blob: 69a628211b94e82bdc6e320ad79214393ac254b4 [file] [log] [blame]
From 3141c2a626c531ba20ec54397a09fb6b88d07c4a Mon Sep 17 00:00:00 2001
From: Scott Hess <shess@chromium.org>
Date: Thu, 26 May 2011 18:44:46 +0000
Subject: [PATCH 08/10] [fts3] Interior node corruption detection.
In auditing as part of a previous import, I noticed this case which
seemed to allow for buffer overrun. The nPrefix check was commented out
because nBuffer wasn't always initialized, and I never circled back to
resolve that.
It may be appropriate to just drop this patch, for now leaving it for
consistency.
BUG=84057, 83946
Original review URLs:
http://codereview.chromium.org/7075014
http://codereview.chromium.org/6990047 (3.7.6.3 SQLite import)
---
third_party/sqlite/src/ext/fts3/fts3.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/third_party/sqlite/src/ext/fts3/fts3.c b/third_party/sqlite/src/ext/fts3/fts3.c
index 4f2ebb8..8f15099 100644
--- a/third_party/sqlite/src/ext/fts3/fts3.c
+++ b/third_party/sqlite/src/ext/fts3/fts3.c
@@ -1822,8 +1822,14 @@ static int fts3ScanInteriorNode(
isFirstTerm = 0;
zCsr += fts3GetVarint32(zCsr, &nSuffix);
- if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){
- rc = FTS_CORRUPT_VTAB;
+ /* NOTE(shess): Previous code checked for negative nPrefix and
+ ** nSuffix and suffix overrunning zEnd. Additionally corrupt if
+ ** the prefix is longer than the previous term, or if the suffix
+ ** causes overflow.
+ */
+ if( nPrefix<0 || nSuffix<0 /* || nPrefix>nBuffer */
+ || &zCsr[nSuffix]<zCsr || &zCsr[nSuffix]>zEnd ){
+ rc = SQLITE_CORRUPT;
goto finish_scan;
}
if( nPrefix+nSuffix>nAlloc ){
--
2.7.0