
Avoid a buffer overread when comparing against a corrupt record that spans at least one overflow page.

FossilOrigin-Name: 62a5b3633a086694ef0e579a0a82322cb1ae3d60
This commit is contained in:
dan
2015-05-26 20:31:20 +00:00
parent cc7aa1f6f3
commit b95e1193d5
4 changed files with 15 additions and 11 deletions


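--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -4951,18 +4951,22 @@ int sqlite3BtreeMovetoUnpacked(
 /* The record flows over onto one or more overflow pages. In
 ** this case the whole cell needs to be parsed, a buffer allocated
 ** and accessPayload() used to retrieve the record into the
-** buffer before VdbeRecordCompare() can be called. */
+** buffer before VdbeRecordCompare() can be called. An extra
+** byte of zeroed padding is allocated at the end of the buffer,
+** as this stops the record-compare routines from reading past
+** the end of the buffer if the record is corrupt. */
 void *pCellKey;
 u8 * const pCellBody = pCell - pPage->childPtrSize;
 btreeParseCellPtr(pPage, pCellBody, &pCur->info);
 nCell = (int)pCur->info.nKey;
-pCellKey = sqlite3Malloc( nCell );
+pCellKey = sqlite3Malloc( nCell+1 );
 if( pCellKey==0 ){
 rc = SQLITE_NOMEM;
 goto moveto_finish;
 }
 pCur->aiIdx[pCur->iPage] = (u16)idx;
 rc = accessPayload(pCur, 0, nCell, (unsigned char*)pCellKey, 2);
+((unsigned char *)pCellKey)[nCell] = 0;
 if( rc ){
 sqlite3_free(pCellKey);
 goto moveto_finish;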
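Review bot: `nCell = (int)pCur->info.nKey;` still takes the length straight from a cell the commit itself treats as possibly corrupt, and `sqlite3Malloc( nCell+1 )` is evaluated with no range check on it, so a negative nKey or one narrowed by the int cast reaches the allocator as a bogus size, and nCell==INT_MAX makes the +1 signed overflow. A guard before the allocation such as `if( nCell<0 || nCell>=INT_MAX ){ rc = SQLITE_CORRUPT_BKPT; goto moveto_finish; }` would bound the new buffer size; whether btreeParseCellPtr already clamps nKey is not visible in this hunk, so this may be redundant. The padding store `((unsigned char *)pCellKey)[nCell] = 0;` is placed before the `if( rc )` free, which is harmless since the buffer holds nCell+1 bytes, but moving it after the check would make clear the terminator only matters on the success path. The body of sqlite3BtreeMovetoUnpacked starts and ends outside this hunk.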