1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Mon, 16 Dec 2019 11:49:51 -0800
Subject: [PATCH 12/25] Fix buffer overread
Backports https://www.sqlite.org/src/info/e01fdbf9f700e1bd
Bug: 1028722, 1029027, 1029210, 1029506
---
third_party/sqlite/patched/ext/fts3/fts3_write.c | 6 +++++-
third_party/sqlite/patched/test/fts3corrupt4.test | 13 +++++++++++++
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/third_party/sqlite/patched/ext/fts3/fts3_write.c b/third_party/sqlite/patched/ext/fts3/fts3_write.c
index 953b9d86959e..47692c52c882 100644
--- a/third_party/sqlite/patched/ext/fts3/fts3_write.c
+++ b/third_party/sqlite/patched/ext/fts3/fts3_write.c
@@ -4844,13 +4844,17 @@ static int fts3IncrmergeHintPop(Blob *pHint, i64 *piAbsLevel, int *pnInput){
const int nHint = pHint->n;
int i;
- i = pHint->n-2;
+ i = pHint->n-1;
+ if( (pHint->a[i] & 0x80) ) return FTS_CORRUPT_VTAB;
while( i>0 && (pHint->a[i-1] & 0x80) ) i--;
+ if( i==0 ) return FTS_CORRUPT_VTAB;
+ i--;
while( i>0 && (pHint->a[i-1] & 0x80) ) i--;
pHint->n = i;
i += sqlite3Fts3GetVarint(&pHint->a[i], piAbsLevel);
i += fts3GetVarint32(&pHint->a[i], pnInput);
+ assert( i<=nHint );
if( i!=nHint ) return FTS_CORRUPT_VTAB;
return SQLITE_OK;
diff --git a/third_party/sqlite/patched/test/fts3corrupt4.test b/third_party/sqlite/patched/test/fts3corrupt4.test
index 7f1a59619b51..b5d9c138a5ea 100644
--- a/third_party/sqlite/patched/test/fts3corrupt4.test
+++ b/third_party/sqlite/patched/test/fts3corrupt4.test
@@ -5546,4 +5546,17 @@ do_catchsql_test 30.2 {
SELECT (matchinfo(null)) FROM t1 WHERE t1 MATCH 'ee*e*e*e*e*e*e*Re*e*e*e**'
} {1 {database disk image is malformed}}
+#-------------------------------------------------------------------------
+#
+reset_db
+do_catchsql_test 32.0 {
+ CREATE VIRTUAL TABLE f USING fts3(a,b,tokenize=icu);
+ CREATE TABLE 'f_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
+ CREATE TABLE 'f_stat'(id INTEGER PRIMARY KEY, value BLOB);
+ INSERT INTO f VALUES (1, '1234');
+ INSERT INTO f_stat VALUES (1,x'0000000165656565db6569746565c5c52bc5c5c53e3a003bc502ffffffffc5c5c53e3a003bc502fffffffffb8b2afbfb6565f0740100650000000165656565db6569746565c5c52bc5c5c53e3a003bc502ffffffffc5c5c53e3a003b8b00c5c5c5c5c5bfc5');
+ INSERT INTO f(f) VALUES ('merge=198,49');
+} {1 {database disk image is malformed}}
+
+
finish_test
--
2.25.0.rc1.283.g88dfdc4193-goog
|