1 From 89a3eac0dd55f34787abe98a509b7006fe2b7618 Mon Sep 17 00:00:00 2001 | |
2 From: cpu <cpu@chromium.org> | |
3 Date: Mon, 14 Sep 2009 17:37:35 +0000 | |
4 Subject: [PATCH 22/23] [fts2] Fix a crasher in full text search (sqlite) | |
5 | |
6 - If the xxx_segdir table gets corrupted, you can have non-contiguous indexes (i
dx). | |
7 - This causes an assertion in debug, and a crash later on on release | |
8 | |
9 With this change it will return 'corrupted db' | |
10 | |
11 We shall wait to get a couple more fixes to upstream to sqlite org. | |
12 | |
13 BUG=21377 | |
14 TEST=see bug | |
15 | |
16 Original review URL: https://codereview.chromium.org/203046 | |
17 | |
18 === | |
19 | |
20 Also slipstreams: | |
21 | |
22 fixup [open][fts2] Tweak Carlos' change to cater for the additional cases: | |
23 - More (ordered) segments than we expect - would previously cause stack-based | |
24 buffer overflow. | |
25 - Fewer segments than we expect, where the missing segments are a strict | |
26 truncation rather than missing in the middle. | |
27 | |
28 BUG=NONE | |
29 TEST=NONE | |
30 | |
31 Original review URL: https://codereview.chromium.org/209001/ | |
32 --- | |
33 third_party/sqlite/src/ext/fts2/fts2.c | 15 +++++++++++---- | |
34 1 file changed, 11 insertions(+), 4 deletions(-) | |
35 | |
36 diff --git a/third_party/sqlite/src/ext/fts2/fts2.c b/third_party/sqlite/src/ext
/fts2/fts2.c | |
37 index bdbd747..d5587b3 100644 | |
38 --- a/third_party/sqlite/src/ext/fts2/fts2.c | |
39 +++ b/third_party/sqlite/src/ext/fts2/fts2.c | |
40 @@ -1838,7 +1838,7 @@ static const char *const fulltext_zStatement[MAX_STMT] = { | |
41 /* SEGDIR_MAX_INDEX */ "select max(idx) from %_segdir where level = ?", | |
42 /* SEGDIR_SET */ "insert into %_segdir values (?, ?, ?, ?, ?, ?)", | |
43 /* SEGDIR_SELECT_LEVEL */ | |
44 - "select start_block, leaves_end_block, root from %_segdir " | |
45 + "select start_block, leaves_end_block, root, idx from %_segdir " | |
46 " where level = ? order by idx", | |
47 /* SEGDIR_SPAN */ | |
48 "select min(start_block), max(end_block) from %_segdir " | |
49 @@ -5287,16 +5287,19 @@ static int leavesReadersInit(fulltext_vtab *v, int iLeve
l, | |
50 sqlite_int64 iEnd = sqlite3_column_int64(s, 1); | |
51 const char *pRootData = sqlite3_column_blob(s, 2); | |
52 int nRootData = sqlite3_column_bytes(s, 2); | |
53 + sqlite_int64 iIndex = sqlite3_column_int64(s, 3); | |
54 | |
55 /* Corrupt if we get back different types than we stored. */ | |
56 + /* Also corrupt if the index is not sequential starting at 0. */ | |
57 if( sqlite3_column_type(s, 0)!=SQLITE_INTEGER || | |
58 sqlite3_column_type(s, 1)!=SQLITE_INTEGER || | |
59 - sqlite3_column_type(s, 2)!=SQLITE_BLOB ){ | |
60 + sqlite3_column_type(s, 2)!=SQLITE_BLOB || | |
61 + i!=iIndex || | |
62 + i>=MERGE_COUNT ){ | |
63 rc = SQLITE_CORRUPT_BKPT; | |
64 break; | |
65 } | |
66 | |
67 - assert( i<MERGE_COUNT ); | |
68 rc = leavesReaderInit(v, i, iStart, iEnd, pRootData, nRootData, | |
69 &pReaders[i]); | |
70 if( rc!=SQLITE_OK ) break; | |
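Review bot: The new idx column read at `sqlite_int64 iIndex = sqlite3_column_int64(s, 3);` is not type-checked the way columns 0–2 are, so a NULL or text idx is silently coerced (NULL becomes 0, which satisfies `i!=iIndex` being false for the first row) instead of being reported as corruption. Extending the existing condition with `sqlite3_column_type(s, 3)!=SQLITE_INTEGER ||` keeps the "different types than we stored" comment accurate for the added column. The `i>=MERGE_COUNT` test is what now bounds the write to `pReaders[i]` after the assert was dropped, which is worth stating next to it: `/* i>=MERGE_COUNT would write past the caller's fixed-size pReaders[] array. */`. leavesReadersInit starts and ends outside the hunk.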
71 @@ -5391,10 +5394,14 @@ static int segmentMerge(fulltext_vtab *v, int iLevel){ | |
72 memset(&lrs, '\0', sizeof(lrs)); | |
73 rc = leavesReadersInit(v, iLevel, lrs, &i); | |
74 if( rc!=SQLITE_OK ) return rc; | |
75 - assert( i==MERGE_COUNT ); | |
76 | |
77 leafWriterInit(iLevel+1, idx, &writer); | |
78 | |
79 + if( i!=MERGE_COUNT ){ | |
80 + rc = SQLITE_CORRUPT_BKPT; | |
81 + goto err; | |
82 + } | |
83 + | |
84 /* Since leavesReaderReorder() pushes readers at eof to the end, | |
85 ** when the first reader is empty, all will be empty. | |
86 */ | |
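Review bot: The `i!=MERGE_COUNT` check is placed after `leafWriterInit(iLevel+1, idx, &writer);` rather than directly after the `leavesReadersInit` call, presumably so the `err:` label can tear down both the readers in lrs and the writer; the label is outside the hunk, so this cannot be confirmed here. A one-line comment would make the ordering read as deliberate: `/* Checked after leafWriterInit so the err: path can release both lrs and writer. */`. The earlier `if( rc!=SQLITE_OK ) return rc;` returns without passing through err:, so if leavesReadersInit can partially initialize readers before failing, that exit relies on it cleaning up after itself — worth a glance now that it is the other corruption exit. segmentMerge's body continues outside the hunk.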
87 -- | |
88 2.2.1 | |
89 | |