Avoid ever writing before the start of an allocated buffer in the DIRECT_OVERFLOW_READ code. Fix for [e3a290961a6].

FossilOrigin-Name: c3c15d20c6913811956a5041c959a56ca4eeb5eb
2025-08-07 02:42:48 +03:00 · 2014-10-01 12:01:10 +00:00
parent b08cd3f345
commit 9501a64516
4 changed files with 62 additions and 8 deletions
--- a/src/btree.c
+++ b/src/btree.c
@@ -4022,6 +4022,7 @@ static int accessPayload(
  MemPage *pPage = pCur->apPage[pCur->iPage]; /* Btree page of current entry */
  BtShared *pBt = pCur->pBt;                  /* Btree this cursor belongs to */
 #ifdef SQLITE_DIRECT_OVERFLOW_READ
+  unsigned char * const pBufStart = pBuf;
  int bEnd;                                 /* True if reading to end of data */
 #endif

@@ -4149,6 +4150,7 @@ static int accessPayload(
        **   4) there is no open write-transaction, and
        **   5) the database is not a WAL database,
        **   6) all data from the page is being read.
+        **   7) at least 4 bytes have already been read into the output buffer 
        **
        ** then data can be read directly from the database file into the
        ** output buffer, bypassing the page-cache altogether. This speeds
@@ -4160,9 +4162,11 @@ static int accessPayload(
         && pBt->inTransaction==TRANS_READ                     /* (4) */
         && (fd = sqlite3PagerFile(pBt->pPager))->pMethods     /* (3) */
         && pBt->pPage1->aData[19]==0x01                       /* (5) */
+         && &pBuf[-4]>=pBufStart                               /* (7) */
        ){
          u8 aSave[4];
          u8 *aWrite = &pBuf[-4];
+          assert( aWrite>=pBufStart );                         /* hence (7) */
          memcpy(aSave, aWrite, 4);
          rc = sqlite3OsRead(fd, aWrite, a+4, (i64)pBt->pageSize*(nextPage-1));
          nextPage = get4byte(aWrite);