| OLD | NEW |
|---|
| 1 From 88d98dd2627e3dad4685443441fcd99a6ba61642 Mon Sep 17 00:00:00 2001 | 1 From ce5e0e867ac54738b813c800cf1a0545258189bc Mon Sep 17 00:00:00 2001 |
| 2 From: Scott Hess <shess@chromium.org> | 2 From: Scott Hess <shess@chromium.org> |
| 3 Date: Thu, 26 May 2011 18:44:46 +0000 | 3 Date: Thu, 26 May 2011 18:44:46 +0000 |
| 4 Subject: [PATCH 15/23] [fts3] Interior node corruption detection. | 4 Subject: [PATCH 09/16] [fts3] Interior node corruption detection. |
| 5 | 5 |
| 6 In auditing as part of a previous import, I noticed this case which | 6 In auditing as part of a previous import, I noticed this case which |
| 7 seemed to allow for buffer overrun. The nPrefix check was commented out | 7 seemed to allow for buffer overrun. The nPrefix check was commented out |
| 8 because nBuffer wasn't always initialized, and I never circled back to | 8 because nBuffer wasn't always initialized, and I never circled back to |
| 9 resolve that. | 9 resolve that. |
| 10 | 10 |
| 11 It may be appropriate to just drop this patch, for now leaving it for | 11 It may be appropriate to just drop this patch, for now leaving it for |
| 12 consistency. | 12 consistency. |
| 13 | 13 |
| 14 BUG=84057, 83946 | 14 BUG=84057, 83946 |
| 15 | 15 |
| 16 Original review URLs: | 16 Original review URLs: |
| 17 http://codereview.chromium.org/7075014 | 17 http://codereview.chromium.org/7075014 |
| 18 http://codereview.chromium.org/6990047 (3.7.6.3 SQLite import) | 18 http://codereview.chromium.org/6990047 (3.7.6.3 SQLite import) |
| 19 --- | 19 --- |
| 20 third_party/sqlite/src/ext/fts3/fts3.c | 8 +++++++- | 20 third_party/sqlite/src/ext/fts3/fts3.c | 10 ++++++++-- |
| 21 1 file changed, 7 insertions(+), 1 deletion(-) | 21 1 file changed, 8 insertions(+), 2 deletions(-) |
| 22 | 22 |
| 23 diff --git a/third_party/sqlite/src/ext/fts3/fts3.c b/third_party/sqlite/src/ext
/fts3/fts3.c | 23 diff --git a/third_party/sqlite/src/ext/fts3/fts3.c b/third_party/sqlite/src/ext
/fts3/fts3.c |
| 24 index da55f2a..d11572a 100644 | 24 index dbd2835..3a1152d 100644 |
| 25 --- a/third_party/sqlite/src/ext/fts3/fts3.c | 25 --- a/third_party/sqlite/src/ext/fts3/fts3.c |
| 26 +++ b/third_party/sqlite/src/ext/fts3/fts3.c | 26 +++ b/third_party/sqlite/src/ext/fts3/fts3.c |
| 27 @@ -1230,7 +1230,13 @@ static int fts3ScanInteriorNode( | 27 @@ -1773,8 +1773,14 @@ static int fts3ScanInteriorNode( |
| 28 isFirstTerm = 0; | 28 isFirstTerm = 0; |
| 29 zCsr += sqlite3Fts3GetVarint32(zCsr, &nSuffix); | 29 zCsr += fts3GetVarint32(zCsr, &nSuffix); |
| 30 | 30 |
| 31 - if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){ | 31 - if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){ |
| 32 - rc = FTS_CORRUPT_VTAB; |
| 32 + /* NOTE(shess): Previous code checked for negative nPrefix and | 33 + /* NOTE(shess): Previous code checked for negative nPrefix and |
| 33 + ** nSuffix and suffix overrunning zEnd. Additionally corrupt if | 34 + ** nSuffix and suffix overrunning zEnd. Additionally corrupt if |
| 34 + ** the prefix is longer than the previous term, or if the suffix | 35 + ** the prefix is longer than the previous term, or if the suffix |
| 35 + ** causes overflow. | 36 + ** causes overflow. |
| 36 + */ | 37 + */ |
| 37 + if( nPrefix<0 || nSuffix<0 /* || nPrefix>nBuffer */ | 38 + if( nPrefix<0 || nSuffix<0 /* || nPrefix>nBuffer */ |
| 38 + || &zCsr[nSuffix]<zCsr || &zCsr[nSuffix]>zEnd ){ | 39 + || &zCsr[nSuffix]<zCsr || &zCsr[nSuffix]>zEnd ){ |
| 39 rc = SQLITE_CORRUPT; | 40 + rc = SQLITE_CORRUPT; |
| 40 goto finish_scan; | 41 goto finish_scan; |
| 41 } | 42 } |
| 43 if( nPrefix+nSuffix>nAlloc ){ |
| 42 -- | 44 -- |
| 43 2.2.1 | 45 2.2.1 |
| 44 | 46 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 901033002:
Import SQLite 3.8.7.4. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master