authordrh <drh@noemail.net>2014-03-26 16:22:38 +0000
committerdrh <drh@noemail.net>2014-03-26 16:22:38 +0000
commitcefb6ce1628b08fb52dafd1bb72c27a12d13c74b (patch)
tree6725df43f63bf3ac3a29976217ba7857cbc2f4b1
parent468108628c0399f0bc52f639b93317565badb3aa (diff)
Fix a potential buffer overread that could have occurred when searching
a corrupt database file. FossilOrigin-Name: db2935473eab91cde3c01353ae29e112ab0c7acb
-rw-r--r--manifest23
-rw-r--r--manifest.uuid2
-rw-r--r--src/vdbeaux.c1
-rw-r--r--test/corruptI.test37
4 files changed, 47 insertions, 16 deletions
diff --git a/manifest b/manifest
index 219399a93..59059e4a6 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Version\s3.8.4.1
-D 2014-03-11T15:27:36.923
+C Fix\sa\spotential\sbuffer\soverread\sthat\scould\shave\soccurred\swhen\ssearching\na\scorrupt\sdatabase\sfile.
+D 2014-03-26T16:22:38.603
F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
F Makefile.in 2ef13430cd359f7b361bb863504e227b25cc7f81
F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -282,7 +282,7 @@ F src/vdbe.c 5f0fffa9bf49a90c05dc3d46d8217603fd0ee00e
F src/vdbe.h fb2c48c198300a7c632f09fc940011d2ad2fc2ae
F src/vdbeInt.h e54fc4f289fce48e81b3371128446033d097733b
F src/vdbeapi.c 0ed6053f947edd0b30f64ce5aeb811872a3450a4
-F src/vdbeaux.c e45e3f9daf38c5be3fd39e9aacc1c9066af57a06
+F src/vdbeaux.c 714df4e1c82f629d39602fd5a0b6cace9b8832d6
F src/vdbeblob.c 15377abfb59251bccedd5a9c7d014a895f0c04aa
F src/vdbemem.c 6fc77594c60f6155404f3f8d71bf36d1fdeb4447
F src/vdbesort.c 46801acb342e5e4c07ba1777fe58880c143abb59
@@ -405,7 +405,7 @@ F test/corruptE.test 193b4ca4e927e77c1d5f4f56203ddc998432a7ee
F test/corruptF.test be9fde98e4c93648f1ba52b74e5318edc8f59fe4
F test/corruptG.test 58ec333a01997fe655e34e5bea52b7a2a6b9704d
F test/corruptH.test 88ed71a086e13591c917aac6de32750e7c7281cb
-F test/corruptI.test 88886ec9cd1bdba835263566bbf60ee009c6ea09
+F test/corruptI.test 1b796461e5b635e0a74e3c4ecb1121c82d319dff
F test/count.test 42a251178e32f617eda33f76236a7f79825a50b5
F test/coveridxscan.test cdb47d01acc4a634a34fd25abe85189e0d0f1e62
F test/crash.test fb9dc4a02dcba30d4aa5c2c226f98b220b2b959f
@@ -1156,10 +1156,13 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
F tool/warnings.sh d1a6de74685f360ab718efda6265994b99bbea01
F tool/win/sqlite.vsix 030f3eeaf2cb811a3692ab9c14d021a75ce41fff
-P 33f5694fa42d9a521ca081de4ddd1e9dc8952b16
-R 581994aed374f15c1c6bac5b0a9a5df5
-T +bgcolor * #d0c0ff
-T +sym-release *
-T +sym-version-3.8.4.1 *
+P 018d317b1257ce68a92908b05c9c7cf1494050d0
+Q +28ddecff044dbc2dff50a7d8406ab67dfe06587f
+Q +2b28e8d582cf10936fa1faca04a16ca2eeead66f
+Q +f585f5d7a0f9bf8c590388654a3638231eba8892
+R d3c352c55aee563c98af249e5e0d2457
+T *branch * branch-3.8.4
+T *sym-branch-3.8.4 *
+T -sym-trunk *
U drh
-Z c1ec45dc8a92b80bfa16f4c74ccfeec8
+Z 010e4636395249d78c141a982e21e290
diff --git a/manifest.uuid b/manifest.uuid
index 1f0b42178..5cb0ff0f9 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-018d317b1257ce68a92908b05c9c7cf1494050d0 \ No newline at end of file
+db2935473eab91cde3c01353ae29e112ab0c7acb \ No newline at end of file
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index a641a72ec..96fd4016d 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -3432,6 +3432,7 @@ int sqlite3VdbeRecordCompare(
}else{
idx1 = getVarint32(aKey1, szHdr1);
d1 = szHdr1;
+ if( d1>(unsigned)nKey1 ) return 1; /* Corruption */
i = 0;
}
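Review bot: The new guard on the `+` line turns a header size that exceeds the record into a plain "greater than" result with no indication that corruption was seen, so callers get a well-formed ordering for a malformed key; the accompanying test cases 1.2 and 1.3 (expecting `{0 {}}`) appear to rely on that silent outcome. If the function has a way to report corruption to its caller (an error field on the unpacked-record argument, if one exists), setting it here alongside the return would let the query surface SQLITE_CORRUPT instead of silently mis-sorting; otherwise the one-word comment should at least explain the choice, e.g. `/* Corruption: header claims more bytes than the record holds; sort it last rather than read past aKey1 */`. Whether getVarint32 itself can read past the end of a record shorter than the varint it decodes is not visible in this hunk. sqlite3VdbeRecordCompare begins and ends outside the hunk.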
diff --git a/test/corruptI.test b/test/corruptI.test
index 51cf64c9b..087a0f3b0 100644
--- a/test/corruptI.test
+++ b/test/corruptI.test
@@ -32,21 +32,48 @@ do_execsql_test 1.1 {
PRAGMA auto_vacuum=0;
CREATE TABLE t1(a);
CREATE INDEX i1 ON t1(a);
- INSERT INTO t1 VALUES('a');
+ INSERT INTO t1 VALUES('abcdefghijklmnop');
} {}
db close
do_test 1.2 {
set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
set off [expr 2*1024 + $offset + 1]
- hexio_write test.db $off FF06
-
- breakpoint
+ hexio_write test.db $off 7f06
+ sqlite3 db test.db
+ catchsql { SELECT * FROM t1 WHERE a = 10 }
+} {0 {}}
+do_test 1.3 {
+ db close
+ set offset [hexio_get_int [hexio_read test.db [expr 2*1024 + 8] 2]]
+ set off [expr 2*1024 + $offset + 1]
+ hexio_write test.db $off FFFF7f02
sqlite3 db test.db
catchsql { SELECT * FROM t1 WHERE a = 10 }
+} {0 {}}
+
+do_test 2.0 {
+ execsql {
+ CREATE TABLE r(x);
+ INSERT INTO r VALUES('ABCDEFGHIJK');
+ CREATE INDEX r1 ON r(x);
+ }
+ set pg [db one {SELECT rootpage FROM sqlite_master WHERE name = 'r1'}]
+} {5}
+
+do_test 2.1 {
+ db close
+ set offset [hexio_get_int [hexio_read test.db [expr (5-1)*1024 + 8] 2]]
+ set off [expr (5-1)*1024 + $offset + 1]
+ hexio_write test.db $off FFFF0004
+ sqlite3 db test.db
+ catchsql { SELECT * FROM r WHERE x >= 10.0 }
} {1 {database disk image is malformed}}
+do_test 2.2 {
+ catchsql { SELECT * FROM r WHERE x >= 10 }
+} {1 {database disk image is malformed}}
-finish_test
+finish_test
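Review bot: The byte strings written by the three `hexio_write` calls (`7f06`, `FFFF7f02`, `FFFF0004`) are not explained, so a reader cannot tell which cell or header field each one corrupts or why 1.2/1.3 are expected to succeed with `{0 {}}` while 2.1/2.2 must report `database disk image is malformed`. A one-line comment before each write naming the field being overwritten and the expected effect would make the intent of each case checkable against the C change. Note also that 2.0 pins the index root page to 5, which depends on the page layout produced by the earlier statements; a comment stating that assumption would help anyone adjusting the setup.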