From ce5e0e867ac54738b813c800cf1a0545258189bc Mon Sep 17 00:00:00 2001 From: Scott Hess Date: Thu, 26 May 2011 18:44:46 +0000 Subject: [PATCH 09/16] [fts3] Interior node corruption detection. In auditing as part of a previous import, I noticed this case which seemed to allow for buffer overrun. The nPrefix check was commented out because nBuffer wasn't always initialized, and I never circled back to resolve that. It may be appropriate to just drop this patch, for now leaving it for consistency. BUG=84057, 83946 Original review URLs: http://codereview.chromium.org/7075014 http://codereview.chromium.org/6990047 (3.7.6.3 SQLite import) --- third_party/sqlite/src/ext/fts3/fts3.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/third_party/sqlite/src/ext/fts3/fts3.c b/third_party/sqlite/src/ext/fts3/fts3.c index dbd2835..3a1152d 100644 --- a/third_party/sqlite/src/ext/fts3/fts3.c +++ b/third_party/sqlite/src/ext/fts3/fts3.c @@ -1773,8 +1773,14 @@ static int fts3ScanInteriorNode( isFirstTerm = 0; zCsr += fts3GetVarint32(zCsr, &nSuffix); - if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){ - rc = FTS_CORRUPT_VTAB; + /* NOTE(shess): Previous code checked for negative nPrefix and + ** nSuffix and suffix overrunning zEnd. Additionally corrupt if + ** the prefix is longer than the previous term, or if the suffix + ** causes overflow. + */ + if( nPrefix<0 || nSuffix<0 /* || nPrefix>nBuffer */ + || &zCsr[nSuffix]zEnd ){ + rc = SQLITE_CORRUPT; goto finish_scan; } if( nPrefix+nSuffix>nAlloc ){ -- 2.2.1