third_party/sqlite/patches/0009-fts3-Interior-node-corruption-detection.patch

   1 From ce5e0e867ac54738b813c800cf1a0545258189bc Mon Sep 17 00:00:00 2001
   2 From: Scott Hess <shess@chromium.org>
   3 Date: Thu, 26 May 2011 18:44:46 +0000
   4 Subject: [PATCH 09/16] [fts3] Interior node corruption detection.
   5
   6 In auditing as part of a previous import, I noticed this case which
   7 seemed to allow for buffer overrun.  The nPrefix check was commented out
   8 because nBuffer wasn't always initialized, and I never circled back to
   9 resolve that.
  10
  11 It may be appropriate to just drop this patch, for now leaving it for
  12 consistency.
  13
  14 BUG=84057, 83946
  15
  16 Original review URLs:
  17 http://codereview.chromium.org/7075014
  18 http://codereview.chromium.org/6990047 (3.7.6.3 SQLite import)
  19 ---
  20  third_party/sqlite/src/ext/fts3/fts3.c | 10 ++++++++--
  21  1 file changed, 8 insertions(+), 2 deletions(-)
  22
  23 diff --git a/third_party/sqlite/src/ext/fts3/fts3.c b/third_party/sqlite/src/ext/fts3/fts3.c
  24 index dbd2835..3a1152d 100644
  25 --- a/third_party/sqlite/src/ext/fts3/fts3.c
  26 +++ b/third_party/sqlite/src/ext/fts3/fts3.c
  27 @@ -1773,8 +1773,14 @@ static int fts3ScanInteriorNode(
  28      isFirstTerm = 0;
  29      zCsr += fts3GetVarint32(zCsr, &nSuffix);
  30
  31 -    if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){
  32 -      rc = FTS_CORRUPT_VTAB;
  33 +    /* NOTE(shess): Previous code checked for negative nPrefix and
  34 +    ** nSuffix and suffix overrunning zEnd.  Additionally corrupt if
  35 +    ** the prefix is longer than the previous term, or if the suffix
  36 +    ** causes overflow.
  37 +    */
  38 +    if( nPrefix<0 || nSuffix<0 /* || nPrefix>nBuffer */
  39 +     || &zCsr[nSuffix]<zCsr || &zCsr[nSuffix]>zEnd ){
  40 +      rc = SQLITE_CORRUPT;
  41        goto finish_scan;
  42      }
  43      if( nPrefix+nSuffix>nAlloc ){
  44 --
  45 2.2.1
  46