Fix a potential buffer overread in the dbstat virtual table when processing

a corrupt database file. FossilOrigin-Name: a62e6b593b59eae44d299842a4d02b9346a0c72a3e1206882f304ab40f2cd5c5
2025-11-12 13:01:09 +03:00 · 2018-11-13 20:21:52 +00:00
parent 91a21f4d08
commit f9dc5f7726
3 changed files with 8 additions and 7 deletions
--- a/12
+++ b/12
@@ -1,5 +1,5 @@
-C Turn\son\sASAN\sfor\sthe\sdbfuzz2\sutility.\s\sFix\sa\sbuffer\soverread\sassociated\nwith\ssqlite3_deserialize().
-D 2018-11-13T19:51:41.357
+C Fix\sa\spotential\sbuffer\soverread\sin\sthe\sdbstat\svirtual\stable\swhen\sprocessing\na\scorrupt\sdatabase\sfile.
+D 2018-11-13T20:21:52.241
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in b730006b54c990461d864c5387f2e6f13aadb0236804555fb010ed6865a5f058
@@ -456,7 +456,7 @@ F src/complete.c a3634ab1e687055cd002e11b8f43eb75c17da23e
 F src/ctime.c 109e58d00f62e8e71ee1eb5944ac18b90171c928ab2e082e058056e1137cc20b
 F src/date.c ebe1dc7c8a347117bb02570f1a931c62dd78f4a2b1b516f4837d45b7d6426957
 F src/dbpage.c cfa87c8a9e3b5267a72faa3a592a497cd3810146c056c53a3472caf763c8556b
-F src/dbstat.c 9ad3f2d9d19a915d414870b9405b19493eed41975f3ad0d13f70fdd0831853b4
+F src/dbstat.c d54c2449d03f7d8a2e11a18f50364520ae1e364457fddb5e4dd79450bad428a0
 F src/delete.c cec65c0e74be7492cafba1b77580732b0b1a41a4dbc4ac70909ac44b65b2a20b
 F src/expr.c 9aacc0b72348ba90010b672dcbbbe2fa56e1182043bc917a3a147b2bc57a5497
 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007
@@ -1778,7 +1778,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P f9755f81b1c0fd29f242dce78a2fba570fa2714d76e93b8563f426a040352513
-R 98a6d1adc30b12dd5c82022baece83c9
+P 4e38f27b55030e908bd36f32101e26b30f10dbde67e12c8197d0363ee12aa06d
+R a67b2811aa07e1e1e0992fd02687f209
 U drh
-Z 74a6937661c8cfdeda0ca01cd02a14d0
+Z 582daefcbaa8d9f654e4fc231aaea0cb
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-4e38f27b55030e908bd36f32101e26b30f10dbde67e12c8197d0363ee12aa06d
+a62e6b593b59eae44d299842a4d02b9346a0c72a3e1206882f304ab40f2cd5c5
--- a/src/dbstat.c
+++ b/src/dbstat.c
@@ -397,6 +397,7 @@ static int statDecodePage(Btree *pBt, StatPage *p){
        if( nPayload>(u32)nLocal ){
          int j;
          int nOvfl = ((nPayload - nLocal) + nUsable-4 - 1) / (nUsable - 4);
+          if( iOff+nLocal>nUsable ) goto statPageIsCorrupt;
          pCell->nLastOvfl = (nPayload-nLocal) - (nOvfl-1) * (nUsable-4);
          pCell->nOvfl = nOvfl;
          pCell->aOvfl = sqlite3_malloc64(sizeof(u32)*nOvfl);