43 lines
1.3 KiB
Diff
43 lines
1.3 KiB
Diff
From 09f1652f36c5c4e8a6a640ce887f9ea0f48a7958 Mon Sep 17 00:00:00 2001
|
|
From: dan <Dan Kennedy>
|
|
Date: Thu, 7 Sep 2023 13:53:09 +0000
|
|
Subject: [PATCH] Fix a buffer overread in the sessions extension that could
|
|
occur when processing a corrupt changeset.
|
|
|
|
FossilOrigin-Name: 0e4e7a05c4204b47a324d67e18e76d2a98e26b2723d19d5c655ec9fd2e41f4b7
|
|
|
|
diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
|
|
index 9f862f2465..0491549231 100644
|
|
--- a/ext/session/sqlite3session.c
|
|
+++ b/ext/session/sqlite3session.c
|
|
@@ -2811,15 +2811,19 @@ static int sessionReadRecord(
|
|
}
|
|
}
|
|
if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
|
|
- sqlite3_int64 v = sessionGetI64(aVal);
|
|
- if( eType==SQLITE_INTEGER ){
|
|
- sqlite3VdbeMemSetInt64(apOut[i], v);
|
|
+ if( (pIn->nData-pIn->iNext)<8 ){
|
|
+ rc = SQLITE_CORRUPT_BKPT;
|
|
}else{
|
|
- double d;
|
|
- memcpy(&d, &v, 8);
|
|
- sqlite3VdbeMemSetDouble(apOut[i], d);
|
|
+ sqlite3_int64 v = sessionGetI64(aVal);
|
|
+ if( eType==SQLITE_INTEGER ){
|
|
+ sqlite3VdbeMemSetInt64(apOut[i], v);
|
|
+ }else{
|
|
+ double d;
|
|
+ memcpy(&d, &v, 8);
|
|
+ sqlite3VdbeMemSetDouble(apOut[i], d);
|
|
+ }
|
|
+ pIn->iNext += 8;
|
|
}
|
|
- pIn->iNext += 8;
|
|
}
|
|
}
|
|
}
|
|
--
|
|
2.43.0
|
|
|