Avoid a buffer overread in fts5 that could occur when parsing corrupt configuration records.

FossilOrigin-Name: 355afd77df21a2265871ca6d075f26b1fa121c7c2682cf512281944ff0c2186d
2025-08-01 06:27:03 +03:00 · 2019-12-10 03:40:11 +00:00
parent b5f6243f6d
commit db5ed35609
4 changed files with 15 additions and 10 deletions
--- a/ext/fts5/fts5_config.c
+++ b/ext/fts5/fts5_config.c
@ -150,7 +150,7 @@ static int fts5Dequote(char *z){
  assert( q=='[' || q=='\'' || q=='"' || q=='`' );
  if( q=='[' ) q = ']';  

-  while( ALWAYS(z[iIn]) ){
+  while( z[iIn] ){
    if( z[iIn]==q ){
      if( z[iIn+1]!=q ){
        /* Character iIn was the close quote. */
--- a/ext/fts5/test/fts5eb.test
+++ b/ext/fts5/test/fts5eb.test
@ -75,6 +75,11 @@ do_catchsql_test 2.5 {
  SELECT fts5_expr(NULL, NULL)
 } {1 {parse error in ""}}

+for {set i 0} {$i < 255} {incr i} {
+  do_test 2.6.$i {
+    lindex [catchsql {sELECT fts5_expr(NULL, char($i));}] 0
+  } 1
+}

 do_execsql_test 3.0 {
  CREATE VIRTUAL TABLE e1 USING fts5(text, tokenize = 'porter unicode61');