diff --git a/manifest b/manifest
index 3f879cecf6..3e1bf9a2fe 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sproblem\swith\sbytecode\sgeneration\swhen\sa\squery\sinvolves\stwo\sor\smore\nindexes\son\sexpressions\sconnected\sby\sOR.\nTicket\s[d96eba87698a428c1ddd0790ea04]
-D 2018-12-14T11:16:52.652
+C When\ssaving\sthe\sposition\sof\sa\scursor\sat\sthe\sb-tree\slayer,\sallocate\sa\sfew\sextra\nbytes\sat\sthe\send\sof\sthe\sbuffer\sused\sto\ssave\sthe\skey.\sOtherwise,\sif\sthe\skey\sis\ncorrupt,\sthe\scode\sthat\srestores\sthe\scursor\sposition\smay\soverread\sthe\sbuffer\sby\sa\nlittle.
+D 2018-12-14T13:18:35.216
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in d8b254f8bb81bab43c340d70d17dc3babab40fcc8a348c8255881f780a45fee6
@@ -448,7 +448,7 @@ F src/auth.c 0fac71038875693a937e506bceb492c5f136dd7b1249fbd4ae70b4e8da14f9df
 F src/backup.c 78d3cecfbe28230a3a9a1793e2ead609f469be43e8f486ca996006be551857ab
 F src/bitvec.c 17ea48eff8ba979f1f5b04cc484c7bb2be632f33
 F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6
-F src/btree.c 14b4b17b75af36e0431df2676205296bc234a634cf18798ad81f768b455b9e93
+F src/btree.c 89e9abe6a3f7461c8c5d44314b261e1dd29a31557d1dd91c72378bc0976fc1f6
 F src/btree.h febb2e817be499570b7a2e32a9bbb4b607a9234f6b84bb9ae84916d4806e96f2
 F src/btreeInt.h 620ab4c7235f43572cf3ac2ac8723cbdf68073be4d29da24897c7b77dda5fd96
 F src/build.c ef9d7dc73e40dd9d10c28848343e21e8bc1baaab92cfb75eda893fff4fbf6b55
@@ -773,7 +773,7 @@ F test/dataversion1.test 6e5e86ac681f0782e766ebcb56c019ae001522d114e0e111e5ebf68
 F test/date.test 9b73bbeb1b82d9c1f44dec5cf563bf7da58d2373
 F test/date2.test 74c234bece1b016e94dd4ef9c8cc7a199a8806c0e2291cab7ba64bace6350b10
 F test/dbfuzz.c 73047c920d6210e5912c87cdffd9a1c281d4252e
-F test/dbfuzz001.test 28f24ed01e9322f4c7aeba4c228f57e9e8ab6a96b474465e872425205a31b1b2
+F test/dbfuzz001.test 96b52856ffce5442e404847de33487db5ce49aa27778497a42328d5acf6859d7
 F test/dbfuzz2-seed1.db e6225c6f3d7b63f9c5b6867146a5f329d997ab105bee64644dc2b3a2f2aebaee
 F test/dbfuzz2.c b8ed9b32a1f287505e55970e55203bedcb9170f137ecefa2254033c9faccdfba
 F test/dbpage.test 650234ba683b9d82b899c6c51439819787e7609f17a0cc40e0080a7b6443bc38
@@ -1787,8 +1787,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P cc42dd15100db28a9796254f69a4e367ea5eae29f546be055017cf3e12aa66ba 89a25abfcd069aebdf817890e5c27f46de3000fb858ae01029e4528f9d677567
-R 6e4a89239ac2714d2f3e8e3c0f340ed6
-T +closed 89a25abfcd069aebdf817890e5c27f46de3000fb858ae01029e4528f9d677567
-U drh
-Z 4c06ed13d4147ae87910536f3d08fc7f
+P 7e4ed8b5c2047b69bbb037497111e56e465a4d9f8afca3b337f9ac744471dc4a
+R ba1eb44fdcbd375391cb2e9633b3bcc5
+U dan
+Z 7755266d0736215443f101017f7858b1
diff --git a/manifest.uuid b/manifest.uuid
index b4892511f2..14967ae5e6 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-7e4ed8b5c2047b69bbb037497111e56e465a4d9f8afca3b337f9ac744471dc4a
\ No newline at end of file
+160b1e31c0f27257c06c2987af9ec3a64abfacb2150325b72e8ccd3d217b5baa
\ No newline at end of file
diff --git a/src/btree.c b/src/btree.c
index 52b816fbe3..55518bd8a2 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -660,10 +660,15 @@ static int saveCursorKey(BtCursor *pCur){
 /* Only the rowid is required for a table btree */
 pCur->nKey = sqlite3BtreeIntegerKey(pCur);
 }else{
- /* For an index btree, save the complete key content */
+ /* For an index btree, save the complete key content. It is possible
+ ** that the current key is corrupt. In that case, it is possible that
+ ** the sqlite3VdbeRecordUnpack() function may overread the buffer by
+ ** up to the size of 1 varint plus 1 8-byte value when the cursor
+ ** position is restored. Hence the 17 bytes of padding allocated
+ ** below. */
 void *pKey;
 pCur->nKey = sqlite3BtreePayloadSize(pCur);
- pKey = sqlite3Malloc( pCur->nKey );
+ pKey = sqlite3Malloc( pCur->nKey + 9 + 8 );
 if( pKey ){
 rc = sqlite3BtreePayload(pCur, 0, (int)pCur->nKey, pKey);
 if( rc==SQLITE_OK ){
diff --git a/test/dbfuzz001.test b/test/dbfuzz001.test
index 75117f7291..0c19b06180 100644
--- a/test/dbfuzz001.test
+++ b/test/dbfuzz001.test
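Review bot: The 17 padding bytes added on `pKey = sqlite3Malloc( pCur->nKey + 9 + 8 );` are never written: sqlite3BtreePayload is asked for only `(int)pCur->nKey` bytes and sqlite3Malloc (unlike sqlite3MallocZero) does not clear what it returns, so the overread the new comment describes now lands on indeterminate heap bytes instead of out of bounds. If anything sqlite3VdbeRecordUnpack() decodes from those bytes feeds the comparison that restores the cursor, the result on a corrupt key depends on stale heap contents, which is nondeterministic and may still be reported by valgrind or MemorySanitizer; clearing the tail once after the successful allocation, e.g. `memset((char*)pKey + pCur->nKey, 0, 9+8);`, makes the behaviour on corruption repeatable. The two literals would also read better as one named constant whose definition carries the "1 varint plus 1 8-byte value" justification, so the comment's `17` and the code cannot drift apart. saveCursorKey continues past the end of this hunk, so the later use and release of pKey are not visible here.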
@@ -269,4 +269,87 @@ do_test dbfuzz001-200 {
 catchsql {INSERT INTO t3 SELECT * FROM t2;}
 } {1 {database disk image is malformed}}
+
+do_test dbfuzz001-110 {
+ sqlite3 db {}
+ db deserialize [decode_hexdb {
+| size 3584 pagesize 512 filename x/c02.db
+| page 1 offset 0
+| 0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 SQLite format 3.
+| 16: 02 00 01 01 00 40 20 20 00 00 00 0c 00 00 00 07 .....@ ........
+| 32: 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 04 ................
+| 48: 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 00 ................
+| 80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c ................
+| 96: 00 2e 2c 50 0d 00 00 00 06 01 06 00 01 da 01 b0 ..,P............
+| 112: 01 56 01 86 01 2a 01 06 00 00 00 00 00 00 00 00 .V...*..........
+| 256: 00 00 00 00 00 00 22 07 06 17 11 11 01 31 74 61 ......"......1ta
+| 272: 62 6c 65 74 34 74 34 07 43 52 45 41 54 45 20 54 blet4t4.CREATE T
+| 288: 41 42 4c 45 20 74 34 28 78 29 2a 06 06 17 13 11 ABLE t4(x)*.....
+| 304: 01 3f 69 6e 64 65 78 74 33 78 74 33 05 43 52 45 .?indext3xt3.CRE
+| 320: 41 54 45 20 49 4e 44 45 58 20 74 33 78 20 4f 4e ATE INDEX t3x ON
+| 336: 20 74 33 28 78 29 2e 04 06 17 15 11 01 45 69 6e t3(x).......Ein
+| 352: 64 65 78 74 32 63 64 74 32 05 43 52 45 41 54 45 dext2cdt2.CREATE
+| 368: 20 49 4e 44 45 58 20 74 32 63 64 20 4f 4e 20 74 INDEX t2cd ON t
+| 384: 32 28 63 2c 64 29 28 05 06 17 11 11 01 3d 74 61 2(c,d)(......=ta
+| 400: 62 6c 65 74 33 74 33 07 43 52 45 41 54 45 20 54 blet3t3.CREATE T
+| 416: 41 42 4c 45 20 74 33 28 63 2c 78 2c 65 2c 66 29 ABLE t3(c,x,e,f)
+| 432: 28 02 06 17 11 11 01 3d 74 61 74 65 6c 03 62 74 (......=tatel.bt
+| 448: 32 32 43 52 45 41 54 45 20 54 41 42 4c 45 20 74 22CREATE TABLE t
+| 464: 32 28 63 2c 64 2c 65 2c 66 29 24 01 06 17 11 11 2(c,d,e,f)$.....
+| 480: 01 35 74 61 62 6c 65 74 31 74 31 02 43 52 45 41 .5tablet1t1.CREA
+| 496: 54 45 20 54 41 42 4c 45 20 74 31 28 61 2c 62 29 TE TABLE t1(a,b)
+| page 2 offset 512
+| 0: 0d 00 00 00 04 01 cf 00 01 fa 01 f3 01 de 01 cf ................
+| 160: 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 .. .............
+| 448: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d ................
+| 464: 04 03 17 17 73 65 76 65 6e 65 69 67 68 74 13 03 ....seveneight..
+| 480: 03 07 07 40 14 00 00 00 00 00 00 40 18 00 00 00 ...@.......@....
+| 496: 00 00 00 05 02 03 01 01 03 04 04 01 03 09 01 02 ................
+| page 3 offset 1024
+| 0: 0d 00 00 00 08 01 54 00 01 f7 01 ec 01 c5 01 aa ......T.........
+| 16: 01 a1 01 96 01 6f 01 54 00 00 00 00 00 00 00 00 .....o.T........
+| 112: 00 00 dd 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+| 336: 00 00 00 00 19 08 05 17 17 17 17 65 69 67 68 74 ...........eight
+| 352: 65 69 67 68 74 73 65 76 65 6e 73 65 76 65 6e 25 eightsevenseven%
+| 368: 07 05 07 07 07 07 40 18 00 00 00 00 00 00 40 18 ......@.......@.
+| 384: 00 00 00 00 00 00 40 14 00 00 00 00 00 00 40 14 ......@.......@.
+| 400: 00 00 00 00 00 00 09 06 05 01 01 01 01 04 04 03 ................
+| 416: 03 07 05 05 01 01 09 09 02 02 19 04 05 17 17 17 ................
+| 432: 17 73 65 76 65 6e 65 69 67 68 74 65 69 67 68 74 .seveneighteight
+| 448: 73 65 76 65 6e 25 03 05 07 07 07 07 40 14 00 00 seven%......@...
+| 464: 00 00 00 00 40 18 00 00 00 00 00 00 40 18 00 00 ....@.......@...
+| 480: 00 00 00 00 40 14 00 00 00 00 00 00 09 02 05 01 ....@...........
+| 496: 01 01 01 03 04 04 03 07 01 05 09 01 01 09 02 02 ................
+| page 4 offset 1536
+| 0: 0d 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 ................
+| 192: 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 00 ................
+| 208: 00 e5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+| page 5 offset 2048
+| 0: 0a 00 00 00 08 01 96 00 01 fa 01 c4 01 f2 01 bc ................
+| 16: 01 dc 01 a6 01 96 01 cc 00 00 00 00 00 00 00 00 ................
+| 240: 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 ................
+| 400: 00 00 00 00 00 00 0f 04 17 07 01 65 69 67 68 74 ...........eight
+| 416: 65 69 67 68 74 08 15 04 07 07 01 40 18 00 00 00 eight......@....
+| 432: 00 00 00 40 18 00 00 00 00 00 00 07 07 04 01 01 ...@............
+| 448: 01 04 04 06 07 04 01 01 01 02 02 05 0f 04 17 17 ................
+| 464: 01 73 65 76 65 6e 65 69 67 68 74 04 15 04 07 07 .seveneight.....
+| 480: 01 40 14 00 00 00 00 00 00 40 18 00 00 00 00 00 .@.......@......
+| 496: 00 03 07 04 01 01 01 03 04 02 05 04 09 01 09 02 ................
+| page 6 offset 2560
+| 0: 0a 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 ................
+| 464: 00 00 00 00 00 00 00 00 00 00 7f 00 00 00 00 00 ................
+| page 7 offset 3072
+| 0: 0d 00 00 00 08 01 c2 00 01 fb 01 f6 01 f1 01 ec ................
+| 16: 01 e0 01 d4 01 cb 01 c2 00 00 00 00 00 00 00 00 ................
+| 448: 00 00 07 08 02 17 65 69 67 68 74 07 07 02 17 65 ......eight....e
+| 464: 69 67 68 74 0a 06 02 07 40 18 00 00 00 00 00 00 ight....@.......
+| 480: 0a 05 02 07 40 18 00 00 00 00 00 00 03 04 02 01 ....@...........
+| 496: 04 03 03 02 01 04 03 02 02 01 02 03 01 02 01 02 ................
+| end x/c02.db
+ }]
+ execsql {
+ DELETE FROM t3 WHERE x IN (SELECT x FROM t4);
+ }
+} {}
+
 
 finish_test
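Review bot: The new test is named `dbfuzz001-110` but is appended after `dbfuzz001-200`, so the test ids in this file no longer increase in file order and, if an earlier test already carries `-110` (not visible in this hunk), two tests would share a name and be indistinguishable in failure output. Renumbering it, e.g. `do_test dbfuzz001-210 {`, keeps the sequence monotonic. The only oracle is that the `DELETE` completes with an empty result, so the overread this case is meant to cover is observed only when the suite runs under a memory checker; a one-line comment above the test, such as `# Regression test for the saveCursorKey() buffer overread on a corrupt index key.`, would tell the next reader why this database image is here.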