Make sure signed integer overflow does not cause a segfault while attempting
to read a corrupt database where the header size varint on a record is larger than the maximum 32-bit signed integer. FossilOrigin-Name: c3baca99f4580652afb2c3f73036ab83796a1557
15
manifest
15
manifest
@@ -1,5 +1,5 @@
|
||||
C Add\stest\scase\sfor\sthe\sproblem\sfixed\sby\s[127a5b776d].
|
||||
D 2013-08-01T17:43:35.105
|
||||
C Make\ssure\ssigned\sinteger\soverflow\sdoes\snot\scause\sa\ssegfault\swhile\sattempting\nto\sread\sa\scorrupt\sdatabase\swhere\sthe\sheader\ssize\svarint\son\sa\srecord\sis\slarger\nthan\sthe\smaximum\s32-bit\ssigned\sinteger.
|
||||
D 2013-08-01T19:17:39.891
|
||||
F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
|
||||
F Makefile.in 5e41da95d92656a5004b03d3576e8b226858a28e
|
||||
F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
|
||||
@@ -281,7 +281,7 @@ F src/vdbe.c d6048a720c197db2f0e7d618e918bd2e2eff0322
|
||||
F src/vdbe.h f380af2a7fab32ba8a8b05bf042497636afec66d
|
||||
F src/vdbeInt.h e9b7c6b165a31a4715c5aa97223d20d265515231
|
||||
F src/vdbeapi.c 4d13580bd058b39623e8fcfc233b7df4b8191e8b
|
||||
F src/vdbeaux.c c01594ecf5a78ef41a721f3465152bb91883a942
|
||||
F src/vdbeaux.c ca0c9d4b5104a3b4e4cf3c557d661938f15e68ac
|
||||
F src/vdbeblob.c 5dc79627775bd9a9b494dd956e26297946417d69
|
||||
F src/vdbemem.c 833005f1cbbf447289f1973dba2a0c2228c7b8ab
|
||||
F src/vdbesort.c 3937e06b2a0e354500e17dc206ef4c35770a5017
|
||||
@@ -395,6 +395,7 @@ F test/corruptC.test 62a767fe64acb1975f58cc6171192839c783edbb
|
||||
F test/corruptD.test 3b09903a2e2fe07ecafe775fea94177f8a4bb34f
|
||||
F test/corruptE.test d3a3d7e864a95978195741744dda4abfd8286018
|
||||
F test/corruptF.test 1c7b6f77cf3f237fb7fbb5b61d6c921fd4c7b993
|
||||
F test/corruptG.test 01d94538a0666808dae1b4010f24c25becee13af
|
||||
F test/count.test 454e1ce985c94d13efeac405ce54439f49336163
|
||||
F test/coveridxscan.test cdb47d01acc4a634a34fd25abe85189e0d0f1e62
|
||||
F test/crash.test fb9dc4a02dcba30d4aa5c2c226f98b220b2b959f
|
||||
@@ -1103,7 +1104,7 @@ F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
|
||||
F tool/warnings.sh fbc018d67fd7395f440c28f33ef0f94420226381
|
||||
F tool/wherecosttest.c f407dc4c79786982a475261866a161cd007947ae
|
||||
F tool/win/sqlite.vsix 97894c2790eda7b5bce3cc79cb2a8ec2fde9b3ac
|
||||
P 127a5b776d16e1e23c5b3d454f6aaea67f1ded3a
|
||||
R 55095a68bf1e6bed6cc6b3606b16b8da
|
||||
U dan
|
||||
Z 4a8fdbd96b68de3d602c8482b890b1d9
|
||||
P 65816718b59b286c11d939235a23c7325f25594b
|
||||
R 40beea5b8511a37f010f0f7e67aa8773
|
||||
U drh
|
||||
Z a89405d573d1d6b7d75b24ed5c21bc2d
|
||||
|
||||
@@ -1 +1 @@
|
||||
65816718b59b286c11d939235a23c7325f25594b
|
||||
c3baca99f4580652afb2c3f73036ab83796a1557
|
||||
@@ -2990,7 +2990,7 @@ int sqlite3VdbeRecordCompare(
|
||||
int nKey1, const void *pKey1, /* Left key */
|
||||
UnpackedRecord *pPKey2 /* Right key */
|
||||
){
|
||||
int d1; /* Offset into aKey[] of next data element */
|
||||
u32 d1; /* Offset into aKey[] of next data element */
|
||||
u32 idx1; /* Offset into aKey[] of next header element */
|
||||
u32 szHdr1; /* Number of bytes in header */
|
||||
int i = 0;
|
||||
@@ -3024,7 +3024,7 @@ int sqlite3VdbeRecordCompare(
|
||||
|
||||
/* Read the serial types for the next element in each key. */
|
||||
idx1 += getVarint32( aKey1+idx1, serial_type1 );
|
||||
if( d1>=nKey1 && sqlite3VdbeSerialTypeLen(serial_type1)>0 ) break;
|
||||
if( d1>=(u32)nKey1 && sqlite3VdbeSerialTypeLen(serial_type1)>0 ) break;
|
||||
|
||||
/* Extract the values to be compared.
|
||||
*/
|
||||
|
||||
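Review bot: The new guard `d1>=(u32)nKey1` bounds only the data offset; the header read just above it, `idx1 += getVarint32( aKey1+idx1, serial_type1 )`, is not checked against nKey1 in either hunk. If the loop condition outside the hunk is driven by szHdr1, a corrupt header size larger than the key would still let idx1 advance past the end of aKey1, so I would compare the two once after szHdr1 is decoded, along the lines of `if( szHdr1>(u32)nKey1 ){ /* corrupt record: stop comparing */ }`. The cast also relies on nKey1 never being negative, which `assert( nKey1>=0 );` beside the declarations would make explicit. The body of sqlite3VdbeRecordCompare starts and ends outside both hunks, so the existing bounds on idx1 need confirming there.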
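--- a/test/corruptG.test
+++ b/test/corruptG.test
@@ -0,0 +1,56 @@
+# 2013-08-01
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix corruptG
+
+# Do not use a codec for tests in this file, as the database file is
+# manipulated directly using tcl scripts (using the [hexio_write] command).
+#
+do_not_use_codec
+
+# Create a simple database with a single entry. Then corrupt the
+# header-size varint on the index payload so that it maps into a
+# negative number. Try to use the database.
+#
+
+do_execsql_test 1.1 {
+PRAGMA page_size=512;
+CREATE TABLE t1(a,b,c);
+INSERT INTO t1(rowid,a,b,c) VALUES(2,'abc','xyz','123');
+CREATE INDEX t1abc ON t1(a,b,c);
+}
+
+# Corrupt the file
+db close
+hexio_write test.db [expr {3*512 - 15}] 888080807f
+sqlite3 db test.db
+
+# Try to use the file.
+do_test 1.2 {
+catchsql {
+SELECT c FROM t1 WHERE a>'abc';
+}
+} {0 {}}
+do_test 1.3 {
+catchsql {
+PRAGMA integrity_check
+}
+} {0 ok}
+do_test 1.4 {
+catchsql {
+SELECT c FROM t1 ORDER BY a;
+}
+} {1 {database disk image is malformed}}
+
+finish_test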
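Review bot: Tests 1.2 and 1.3 expect success (`{0 {}}` and `{0 ok}`) on a file the script has just corrupted, and nothing says whether that is intended or simply what the current code does. A reader could take 1.3 as evidence that `PRAGMA integrity_check` vouches for this file, so I would add a comment before `do_test 1.2` such as `# The damaged header-size varint is not noticed by 1.2 or by integrity_check; only the ORDER BY query in 1.4 reports corruption.` The offset `3*512 - 15` also depends on the page layout produced by 1.1; a short comment naming the page and record it targets would keep the test from silently missing its target if that layout ever changes.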