mirror of
https://github.com/sqlite/sqlite.git
synced 2025-08-08 14:02:16 +03:00
Fix a read of invalid memory that could occur in btree.c. (CVS 2180)
FossilOrigin-Name: 929745c1833e7f4323884a1bc0c632f5b319da35
This commit is contained in:
danielk1977
12
manifest
12
manifest
@@ -1,5 +1,5 @@
|
||||
C Remove\sincorrect\sassert()\sand\sadd\sextra\soption\sto\saccount\sfor\snon-standard\s'sort'\sprogram\sin\ssome\slinux\sversions.\s(CVS\s2179)
|
||||
D 2005-01-07T01:56:17
|
||||
C Fix\sa\sread\sof\sinvalid\smemory\sthat\scould\soccur\sin\sbtree.c.\s(CVS\s2180)
|
||||
D 2005-01-07T08:56:44
|
||||
F Makefile.in ecf441ac5ca1ccfc8748a8a9537706e69893dfa4
|
||||
F Makefile.linux-gcc a9e5a0d309fa7c38e7c14d3ecf7690879d3a5457
|
||||
F README a01693e454a00cc117967e3f9fdab2d4d52e9bc1
|
||||
@@ -29,7 +29,7 @@ F sqlite3.def dbaeb20c153e1d366e8f421b55a573f5dfc00863
|
||||
F sqlite3.pc.in 985b9bf34192a549d7d370e0f0b6b34a4f61369a
|
||||
F src/attach.c e49d09dad9f5f9fb10b4b0c1be5a70ae4c45e689
|
||||
F src/auth.c 3b81f2a42f48a62c2c9c9b0eda31a157c681edea
|
||||
F src/btree.c fa113d624d38bcb36700a0244b47f39d57d34efb
|
||||
F src/btree.c 8cab7c66c822ae9c37c59a923ffec81927583ee2
|
||||
F src/btree.h 861e40b759a195ba63819740e484390012cf81ab
|
||||
F src/build.c af1296e8a21a406b4f4c4f1e1365e075071219f3
|
||||
F src/cursor.c f883813759742068890b1f699335872bfa8fdf41
|
||||
@@ -263,7 +263,7 @@ F www/tclsqlite.tcl e73f8f8e5f20e8277619433f7970060ab01088fc
|
||||
F www/vdbe.tcl 095f106d93875c94b47367384ebc870517431618
|
||||
F www/version3.tcl 092a01f5ef430d2c4acc0ae558d74c4bb89638a0
|
||||
F www/whentouse.tcl c3b50d3ac31c54be2a1af9b488a89d22f1e6e746
|
||||
P 9d674d1dc09f72c64ef7f37cd9838c7a9c50b746
|
||||
R d21fa91d39b388686915b90d94c4baf8
|
||||
P bf14387697459d8d348a35ca50e2ee9407dcf1e1
|
||||
R 69691ec0fc90d47f2795ea61e7840061
|
||||
U danielk1977
|
||||
Z d4d186f3d78d137c0d019d40b89696b1
|
||||
Z 5456339343e3dea6f3d7b76699be8b22
|
||||
|
||||
@@ -1 +1 @@
|
||||
bf14387697459d8d348a35ca50e2ee9407dcf1e1
|
||||
929745c1833e7f4323884a1bc0c632f5b319da35
|
||||
20
src/btree.c
20
src/btree.c
@@ -9,7 +9,7 @@
|
||||
** May you share freely, never taking more than you give.
|
||||
**
|
||||
*************************************************************************
|
||||
** $Id: btree.c,v 1.225 2004/11/23 09:06:56 danielk1977 Exp $
|
||||
** $Id: btree.c,v 1.226 2005/01/07 08:56:44 danielk1977 Exp $
|
||||
**
|
||||
** This file implements a external (disk-based) database using BTrees.
|
||||
** For a detailed discussion of BTrees, refer to
|
||||
@@ -3429,13 +3429,19 @@ static void dropCell(MemPage *pPage, int idx, int sz){
|
||||
** in pTemp or the original pCell) and also record its index.
|
||||
** Allocating a new entry in pPage->aCell[] implies that
|
||||
** pPage->nOverflow is incremented.
|
||||
**
|
||||
** If nSkip is non-zero, then do not copy the first nSkip bytes of the
|
||||
** cell. The caller will overwrite them after this function returns. If
|
||||
** nSkip is non-zero, then pCell may not point to a valid memory location
|
||||
** (but pCell+nSkip is always valid).
|
||||
*/
|
||||
static int insertCell(
|
||||
MemPage *pPage, /* Page into which we are copying */
|
||||
int i, /* New cell becomes the i-th cell of the page */
|
||||
u8 *pCell, /* Content of the new cell */
|
||||
int sz, /* Bytes of content in pCell */
|
||||
u8 *pTemp /* Temp storage space for pCell, if needed */
|
||||
u8 *pTemp, /* Temp storage space for pCell, if needed */
|
||||
u8 nSkip /* Do not write the first nSkip bytes of the cell */
|
||||
){
|
||||
int idx; /* Where to write new cell content in data[] */
|
||||
int j; /* Loop counter */
|
||||
@@ -3452,7 +3458,7 @@ static int insertCell(
|
||||
assert( sqlite3pager_iswriteable(pPage->aData) );
|
||||
if( pPage->nOverflow || sz+2>pPage->nFree ){
|
||||
if( pTemp ){
|
||||
memcpy(pTemp, pCell, sz);
|
||||
memcpy(pTemp+nSkip, pCell+nSkip, sz-nSkip);
|
||||
pCell = pTemp;
|
||||
}
|
||||
j = pPage->nOverflow++;
|
||||
@@ -3477,7 +3483,7 @@ static int insertCell(
|
||||
assert( end <= get2byte(&data[hdr+5]) );
|
||||
pPage->nCell++;
|
||||
pPage->nFree -= 2;
|
||||
memcpy(&data[idx], pCell, sz);
|
||||
memcpy(&data[idx+nSkip], pCell+nSkip, sz-nSkip);
|
||||
for(j=end-2, ptr=&data[j]; j>ins; j-=2, ptr-=2){
|
||||
ptr[0] = ptr[-2];
|
||||
ptr[1] = ptr[-1];
|
||||
@@ -3963,7 +3969,7 @@ static int balance_nonroot(MemPage *pPage){
|
||||
iSpace += sz;
|
||||
assert( iSpace<=pBt->psAligned*5 );
|
||||
}
|
||||
rc = insertCell(pParent, nxDiv, pCell, sz, pTemp);
|
||||
rc = insertCell(pParent, nxDiv, pCell, sz, pTemp, 4);
|
||||
if( rc!=SQLITE_OK ) goto balance_cleanup;
|
||||
put4byte(findOverflowCell(pParent,nxDiv), pNew->pgno);
|
||||
j++;
|
||||
@@ -4275,7 +4281,7 @@ int sqlite3BtreeInsert(
|
||||
}else{
|
||||
assert( pPage->leaf );
|
||||
}
|
||||
rc = insertCell(pPage, pCur->idx, newCell, szNew, 0);
|
||||
rc = insertCell(pPage, pCur->idx, newCell, szNew, 0, 0);
|
||||
if( rc!=SQLITE_OK ) goto end_insert;
|
||||
rc = balance(pPage);
|
||||
/* sqlite3BtreePageDump(pCur->pBt, pCur->pgnoRoot, 1); */
|
||||
@@ -4362,7 +4368,7 @@ int sqlite3BtreeDelete(BtCursor *pCur){
|
||||
assert( MX_CELL_SIZE(pBt)>=szNext+4 );
|
||||
tempCell = sqliteMallocRaw( MX_CELL_SIZE(pBt) );
|
||||
if( tempCell==0 ) return SQLITE_NOMEM;
|
||||
rc = insertCell(pPage, pCur->idx, pNext-4, szNext+4, tempCell);
|
||||
rc = insertCell(pPage, pCur->idx, pNext-4, szNext+4, tempCell, 0);
|
||||
if( rc!=SQLITE_OK ) return rc;
|
||||
put4byte(findOverflowCell(pPage, pCur->idx), pgnoChild);
|
||||
rc = balance(pPage);
|
||||
|
||||
Reference in New Issue
Block a user