A different approach to preventing buffer overreads when comparing a vector

of values with a corrupt index record that spans at least one overflow page. FossilOrigin-Name: 95eaa49f4ee071c7a0f690a695f1f2d1ebca68a8
2025-08-08 14:02:16 +03:00 · 2015-05-27 15:42:53 +00:00
parent a7298ac191 3548db7c13
commit f9705d4b66
3 changed files with 20 additions and 11 deletions
--- a/src/btree.c
+++ b/src/btree.c
@@ -4942,12 +4942,22 @@ int sqlite3BtreeMovetoUnpacked(
          /* The record flows over onto one or more overflow pages. In
          ** this case the whole cell needs to be parsed, a buffer allocated
          ** and accessPayload() used to retrieve the record into the
-          ** buffer before VdbeRecordCompare() can be called. */
+          ** buffer before VdbeRecordCompare() can be called. 
+          **
+          ** If the record is corrupt, the xRecordCompare routine may read
+          ** up to two varints past the end of the buffer. An extra 18 
+          ** bytes of padding is allocated at the end of the buffer in
+          ** case this happens.  */
          void *pCellKey;
          u8 * const pCellBody = pCell - pPage->childPtrSize;
          btreeParseCellPtr(pPage, pCellBody, &pCur->info);
          nCell = (int)pCur->info.nKey;
-          pCellKey = sqlite3Malloc( nCell );
+          testcase( nCell<0 );
+          if( nCell<2 ){
+            rc = SQLITE_CORRUPT_BKPT;
+            goto moveto_finish;
+          }
+          pCellKey = sqlite3Malloc( nCell+18 );
          if( pCellKey==0 ){
            rc = SQLITE_NOMEM;
            goto moveto_finish;