44 lines
1.5 KiB
Diff
44 lines
1.5 KiB
Diff
From 1d41f8f6d718cd93b0bd55e72f0a919b1c6e1388 Mon Sep 17 00:00:00 2001
|
|
From: Dan Kennedy <danielk1977@gmail.com>
|
|
Date: Fri, 28 Dec 2018 13:57:30 +0000
|
|
Subject: [PATCH 0686/1009] Fix a buffer overwrite in fts5 triggered by a
|
|
corrupt database.
|
|
|
|
https://github.com/mackyle/sqlite/commit/1d41f8f6d718cd93b0bd55e72f0a919b1c6e1388
|
|
|
|
---
|
|
ext/fts5/fts5_index.c | 5 +-
|
|
1 files changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
|
|
index 6bd18c5..3361b19 100644
|
|
--- a/ext/fts5/fts5_index.c
|
|
+++ b/ext/fts5/fts5_index.c
|
|
@@ -3902,6 +3902,7 @@ static void fts5WriteAppendTerm(
|
|
int nPrefix; /* Bytes of prefix compression for term */
|
|
Fts5PageWriter *pPage = &pWriter->writer;
|
|
Fts5Buffer *pPgidx = &pWriter->writer.pgidx;
|
|
+ int nMin = MIN(pPage->term.n, nTerm);
|
|
|
|
assert( p->rc==SQLITE_OK );
|
|
assert( pPage->buf.n>=4 );
|
|
@@ -3943,13 +3944,13 @@ static void fts5WriteAppendTerm(
|
|
** inefficient, but still correct. */
|
|
int n = nTerm;
|
|
if( pPage->term.n ){
|
|
- n = 1 + fts5PrefixCompress(pPage->term.n, pPage->term.p, pTerm);
|
|
+ n = 1 + fts5PrefixCompress(nMin, pPage->term.p, pTerm);
|
|
}
|
|
fts5WriteBtreeTerm(p, pWriter, n, pTerm);
|
|
pPage = &pWriter->writer;
|
|
}
|
|
}else{
|
|
- nPrefix = fts5PrefixCompress(pPage->term.n, pPage->term.p, pTerm);
|
|
+ nPrefix = fts5PrefixCompress(nMin, pPage->term.p, pTerm);
|
|
fts5BufferAppendVarint(&p->rc, &pPage->buf, nPrefix);
|
|
}
|
|
|
|
--
|
|
1.8.3.1
|
|
|