42 lines
1.5 KiB
Diff
42 lines
1.5 KiB
Diff
From 536bdac3ff692d5ebf13d6b7ff129721444f281b Mon Sep 17 00:00:00 2001
|
|
From: Dan Kennedy <danielk1977@gmail.com>
|
|
Date: Thu, 31 Jan 2019 14:37:18 +0000
|
|
Subject: [PATCH 0878/1009] Fix another buffer overrun that could occur when
|
|
quering a corrupt database using an fts5vocab table.
|
|
|
|
https://github.com/mackyle/sqlite/commit/536bdac3ff692d5ebf13d6b7ff129721444f281b
|
|
|
|
---
|
|
ext/fts5/fts5_index.c | 2 +-
|
|
ext/fts5/fts5_vocab.c | 1 +
|
|
1 files changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
|
|
index 32732b9..bb87714 100644
|
|
--- a/ext/fts5/fts5_index.c
|
|
+++ b/ext/fts5/fts5_index.c
|
|
@@ -1652,7 +1652,7 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){
|
|
int nNew; /* Bytes of new data */
|
|
|
|
iOff += fts5GetVarint32(&a[iOff], nNew);
|
|
- if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n ){
|
|
+ if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n || nNew==0 ){
|
|
p->rc = FTS5_CORRUPT;
|
|
return;
|
|
}
|
|
diff --git a/ext/fts5/fts5_vocab.c b/ext/fts5/fts5_vocab.c
|
|
index bfb6821..2550c9d 100644
|
|
--- a/ext/fts5/fts5_vocab.c
|
|
+++ b/ext/fts5/fts5_vocab.c
|
|
@@ -484,6 +484,7 @@ static int fts5VocabNextMethod(sqlite3_vtab_cursor *pCursor){
|
|
int nTerm;
|
|
|
|
zTerm = sqlite3Fts5IterTerm(pCsr->pIter, &nTerm);
|
|
+ assert( nTerm>=0 );
|
|
if( pCsr->nLeTerm>=0 ){
|
|
int nCmp = MIN(nTerm, pCsr->nLeTerm);
|
|
int bCmp = memcmp(pCsr->zLeTerm, zTerm, nCmp);
|
|
--
|
|
1.8.3.1
|
|
|