summaryrefslogtreecommitdiff
path: root/chromium/third_party/sqlite/patches/0012-Fix-buffer-overread.patch
blob: faea332557f78f0b852446788eab39c65a3541ae (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Mon, 16 Dec 2019 11:49:51 -0800
Subject: [PATCH 12/25] Fix buffer overread

Backports https://www.sqlite.org/src/info/e01fdbf9f700e1bd

Bug: 1028722, 1029027, 1029210, 1029506
---
 third_party/sqlite/patched/ext/fts3/fts3_write.c  |  6 +++++-
 third_party/sqlite/patched/test/fts3corrupt4.test | 13 +++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/third_party/sqlite/patched/ext/fts3/fts3_write.c b/third_party/sqlite/patched/ext/fts3/fts3_write.c
index 953b9d86959e..47692c52c882 100644
--- a/third_party/sqlite/patched/ext/fts3/fts3_write.c
+++ b/third_party/sqlite/patched/ext/fts3/fts3_write.c
@@ -4844,13 +4844,17 @@ static int fts3IncrmergeHintPop(Blob *pHint, i64 *piAbsLevel, int *pnInput){
   const int nHint = pHint->n;
   int i;
 
-  i = pHint->n-2;
+  i = pHint->n-1;
+  if( (pHint->a[i] & 0x80) ) return FTS_CORRUPT_VTAB;
   while( i>0 && (pHint->a[i-1] & 0x80) ) i--;
+  if( i==0 ) return FTS_CORRUPT_VTAB;
+  i--;
   while( i>0 && (pHint->a[i-1] & 0x80) ) i--;
 
   pHint->n = i;
   i += sqlite3Fts3GetVarint(&pHint->a[i], piAbsLevel);
   i += fts3GetVarint32(&pHint->a[i], pnInput);
+  assert( i<=nHint );
   if( i!=nHint ) return FTS_CORRUPT_VTAB;
 
   return SQLITE_OK;
diff --git a/third_party/sqlite/patched/test/fts3corrupt4.test b/third_party/sqlite/patched/test/fts3corrupt4.test
index 7f1a59619b51..b5d9c138a5ea 100644
--- a/third_party/sqlite/patched/test/fts3corrupt4.test
+++ b/third_party/sqlite/patched/test/fts3corrupt4.test
@@ -5546,4 +5546,17 @@ do_catchsql_test 30.2 {
   SELECT (matchinfo(null)) FROM t1 WHERE t1 MATCH 'ee*e*e*e*e*e*e*Re*e*e*e**'
 } {1 {database disk image is malformed}}
 
+#-------------------------------------------------------------------------
+#
+reset_db
+do_catchsql_test 32.0 {
+  CREATE VIRTUAL TABLE f USING fts3(a,b,tokenize=icu);
+  CREATE TABLE 'f_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
+  CREATE TABLE 'f_stat'(id INTEGER PRIMARY KEY, value BLOB);
+  INSERT INTO f VALUES (1, '1234');
+  INSERT INTO f_stat VALUES (1,x'0000000165656565db6569746565c5c52bc5c5c53e3a003bc502ffffffffc5c5c53e3a003bc502fffffffffb8b2afbfb6565f0740100650000000165656565db6569746565c5c52bc5c5c53e3a003bc502ffffffffc5c5c53e3a003b8b00c5c5c5c5c5bfc5');
+  INSERT INTO f(f) VALUES ('merge=198,49');
+} {1 {database disk image is malformed}}
+
+
 finish_test
-- 
2.25.0.rc1.283.g88dfdc4193-goog
View Lorry Controller Status