From 2b256aaaae3c32e69a5a4c24d7bb22bbc7232f88 Mon Sep 17 00:00:00 2001
|
|
From: "D. Richard Hipp" <drh@hwaci.com>
|
|
Date: Mon, 1 Oct 2018 13:54:30 +0000
|
|
Subject: [PATCH 0435/1009] Fix a potential crash that can occur while reading
|
|
an index from a corrupt database file. The corruption is a
|
|
record-header-size that is larger than 0x7fffffff. Problem detected by
|
|
OSSFuzz against GDAL and reported to us (with a suggested fix) by Even
|
|
Rouault. The test case is in TH3.
|
|
|
|
https://github.com/mackyle/sqlite/commit/2b256aaaae3c32e69a5a4c24d7bb22bbc7232f88
|
|
|
|
---
|
|
src/vdbeaux.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
|
|
index 5ec3d13..99df435 100644
|
|
--- a/src/vdbeaux.c
|
|
+++ b/src/vdbeaux.c
|
|
@@ -4557,7 +4557,9 @@ int sqlite3VdbeIdxRowid(sqlite3 *db, BtCursor *pCur, i64 *rowid){
|
|
(void)getVarint32((u8*)m.z, szHdr);
|
|
testcase( szHdr==3 );
|
|
testcase( szHdr==m.n );
|
|
- if( unlikely(szHdr<3 || (int)szHdr>m.n) ){
|
|
+ testcase( szHdr>0x7fffffff );
|
|
+ assert( m.n>=0 );
|
|
+ if( unlikely(szHdr<3 || szHdr>(unsigned)m.n) ){
|
|
goto idx_rowid_corruption;
|
|
}
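Review bot: The new bound `szHdr>(unsigned)m.n` is only sound while `m.n` is non-negative, and the sole guard for that is `assert( m.n>=0 )`, which does nothing in builds where asserts are compiled out. If `m.n` could ever be negative there, the cast would yield a very large unsigned value and any corrupt `szHdr` would pass the upper bound. The code that sets `m.n` is outside this hunk, so it is worth confirming that the payload fetch guarantees a non-negative length, or folding `m.n<0` into the corruption test. I would also add a comment above the `if` so the comparison is not changed back to a signed one later, for example `/* Compare unsigned: a corrupt szHdr above 0x7fffffff turns negative under an (int) cast and slips past the bound */`. The body of sqlite3VdbeIdxRowid starts and ends outside the hunk.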
|
|
|
|
--
|
|
1.8.3.1
|
|
|