Fix an OOM-handling problem affecting locale=1 fts5 tables.

FossilOrigin-Name: d8103684f660ff9b3186d0f89afb113ca580bd16f0bf413ed8a9434236b54426
2025-07-27 20:41:58 +03:00 · 2024-09-09 19:12:57 +00:00
parent 882aba4090
commit cd889c7a88
4 changed files with 33 additions and 14 deletions
--- a/ext/fts5/fts5_main.c
+++ b/ext/fts5/fts5_main.c
@ -90,7 +90,7 @@ struct Fts5Global {
 ** Size of header on fts5_locale() values. And macro to access a buffer
 ** containing a copy of the header from an Fts5Config pointer.
 */
-#define FTS5_LOCALE_HDR_SIZE sizeof( ((Fts5Global*)0)->aLocaleHdr )
+#define FTS5_LOCALE_HDR_SIZE ((int)sizeof( ((Fts5Global*)0)->aLocaleHdr ))
 #define FTS5_LOCALE_HDR(pConfig) ((const u8*)(pConfig->pGlobal->aLocaleHdr))


@ -1284,8 +1284,16 @@ void sqlite3Fts5ClearLocale(Fts5Config *pConfig){
 int sqlite3Fts5IsLocaleValue(Fts5Config *pConfig, sqlite3_value *pVal){
  int ret = 0;
  if( sqlite3_value_type(pVal)==SQLITE_BLOB ){
-    if( sqlite3_value_bytes(pVal)>(int)FTS5_LOCALE_HDR_SIZE
-     && 0==memcmp(sqlite3_value_blob(pVal), FTS5_LOCALE_HDR(pConfig), 4)
+    /* Call sqlite3_value_bytes() after sqlite3_value_blob() in this case.
+    ** If the blob was created using zeroblob(), then sqlite3_value_blob()
+    ** may call malloc(). If this malloc() fails, then the values returned
+    ** by both value_blob() and value_bytes() will be 0. If value_bytes() were 
+    ** called first, then the NULL pointer returned by value_blob() might
+    ** be dereferenced.  */
+    const u8 *pBlob = sqlite3_value_blob(pVal);
+    int nBlob = sqlite3_value_bytes(pVal); 
+    if( nBlob>FTS5_LOCALE_HDR_SIZE
+     && 0==memcmp(pBlob, FTS5_LOCALE_HDR(pConfig), FTS5_LOCALE_HDR_SIZE)
    ){
      ret = 1;
    }
@ -3011,7 +3019,7 @@ static void fts5ExtractValueFromColumn(
    int ii;

    if( pConfig->eContent==FTS5_CONTENT_EXTERNAL ){
-      if( nBlob<(int)FTS5_LOCALE_HDR_SIZE 
+      if( nBlob<FTS5_LOCALE_HDR_SIZE 
       || memcmp(pBlob, FTS5_LOCALE_HDR(pConfig), FTS5_LOCALE_HDR_SIZE) 
      ){
        sqlite3_result_error_code(pCtx, SQLITE_ERROR);
--- a/ext/fts5/test/fts5faultI.test
+++ b/ext/fts5/test/fts5faultI.test
@ -246,7 +246,7 @@ do_execsql_test 10.1 {
 } {hello}

 faultsim_save_and_close
-do_faultsim_test 10 -faults oom* -prep {
+do_faultsim_test 10.1 -faults oom* -prep {
  faultsim_restore_and_reopen
 } -body {
  execsql {
@ -256,6 +256,17 @@ do_faultsim_test 10 -faults oom* -prep {
  faultsim_test_result {0 hello}
 }

+faultsim_save_and_close
+do_faultsim_test 10.2 -faults oom* -prep {
+  faultsim_restore_and_reopen
+} -body {
+  execsql {
+    INSERT INTO ft VALUES(zeroblob(10000));
+  }
+} -test {
+  faultsim_test_result {1 {datatype mismatch}}
+}
+
 #-------------------------------------------------------------------------
 reset_db