path: root/third_party/sqlite/patches/0009-fts3-Interior-node-corruption-detection.patch
blob: 99b17b855a588e16113f3acf67a02ddae0f131ef (plain)
From ce5e0e867ac54738b813c800cf1a0545258189bc Mon Sep 17 00:00:00 2001
From: Scott Hess <shess@chromium.org>
Date: Thu, 26 May 2011 18:44:46 +0000
Subject: [PATCH 09/16] [fts3] Interior node corruption detection.

In auditing as part of a previous import, I noticed this case which
seemed to allow for buffer overrun.  The nPrefix check was commented out
because nBuffer wasn't always initialized, and I never circled back to
resolve that.

It may be appropriate to just drop this patch, for now leaving it for
consistency.

BUG=84057, 83946

Original review URLs:
http://codereview.chromium.org/7075014
http://codereview.chromium.org/6990047 (3.7.6.3 SQLite import)
---
 third_party/sqlite/src/ext/fts3/fts3.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/third_party/sqlite/src/ext/fts3/fts3.c b/third_party/sqlite/src/ext/fts3/fts3.c
index dbd2835..3a1152d 100644
--- a/third_party/sqlite/src/ext/fts3/fts3.c
+++ b/third_party/sqlite/src/ext/fts3/fts3.c
@@ -1773,8 +1773,14 @@ static int fts3ScanInteriorNode(
     isFirstTerm = 0;
     zCsr += fts3GetVarint32(zCsr, &nSuffix);
     
-    if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){
-      rc = FTS_CORRUPT_VTAB;
+    /* NOTE(shess): Previous code checked for negative nPrefix and
+    ** nSuffix and suffix overrunning zEnd.  Additionally corrupt if
+    ** the prefix is longer than the previous term, or if the suffix
+    ** causes overflow.
+    */
+    if( nPrefix<0 || nSuffix<0 /* || nPrefix>nBuffer */
+     || &zCsr[nSuffix]<zCsr || &zCsr[nSuffix]>zEnd ){
+      rc = SQLITE_CORRUPT;
       goto finish_scan;
     }
     if( nPrefix+nSuffix>nAlloc ){
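Review bot: The new overflow guard `&zCsr[nSuffix]<zCsr` relies on first forming a pointer past the end of the node buffer and then comparing it, which is undefined behaviour in C and a comparison a compiler is free to fold away once `nSuffix<0` has been excluded; the robust form compares lengths rather than pointers, e.g. `if( nPrefix<0 || nSuffix<0 || nSuffix>(zEnd-zCsr) )`, which covers both the wrap and the past-`zEnd` cases without out-of-bounds pointer arithmetic. The NOTE comment also states the code is "corrupt if the prefix is longer than the previous term", but that check (`nPrefix>nBuffer`) is still commented out, so the comment promises more than the condition enforces; either wire the check up once `nBuffer` is reliably initialised or reword the comment to say the check is pending. Finally, the return code changes from `FTS_CORRUPT_VTAB` to `SQLITE_CORRUPT` without the commit message explaining why; if the extended code is intentionally dropped, say so, otherwise keep the original constant so callers see the same error as the other corruption paths in this file.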
-- 
2.2.1