author | Michal Klocek <michal.klocek@qt.io> | 2020-06-11 07:58:33 +0200 |
committer | Michal Klocek <michal.klocek@qt.io> | 2020-06-11 07:49:02 +0000 |
commit | 1def46aafc2173530c07a10293c5f5d7c3da8362 (patch) | |
tree | fb04378cca5d903155ab71a881895ac65cf49f67 | |
parent | 3a8febfdab725bf92b453dcd61cda85203a745e8 (diff) | |
[Backport] Security Bug 1070012 1/5
Improved detection of corruption in the interior
nodes of a segment btree in FTS3/4.
Backports: https://www.sqlite.org/src/info/cc99447ac9231661
Reviewed-On: https://crrev.com/c/2155486
FossilOrigin-Name: cc99447ac923166104e8a7c75088ed95279f4491b30cfa37dc3ee5e005dd9fac
(cherry picked from commit b3f0d92b918b9c79b2fbce26bf08eae10aef890f)
Bug: 1057441
Change-Id: I4c7d32720577ad106a438d87ba6ba467feeb932a
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/sqlite/amalgamation/sqlite3.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.c b/chromium/third_party/sqlite/amalgamation/sqlite3.c
index 4d60a82f6d7..4d2e554f1b3 100644
--- a/chromium/third_party/sqlite/amalgamation/sqlite3.c
+++ b/chromium/third_party/sqlite/amalgamation/sqlite3.c
@@ -166300,7 +166300,7 @@ static int fts3ScanInteriorNode(
   i64 nAlloc = 0; /* Size of allocated buffer */
   int isFirstTerm = 1; /* True when processing first term on page */
   sqlite3_int64 iChild; /* Block id of child node to descend to */
-
+  int nBuffer = 0; /* Total term size */
   /* Skip over the 'height' varint that occurs at the start of every
   ** interior node. Then load the blockid of the left-child of the b-tree
   ** node into variable iChild.
@@ -166324,12 +166324,15 @@ static int fts3ScanInteriorNode(
     int cmp; /* memcmp() result */
     int nSuffix; /* Size of term suffix */
     int nPrefix = 0; /* Size of term prefix */
-    int nBuffer; /* Total term size */
 
     /* Load the next term on the node into zBuffer. Use realloc() to expand
     ** the size of zBuffer if required.  */
     if( !isFirstTerm ){
       zCsr += fts3GetVarint32(zCsr, &nPrefix);
+      if( nPrefix>nBuffer ){
+        rc = FTS_CORRUPT_VTAB;
+        goto finish_scan;
+      }
     }
     isFirstTerm = 0;
     zCsr += fts3GetVarint32(zCsr, &nSuffix);
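Review bot: The new `if( nPrefix>nBuffer )` guard in the second hunk only bounds anything because `nBuffer` was hoisted out of the `while` loop and now carries the previous term's total length across iterations, but the statement that assigns `nBuffer` (presumably `nBuffer = nPrefix + nSuffix` later in the loop body) lies outside this hunk, so the diff alone does not show what the comparison is against; a comment above the check would make the invariant explicit: `/* nBuffer is the previous term's length; a prefix longer than that is corrupt */`. The `/* Total term size */` comment kept on the hoisted declaration in the first hunk no longer describes its cross-iteration role and could read `/* Size of the previous term in zBuffer; 0 before the first term */`. On the first term the check is skipped via `isFirstTerm` and `nPrefix` stays 0, which agrees with the `= 0` initialiser. The added `goto finish_scan` relies on that label releasing `zBuffer` on the corruption path; the label is not visible here, so confirm it frees the buffer rather than leaking it. fts3ScanInteriorNode begins before the first hunk and continues past the last.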