Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(53)

Side by Side Diff: third_party/sqlite/patches/0008-fts3-Interior-node-corruption-detection.patch

Issue 2751253002: [sql] Import SQLite 3.17.0. (Closed)
Patch Set: also clang on Linux i386 Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
(Empty)
1 From 3141c2a626c531ba20ec54397a09fb6b88d07c4a Mon Sep 17 00:00:00 2001
2 From: Scott Hess <shess@chromium.org>
3 Date: Thu, 26 May 2011 18:44:46 +0000
4 Subject: [PATCH 08/10] [fts3] Interior node corruption detection.
5
6 In auditing as part of a previous import, I noticed this case which
7 seemed to allow for buffer overrun. The nPrefix check was commented out
8 because nBuffer wasn't always initialized, and I never circled back to
9 resolve that.
10
11 It may be appropriate to just drop this patch, for now leaving it for
12 consistency.
13
14 BUG=84057, 83946
15
16 Original review URLs:
17 http://codereview.chromium.org/7075014
18 http://codereview.chromium.org/6990047 (3.7.6.3 SQLite import)
19 ---
20 third_party/sqlite/src/ext/fts3/fts3.c | 10 ++++++++--
21 1 file changed, 8 insertions(+), 2 deletions(-)
22
23 diff --git a/third_party/sqlite/src/ext/fts3/fts3.c b/third_party/sqlite/src/ext /fts3/fts3.c
24 index 4f2ebb8..8f15099 100644
25 --- a/third_party/sqlite/src/ext/fts3/fts3.c
26 +++ b/third_party/sqlite/src/ext/fts3/fts3.c
27 @@ -1822,8 +1822,14 @@ static int fts3ScanInteriorNode(
28 isFirstTerm = 0;
29 zCsr += fts3GetVarint32(zCsr, &nSuffix);
30
31 - if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){
32 - rc = FTS_CORRUPT_VTAB;
33 + /* NOTE(shess): Previous code checked for negative nPrefix and
34 + ** nSuffix and suffix overrunning zEnd. Additionally corrupt if
35 + ** the prefix is longer than the previous term, or if the suffix
36 + ** causes overflow.
37 + */
38 + if( nPrefix<0 || nSuffix<0 /* || nPrefix>nBuffer */
39 + || &zCsr[nSuffix]<zCsr || &zCsr[nSuffix]>zEnd ){
40 + rc = SQLITE_CORRUPT;
41 goto finish_scan;
42 }
43 if( nPrefix+nSuffix>nAlloc ){
44 --
45 2.7.0
46
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698