
Take extra care to avoid an OOB read caused by a corrupt b-tree page.

FossilOrigin-Name: 04925dee41a21ffca9a9f9df27d8165431668c42c2b33d08b077fdb28011170b
This commit is contained in:
dan
2017-10-19 15:17:38 +00:00
parent c1abf2d360
commit f2f72a0f9f
5 changed files with 129 additions and 15 deletions


@@ -4824,7 +4824,7 @@ static const void *fetchPayload(
BtCursor *pCur, /* Cursor pointing to entry to read from */
u32 *pAmt /* Write the number of available bytes here */
){
u32 amt;
int amt;
assert( pCur!=0 && pCur->iPage>=0 && pCur->pPage);
assert( pCur->eState==CURSOR_VALID );
assert( sqlite3_mutex_held(pCur->pBtree->db->mutex) );
@@ -4833,9 +4833,14 @@ static const void *fetchPayload(
assert( pCur->info.nSize>0 );
assert( pCur->info.pPayload>pCur->pPage->aData || CORRUPT_DB );
assert( pCur->info.pPayload<pCur->pPage->aDataEnd ||CORRUPT_DB);
amt = (int)(pCur->pPage->aDataEnd - pCur->info.pPayload);
if( pCur->info.nLocal<amt ) amt = pCur->info.nLocal;
*pAmt = amt;
amt = pCur->info.nLocal;
if( amt>(int)(pCur->pPage->aDataEnd - pCur->info.pPayload) ){
/* There is too little space on the page for the expected amount
** of local content. Database must be corrupt. */
assert( CORRUPT_DB );
amt = MAX(0, (int)(pCur->pPage->aDataEnd - pCur->info.pPayload));
}
*pAmt = (u32)amt;
return (void*)pCur->info.pPayload;
}
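Review bot: After the clamp in the second hunk, fetchPayload() can store 0 in *pAmt while still returning pCur->info.pPayload, which on a corrupt page may lie at or beyond pCur->pPage->aDataEnd; the fix therefore only holds if every caller checks *pAmt before touching a single byte, and the function's header comment (above the hunk, outside this view) should state that contract. Suggested wording there: `** On a corrupt page *pAmt may be zero and the returned pointer need not point into the page; callers must never read beyond *pAmt bytes.` The `(int)(pCur->pPage->aDataEnd - pCur->info.pPayload)` cast is sound only because the page size bounds the difference, so a short why-comment such as `/* page size bounds the difference; the int cast cannot overflow */` next to the comparison would help the next reader. Changing amt from u32 to int (first hunk) is what makes the MAX(0, …) clamp work for a negative difference, so the two hunks should be read together.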