Avoid a buffer overread in fts3 that could occur when handling corrupt data structures. FossilOrigin-Name: 45f459d2fa4be97d9bbb970efbc0b5d40efaf93f52ed111fd0fcdc572c24327b (cherry picked from commit 822810b95a680e86f92d0d9e3a659e0dda8ce6d5) Cherry picks https://sqlite.org/src/info/45f459d2fa4be97d Bug: 1209517 Change-Id: I63542120e068b5254e6fce9f68830052c8eb2baf

commit: 09b4d6e90623cea239af64d3ba4dd9327ce99f23 [log] [tgz]
author: Darwin Huang <huangdarwin@chromium.org> Wed Jun 16 00:36:00 2021
committer: Darwin Huang <huangdarwin@chromium.org> Wed Jun 16 00:36:00 2021
tree: 2c7b2734f4d3ab13a28ab0d0e601cf4512a848e5
parent: 2be5a4e3efd34e2ffcbaa65b105802b1791dc752 [diff]
diff --git a/amalgamation/sqlite3.c b/amalgamation/sqlite3.c
index 647aff1..7f20d38 100644
--- a/amalgamation/sqlite3.c
+++ b/amalgamation/sqlite3.c

@@ -1188,7 +1188,7 @@
 */
 #define SQLITE_VERSION        "3.35.5"
 #define SQLITE_VERSION_NUMBER 3035005
-#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 9e7a11c4a75ee64b006a62512c8f39eaed02665428732fea717f0af6f847alt1"
+#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 7dd0b0cff3f06b1f1a3bc94233e1d1574288f3ed9bbc277639d2cc5713d0alt1"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -181733,8 +181733,8 @@
   int nNext                       /* Size of buffer zNext in bytes */
 ){
   int n;
-  UNUSED_PARAMETER(nNext);
-  for(n=0; n<nPrev && zPrev[n]==zNext[n]; n++);
+  for(n=0; n<nPrev && n<nNext && zPrev[n]==zNext[n]; n++);
+  assert_fts3_nc( n<nNext );
   return n;
 }
 
@@ -233739,7 +233739,7 @@
 /************** End of stmt.c ************************************************/
 #if __LINE__!=233740
 #undef SQLITE_SOURCE_ID
-#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 9e7a11c4a75ee64b006a62512c8f39eaed02665428732fea717f0af6f847alt2"
+#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 7dd0b0cff3f06b1f1a3bc94233e1d1574288f3ed9bbc277639d2cc5713d0alt2"
 #endif
 /* Return the source-id for this library */
 SQLITE_API const char *sqlite3_sourceid(void){ return SQLITE_SOURCE_ID; }

diff --git a/amalgamation/sqlite3.h b/amalgamation/sqlite3.h
index f7420b7..31e4fc4 100644
--- a/amalgamation/sqlite3.h
+++ b/amalgamation/sqlite3.h

@@ -125,7 +125,7 @@
 */
 #define SQLITE_VERSION        "3.35.5"
 #define SQLITE_VERSION_NUMBER 3035005
-#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 9e7a11c4a75ee64b006a62512c8f39eaed02665428732fea717f0af6f847alt1"
+#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 7dd0b0cff3f06b1f1a3bc94233e1d1574288f3ed9bbc277639d2cc5713d0alt1"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers

diff --git a/amalgamation_dev/sqlite3.c b/amalgamation_dev/sqlite3.c
index 50eb482..8226e44 100644
--- a/amalgamation_dev/sqlite3.c
+++ b/amalgamation_dev/sqlite3.c

@@ -1188,7 +1188,7 @@
 */
 #define SQLITE_VERSION        "3.35.5"
 #define SQLITE_VERSION_NUMBER 3035005
-#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 9e7a11c4a75ee64b006a62512c8f39eaed02665428732fea717f0af6f847alt1"
+#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 7dd0b0cff3f06b1f1a3bc94233e1d1574288f3ed9bbc277639d2cc5713d0alt1"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -182244,8 +182244,8 @@
   int nNext                       /* Size of buffer zNext in bytes */
 ){
   int n;
-  UNUSED_PARAMETER(nNext);
-  for(n=0; n<nPrev && zPrev[n]==zNext[n]; n++);
+  for(n=0; n<nPrev && n<nNext && zPrev[n]==zNext[n]; n++);
+  assert_fts3_nc( n<nNext );
   return n;
 }
 
@@ -234250,7 +234250,7 @@
 /************** End of stmt.c ************************************************/
 #if __LINE__!=234251
 #undef SQLITE_SOURCE_ID
-#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 9e7a11c4a75ee64b006a62512c8f39eaed02665428732fea717f0af6f847alt2"
+#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 7dd0b0cff3f06b1f1a3bc94233e1d1574288f3ed9bbc277639d2cc5713d0alt2"
 #endif
 /* Return the source-id for this library */
 SQLITE_API const char *sqlite3_sourceid(void){ return SQLITE_SOURCE_ID; }

diff --git a/amalgamation_dev/sqlite3.h b/amalgamation_dev/sqlite3.h
index f7420b7..31e4fc4 100644
--- a/amalgamation_dev/sqlite3.h
+++ b/amalgamation_dev/sqlite3.h

@@ -125,7 +125,7 @@
 */
 #define SQLITE_VERSION        "3.35.5"
 #define SQLITE_VERSION_NUMBER 3035005
-#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 9e7a11c4a75ee64b006a62512c8f39eaed02665428732fea717f0af6f847alt1"
+#define SQLITE_SOURCE_ID      "2021-04-19 18:32:05 7dd0b0cff3f06b1f1a3bc94233e1d1574288f3ed9bbc277639d2cc5713d0alt1"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers

diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
index bc42fc3..bd2f19d 100644
--- a/ext/fts3/fts3_write.c
+++ b/ext/fts3/fts3_write.c

@@ -2003,8 +2003,8 @@
   int nNext                       /* Size of buffer zNext in bytes */
 ){
   int n;
-  UNUSED_PARAMETER(nNext);
-  for(n=0; n<nPrev && zPrev[n]==zNext[n]; n++);
+  for(n=0; n<nPrev && n<nNext && zPrev[n]==zNext[n]; n++);
+  assert_fts3_nc( n<nNext );
   return n;
 }
 

diff --git a/manifest b/manifest
index db0a4d4..27be994 100644
--- a/manifest
+++ b/manifest

@@ -102,7 +102,7 @@
 F ext/fts3/fts3_tokenizer1.c 5c98225a53705e5ee34824087478cf477bdb7004
 F ext/fts3/fts3_unicode.c de426ff05c1c2e7bce161cf6b706638419c3a1d9c2667de9cb9dc0458c18e226
 F ext/fts3/fts3_unicode2.c 416eb7e1e81142703520d284b768ca2751d40e31fa912cae24ba74860532bf0f
-F ext/fts3/fts3_write.c a5159accfd88f85fd3fc2298286d7a9427a02d1ea9a52b7c79730cff7a0bc03f
+F ext/fts3/fts3_write.c 75b151c9b074c0f74f29ab4b843d1c272fd96a9e82556bca947ad2d0fc8ea41d
 F ext/fts3/fts3speed.tcl b54caf6a18d38174f1a6e84219950d85e98bb1e9
 F ext/fts3/mkfts3amal.tcl 252ecb7fe6467854f2aa237bf2c390b74e71f100
 F ext/fts3/tool/fts3cov.sh c331d006359456cf6f8f953e37f2b9c7d568f3863f00bb5f7eb87fea4ac01b73
@@ -971,7 +971,7 @@
 F test/fts3corrupt3.test 0d5b69a0998b4adf868cc301fc78f3d0707745f1d984ce044c205cdb764b491f
 F test/fts3corrupt4.test b71512ec391d39da96d60d01959e4e9f20d4237a964a94abcf5f5a2ad28378c1
 F test/fts3corrupt5.test 0549f85ec4bd22e992f645f13c59b99d652f2f5e643dac75568bfd23a6db7ed5
-F test/fts3corrupt6.test d5896a8d389bd824457772dc1e2d2023cd5c5cf8e42733607b5d632103018d8b
+F test/fts3corrupt6.test 938e5f118974c9169bb6ef9501b9d212e1124f2de1b5bf7e6499db870062dd9e
 F test/fts3cov.test 7eacdbefd756cfa4dc2241974e3db2834e9b372ca215880e00032222f32194cf
 F test/fts3d.test 2bd8c97bcb9975f2334147173b4872505b6a41359a4f9068960a36afe07a679f
 F test/fts3defer.test f4c20e4c7153d20a98ee49ee5f3faef624fefc9a067f8d8d629db380c4d9f1de

diff --git a/test/fts3corrupt6.test b/test/fts3corrupt6.test
index 5cb0a18..9db2188 100644
--- a/test/fts3corrupt6.test
+++ b/test/fts3corrupt6.test

@@ -62,6 +62,18 @@
   SELECT count(*) FROM t0 WHERE t0 MATCH '(1 NEAR 1) AND (aaaa OR 1)';
 } 1
 
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 3.0 {
+  CREATE VIRTUAL TABLE main.Table0 USING fts3();
+  INSERT INTO Table0 VALUES (1), (printf('%8.1280000X') ), (1), (printf('%8.1280000X') ), (1)  ;
+  INSERT INTO Table0 VALUES (0), (printf('%8.1280000X%8.1280000X') ), (1), (printf('%1280000.1280000X%#1280000.1280000E%8.1280000X') ), (1)  ;
+  INSERT INTO Table0 VALUES (1)  ;
+  UPDATE Table0_segdir SET start_block = 1;
+  INSERT INTO Table0 VALUES (1)  ;
+  INSERT INTO Table0(Table0) VALUES('merge=6,8');
+}
+
 set sqlite_fts3_enable_parentheses $saved_sqlite_fts3_enable_parentheses
 finish_test
commit	09b4d6e90623cea239af64d3ba4dd9327ce99f23	[log] [tgz]
author	Darwin Huang <huangdarwin@chromium.org>	Wed Jun 16 00:36:00 2021
committer	Darwin Huang <huangdarwin@chromium.org>	Wed Jun 16 00:36:00 2021
tree	2c7b2734f4d3ab13a28ab0d0e601cf4512a848e5
parent	2be5a4e3efd34e2ffcbaa65b105802b1791dc752 [diff]