-rw-r--r-- | Android.bp | 4 | ||||
-rw-r--r-- | OWNERS | 3 | ||||
-rw-r--r-- | README.version | 3 | ||||
-rw-r--r-- | android/Android.bp | 31 | ||||
-rw-r--r-- | android/Android.mk | 33 | ||||
-rw-r--r-- | android/sqlite3_android.cpp | 2 | ||||
-rw-r--r-- | dist/Android.bp | 165 | ||||
-rw-r--r-- | dist/Android.mk | 178 | ||||
-rw-r--r-- | dist/Android.patch | 20 | ||||
-rw-r--r-- | dist/orig/sqlite3.c | 33 | ||||
-rw-r--r-- | dist/sqlite3.c | 34 |
11 files changed, 237 insertions, 269 deletions
diff --git a/Android.bp b/Android.bp
new file mode 100644
index 0000000..7b2e7da
--- /dev/null
+++ b/Android.bp
@@ -0,0 +1,4 @@
+subdirs = [
+ "android",
+ "dist",
+]
@@ -0,0 +1,3 @@
+nnk@google.com
+omakoto@google.com
+fkupolov@google.com
diff --git a/README.version b/README.version
index bd6e8d9..6b2da55 100644
--- a/README.version
+++ b/README.version
@@ -1,4 +1,5 @@
+URL: https://sqlite.org/src/tarball/SQLite-8201f4e1.tar.gz?uuid=8201f4e1c566f7223c71c07e6b703d1352801f1b2daa0fd00895a18e1944cb4d
+Version: 3.18.2
 URL: https://www.sqlite.org/src/info/b54aa18b0fe4d683
 Version: 3.18.2
 b54aa18b0fe4d683c602ed2ba59ded6c33168982d14ea14a12b4e00cde8bf973 This patch fixes CVE-2019-9936,CVE-2019-5018,CVE-2019-8457 in b/140181188 b/140180629 and b/140182003 respectively
-BugComponent: 24950
diff --git a/android/Android.bp b/android/Android.bp
new file mode 100644
index 0000000..7c17c6a
--- /dev/null
+++ b/android/Android.bp
@@ -0,0 +1,31 @@
+cc_library_static {
+ name: "libsqlite3_android",
+ host_supported: true,
+ srcs: [
+ "PhoneNumberUtils.cpp",
+ "OldPhoneNumberUtils.cpp",
+ "sqlite3_android.cpp",
+ ],
+ include_dirs: ["external/sqlite/dist"],
+ static_libs: ["liblog"],
+ shared_libs: [
+ "libicuuc",
+ "libicui18n",
+ ],
+ export_include_dirs: ["."],
+}
+
+// The formal test for phone_number_compare() is in DataBaseGeneralTest.java
+// (as of 2009-08-02), in which phone_number_compare() is tested via sqlite's custom
+// function "PHONE_NUMBER_COMPARE".
+cc_test {
+ name: "libsqlite3_phone_number_utils_test",
+ cflags: [
+ "-Wall",
+ "-Werror",
+ ],
+ srcs: [
+ "PhoneNumberUtils.cpp",
+ "PhoneNumberUtilsTest.cpp",
+ ],
+}
diff --git a/android/Android.mk b/android/Android.mk
deleted file mode 100644
index 9ba06c3..0000000
--- a/android/Android.mk
+++ /dev/null
@@ -1,33 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-libsqlite3_android_local_src_files := \
- PhoneNumberUtils.cpp \
- OldPhoneNumberUtils.cpp \
- sqlite3_android.cpp
-
-libsqlite3_android_c_includes := external/sqlite/dist
-
-include $(CLEAR_VARS)
-LOCAL_SRC_FILES:= $(libsqlite3_android_local_src_files)
-LOCAL_C_INCLUDES += $(libsqlite3_android_c_includes)
-LOCAL_STATIC_LIBRARIES := liblog
-LOCAL_SHARED_LIBRARIES := libicuuc libicui18n
-LOCAL_MODULE:= libsqlite3_android
-include $(BUILD_STATIC_LIBRARY)
-
-include $(CLEAR_VARS)
-LOCAL_SRC_FILES:= $(libsqlite3_android_local_src_files)
-LOCAL_C_INCLUDES += $(libsqlite3_android_c_includes)
-LOCAL_STATIC_LIBRARIES := liblog
-LOCAL_SHARED_LIBRARIES := libicuuc libicui18n
-LOCAL_MODULE:= libsqlite3_android
-include $(BUILD_HOST_STATIC_LIBRARY)
-
-# The formal test for phone_number_compare() is in DataBaseGeneralTest.java
-# (as of 2009-08-02), in which phone_number_compare() is tested via sqlite's custom
-# function "PHONE_NUMBER_COMPARE".
-include $(CLEAR_VARS)
-LOCAL_MODULE:= libsqlite3_phone_number_utils_test
-LOCAL_CFLAGS += -Wall -Werror
-LOCAL_SRC_FILES := PhoneNumberUtils.cpp PhoneNumberUtilsTest.cpp
-include $(BUILD_NATIVE_TEST)
diff --git a/android/sqlite3_android.cpp b/android/sqlite3_android.cpp
index 44799fd..26b22c3 100644
--- a/android/sqlite3_android.cpp
+++ b/android/sqlite3_android.cpp
@@ -25,7 +25,7 @@
 #include <unicode/uiter.h>
 #include <unicode/ustring.h>
 #include <unicode/utypes.h>
-#include <cutils/log.h>
+#include <log/log.h>
 #include "sqlite3_android.h"
 #include "PhoneNumberUtils.h"
diff --git a/dist/Android.bp b/dist/Android.bp
new file mode 100644
index 0000000..7ad84ff
--- /dev/null
+++ b/dist/Android.bp
@@ -0,0 +1,165 @@
+//
+//
+// Build the library
+//
+//
+
+cc_defaults {
+ name: "sqlite-minimal-defaults",
+ host_supported: true,
+
+ // b/31938382, disable most clang-tidy checks to avoid segmentation fault.
+ tidy_checks: [
+ "-*",
+ "google-*",
+ "-google-readability-*",
+ ],
+
+ // NOTE the following flags,
+ // SQLITE_TEMP_STORE=3 causes all TEMP files to go into RAM. and thats the behavior we want
+ // SQLITE_ENABLE_FTS3 enables usage of FTS3 - NOT FTS1 or 2.
+ // SQLITE_DEFAULT_AUTOVACUUM=1 causes the databases to be subject to auto-vacuum
+ cflags: [
+ "-DNDEBUG=1",
+ "-DHAVE_USLEEP=1",
+ "-DSQLITE_HAVE_ISNAN",
+ "-DSQLITE_DEFAULT_JOURNAL_SIZE_LIMIT=1048576",
+ "-DSQLITE_THREADSAFE=2",
+ "-DSQLITE_TEMP_STORE=3",
+ "-DSQLITE_POWERSAFE_OVERWRITE=1",
+ "-DSQLITE_DEFAULT_FILE_FORMAT=4",
+ "-DSQLITE_DEFAULT_AUTOVACUUM=1",
+ "-DSQLITE_ENABLE_MEMORY_MANAGEMENT=1",
+ "-DSQLITE_ENABLE_FTS3",
+ "-DSQLITE_ENABLE_FTS3_BACKWARDS",
+ "-DSQLITE_ENABLE_FTS4",
+ "-DSQLITE_OMIT_BUILTIN_TEST",
+ "-DSQLITE_OMIT_COMPILEOPTION_DIAGS",
+ "-DSQLITE_OMIT_LOAD_EXTENSION",
+ "-DSQLITE_DEFAULT_FILE_PERMISSIONS=0600",
+ "-DSQLITE_SECURE_DELETE",
+ ],
+
+ target: {
+ linux: {
+ cflags: ["-DHAVE_POSIX_FALLOCATE=1"],
+ },
+ },
+}
+
+cc_defaults {
+ name: "sqlite-defaults",
+ defaults: ["sqlite-minimal-defaults"],
+ target: {
+ android: {
+ cflags: [
+ "-DSQLITE_ENABLE_ICU",
+ "-DUSE_PREAD64",
+ "-Dfdatasync=fdatasync",
+ "-DHAVE_MALLOC_H=1",
+ "-DHAVE_MALLOC_USABLE_SIZE",
+ ],
+ },
+ },
+}
+
+cc_library {
+ name: "libsqlite",
+ defaults: ["sqlite-defaults"],
+
+ srcs: ["sqlite3.c"],
+
+ target: {
+ android: {
+ shared_libs: [
+ "libdl",
+ "liblog",
+ "libutils",
+ "libicuuc",
+ "libicui18n",
+ ],
+
+ // include android specific methods
+ whole_static_libs: ["libsqlite3_android"],
+ },
+ host: {
+ static_libs: [
+ "liblog",
+ "libutils",
+ ],
+ },
+ not_windows: {
+ shared_libs: [
+ "libicuuc",
+ "libicui18n",
+ ],
+
+ // include android specific methods
+ whole_static_libs: ["libsqlite3_android"],
+ },
+ windows: {
+ enabled: true,
+ },
+ },
+
+ export_include_dirs: ["."],
+}
+
+//
+//
+// Build the device command line tool sqlite3
+//
+//
+
+cc_binary {
+ name: "sqlite3",
+ defaults: ["sqlite-defaults"],
+
+ srcs: ["shell.c"],
+
+ tags: ["debug"],
+
+ target: {
+ android: {
+ shared_libs: [
+ "libsqlite",
+ "libicuuc",
+ "libicui18n",
+ "liblog",
+ "libutils",
+ ],
+ static_libs: [
+ "libicuandroid_utils",
+ ],
+ },
+ host: {
+ cflags: ["-DNO_ANDROID_FUNCS=1"],
+ static_libs: [
+ "libsqlite",
+ // sqlite3MemsysAlarm uses LOG()
+ "liblog",
+ ],
+ },
+ not_windows: {
+ host_ldlibs: [
+ "-lpthread",
+ "-ldl",
+ ],
+ },
+
+ windows: {
+ enabled: true,
+ },
+ },
+}
+
+// Build a minimal version of sqlite3 without any android specific
+// features against the NDK. This is used by libcore's JDBC related
+// unit tests.
+cc_library_static {
+ name: "libsqlite_static_minimal",
+ defaults: ["sqlite-minimal-defaults"],
+ srcs: ["sqlite3.c"],
+ sdk_version: "23",
+ export_include_dirs: ["."],
+}
diff --git a/dist/Android.mk b/dist/Android.mk
deleted file mode 100644
index e87c30e..0000000
--- a/dist/Android.mk
+++ /dev/null
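Review bot: The `// NOTE the following flags` comment in `sqlite-minimal-defaults` explains three behavioural defines but says nothing about the three that exist for hardening, `-DSQLITE_OMIT_LOAD_EXTENSION`, `-DSQLITE_DEFAULT_FILE_PERMISSIONS=0600` and `-DSQLITE_SECURE_DELETE`, so a later cleanup of the cflags list has no hint that they are deliberate. Suggest extending the comment with `// SQLITE_OMIT_LOAD_EXTENSION removes load_extension(): app databases must never be able to load native code`, `// SQLITE_DEFAULT_FILE_PERMISSIONS=0600 keeps newly created database files owner-only` and `// SQLITE_SECURE_DELETE overwrites deleted content with zeros`. A line noting that `-DNDEBUG=1` compiles out SQLite's internal assert()s in every module built from these defaults, including `libsqlite_static_minimal`, would also help reviewers of the C hunks judge what runtime checking is left.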
@@ -1,178 +0,0 @@
-##
-##
-## Build the library
-##
-##
-
-LOCAL_PATH:= $(call my-dir)
-
-# NOTE the following flags,
-# SQLITE_TEMP_STORE=3 causes all TEMP files to go into RAM. and thats the behavior we want
-# SQLITE_ENABLE_FTS3 enables usage of FTS3 - NOT FTS1 or 2.
-# SQLITE_DEFAULT_AUTOVACUUM=1 causes the databases to be subject to auto-vacuum
-minimal_sqlite_flags := \
- -DNDEBUG=1 \
- -DHAVE_USLEEP=1 \
- -DSQLITE_HAVE_ISNAN \
- -DSQLITE_DEFAULT_JOURNAL_SIZE_LIMIT=1048576 \
- -DSQLITE_THREADSAFE=2 \
- -DSQLITE_TEMP_STORE=3 \
- -DSQLITE_POWERSAFE_OVERWRITE=1 \
- -DSQLITE_DEFAULT_FILE_FORMAT=4 \
- -DSQLITE_DEFAULT_AUTOVACUUM=1 \
- -DSQLITE_ENABLE_MEMORY_MANAGEMENT=1 \
- -DSQLITE_ENABLE_FTS3 \
- -DSQLITE_ENABLE_FTS3_BACKWARDS \
- -DSQLITE_ENABLE_FTS4 \
- -DSQLITE_OMIT_BUILTIN_TEST \
- -DSQLITE_OMIT_COMPILEOPTION_DIAGS \
- -DSQLITE_OMIT_LOAD_EXTENSION \
- -DSQLITE_DEFAULT_FILE_PERMISSIONS=0600 \
- -DSQLITE_SECURE_DELETE
-
-minimal_linux_flags := \
- -DHAVE_POSIX_FALLOCATE=1 \
-
-device_sqlite_flags := $(minimal_sqlite_flags) \
- -DSQLITE_ENABLE_ICU \
- -DUSE_PREAD64 \
- -Dfdatasync=fdatasync \
- -DHAVE_MALLOC_H=1 \
- -DHAVE_MALLOC_USABLE_SIZE
-
-common_src_files := sqlite3.c
-
-# b/31938382, disable most clang-tidy checks to avoid segmentation fault.
-common_local_tidy_checks := -*,google-*,-google-readability-*
-
-# the device library
-include $(CLEAR_VARS)
-
-LOCAL_TIDY_CHECKS := $(common_local_tidy_checks)
-LOCAL_SRC_FILES := $(common_src_files)
-
-LOCAL_CFLAGS += $(device_sqlite_flags)
-LOCAL_CFLAGS_linux += $(minimal_linux_flags)
-
-LOCAL_SHARED_LIBRARIES := libdl
-
-LOCAL_MODULE:= libsqlite
-
-LOCAL_C_INCLUDES += $(call include-path-for, system-core)/cutils
-
-LOCAL_SHARED_LIBRARIES += liblog \
- libicuuc \
- libicui18n \
- libutils \
- liblog
-
-# include android specific methods
-LOCAL_WHOLE_STATIC_LIBRARIES := libsqlite3_android
-LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)
-
-include $(BUILD_SHARED_LIBRARY)
-
-
-include $(CLEAR_VARS)
-LOCAL_TIDY_CHECKS := $(common_local_tidy_checks)
-LOCAL_SRC_FILES := $(common_src_files)
-LOCAL_LDLIBS += -lpthread -ldl
-LOCAL_CFLAGS += $(minimal_sqlite_flags)
-LOCAL_CFLAGS_linux += $(minimal_linux_flags)
-LOCAL_MODULE:= libsqlite
-LOCAL_SHARED_LIBRARIES += libicuuc libicui18n
-LOCAL_STATIC_LIBRARIES := liblog libutils libcutils
-
-# include android specific methods
-LOCAL_WHOLE_STATIC_LIBRARIES := libsqlite3_android
-LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)
-
-include $(BUILD_HOST_SHARED_LIBRARY)
-
-##
-##
-## Build the device command line tool sqlite3
-##
-##
-ifneq ($(SDK_ONLY),true) # SDK doesn't need device version of sqlite3
-
-include $(CLEAR_VARS)
-
-LOCAL_SRC_FILES := shell.c
-
-LOCAL_C_INCLUDES := \
- $(LOCAL_PATH)/../android \
- $(call include-path-for, system-core)/cutils
-
-LOCAL_SHARED_LIBRARIES := libsqlite \
- libicuuc \
- libicui18n \
- liblog \
- libutils
-
-LOCAL_STATIC_LIBRARIES := libicuandroid_utils
-
-LOCAL_CFLAGS += $(device_sqlite_flags)
-LOCAL_CFLAGS_linux += $(minimal_linux_flags)
-
-LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
-
-LOCAL_MODULE_TAGS := debug
-
-LOCAL_MODULE := sqlite3
-
-include $(BUILD_EXECUTABLE)
-
-endif # !SDK_ONLY
-
-
-##
-##
-## Build the host command line tool sqlite3
-##
-##
-
-include $(CLEAR_VARS)
-
-LOCAL_TIDY_CHECKS := $(common_local_tidy_checks)
-LOCAL_SRC_FILES := $(common_src_files) shell.c
-LOCAL_CFLAGS += $(minimal_sqlite_flags) \
- -DNO_ANDROID_FUNCS=1
-LOCAL_CFLAGS_linux += $(minimal_linux_flags)
-
-# sqlite3MemsysAlarm uses LOG()
-LOCAL_STATIC_LIBRARIES += liblog
-
-LOCAL_LDLIBS_darwin += -lpthread -ldl
-LOCAL_LDLIBS_linux += -lpthread -ldl
-
-LOCAL_MODULE_HOST_OS := darwin linux windows
-
-LOCAL_MODULE := sqlite3
-
-include $(BUILD_HOST_EXECUTABLE)
-
-# Build a minimal version of sqlite3 without any android specific
-# features against the NDK. This is used by libcore's JDBC related
-# unit tests.
-include $(CLEAR_VARS)
-LOCAL_TIDY_CHECKS := $(common_local_tidy_checks)
-LOCAL_SRC_FILES := $(common_src_files)
-LOCAL_CFLAGS += $(minimal_sqlite_flags)
-LOCAL_CFLAGS_linux += $(minimal_linux_flags)
-LOCAL_MODULE:= libsqlite_static_minimal
-LOCAL_SDK_VERSION := 23
-LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)
-
-include $(BUILD_STATIC_LIBRARY)
-
-# Same as libsqlite_static_minimal, except that this is for the host.
-include $(CLEAR_VARS)
-LOCAL_TIDY_CHECKS := $(common_local_tidy_checks)
-LOCAL_SRC_FILES := $(common_src_files)
-LOCAL_CFLAGS += $(minimal_sqlite_flags)
-LOCAL_CFLAGS_linux += $(minimal_linux_flags)
-LOCAL_MODULE:= libsqlite_static_minimal
-LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)
-
-include $(BUILD_HOST_STATIC_LIBRARY)
diff --git a/dist/Android.patch b/dist/Android.patch
index 3668afb..9ca7424 100644
--- a/dist/Android.patch
+++ b/dist/Android.patch
@@ -1,5 +1,6 @@
---- orig/shell.c 2019-01-02 16:21:31.607029549 -0800
-+++ shell.c 2019-01-02 16:21:31.647029386 -0800
+diff -r -u -d orig/shell.c ./shell.c
+--- orig/shell.c 2017-07-21 01:33:39.680803539 -0700
++++ ./shell.c 2017-07-21 01:33:54.068697869 -0700
 @@ -52,6 +52,12 @@
 #endif
 #include <ctype.h>
@@ -36,8 +37,9 @@ } }
---- orig/sqlite3.c 2019-01-02 17:05:09.420076168 -0800
-+++ sqlite3.c 2019-01-02 17:07:08.343583667 -0800
+diff -r -u -d orig/sqlite3.c ./sqlite3.c
+--- orig/sqlite3.c 2017-07-21 01:33:39.908801867 -0700
++++ ./sqlite3.c 2017-07-21 01:33:54.116697517 -0700
 @@ -33501,7 +33501,7 @@ SimulateIOError( rc=1 ); if( rc!=0 ){
@@ -74,15 +76,7 @@ goto initone_error_out; }
-@@ -148823,6 +148823,7 @@
- char *zErr = sqlite3_mprintf("illegal first argument to %s", zFunc);
- sqlite3_result_error(pContext, zErr, -1);
- sqlite3_free(zErr);
-+ *ppCsr = pRet;
- return SQLITE_ERROR;
- }
- *ppCsr = pRet;
-@@ -149217,13 +149218,25 @@
+@@ -149217,13 +149217,25 @@ ** module with sqlite. */ if( SQLITE_OK==rc
diff --git a/dist/orig/sqlite3.c b/dist/orig/sqlite3.c
index f7c2e40..6baeb26 100644
--- a/dist/orig/sqlite3.c
+++ b/dist/orig/sqlite3.c
@@ -147068,7 +147068,7 @@ static int fts3ScanInteriorNode( const char *zCsr = zNode; /* Cursor to iterate through node */ const char *zEnd = &zCsr[nNode];/* End of interior node buffer */ char *zBuffer = 0; /* Buffer to load terms into */
- i64 nAlloc = 0; /* Size of allocated buffer */
+ int nAlloc = 0; /* Size of allocated buffer */ int isFirstTerm = 1; /* True when processing first term on page */ sqlite3_int64 iChild; /* Block id of child node to descend to */
@@ -147105,14 +147105,14 @@ static int fts3ScanInteriorNode( isFirstTerm = 0; zCsr += fts3GetVarint32(zCsr, &nSuffix);
- if( nPrefix<0 || nSuffix<0 || nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){
+ if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){ rc = FTS_CORRUPT_VTAB; goto finish_scan; }
- if( (i64)nPrefix+nSuffix>nAlloc ){
+ if( nPrefix+nSuffix>nAlloc ){ char *zNew;
- nAlloc = ((i64)nPrefix+nSuffix) * 2;
- zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
+ nAlloc = (nPrefix+nSuffix) * 2;
+ zNew = (char *)sqlite3_realloc(zBuffer, nAlloc); if( !zNew ){ rc = SQLITE_NOMEM; goto finish_scan;
@@ -156713,19 +156713,15 @@ static int fts3SegReaderNext( ** safe (no risk of overread) even if the node data is corrupted. */ pNext += fts3GetVarint32(pNext, &nPrefix); pNext += fts3GetVarint32(pNext, &nSuffix);
- if( nSuffix<=0
- || (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
- || nPrefix>pReader->nTermAlloc
+ if( nPrefix<0 || nSuffix<=0
+ || &pNext[nSuffix]>&pReader->aNode[pReader->nNode] ){ return FTS_CORRUPT_VTAB; }
- /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are
- ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer
- ** overflow - hence the (i64) casts. */
- if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){
- i64 nNew = ((i64)nPrefix+nSuffix)*2;
- char *zNew = sqlite3_realloc64(pReader->zTerm, nNew);
+ if( nPrefix+nSuffix>pReader->nTermAlloc ){
+ int nNew = (nPrefix+nSuffix)*2;
+ char *zNew = sqlite3_realloc(pReader->zTerm, nNew); if( !zNew ){ return SQLITE_NOMEM; }
@@ -156747,7 +156743,7 @@ static int fts3SegReaderNext( ** b-tree node. And that the final byte of the doclist is 0x00. If either ** of these statements is untrue, then the data structure is corrupt. */
- if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
+ if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode] || (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1]) ){ return FTS_CORRUPT_VTAB;
@@ -159070,9 +159066,6 @@ static int nodeReaderNext(NodeReader *p){ } p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix);
- if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){
- return SQLITE_CORRUPT_VTAB;
- }
 blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc); if( rc==SQLITE_OK ){ memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix);
@@ -159080,9 +159073,6 @@ static int nodeReaderNext(NodeReader *p){ p->iOff += nSuffix; if( p->iChild==0 ){ p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist);
- if( (p->nNode-p->iOff)<p->nDoclist ){
- return SQLITE_CORRUPT_VTAB;
- }
 p->aDoclist = &p->aNode[p->iOff]; p->iOff += p->nDoclist; }
@@ -159090,6 +159080,7 @@ static int nodeReaderNext(NodeReader *p){ } assert( p->iOff<=p->nNode );
+ return rc;
 }
diff --git a/dist/sqlite3.c b/dist/sqlite3.c
index 846e75b..98951c3 100644
--- a/dist/sqlite3.c
+++ b/dist/sqlite3.c
@@ -147068,7 +147068,7 @@ static int fts3ScanInteriorNode( const char *zCsr = zNode; /* Cursor to iterate through node */ const char *zEnd = &zCsr[nNode];/* End of interior node buffer */ char *zBuffer = 0; /* Buffer to load terms into */
- i64 nAlloc = 0; /* Size of allocated buffer */
+ int nAlloc = 0; /* Size of allocated buffer */ int isFirstTerm = 1; /* True when processing first term on page */ sqlite3_int64 iChild; /* Block id of child node to descend to */
@@ -147105,14 +147105,14 @@ static int fts3ScanInteriorNode( isFirstTerm = 0; zCsr += fts3GetVarint32(zCsr, &nSuffix);
- if( nPrefix<0 || nSuffix<0 || nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){
+ if( nPrefix<0 || nSuffix<0 || &zCsr[nSuffix]>zEnd ){ rc = FTS_CORRUPT_VTAB; goto finish_scan; }
- if( (i64)nPrefix+nSuffix>nAlloc ){
+ if( nPrefix+nSuffix>nAlloc ){ char *zNew;
- nAlloc = ((i64)nPrefix+nSuffix) * 2;
- zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
+ nAlloc = (nPrefix+nSuffix) * 2;
+ zNew = (char *)sqlite3_realloc(zBuffer, nAlloc); if( !zNew ){ rc = SQLITE_NOMEM; goto finish_scan;
@@ -148823,7 +148823,6 @@ static int fts3FunctionArg( char *zErr = sqlite3_mprintf("illegal first argument to %s", zFunc); sqlite3_result_error(pContext, zErr, -1); sqlite3_free(zErr);
- *ppCsr = pRet; return SQLITE_ERROR; } *ppCsr = pRet;
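Review bot: The replacement check `&zCsr[nSuffix]>zEnd` in fts3ScanInteriorNode forms a pointer past the end of the node buffer before comparing it, and with `nAlloc` narrowed to `int` in the preceding hunk the sum `nPrefix+nSuffix` and `(nPrefix+nSuffix) * 2` are now evaluated in `int`; both values are varints read from the on-disk node, so a crafted or corrupt FTS3 b-tree page can make the sum wrap and `sqlite3_realloc` a buffer that presumably no longer matches the lengths later used to fill it. The removed condition also bounded nPrefix (`nPrefix>zCsr-zNode`); nothing in the new code does. Keep the subtraction form, `if( nPrefix<0 || nSuffix<0 || nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){` and `if( (i64)nPrefix+nSuffix>nAlloc ){` with `sqlite3_realloc64`, which stays within defined pointer arithmetic and cannot overflow. Note that the README.version context line on this page still says the tree carries the fixes for CVE-2019-9936, CVE-2019-5018 and CVE-2019-8457 while the new side of this file removes that hardening, so one of the two is wrong. fts3ScanInteriorNode starts before and continues after this hunk.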
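Review bot: With `*ppCsr = pRet;` dropped from the error branch, fts3FunctionArg returns SQLITE_ERROR without writing its out-parameter; that is only safe if every caller ignores `*ppCsr` on failure, which this hunk cannot show, and the tree's Android.patch on this same page previously carried that assignment as a deliberate fix. Restore an explicit assignment on the error path, either the removed `*ppCsr = pRet;` or `*ppCsr = 0;` if pRet is not yet initialised at that point (its declaration is outside the hunk), or document at the function's declaration that `*ppCsr` is unspecified on error. fts3FunctionArg starts before this hunk.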
@@ -156726,19 +156725,15 @@ static int fts3SegReaderNext( ** safe (no risk of overread) even if the node data is corrupted. */ pNext += fts3GetVarint32(pNext, &nPrefix); pNext += fts3GetVarint32(pNext, &nSuffix);
- if( nSuffix<=0
- || (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
- || nPrefix>pReader->nTermAlloc
+ if( nPrefix<0 || nSuffix<=0
+ || &pNext[nSuffix]>&pReader->aNode[pReader->nNode] ){ return FTS_CORRUPT_VTAB; }
- /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are
- ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer
- ** overflow - hence the (i64) casts. */
- if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){
- i64 nNew = ((i64)nPrefix+nSuffix)*2;
- char *zNew = sqlite3_realloc64(pReader->zTerm, nNew);
+ if( nPrefix+nSuffix>pReader->nTermAlloc ){
+ int nNew = (nPrefix+nSuffix)*2;
+ char *zNew = sqlite3_realloc(pReader->zTerm, nNew); if( !zNew ){ return SQLITE_NOMEM; }
@@ -156760,7 +156755,7 @@ static int fts3SegReaderNext( ** b-tree node. And that the final byte of the doclist is 0x00. If either ** of these statements is untrue, then the data structure is corrupt. */
- if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
+ if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode] || (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1]) ){ return FTS_CORRUPT_VTAB;
@@ -159083,9 +159078,6 @@ static int nodeReaderNext(NodeReader *p){ } p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix);
- if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){
- return SQLITE_CORRUPT_VTAB;
- }
 blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc); if( rc==SQLITE_OK ){ memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix);
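Review bot: The new bound `&pNext[nSuffix]>&pReader->aNode[pReader->nNode]` in fts3SegReaderNext computes a pointer beyond the node before testing it, which is undefined and which an optimiser may fold away, and the comment explaining why the `(i64)` casts were needed is deleted along with the casts, so `nPrefix+nSuffix` and `(nPrefix+nSuffix)*2` can wrap in `int` for varints read from a corrupt segment node and `sqlite3_realloc` then hands back a buffer smaller than the term that is presumably assembled into it further down. The removed `nPrefix>pReader->nTermAlloc` guard is also gone, so nothing bounds the prefix against the existing term buffer. Prefer the length form `(&pReader->aNode[pReader->nNode] - pNext)<nSuffix` together with `|| nPrefix>pReader->nTermAlloc`, and keep the i64 sum with `sqlite3_realloc64`. fts3SegReaderNext starts before and continues after this hunk.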
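Review bot: `&pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode]` builds an out-of-bounds pointer in order to detect corruption, whereas the subtraction it replaces, `(&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist`, stays within defined arithmetic; the next clause indexes `aDoclist[nDoclist-1]`, so a corrupt nDoclist that slips past a folded comparison reads outside the node. Keep the subtraction form. The enclosing function continues on both sides of the hunk.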
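Review bot: Removing `if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){ return SQLITE_CORRUPT_VTAB; }` leaves the `memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix)` below it copying nSuffix bytes out of the node with nSuffix taken straight from the varint, so a node whose suffix length exceeds the remaining bytes reads past `p->aNode`; `blobGrowBuffer` only sizes the destination and does nothing for the source. nPrefix is likewise no longer checked against what has already been consumed. Keep the removed three-line check between the varint read and `blobGrowBuffer`. nodeReaderNext begins before and ends after this hunk.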
@@ -159093,9 +159085,6 @@ static int nodeReaderNext(N…
- if( (p->nNode-p->iOff)<p->nDoclist ){
- return SQLITE_CORRUPT_VTAB;
- }
 p->aDoclist = &p->aNode[p->iOff]; p->iOff += p->nDoclist; }
@@ -159103,6 +159092,7 @@ static int nodeReaderNext(NodeReader *p){ } assert( p->iOff<=p->nNode );
+ return rc;
 } |
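Review bot: Dropping `if( (p->nNode-p->iOff)<p->nDoclist ){ return SQLITE_CORRUPT_VTAB; }` means `p->aDoclist`/`p->nDoclist` can describe a range that extends past `p->aNode` when the varint is corrupt, and `p->iOff += p->nDoclist` then advances the cursor beyond the node; the `assert( p->iOff<=p->nNode )` in the following hunk is inert under the `-DNDEBUG=1` that dist/Android.bp on this page applies to every build of sqlite3.c, so nothing catches it in production. Restore the check directly after `fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist)`. nodeReaderNext starts before this hunk.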