Fix potential 32-bit integer overflow problems on the offset and length

parameters to sqlite3_blob_read() and sqlite3_blob_write(). For sqlite3_blob_open(), make sure the *ppBlob return parameter is zeroed if the interface fails with SQLITE_MISUSE. FossilOrigin-Name: 5df02f50f8348dfde4fc15126abc7b7ef7803e69
2025-11-11 01:42:22 +03:00 · 2015-02-07 15:16:35 +00:00
parent 0e55db1cd8
commit d10d18da5f
4 changed files with 38 additions and 11 deletions
--- a/14
+++ b/14
@@ -1,5 +1,5 @@
-C Change\sthe\sname\sof\s".info"\sto\s".dbinfo"\sand\sadd\san\soptional\ssecond\sargument\nwhich\sis\sthe\sATTACH-ed\sDB\sabout\swhich\sinformation\sis\sprovided.\s\sProvide\n".indexes"\sas\san\salternative\sname\sto\sthe\slegacy\s".indices"\scommand.
-D 2015-02-06T14:51:13.355
+C Fix\spotential\s32-bit\sinteger\soverflow\sproblems\son\sthe\soffset\sand\slength\nparameters\sto\ssqlite3_blob_read()\sand\ssqlite3_blob_write().\s\sFor\nsqlite3_blob_open(),\smake\ssure\sthe\s*ppBlob\sreturn\sparameter\sis\szeroed\sif\nthe\sinterface\sfails\swith\sSQLITE_MISUSE.
+D 2015-02-07T15:16:35.893
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 6b9e7677829aa94b9f30949656e27312aefb9a46
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -298,7 +298,7 @@ F src/vdbe.h 6fc69d9c5e146302c56e163cb4b31d1ee64a18c3
 F src/vdbeInt.h 9bb69ff2447c34b6ccc58b34ec35b615f86ead78
 F src/vdbeapi.c 4bc511a46b9839392ae0e90844a71dc96d9dbd71
 F src/vdbeaux.c 97911edb61074b871ec4aa2d6bb779071643dee5
-F src/vdbeblob.c 4af4bfb71f6df7778397b4a0ebc1879793276778
+F src/vdbeblob.c 4f2e8e075d238392df98c5e03a64342465b03f90
 F src/vdbemem.c 31d8eabb0cd78bfeab4e5124c7363c3e9e54db9f
 F src/vdbesort.c 6d64c5448b64851b99931ede980addc3af70d5e2
 F src/vdbetrace.c 7e4222955e07dd707a2f360c0eb73452be1cb010
@@ -638,7 +638,7 @@ F test/in3.test 3cbf58c87f4052cee3a58b37b6389777505aa0c0
 F test/in4.test d2b38cba404bc4320f4fe1b595b3d163f212c068
 F test/in5.test 1de657472fa9ac2924be25c2c959ac5ca1aae554
 F test/incrblob.test e81846d214f3637622620fbde7cd526781cfe328
-F test/incrblob2.test bf4d549aa4a466d7fbe3e3a3693d3861263d5600
+F test/incrblob2.test 0d8821730a84f90af78a9dd547fe7a2480a06240
 F test/incrblob3.test d8d036fde015d4a159cd3cbae9d29003b37227a4
 F test/incrblob4.test f26502a5697893e5acea268c910f16478c2f0fab
 F test/incrblob_err.test af1f12ba60d220c9752073ff2bda2ad59e88960d
@@ -1239,7 +1239,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 0a3100a7f264ffce6078c35e341f2f0af6c09fbb
-R a582dddcff23f4b3aa0ab625ed7ba566
+P 0f65a7e2e09f801b66897479d501607caeae4abf
+R a72e608518946b8cddba99b1913bccc8
 U drh
-Z 91c27780af6a4d5e0c7b8a8aa90c189d
+Z 826c67b7d3493617a37693ae1605b2c3
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-0f65a7e2e09f801b66897479d501607caeae4abf
+5df02f50f8348dfde4fc15126abc7b7ef7803e69
--- a/src/vdbeblob.c
+++ b/src/vdbeblob.c
@@ -154,12 +154,17 @@ int sqlite3_blob_open(
  Incrblob *pBlob = 0;

 #ifdef SQLITE_ENABLE_API_ARMOR
-  if( !sqlite3SafetyCheckOk(db) || ppBlob==0 || zTable==0 ){
+  if( ppBlob==0 ){
+    return SQLITE_MISUSE_BKPT;
+  }
+#endif
+  *ppBlob = 0;
+#ifdef SQLITE_ENABLE_API_ARMOR
+  if( !sqlite3SafetyCheckOk(db) || zTable==0 ){
    return SQLITE_MISUSE_BKPT;
  }
 #endif
  flags = !!flags;                /* flags = (flags ? 1 : 0); */
-  *ppBlob = 0;

  sqlite3_mutex_enter(db->mutex);

@@ -373,7 +378,7 @@ static int blobReadWrite(
  sqlite3_mutex_enter(db->mutex);
  v = (Vdbe*)p->pStmt;

-  if( n<0 || iOffset<0 || (iOffset+n)>p->nByte ){
+  if( n<0 || iOffset<0 || ((sqlite3_int64)iOffset+n)>p->nByte ){
    /* Request is out of range. Return a transient error. */
    rc = SQLITE_ERROR;
  }else if( v==0 ){
--- a/test/incrblob2.test
+++ b/test/incrblob2.test
@@ -324,12 +324,34 @@ do_test incrblob2-6.2 {
  sqlite3_blob_read $rdHandle 0 2
 } {AB}

+do_test incrblob2-6.2b {
+  set rc [catch {
+    # Prior to 2015-02-07, the following caused a segfault due to
+    # integer overflow.
+    sqlite3_blob_read $rdHandle 2147483647 2147483647
+  } errmsg]
+  lappend rc $errmsg
+} {1 SQLITE_ERROR}
+
 do_test incrblob2-6.3 {
  set wrHandle [db incrblob t1 data 1]
  sqlite3_blob_write $wrHandle 0 ZZZZZZZZZZ
  sqlite3_blob_read $rdHandle 2 4
 } {ZZZZ}

+do_test incrblob2-6.3b {
+  set rc [catch {
+    # Prior to 2015-02-07, the following caused a segfault due to
+    # integer overflow.
+    sqlite3_blob_write $wrHandle 2147483647 YYYYYYYYYYYYYYYYYY
+  } errmsg]
+  lappend rc $errmsg
+} {1 SQLITE_ERROR}
+do_test incrblob2-6.3c {
+  sqlite3_blob_read $rdHandle 2 4
+} {ZZZZ}
+
+
 do_test incrblob2-6.4 {
  close $wrHandle
  close $rdHandle