authorMichal Klocek <michal.klocek@qt.io>2020-06-11 07:58:33 +0200
committerMichal Klocek <michal.klocek@qt.io>2020-06-11 07:49:02 +0000
commit1def46aafc2173530c07a10293c5f5d7c3da8362 (patch)
treefb04378cca5d903155ab71a881895ac65cf49f67
parent3a8febfdab725bf92b453dcd61cda85203a745e8 (diff)
downloadqtwebengine-chromium-1def46aafc2173530c07a10293c5f5d7c3da8362.tar.gz
[Backport] Security Bug 1070012 1/5
Improved detection of corruption in the interior nodes of a segment btree in FTS3/4. Backports: https://www.sqlite.org/src/info/cc99447ac9231661 Reviewed-On: https://crrev.com/c/2155486 FossilOrigin-Name: cc99447ac923166104e8a7c75088ed95279f4491b30cfa37dc3ee5e005dd9fac (cherry picked from commit b3f0d92b918b9c79b2fbce26bf08eae10aef890f) Bug: 1057441 Change-Id: I4c7d32720577ad106a438d87ba6ba467feeb932a Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/sqlite/amalgamation/sqlite3.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.c b/chromium/third_party/sqlite/amalgamation/sqlite3.c
index 4d60a82f6d7..4d2e554f1b3 100644
--- a/chromium/third_party/sqlite/amalgamation/sqlite3.c
+++ b/chromium/third_party/sqlite/amalgamation/sqlite3.c
@@ -166300,7 +166300,7 @@ static int fts3ScanInteriorNode(
i64 nAlloc = 0; /* Size of allocated buffer */
int isFirstTerm = 1; /* True when processing first term on page */
sqlite3_int64 iChild; /* Block id of child node to descend to */
-
+ int nBuffer = 0; /* Total term size */
/* Skip over the 'height' varint that occurs at the start of every
** interior node. Then load the blockid of the left-child of the b-tree
** node into variable iChild.
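Review bot: The hoisted declaration `int nBuffer = 0;` on the new side replaces the blank line that separated the local declarations from the comment block, so the variable now runs straight into the "Skip over the 'height' varint" comment, and its trailing comment no longer says why it moved out of the loop. Keep the separator and state the reason, since the second hunk reads `nBuffer` before the current term's size is computed: `int nBuffer = 0; /* Total term size; carried across iterations so the next term's prefix can be bounded */`. The enclosing function fts3ScanInteriorNode starts before and ends after this hunk, so any remaining uses of nBuffer past the visible lines cannot be checked here.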
@@ -166324,12 +166324,15 @@ static int fts3ScanInteriorNode(
int cmp; /* memcmp() result */
int nSuffix; /* Size of term suffix */
int nPrefix = 0; /* Size of term prefix */
- int nBuffer; /* Total term size */
/* Load the next term on the node into zBuffer. Use realloc() to expand
** the size of zBuffer if required. */
if( !isFirstTerm ){
zCsr += fts3GetVarint32(zCsr, &nPrefix);
+ if( nPrefix>nBuffer ){
+ rc = FTS_CORRUPT_VTAB;
+ goto finish_scan;
+ }
}
isFirstTerm = 0;
zCsr += fts3GetVarint32(zCsr, &nSuffix);