|
||||
C Add\scorruptD.test,\sa\scontainer\sfor\stesting\sthe\s"cell\soverflow"\sproblem.\sAlso\sshuffle\sa\ssmall\samount\sof\scode\sin\sBtreeInitPage()\sto\scheck\sthat\sthe\spage\sheader\spointer\sto\sthe\sstart\sof\sthe\scell\soffset\sarray\sis\sset\sto\sa\ssane\svalue.\s(CVS\s6710)
|
||||
D 2009-06-03T17:26:18
|
||||
F Makefile.arm-wince-mingw32ce-gcc fcd5e9cd67fe88836360bb4f9ef4cb7f8e2fb5a0
|
||||
F Makefile.in 8b8fb7823264331210cddf103831816c286ba446
|
||||
F Makefile.linux-gcc d53183f4aa6a9192d249731c90dbdffbd2c68654
|
||||
@@ -106,7 +106,7 @@ F src/auth.c 98db07c2088455797678eb1031f42d4d94d18a71
|
||||
F src/backup.c ff50af53184a5fd7bdee4d620b5dabef74717c79
|
||||
F src/bitvec.c 0ef0651714728055d43de7a4cdd95e703fac0119
|
||||
F src/btmutex.c 9b899c0d8df3bd68f527b0afe03088321b696d3c
|
||||
F src/btree.c 5afa1b5b68217afc9dc96e18ab1ab2f888709139
|
||||
F src/btree.c b0ac995593edf809962b16b7bfa55455c2f31545
|
||||
F src/btree.h f70b694e8c163227369a66863b01fbff9009f323
|
||||
F src/btreeInt.h df64030d632f8c8ac217ed52e8b6b3eacacb33a5
|
||||
F src/build.c 20e02fd72249159ff6829009f3029d16d59cdff5
|
||||
@@ -291,6 +291,7 @@ F test/corrupt9.test 794d284109c65c8f10a2b275479045e02d163bae
|
||||
F test/corruptA.test 99e95620b980161cb3e79f06a884a4bb8ae265ff
|
||||
F test/corruptB.test 505331779fe7a96fe38ecbb817f19c63bc27d171
|
||||
F test/corruptC.test 47d544f612b8a26a05900d65289abb1ae3b30837
|
||||
F test/corruptD.test b098214f314d4aa3aaba9b1219ee01ffe099c02a
|
||||
F test/count.test 99c78f584038fec8fe081447738307c9dc69e5e0
|
||||
F test/crash.test 1b6ac8410689ff78028887f445062dc897c9ac89
|
||||
F test/crash2.test 5b14d4eb58b880e231361d3b609b216acda86651
|
||||
@@ -732,7 +733,7 @@ F tool/speedtest2.tcl ee2149167303ba8e95af97873c575c3e0fab58ff
|
||||
F tool/speedtest8.c 2902c46588c40b55661e471d7a86e4dd71a18224
|
||||
F tool/speedtest8inst1.c 293327bc76823f473684d589a8160bde1f52c14e
|
||||
F tool/vdbe-compress.tcl 672f81d693a03f80f5ae60bfefacd8a349e76746
|
||||
P baea79fd0cfeb860973846c3f2776776c87f0ae3
|
||||
R 9dba26e86c2e22da89e4d07f10eb0cbe
|
||||
P 6dbf4eca00f845baa7200aba421d0bc158ba96aa
|
||||
R 082e50f4fb6f4bbdc7df5b4799b07891
|
||||
U danielk1977
|
||||
Z 4e60210e731fb6afe9c94533b62cf6ef
|
||||
Z f49134d2c7bfd4d13daac32bbf8ae5be
|
||||
|
@@ -1 +1 @@
|
||||
6dbf4eca00f845baa7200aba421d0bc158ba96aa
|
||||
7fa5d3cb0fa05f7d901bcc139c2c037ce5944caa
|
17
src/btree.c
17
src/btree.c
@@ -9,7 +9,7 @@
|
||||
** May you share freely, never taking more than you give.
|
||||
**
|
||||
*************************************************************************
|
||||
** $Id: btree.c,v 1.610 2009/06/03 11:25:07 danielk1977 Exp $
|
||||
** $Id: btree.c,v 1.611 2009/06/03 17:26:18 danielk1977 Exp $
|
||||
**
|
||||
** This file implements a external (disk-based) database using BTrees.
|
||||
** See the header comment on "btreeInt.h" for additional information.
|
||||
@@ -1145,7 +1145,7 @@ int sqlite3BtreeInitPage(MemPage *pPage){
|
||||
|
||||
/* Compute the total free space on the page */
|
||||
pc = get2byte(&data[hdr+1]);
|
||||
nFree = data[hdr+7] + top - (cellOffset + 2*pPage->nCell);
|
||||
nFree = data[hdr+7] + top;
|
||||
while( pc>0 ){
|
||||
u16 next, size;
|
||||
if( pc>usableSize-4 ){
|
||||
@@ -1161,11 +1161,18 @@ int sqlite3BtreeInitPage(MemPage *pPage){
|
||||
nFree += size;
|
||||
pc = next;
|
||||
}
|
||||
pPage->nFree = (u16)nFree;
|
||||
if( nFree>=usableSize ){
|
||||
/* Free space cannot exceed total page size */
|
||||
|
||||
/* At this point, nFree contains the sum of the offset to the start
|
||||
** of the cell-content area plus the number of free bytes within
|
||||
** the cell-content area. If this is greater than the usable-size
|
||||
** of the page, then the page must be corrupted. This check also
|
||||
** serves to verify that the offset to the start of the cell-content
|
||||
** area, according to the page header, lies within the page.
|
||||
*/
|
||||
if( nFree>usableSize ){
|
||||
return SQLITE_CORRUPT_BKPT;
|
||||
}
|
||||
pPage->nFree = nFree - (cellOffset + 2*pPage->nCell);
|
||||
|
||||
#if 0
|
||||
/* Check that all the offsets in the cell offset array are within range.
|
||||
|
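Review bot: The new check `if( nFree>usableSize )` bounds nFree only from above, so the assignment that follows it, `pPage->nFree = nFree - (cellOffset + 2*pPage->nCell);`, can still go negative when the cell pointer array (cellOffset + 2*nCell) reaches past the start of the cell-content area that nFree is built from; the removed line cast this value with `(u16)`, which suggests pPage->nFree is a 16-bit field into which a negative result would wrap to a large free-space count rather than being reported as corruption. Whether nCell is range-checked earlier is not visible here, since sqlite3BtreeInitPage begins and ends outside the hunk, but a bound on nCell relative to the page size alone would not rule out this overlap. Suggest guarding the subtraction directly, `if( nFree>usableSize || nFree<cellOffset+2*pPage->nCell ){ return SQLITE_CORRUPT_BKPT; }`, and keeping the narrowing explicit now that the cast is gone, `pPage->nFree = (u16)(nFree - (cellOffset + 2*pPage->nCell));`. The test file added by this commit lists the cell-count field as item 3 of the offsets it intends to cover, so a case with an oversized nCell would be the natural way to exercise this path.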
136
test/corruptD.test
Normal file
136
test/corruptD.test
Normal file
@@ -0,0 +1,136 @@
|
||||
# 2009 June 3
|
||||
#
|
||||
# The author disclaims copyright to this source code. In place of
|
||||
# a legal notice, here is a blessing:
|
||||
#
|
||||
# May you do good and not evil.
|
||||
# May you find forgiveness for yourself and forgive others.
|
||||
# May you share freely, never taking more than you give.
|
||||
#
|
||||
#***********************************************************************
|
||||
#
|
||||
# $Id: corruptD.test,v 1.1 2009/06/03 17:26:20 danielk1977 Exp $
|
||||
|
||||
set testdir [file dirname $argv0]
|
||||
source $testdir/tester.tcl
|
||||
|
||||
#--------------------------------------------------------------------------
|
||||
# OVERVIEW
|
||||
#
|
||||
# This test file attempts to verify that SQLite does not read past the
|
||||
# end of any in-memory buffers as a result of corrupted database page
|
||||
# images. Usually this happens because a field within a database page
|
||||
# that contains an offset to some other structure within the same page
|
||||
# is set to too large a value. A database page contains the following
|
||||
# such fields:
|
||||
#
|
||||
# 1. The page header field that contains the offset to the first
|
||||
# free block of space.
|
||||
#
|
||||
# 2. The first two bytes of all but the last free block on the free-block
|
||||
# list (the offset to the next free block).
|
||||
#
|
||||
# 3. The page header field containing the number of cells on the page
|
||||
# (implicitly defines the offset to the final element in the cell offset
|
||||
# array, which could potentially be off the end of the page).
|
||||
#
|
||||
# 4. The page header field containing the offset to the start of the cell
|
||||
# content area.
|
||||
#
|
||||
# 5. The contents of the cell offset array.
|
||||
#
|
||||
# 6. The first few bytes of each cell determine the size of the cell
|
||||
# stored within the page, and hence the offset to the final byte of
|
||||
# the cell.
|
||||
#
|
||||
# If any of the above fields are set to too large a value, then a buffer
|
||||
# overread may occur. This test script creates and operates on various
|
||||
# strategically corrupted database files to attempt to provoke such buffer
|
||||
# overreads.
|
||||
#
|
||||
# Very often, a buffer overread passes unnoticed, particularly in workstation
|
||||
# environments. For this reason, this test script should be run using valgrind
|
||||
# (or similar) in order to verify that no overreads occur.
|
||||
#
|
||||
# TEST PLAN
|
||||
#
|
||||
# Test cases corruptD-1.* are white-box tests. They attempt to corrupt
|
||||
# one of the above fields, then exercise each part of the code in btree.c
|
||||
# that uses said field.
|
||||
#
|
||||
# Offset variables 1, 2, 3 and 4 are all checked to make sure they
|
||||
# will not result in buffer overruns as part of page initialization in
|
||||
# sqlite3BtreeInitPage(). Offsets 5 and 6 cannot be tested as part of
|
||||
# page initialization, as trying to do so causes a performance hit.
|
||||
#
|
||||
|
||||
do_test corruptD-1.0 {
|
||||
execsql {
|
||||
PRAGMA auto_vacuum = 0;
|
||||
PRAGMA page_size = 1024;
|
||||
CREATE TABLE t1(a, b);
|
||||
CREATE INDEX i1 ON t1(a, b);
|
||||
}
|
||||
for {set ii 1} {$ii < 50} {incr ii} {
|
||||
execsql { INSERT INTO t1 VALUES($ii, $ii * $ii) }
|
||||
}
|
||||
execsql {
|
||||
DELETE FROM t1 WHERE a = 10;
|
||||
DELETE FROM t1 WHERE a = 20;
|
||||
DELETE FROM t1 WHERE a = 30;
|
||||
DELETE FROM t1 WHERE a = 40;
|
||||
}
|
||||
copy_file test.db test.bu
|
||||
} {}
|
||||
|
||||
proc incr_change_counter {} {
|
||||
hexio_write test.db 24 [
|
||||
hexio_render_int32 [expr [hexio_get_int [hexio_read test.db 24 4]] + 1]
|
||||
]
|
||||
}
|
||||
|
||||
proc restore_file {} {
|
||||
db close
|
||||
copy_file test.bu test.db
|
||||
sqlite3 db test.db
|
||||
}
|
||||
|
||||
#-------------------------------------------------------------------------
|
||||
# The following tests, corruptD-1.1.*, focus on the page header field
|
||||
# containing the offset of the first free block in a page.
|
||||
#
|
||||
do_test corruptD-1.1.1 {
|
||||
incr_change_counter
|
||||
hexio_write test.db [expr 1024+1] FFFF
|
||||
catchsql { SELECT * FROM t1 }
|
||||
} {1 {database disk image is malformed}}
|
||||
do_test corruptD-1.1.2 {
|
||||
incr_change_counter
|
||||
hexio_write test.db [expr 1024+1] [hexio_render_int32 1021]
|
||||
catchsql { SELECT * FROM t1 }
|
||||
} {1 {database disk image is malformed}}
|
||||
|
||||
#-------------------------------------------------------------------------
|
||||
# The following tests, corruptD-1.2.*, focus on the offsets contained
|
||||
# in the first 2 byte of each free-block on the free-list.
|
||||
#
|
||||
do_test corruptD-1.2.1 {
|
||||
restore_file
|
||||
} {}
|
||||
do_test corruptD-1.2.2 {
|
||||
} {}
|
||||
|
||||
#-------------------------------------------------------------------------
|
||||
# The following tests, corruptD-1.4.*, ...
|
||||
#
|
||||
|
||||
|
||||
#-------------------------------------------------------------------------
|
||||
# The following tests, corruptD-1.5.*, focus on the offsets contained
|
||||
# in the cell offset array.
|
||||
#
|
||||
# defragmentPage
|
||||
#
|
||||
|
||||
finish_test
|
||||
|
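Review bot: corruptD-1.1.2 does not corrupt the field its section header says it targets: `hexio_write test.db [expr 1024+1] [hexio_render_int32 1021]` writes four bytes at offset 1025, i.e. bytes 1–4 of the page-2 header, while the first-freeblock offset that the btree.c hunk reads with `get2byte(&data[hdr+1])` is two bytes wide, so the freeblock field becomes 0 and the next two header bytes (presumably the cell count, the test's own item 3) receive 0x03FD instead. Writing a two-byte value the way corruptD-1.1.1 already does with `FFFF`, e.g. `hexio_write test.db [expr 1024+1] 03FD`, would drive the intended `pc>usableSize-4` path with an offset one past the limit. Separately, corruptD-1.2.2 has an empty body and the 1.4 and 1.5 sections are headings only, so they pass without exercising anything; a comment such as `# TODO: free-block next-pointer, cell-count and cell-offset-array cases not yet written` would make the coverage gap explicit rather than leaving it implied by a trivially passing test.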