Fix a potential buffer overread in fts5 triggered by a corrupt databa…

…se record.
timerz98 · Jul 25, 2019 · f03c9c6 · f03c9c6
1 parent d238a9c
commit f03c9c6
Show file tree

Hide file tree

Showing 2 changed files with 208 additions and 0 deletions.
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
@@ -690,6 +690,7 @@ static Fts5Data *fts5DataRead(Fts5Index *p, i64 iRowid){
       }else{
         /* TODO1: Fix this */
         pRet->p[nByte] = 0x00;
+        pRet->p[nByte+1] = 0x00;
         pRet->szLeaf = fts5GetU16(&pRet->p[2]);
       }
     }

diff --git a/ext/fts5/test/fts5corrupt3.test b/ext/fts5/test/fts5corrupt3.test
@@ -9161,6 +9161,213 @@ do_catchsql_test 62.1 {
     INSERT INTO t1(a) SELECT randomblob(2829) FROM c;
 } {0 {}}
 
+#---------------------------------------------------------------------------
+do_test 63.0 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+.open --hexdb
+| size 24576 pagesize 4096 filename crash-8230e6c3b368f5.db
+| page 1 offset 0
+|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+|     16: 10 00 01 01 00 40 20 20 00 00 00 00 00 00 00 00   .....@  ........
+|     96: 00 00 00 00 0d 00 00 00 06 0e 0f 00 0f aa 0f 53   ...............S
+|    112: 0e e8 0e 8b 0e 33 0e 0f 00 00 00 00 00 00 00 00   .....3..........
+|   3584: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22   ................
+|   3600: 06 06 17 11 11 01 31 74 61 62 7c 65 62 63 62 62   ......1tab|ebcbb
+|   3616: 06 43 52 45 41 54 45 20 54 41 42 4c 45 20 62 62   .CREATE TABLE bb
+|   3632: 28 61 29 56 05 06 17 1f 1f 01 7d 74 61 62 6c 65   (a)V.......table
+|   3648: 74 31 5f 63 6f 6e 66 69 67 74 31 5f 63 6f 6e 66   t1_configt1_conf
+|   3664: 69 67 05 43 52 45 41 54 45 20 54 41 42 4c 45 20   ig.CREATE TABLE 
+|   3680: 27 74 31 5f 63 6f 6e 66 69 67 27 28 6b 20 50 52   't1_config'(k PR
+|   3696: 49 4d 41 52 59 20 4b 45 59 2c 20 76 29 20 57 49   IMARY KEY, v) WI
+|   3712: 54 48 4f 55 54 20 52 4f 57 49 44 5b 04 07 17 21   THOUT ROWID[...!
+|   3728: 21 01 81 01 74 61 62 6c 65 74 31 5f 64 6f 63 73   !...tablet1_docs
+|   3744: 69 7a 65 74 31 5f 64 6f 63 73 69 7a 65 04 43 52   izet1_docsize.CR
+|   3760: 45 41 54 45 20 54 41 42 4c 45 20 27 74 31 5f 9d   EATE TABLE 't1_.
+|   3776: 6f 63 73 69 7a 65 27 28 69 64 20 49 4e 54 45 47   ocsize'(id INTEG
+|   3792: 45 52 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20   ER PRIMARY KEY, 
+|   3808: 73 7a 20 42 4c 4f 42 29 69 03 07 17 19 19 01 81   sz BLOB)i.......
+|   3824: 2d 74 61 62 6c 65 74 31 5f 69 64 78 74 31 5f 69   -tablet1_idxt1_i
+|   3840: 64 78 03 43 52 45 41 54 45 20 54 41 42 4c 45 20   dx.CREATE TABLE 
+|   3856: 27 74 31 5f 69 64 78 27 28 73 65 67 69 64 2c 20   't1_idx'(segid, 
+|   3872: 74 65 72 6d 2c 20 70 67 6e 6f 2c 20 50 52 49 4d   term, pgno, PRIM
+|   3888: 41 52 59 20 4b 45 59 28 73 65 67 69 64 2c 20 74   ARY KEY(segid, t
+|   3904: 65 72 6d 29 29 20 57 49 54 48 4f 55 54 20 52 4f   erm)) WITHOUT RO
+|   3920: 57 49 44 55 02 07 17 1b 1b 01 81 01 74 61 62 6c   WIDU........tabl
+|   3936: 65 64 31 5f 64 61 74 61 74 31 5f 64 61 74 61 02   ed1_datat1_data.
+|   3952: 43 52 45 41 54 45 20 54 41 42 4c 45 20 27 74 31   CREATE TABLE 't1
+|   3968: 5f 64 61 74 61 27 28 69 64 20 49 4e 54 45 47 45   _data'(id INTEGE
+|   3984: 52 20 50 52 49 4d 41 52 59 20 4b 45 59 2c 20 62   R PRIMARY KEY, b
+|   4000: 6c 6f 63 6b 20 42 4c 4f 42 29 54 01 07 17 10 11   lock BLOB)T.....
+|   4016: 08 81 15 74 61 62 6c 65 74 31 74 31 43 52 45 41   ...tablet1t1CREA
+|   4032: 54 45 20 56 49 52 54 55 41 4c 20 54 41 42 4c 45   TE VIRTUAL TABLE
+|   4048: 20 74 31 20 55 53 49 4e 47 20 66 74 73 35 28 61    t1 USING fts5(a
+|   4064: 2c 62 2c 70 72 65 66 69 78 3d 22 31 2c 32 2c 33   ,b,prefix=.1,2,3
+|   4080: 2c 34 22 2c 20 63 6f 6e 74 65 6e 74 3d 22 22 29   ,4., content=..)
+| page 2 offset 4096
+|      0: 0d 0b 6a 00 37 09 4c 02 0f e7 09 4c 0f c6 0f a4   ..j.7.L....L....
+|     16: 0f 88 0f 6d 0f 4b 0f 2c 0f 0e 0e ec 0e cd 0e ad   ...m.K.,........
+|     32: 0e 8e 0e 6c 0e 4b 0e 29 0e 08 0d e6 0d c4 0d b5   ...l.K.)........
+|     48: 0d 97 0d 76 0d 54 0d 31 0d 15 0c f3 0c d3 0c b5   ...v.T.1........
+|     64: 0c 95 0c 73 0c 54 0c 32 0c 10 0b ee 0b cc 0b b0   ...s.T.2........
+|     80: 0b 8d 0b 7e 0b 48 0b 2e 0b 0b 0a ef 0a cc 0a ad   ...~.H..........
+|     96: 0a 8c 0a 6d 0a 4d 0a 2b 0a 0c 09 ec 09 ca 09 a8   ...m.M.+........
+|    112: 09 86 09 63 0f f1 00 00 00 00 00 00 00 00 00 00   ...c............
+|   2368: 00 00 00 00 00 00 00 00 00 00 00 00 15 0a 03 00   ................
+|   2384: 30 00 00 00 01 01 03 35 00 03 01 01 12 02 01 12   0......5........
+|   2400: 03 01 11 1c 8c 80 80 80 80 10 03 00 3e 00 00 00   ............>...
+|   2416: 17 01 05 05 34 74 61 62 6c 03 02 03 01 04 77 68   ....4tabl.....wh
+|   2432: 65 72 03 02 06 09 1b 8c 80 80 80 80 0f 03 00 3c   er.............<
+|   2448: 00 00 00 16 05 34 66 74 73 34 03 02 02 01 04 6e   .....4fts4.....n
+|   2464: 75 6d 62 03 06 01 04 09 1b 8c 80 80 80 80 0e 03   umb.............
+|   2480: 00 3c 00 00 00 16 04 33 74 68 65 13 06 01 01 04   .<.....3the.....
+|   2496: 01 03 77 68 65 03 02 04 04 0a 1b 8c 80 80 80 80   ..whe...........
+|   2512: 0d 03 00 3c 00 00 00 16 04 33 6e 75 6d 03 06 01   ...<.....3num...
+|   2528: 01 05 01 03 75 61 62 03 02 03 04 0a 19 8c 80 80   ....uab.........
+|   2544: 80 80 0c 03 00 38 00 00 00 14 03 32 ec 68 03 02   .....8.....2.h..
+|   2560: 04 00 04 33 66 74 73 03 02 02 04 07 18 8c 80 80   ...3fts.........
+|   2576: 80 80 0b 03 00 36 00 00 00 13 03 32 74 61 03 02   .....6.....2ta..
+|   2592: 03 02 01 68 03 06 01 01 04 04 17 1b 8c 80 80 80   ...h............
+|   2608: 80 0a 03 00 3c 00 00 00 16 03 32 6e 75 03 06 01   ....<.....2nu...
+|   2624: 01 05 01 02 6f 66 03 06 01 01 06 04 09 19 8c 80   ....of..........
+|   2640: 80 80 80 09 03 00 38 00 00 00 14 03 32 66 74 03   ......8.....2ft.
+|   2656: 02 02 01 02 69 73 03 06 01 01 03 04 07 18 8c 80   ....is..........
+|   2672: 80 80 80 08 03 00 36 00 00 00 13 02 31 74 03 08   ......6.....1t..
+|   2688: 03 01 01 04 01 01 77 03 02 04 04 09 1a 8c 80 80   ......w.........
+|   2704: 80 80 07 03 00 3a 00 00 00 15 02 31 6e 03 08 01   .....:.....1n...
+|   2720: 01 02 05 01 01 6f 03 06 01 01 06 04 09 18 8c 80   .....o..........
+|   2736: 80 80 80 06 03 00 36 00 00 00 13 04 02 31 66 03   ......6......1f.
+|   2752: 02 02 01 01 69 03 06 01 01 03 05 06 1c 8c 80 80   ....i...........
+|   2768: 80 80 05 03 00 3e 00 00 00 17 04 30 74 68 65 03   .....>.....0the.
+|   2784: 06 01 01 04 01 05 77 68 65 72 65 03 02 04 0a 15   ......where.....
+|   2800: 8c 80 80 80 80 04 03 00 30 00 00 00 11 01 01 06   ........0.......
+|   2816: 06 30 74 61 62 6c 65 03 02 03 07 1c 8c 80 80 80   .0table.........
+|   2832: 80 03 03 00 3e 00 00 00 17 07 30 6e 75 6d 62 65   ....>.....0numbe
+|   2848: 72 03 06 01 01 05 01 02 6f 66 03 06 04 0d 13 8c   r.......of......
+|   2864: 80 80 80 80 02 03 00 2c 00 00 00 0f 01 01 03 02   .......,........
+|   2880: 30 6e 03 06 01 01 02 07 1b 8c 80 80 80 80 01 03   0n..............
+|   2896: 00 3c 00 00 00 16 08 30 66 74 73 34 61 75 78 03   .<.....0fts4aux.
+|   2912: 02 02 01 02 69 73 03 06 04 0c 00 00 00 14 2a 00   ....is........*.
+|   2928: 00 00 01 01 02 24 00 02 01 01 12 02 01 12 08 88   .....$..........
+|   2944: 80 80 80 80 12 03 00 16 00 00 00 05 02 1c 88 80   ................
+|   2960: 80 80 80 11 03 00 3e 00 00 00 17 05 34 72 6f 77   ......>.....4row
+|   2976: 73 02 06 01 01 05 01 04 74 68 65 72 02 02 04 0b   s.......ther....
+|   2992: 15 88 80 80 80 80 10 03 00 30 00 00 00 11 02 01   .........0......
+|   3008: 01 07 05 34 62 65 74 77 02 02 04 08 1b 88 80 80   ...4betw........
+|   3024: 80 80 0f 03 00 3c 00 00 00 16 04 04 33 72 6f 77   .....<......3row
+|   3040: 02 06 01 01 05 01 03 74 68 64 02 08 05 0a 1b 88   .......thd......
+|   3056: 80 80 80 80 0e 03 00 3c 00 00 00 16 01 01 02 04   .......<........
+|   3072: 33 61 72 65 02 02 03 01 03 62 65 74 02 02 07 08   3are.....bet....
+|   3088: 1b 88 80 80 80 80 0d 03 00 3c 00 00 00 16 03 32   .........<.....2
+|   3104: 74 68 02 08 02 01 01 07 00 04 33 61 6e 64 02 06   th........3and..
+|   3120: 04 0a 1b 88 80 80 80 80 0c 03 00 3c 00 00 00 16   ...........<....
+|   3136: 03 32 69 6e 02 06 01 01 06 01 02 72 6f 02 06 01   .2in.......ro...
+|   3152: 01 43 04 09 18 88 80 80 80 80 0b 03 00 36 00 00   .C...........6..
+|   3168: 00 13 02 03 32 61 72 02 02 03 01 02 62 65 02 02   ....2ar.....be..
+|   3184: 04 05 07 1b 88 80 80 80 80 0a 03 00 3c 00 00 00   ............<...
+|   3200: 16 02 31 74 02 08 02 01 01 07 00 03 32 61 6e 02   ..1t........2an.
+|   3216: 06 01 01 04 09 19 88 80 80 80 80 09 03 00 38 00   ..............8.
+|   3232: 00 00 14 02 31 6e 02 06 01 01 03 01 01 72 02 06   ....1n.......r..
+|   3248: 01 01 05 04 08 17 88 80 80 80 80 08 03 00 34 00   ..............4.
+|   3264: 00 00 12 02 31 62 02 02 04 01 01 69 02 06 01 01   ....1b.....i....
+|   3280: 06 04 06 19 88 80 80 80 80 07 03 00 38 00 00 00   ............8...
+|   3296: 14 04 02 31 32 02 02 05 01 01 61 02 08 03 01 01   ...12.....a.....
+|   3312: 02 05 06 1b 88 80 80 80 80 06 03 00 3c 00 00 00   ............<...
+|   3328: 16 06 30 74 68 65 72 65 02 02 01 00 02 30 21 02   ..0there.....0!.
+|   3344: 06 01 01 04 0a 15 88 80 80 80 80 05 03 00 30 00   ..............0.
+|   3360: 00 00 11 01 01 05 04 30 74 68 65 02 06 01 01 07   .......0the.....
+|   3376: 07 1c 88 80 80 80 80 04 03 00 3e 00 00 00 17 01   ..........>.....
+|   3392: 01 06 02 30 6e 02 06 01 01 03 01 04 72 6f 77 73   ...0n.......rows
+|   3408: 02 06 07 08 1b 88 80 80 80 80 03 03 00 3c 00 51   .............<.Q
+|   3424: 00 16 08 30 62 65 74 77 65 65 6e 02 02 04 01 02   ...0between.....
+|   3440: 69 6e 02 06 04 0c 1a 88 80 80 80 80 02 03 00 3a   in.............:
+|   3456: 00 00 00 15 04 30 61 6e 64 02 06 01 01 02 02 02   .....0and.......
+|   3472: 72 65 02 02 03 04 0a 17 88 80 80 80 80 01 03 00   re..............
+|   3488: 34 00 00 00 12 02 30 31 02 06 01 01 04 01 01 32   4.....01.......2
+|   3504: 02 02 05 04 08 08 84 80 80 80 80 12 03 00 16 00   ................
+|   3520: 00 00 05 04 1b 84 80 80 80 80 11 03 00 3c 00 00   .............<..
+|   3536: 00 16 05 34 74 51 62 6c 01 06 01 01 05 02 03 65   ...4tQbl.......e
+|   3552: 72 6d 01 02 04 0b 1b 84 80 80 80 80 10 03 00 3c   rm.............<
+|   3568: 00 00 00 16 05 34 65 17 63 68 01 02 03 01 04 70   .....4e.ch.....p
+|   3584: 72 65 73 01 02 05 04 09 1a 84 80 80 80 80 0f 03   res.............
+|   3600: 00 3a 00 00 00 15 04 33 74 65 72 01 02 04 02 02   .:.....3ter.....
+|   3616: 68 65 01 06 01 01 03 04 08 1b 84 80 80 80 80 0e   he..............
+|   3632: 03 00 3c 00 00 00 16 04 33 70 72 65 01 02 05 01   ..<.....3pre....
+|   3648: 03 74 61 62 01 06 01 01 05 04 08 1a 84 80 80 80   .tab............
+|   3664: 80 0d 03 00 3a 00 00 00 15 04 33 66 6f 72 01 03   ....:.....3for..
+|   3680: 02 02 02 74 73 01 06 01 01 04 04 08 1b 84 80 80   ...ts...........
+|   3696: 80 80 0c 03 00 3c 00 00 00 16 03 32 74 68 01 06   .....<.....2th..
+|   3712: 01 01 03 00 04 33 65 61 63 01 02 03 04 09 18 84   .....3eac.......
+|   3728: 80 80 80 80 0b 03 00 36 00 00 00 13 03 32 74 61   .......6.....2ta
+|   3744: 01 06 01 01 05 02 01 65 01 02 04 04 09 19 84 80   .......e........
+|   3760: 80 80 80 0a 03 00 38 00 00 00 14 03 32 69 6e 01   ......8.....2in.
+|   3776: 06 01 01 02 01 02 70 72 01 02 05 04 09 18 84 80   ......pr........
+|   3792: 80 80 80 09 03 00 36 00 00 00 13 03 32 66 6f 01   ......6.....2fo.
+|   3808: 02 02 02 01 74 01 06 01 01 04 04 07 1b 84 80 80   ....t...........
+|   3824: 80 80 08 03 00 3c 00 00 00 16 02 31 74 01 0a 04   .....<.....1t...
+|   3840: 01 01 03 04 00 03 32 65 61 01 02 03 04 0a 17 84   ......2ea.......
+|   3856: 80 80 80 80 07 03 00 34 00 00 00 12 02 31 69 01   .......4.....1i.
+|   3872: 06 01 01 02 01 01 70 01 02 05 04 08 18 84 80 80   ......p.........
+|   3888: 80 80 06 03 00 36 00 00 00 12 02 31 65 01 02 02   .....6.....1e...
+|   3904: 01 01 66 01 08 02 01 01 04 04 06 1b 84 80 80 80   ..f.............
+|   3920: 80 05 03 00 3c 00 00 00 16 05 30 74 65 72 6d 01   ....<.....0term.
+|   3936: 02 04 02 02 68 65 01 06 01 01 03 04 09 14 84 80   ....he..........
+|   3952: 80 80 80 04 03 00 2e 00 00 00 10 06 30 74 61 62   ............0tab
+|   3968: 6c 65 01 06 01 01 05 04 15 84 80 80 80 80 03 03   le..............
+|   3984: 00 30 00 00 00 11 02 08 30 70 72 65 73 65 6e 74   .0......0present
+|   4000: 01 02 05 05 1b 84 80 80 80 80 02 03 00 3c 00 00   .............<..
+|   4016: 00 16 04 30 66 74 73 01 06 01 01 04 01 02 69 6e   ...0fts.......in
+|   4032: 01 06 01 01 04 0a 1a 84 80 80 80 80 01 03 00 3a   ...............:
+|   4048: 00 00 00 15 05 30 65 61 63 68 01 02 03 01 03 66   .....0each.....f
+|   4064: 6f 72 01 02 01 f4 09 06 01 03 00 12 03 0b 0f 00   or..............
+|   4080: 00 08 8c 80 80 80 80 11 03 00 16 00 00 00 05 04   ................
+| page 3 offset 8192
+|      0: 0a 00 00 00 32 0e 4f 00 0f fa 0f f1 0f e9 0f e1   ....2.O.........
+|     16: 0f d8 0f d1 0f c9 0f c1 0f b9 0f b1 0f a9 0f a0   ................
+|     32: 0f 98 0f 90 0f 87 0f 80 0f 78 0f 71 0f 68 0f 5f   .........x.q.h._
+|     48: 0f 56 0f 4d 0f 41 0f 38 0f 2f 0f 26 0f 1d 0f 13   .V.M.A.8./.&....
+|     64: 0f 0a 0f 01 0e f7 0e ee 0e e6 0e dd 0e d6 0e cd   ................
+|     80: 0e c3 0e ba 0e b0 0e a8 0e 9f 0e 00 00 00 00 00   ................
+|   3648: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08   ................
+|   3664: 04 01 10 01 03 34 74 20 07 04 01 0e 01 03 34 1e   .....4t ......4.
+|   3680: 09 04 01 12 01 03 33 74 68 1c 08 04 01 10 01 03   ......3th.......
+|   3696: 33 6e 1a 08 04 01 10 01 03 32 77 18 08 04 01 10   3n.......2w.....
+|   3712: 01 03 32 74 16 08 04 01 10 01 03 32 6e 14 07 04   ..2t.......2n...
+|   3728: 01 0e 01 03 32 12 08 04 01 10 01 03 31 74 10 07   ....2.......1t..
+|   3744: f4 01 10 01 03 31 6e 0e 07 04 01 0e 01 03 31 0c   .....1n.......1.
+|   3760: 09 04 01 12 01 03 30 74 68 0a 08 04 01 10 01 03   ......0th.......
+|   3776: 30 74 08 09 04 01 12 01 03 30 6e 75 06 08 04 01   0t.......0nu....
+|   3792: 10 01 03 30 6e 04 06 04 01 0c 01 03 02 08 04 01   ...0n...........
+|   3808: 10 01 02 34 73 22 07 04 01 0e 01 02 34 20 08 04   ...4s.......4 ..
+|   3824: 01 10 01 02 33 72 1e 09 04 01 12 01 02 33 61 72   ....3r.......3ar
+|   3840: 1c 08 04 01 10 01 02 32 74 1a 08 04 01 10 01 02   .......2t.......
+|   3856: 32 69 18 09 04 01 12 01 02 32 61 72 16 08 04 01   2i.......2ar....
+|   3872: 10 01 02 31 74 14 08 04 01 10 01 02 31 6e 12 08   ...1t.......1n..
+|   3888: 04 01 10 01 02 31 62 10 08 04 01 10 01 02 31 32   .....1b.......12
+|   3904: 0e 0b 04 01 16 01 02 30 74 00 00 00 00 00 00 00   .......0t.......
+| page 4 offset 12288
+|   4064: 00 00 00 00 00 00 00 00 00 00 00 05 02 03 00 10   ................
+|   4080: 03 05 05 02 03 00 10 04 06 05 01 03 00 10 04 04   ................
+| page 5 offset 16384
+|      0: 0a 00 00 00 02 0f eb 00 0f eb 0f f4 00 00 00 00   ................
+|   4064: 00 00 00 00 00 00 00 00 00 00 00 08 03 15 01 70   ...............p
+|   4080: 67 73 7a 08 0b 03 1b 01 76 65 72 73 69 6f 6e 04   gsz.....version.
+| end crash-8230e6c3b368f5.db
+}]} {}
+
+do_catchsql_test 63.1 {
+  SELECT * FROM t1 WHERE b MATCH 'thead*thead*theSt*';
+} {1 {database disk image is malformed}}
+
+do_catchsql_test 63.2 {
+  INSERT INTO t1(t1) VALUES('optimize');
+} {0 {}}
+
+breakpoint
+do_catchsql_test 63.3 {
+  SELECT * FROM t1 WHERE b MATCH 'thead*thead*theSt*';
+} {0 {}}
+
 sqlite3_fts5_may_be_corrupt 0
 finish_test