| From 0eeedaeb8c90b61873e984cb005a9713bb659340 Mon Sep 17 00:00:00 2001 |
| From: Scott Hess <shess@chromium.org> |
| Date: Thu, 26 May 2011 18:44:46 +0000 |
| Subject: [PATCH 07/10] [fts3] Interior node corruption detection. |
| |
| In auditing as part of a previous import, I noticed this case which |
| seemed to allow for buffer overrun. The nPrefix check was commented out |
| because nBuffer wasn't always initialized, and I never circled back to |
| resolve that. |
| |
| It may be appropriate to just drop this patch, for now leaving it for |
| consistency. |
| |
| BUG=84057, 83946 |
| |
| Original review URLs: |
| http://codereview.chromium.org/7075014 |
| http://codereview.chromium.org/6990047 (3.7.6.3 SQLite import) |
| --- |
| third_party/sqlite/src/ext/fts3/fts3.c | 9 +++++++-- |
| 1 file changed, 7 insertions(+), 2 deletions(-) |
| |
| diff --git a/third_party/sqlite/src/ext/fts3/fts3.c b/third_party/sqlite/src/ext/fts3/fts3.c |
| index 215278a823bb..4fbbf4f1580e 100644 |
| --- a/third_party/sqlite/src/ext/fts3/fts3.c |
| +++ b/third_party/sqlite/src/ext/fts3/fts3.c |
| @@ -1859,8 +1859,13 @@ static int fts3ScanInteriorNode( |
| isFirstTerm = 0; |
| zCsr += fts3GetVarint32(zCsr, &nSuffix); |
| |
| - assert( nPrefix>=0 && nSuffix>=0 ); |
| - if( &zCsr[nSuffix]>zEnd ){ |
| + /* NOTE(shess): Previous code checked for negative nPrefix and |
| + ** nSuffix and suffix overrunning zEnd. Additionally corrupt if |
| + ** the prefix is longer than the previous term, or if the suffix |
| + ** causes overflow. |
| + */ |
| + if( nPrefix<0 || nSuffix<0 /* || nPrefix>nBuffer */ |
| + || &zCsr[nSuffix]<zCsr || &zCsr[nSuffix]>zEnd ){ |
| rc = FTS_CORRUPT_VTAB; |
| goto finish_scan; |
| } |
| -- |
| 2.14.0 |
