Google Git
Sign in
chromium / chromium / src / 880eee1501175b7f667e1f6b864ae7801cc4f07d / . / third_party / sqlite / patches / 0008-Fix-Heap-use-after-free-in-releasePageNotNull.patch
blob: 9870dcc938b593d2aa546ab38e90fdbdbc5424cf [file] [log] [blame]
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 12 Mar 2019 17:30:33 -0700
Subject: [PATCH 08/15] Fix Heap-use-after-free in releasePageNotNull
This backports https://www.sqlite.org/src/info/b0d5cf40bba34e45
Bug: 936719
---
third_party/sqlite/patched/src/pager.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/third_party/sqlite/patched/src/pager.c b/third_party/sqlite/patched/src/pager.c
index efb9155f545d..6c21cc6172b9 100644
--- a/third_party/sqlite/patched/src/pager.c
+++ b/third_party/sqlite/patched/src/pager.c
@@ -7174,8 +7174,12 @@ int sqlite3PagerMovepage(Pager *pPager, DbPage *pPg, Pgno pgno, int isCommit){
*/
pPg->flags &= ~PGHDR_NEED_SYNC;
pPgOld = sqlite3PagerLookup(pPager, pgno);
- assert( !pPgOld || pPgOld->nRef==1 );
+ assert( !pPgOld || pPgOld->nRef==1 || CORRUPT_DB );
if( pPgOld ){
+ if( pPgOld->nRef>1 ){
+ sqlite3PagerUnrefNotNull(pPgOld);
+ return SQLITE_CORRUPT_BKPT;
+ }
pPg->flags |= (pPgOld->flags&PGHDR_NEED_SYNC);
if( pPager->tempFile ){
/* Do not discard pages from an in-memory database since we might
--
2.21.0.392.gf8f6787159e-goog