1 From 3141c2a626c531ba20ec54397a09fb6b88d07c4a Mon Sep 17 00:00:00 2001 | 1 From 03fa0b12103886a82be1093fd147406133c33795 Mon Sep 17 00:00:00 2001 |
2 From: Scott Hess <shess@chromium.org> | 2 From: Scott Hess <shess@chromium.org> |
3 Date: Thu, 26 May 2011 18:44:46 +0000 | 3 Date: Thu, 26 May 2011 18:44:46 +0000 |
4 Subject: [PATCH 08/10] [fts3] Interior node corruption detection. | 4 Subject: [PATCH 07/10] [fts3] Interior node corruption detection. |
5 | 5 |
6 In auditing as part of a previous import, I noticed this case which | 6 In auditing as part of a previous import, I noticed this case which |
7 seemed to allow for buffer overrun. The nPrefix check was commented out | 7 seemed to allow for buffer overrun. The nPrefix check was commented out |
8 because nBuffer wasn't always initialized, and I never circled back to | 8 because nBuffer wasn't always initialized, and I never circled back to |
9 resolve that. | 9 resolve that. |
10 | 10 |
11 It may be appropriate to just drop this patch, for now leaving it for | 11 It may be appropriate to just drop this patch, for now leaving it for |
12 consistency. | 12 consistency. |
13 | 13 |
14 BUG=84057, 83946 | 14 BUG=84057, 83946 |
15 | 15 |
16 Original review URLs: | 16 Original review URLs: |
17 http://codereview.chromium.org/7075014 | 17 http://codereview.chromium.org/7075014 |
18 http://codereview.chromium.org/6990047 (3.7.6.3 SQLite import) | 18 http://codereview.chromium.org/6990047 (3.7.6.3 SQLite import) |
19 --- | 19 --- |
20 third_party/sqlite/src/ext/fts3/fts3.c | 10 ++++++++-- | 20 third_party/sqlite/src/ext/fts3/fts3.c | 8 +++++++- |
21 1 file changed, 8 insertions(+), 2 deletions(-) | 21 1 file changed, 7 insertions(+), 1 deletion(-) |
22 | 22 |
23 diff --git a/third_party/sqlite/src/ext/fts3/fts3.c b/third_party/sqlite/src/ext /fts3/fts3.c | 23 diff --git a/third_party/sqlite/src/ext/fts3/fts3.c b/third_party/sqlite/src/ext /fts3/fts3.c |
24 index 4f2ebb8..8f15099 100644 | 24 index 9659815da93a..4b032271148e 100644 |
25 --- a/third_party/sqlite/src/ext/fts3/fts3.c | 25 --- a/third_party/sqlite/src/ext/fts3/fts3.c |
26 +++ b/third_party/sqlite/src/ext/fts3/fts3.c | 26 +++ b/third_party/sqlite/src/ext/fts3/fts3.c |
27 @@ -1822,8 +1822,14 @@ static int fts3ScanInteriorNode( | 27 @@ -1844,7 +1844,13 @@ static int fts3ScanInteriorNode( |
28 isFirstTerm = 0; | 28 isFirstTerm = 0; |
29 zCsr += fts3GetVarint32(zCsr, &nSuffix); | 29 zCsr += fts3GetVarint32(zCsr, &nSuffix); |
30 | 30 |
31 - if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){ | 31 - if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){ |
32 - rc = FTS_CORRUPT_VTAB; | |
33 + /* NOTE(shess): Previous code checked for negative nPrefix and | 32 + /* NOTE(shess): Previous code checked for negative nPrefix and |
34 + ** nSuffix and suffix overrunning zEnd. Additionally corrupt if | 33 + ** nSuffix and suffix overrunning zEnd. Additionally corrupt if |
35 + ** the prefix is longer than the previous term, or if the suffix | 34 + ** the prefix is longer than the previous term, or if the suffix |
36 + ** causes overflow. | 35 + ** causes overflow. |
37 + */ | 36 + */ |
38 + if( nPrefix<0 || nSuffix<0 /* || nPrefix>nBuffer */ | 37 + if( nPrefix<0 || nSuffix<0 /* || nPrefix>nBuffer */ |
39 + || &zCsr[nSuffix]<zCsr || &zCsr[nSuffix]>zEnd ){ | 38 + || &zCsr[nSuffix]<zCsr || &zCsr[nSuffix]>zEnd ){ |
40 + rc = SQLITE_CORRUPT; | 39 rc = FTS_CORRUPT_VTAB; |
Scott Hess - ex-Googler
2017/03/16 00:40:57
This was wrong, before, changing FTS_CORRUPT_VTAB
41 goto finish_scan; | 40 goto finish_scan; |
42 } | 41 } |
43 if( nPrefix+nSuffix>nAlloc ){ | |
44 -- | 42 -- |
45 2.7.0 | 43 2.11.0 |
46 | 44 |
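Review bot: The overflow guard `&zCsr[nSuffix]<zCsr` added in the new condition depends on pointer arithmetic wrapping, which is undefined behavior in C once `&zCsr[nSuffix]` leaves the node buffer, so a compiler may fold that comparison to false and the check does not reliably reject an oversized nSuffix. Because nSuffix<0 is already rejected on the same line, the bound can be written as an integer comparison against the bytes remaining in the node, `if( nPrefix<0 || nSuffix<0 || nSuffix>(zEnd-zCsr) ){`, which is well-defined for every nSuffix value fts3GetVarint32 can produce. The nPrefix>nBuffer comparison is still commented out, so, as the description itself notes, a corrupt prefix length longer than the previous term is not rejected here; if nBuffer cannot be relied on at this point, tracking the previous term's length explicitly would make that check enableable. fts3ScanInteriorNode starts and ends outside the hunk.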