database/sqlite
1
0
Fork 0
mirror of https://github.com/sqlite/sqlite.git synced 2025-08-05 15:55:57 +03:00
Code Activity

Avoid reading off the front of a page buffer when balancing a corrupt

Browse Source 
btree page.

FossilOrigin-Name: cb50509020d952fa9efed8df7fa08b07b71ae9bdbdefea216b6e660863291039
This commit is contained in:
drh
2019-01-14 05:48:10 +00:00
parent b10a50e7f8
commit d12db3dabb
3 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
manifest
View File

@@ -1,5 +1,5 @@
C In\sdbfuzz2,\savoid\susing\sa\smalloc\sin\sthe\sLLVMFuzzerInitialize()\sinitializer\nroutine,\sso\sthat\sno\smemory\sleaks\sare\sreported.\s\sAlso,\sshow\sthe\sversion\sof\nSQLite\sbeing\sused\swhen\sthe\s-v\soption\sis\son. C Avoid\sreading\soff\sthe\sfront\sof\sa\spage\sbuffer\swhen\sbalancing\sa\scorrupt\nbtree\spage.
D 2019-01-13T20:23:34.262 D 2019-01-14T05:48:10.140
F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
F Makefile.in 45a3fef4d325ac0220c2172aeec4e4321da351f073f3b8e8ddea655f49ef6f2b F Makefile.in 45a3fef4d325ac0220c2172aeec4e4321da351f073f3b8e8ddea655f49ef6f2b
@@ -453,7 +453,7 @@ F src/auth.c 0fac71038875693a937e506bceb492c5f136dd7b1249fbd4ae70b4e8da14f9df
F src/backup.c 78d3cecfbe28230a3a9a1793e2ead609f469be43e8f486ca996006be551857ab F src/backup.c 78d3cecfbe28230a3a9a1793e2ead609f469be43e8f486ca996006be551857ab
F src/bitvec.c 17ea48eff8ba979f1f5b04cc484c7bb2be632f33 F src/bitvec.c 17ea48eff8ba979f1f5b04cc484c7bb2be632f33
F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6 F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6
F src/btree.c d2ee84255b7372e6a70447f3e260eadfca38d25b1039cf88341df4225cbb3e0e F src/btree.c a1030989a43bb21fde08fbe26e201009b70956560e5663317106f75c45937ac9
F src/btree.h febb2e817be499570b7a2e32a9bbb4b607a9234f6b84bb9ae84916d4806e96f2 F src/btree.h febb2e817be499570b7a2e32a9bbb4b607a9234f6b84bb9ae84916d4806e96f2
F src/btreeInt.h 620ab4c7235f43572cf3ac2ac8723cbdf68073be4d29da24897c7b77dda5fd96 F src/btreeInt.h 620ab4c7235f43572cf3ac2ac8723cbdf68073be4d29da24897c7b77dda5fd96
F src/build.c b1e24f1deedee07955cad9c56928cdafa7df1615746688e817bfe0b020a68576 F src/build.c b1e24f1deedee07955cad9c56928cdafa7df1615746688e817bfe0b020a68576
@@ -1798,7 +1798,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
P 97e723d746eeb2159f5bf1701532271ac6a4620879c82d496f4499c178b64479 P 824f93246988ffa213bbd41a7de08886999b1a8ae00fdf6b9767acb6e3ec6a1f
R 018cc9497956b71ce50ebe4039e4c70b R 2f2adf3a3a2ba32a22ec63d497830a09
U drh U drh
Z e7be8d96bead9a75143219194f67e213 Z 39dac29da4f114d88e1d1d0c8c22da61

2
manifest.uuid
View File

@@ -1 +1 @@
824f93246988ffa213bbd41a7de08886999b1a8ae00fdf6b9767acb6e3ec6a1f cb50509020d952fa9efed8df7fa08b07b71ae9bdbdefea216b6e660863291039

9
src/btree.c
View File

@@ -6663,9 +6663,16 @@ static void insertCell(
assert( idx >= pPage->cellOffset+2*pPage->nCell+2 || CORRUPT_DB ); assert( idx >= pPage->cellOffset+2*pPage->nCell+2 || CORRUPT_DB );
assert( idx+sz <= (int)pPage->pBt->usableSize ); assert( idx+sz <= (int)pPage->pBt->usableSize );
pPage->nFree -= (u16)(2 + sz); pPage->nFree -= (u16)(2 + sz);
memcpy(&data[idx], pCell, sz);
if( iChild ){ if( iChild ){
/* In a corrupt database where an entry in the cell index section of
** a btree page has a value of 3 or less, the pCell value might point
** as many as 4 bytes in front of the start of the aData buffer for
** the source page. Make sure this does not cause problems by not
** reading the first 4 bytes */
memcpy(&data[idx+4], pCell+4, sz-4);
put4byte(&data[idx], iChild); put4byte(&data[idx], iChild);
}else{
memcpy(&data[idx], pCell, sz);
} }
pIns = pPage->aCellIdx + i*2; pIns = pPage->aCellIdx + i*2;
memmove(pIns+2, pIns, 2*(pPage->nCell - i)); memmove(pIns+2, pIns, 2*(pPage->nCell - i));