database/sqlite
database/sqlite
1
0
Fork 0
mirror of https://github.com/sqlite/sqlite.git synced 2025-06-10 17:21:47 +03:00
Code

Fix a use-after-free error that could occur if an fts5 table is written while scanning it using an fts5vocab cursor.

Browse Source 
FossilOrigin-Name: e751c2ec786b5c1a1c9640fdc3fde036879a2c32db2bd67fe7c72604780f67b8
This commit is contained in:
dan 2021-09-06 16:15:23 +00:00
parent 905b82d5f5
commit fb8ca7de0c
4 changed files with 67 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
ext/fts5/fts5_index.c
View File

@ -837,6 +837,40 @@ int sqlite3Fts5StructureTest(Fts5Index *p, void *pStruct){
return SQLITE_OK; return SQLITE_OK;
} }
/*
** Ensure that structure object (*pp) is writable.
**
** This function is a no-op if (*pRc) is not SQLITE_OK when it is called. If
** an error occurs, (*pRc) is set to an SQLite error code before returning.
*/
static void fts5StructureMakeWritable(int *pRc, Fts5Structure **pp){
Fts5Structure *p = *pp;
if( *pRc==SQLITE_OK && p->nRef>1 ){
int nByte = sizeof(Fts5Structure)+(p->nLevel-1)*sizeof(Fts5StructureLevel);
Fts5Structure *pNew;
pNew = (Fts5Structure*)sqlite3Fts5MallocZero(pRc, nByte);
if( pNew ){
int i;
memcpy(pNew, p, nByte);
for(i=0; i<p->nLevel; i++) pNew->aLevel[i].aSeg = 0;
for(i=0; i<p->nLevel; i++){
Fts5StructureLevel *pLvl = &pNew->aLevel[i];
int nByte = sizeof(Fts5StructureSegment) * pNew->aLevel[i].nSeg;
pLvl->aSeg = (Fts5StructureSegment*)sqlite3Fts5MallocZero(pRc, nByte);
if( pLvl->aSeg==0 ){
for(i=0; i<p->nLevel; i++){
sqlite3_free(pNew->aLevel[i].aSeg);
}
sqlite3_free(pNew);
return;
}
memcpy(pLvl->aSeg, p->aLevel[i].aSeg, nByte);
}
}
*pp = pNew;
}
}
/* /*
** Deserialize and return the structure record currently stored in serialized ** Deserialize and return the structure record currently stored in serialized
** form within buffer pData/nData. ** form within buffer pData/nData.
@ -938,9 +972,11 @@ static int fts5StructureDecode(
} }
/* /*
** ** Add a level to the Fts5Structure.aLevel[] array of structure object
** (*ppStruct).
*/ */
static void fts5StructureAddLevel(int *pRc, Fts5Structure **ppStruct){ static void fts5StructureAddLevel(int *pRc, Fts5Structure **ppStruct){
fts5StructureMakeWritable(pRc, ppStruct);
if( *pRc==SQLITE_OK ){ if( *pRc==SQLITE_OK ){
Fts5Structure *pStruct = *ppStruct; Fts5Structure *pStruct = *ppStruct;
int nLevel = pStruct->nLevel; int nLevel = pStruct->nLevel;

21
ext/fts5/test/fts5vocab2.test
View File

@ -255,6 +255,27 @@ do_test 5.1 {
do_execsql_test 5.2 { do_execsql_test 5.2 {
SELECT * FROM t1 SELECT * FROM t1
} {one two three four five} } {one two three four five}
#-------------------------------------------------------------------------
# Check that the fts5 table cannot be written while there are vocab
# cursors open.
reset_db
do_execsql_test 5.0 {
CREATE VIRTUAL TABLE t1 USING fts5(a);
CREATE VIRTUAL TABLE v1 USING fts5vocab(t1, instance);
WITH s(i) AS (
VALUES(1) UNION ALL SELECT i+1 FROM s WHERE i<10000
)
INSERT INTO t1 SELECT
'State Emergency Service (SES), Rural Fire Service (RFS) and Volunteers'
FROM s;
}
do_catchsql_test 5.1 {
INSERT INTO t1 SELECT rowid FROM v1
} {1 {query aborted}}
finish_test finish_test

16
manifest
View File

@ -1,5 +1,5 @@
C Fix\san\sissue\sin\sthe\s"shrink.test"\stest\sscript\sreported\sby\n[forum:/forumpost/90a74bd61861f58f|forum\spost\s90a74bd618]. C Fix\sa\suse-after-free\serror\sthat\scould\soccur\sif\san\sfts5\stable\sis\swritten\swhile\sscanning\sit\susing\san\sfts5vocab\scursor.
D 2021-09-06T15:59:32.983 D 2021-09-06T16:15:23.416
F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@ -119,7 +119,7 @@ F ext/fts5/fts5_buffer.c 89a51b37c4aa1c02c1ec24c18c55196c0693b29a752fedfd036938d
F ext/fts5/fts5_config.c 8336d0ff6db0933f63cfec8ae0ab76e68393259cbccc0b46e1f79f7fa1842ff3 F ext/fts5/fts5_config.c 8336d0ff6db0933f63cfec8ae0ab76e68393259cbccc0b46e1f79f7fa1842ff3
F ext/fts5/fts5_expr.c 6ea447b0cb1888110087a8c04133817b0ccf964fe22414371b0e32189a556533 F ext/fts5/fts5_expr.c 6ea447b0cb1888110087a8c04133817b0ccf964fe22414371b0e32189a556533
F ext/fts5/fts5_hash.c 1aa93c9b5f461afba66701ee226297dc78402b3bdde81e90a10de5fe3df14959 F ext/fts5/fts5_hash.c 1aa93c9b5f461afba66701ee226297dc78402b3bdde81e90a10de5fe3df14959
F ext/fts5/fts5_index.c 75249b8218dac9c9e7d62362e2be414c1399fdc380c838e5512e2042967b38c8 F ext/fts5/fts5_index.c 99d3242d8416c2bb0c8e6e44e9259aac4386ea9e4f6fd0c740733583b72a4a60
F ext/fts5/fts5_main.c 35ebbcae681a4a40027c47bc2e94d7e7c81e331dc406bb9b23c546454ee8f98a F ext/fts5/fts5_main.c 35ebbcae681a4a40027c47bc2e94d7e7c81e331dc406bb9b23c546454ee8f98a
F ext/fts5/fts5_storage.c 58ba71e6cd3d43a5735815e7956ee167babb4d2cbfe206905174792af4d09d75 F ext/fts5/fts5_storage.c 58ba71e6cd3d43a5735815e7956ee167babb4d2cbfe206905174792af4d09d75
F ext/fts5/fts5_tcl.c b1445cbe69908c411df8084a10b2485500ac70a9c747cdc8cda175a3da59d8ae F ext/fts5/fts5_tcl.c b1445cbe69908c411df8084a10b2485500ac70a9c747cdc8cda175a3da59d8ae
@ -229,7 +229,7 @@ F ext/fts5/test/fts5unindexed.test 9021af86a0fb9fc616f7a69a996db0116e7936d0db638
F ext/fts5/test/fts5update.test b8affd796e45c94a4d19ad5c26606ea06065a0f162a9562d9f005b5a80ccf0bc F ext/fts5/test/fts5update.test b8affd796e45c94a4d19ad5c26606ea06065a0f162a9562d9f005b5a80ccf0bc
F ext/fts5/test/fts5version.test c8f2cc105f0abf0224965f93e584633dee3e06c91478bc67e468f7cfdf97fd6a F ext/fts5/test/fts5version.test c8f2cc105f0abf0224965f93e584633dee3e06c91478bc67e468f7cfdf97fd6a
F ext/fts5/test/fts5vocab.test 7ed80d9af1ddaaa1637da05e406327b5aac250848bc604c1c1cc667908b87760 F ext/fts5/test/fts5vocab.test 7ed80d9af1ddaaa1637da05e406327b5aac250848bc604c1c1cc667908b87760
F ext/fts5/test/fts5vocab2.test c0a8397523561eb780b4f439e75d4969fade0ac40bc73e0c8fd2f3e065111161 F ext/fts5/test/fts5vocab2.test c9674cf0ffc0384162cdc78828189bb4ed4d54e2798063b5d737e50704a2db5c
F ext/fts5/tool/fts5speed.tcl b0056f91a55b2d1a3684ec05729de92b042e2f85 F ext/fts5/tool/fts5speed.tcl b0056f91a55b2d1a3684ec05729de92b042e2f85
F ext/fts5/tool/fts5txt2db.tcl c0d43c8590656f8240e622b00957b3a0facc49482411a9fdc2870b45c0c82f9f F ext/fts5/tool/fts5txt2db.tcl c0d43c8590656f8240e622b00957b3a0facc49482411a9fdc2870b45c0c82f9f
F ext/fts5/tool/loadfts5.tcl 95b03429ee6b138645703c6ca192c3ac96eaf093 F ext/fts5/tool/loadfts5.tcl 95b03429ee6b138645703c6ca192c3ac96eaf093
@ -1922,7 +1922,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
P b3cfe23bec0b95ca673802526704200e2396df715fdded72aa71addd7f47e0e1 P 6c3734edb2ecabd85a715c853ef58da39381af26d3dd32e53c068b4fcf6fb98f
R d804c1fe9dfdd55c91d9dd7be30deb33 R b61370b93af0502187f5ca4ecbb0c1a4
U drh U dan
Z c12e0d7a856c0cabe2857d56a3d90a01 Z 47ef5fcc5dc27245bda95f4b4ccf3ea9

2
manifest.uuid
View File

@ -1 +1 @@
6c3734edb2ecabd85a715c853ef58da39381af26d3dd32e53c068b4fcf6fb98f e751c2ec786b5c1a1c9640fdc3fde036879a2c32db2bd67fe7c72604780f67b8