Fix a case where a corrupt stat4 record could go unrecognized due to integer overflow.

danielk-1977 · danielk-1977 · commit c660e9c0bc04 · 2024-04-24T14:18:20.000Z
diff --git a/src/vdbemem.c b/src/vdbemem.c
@@ -1949,10 +1949,10 @@ int sqlite3Stat4Column(
   sqlite3_value **ppVal           /* OUT: Extracted value */
 ){
   u32 t = 0;                      /* a column type code */
-  int nHdr;                       /* Size of the header in the record */
-  int iHdr;                       /* Next unread header byte */
-  int iField;                     /* Next unread data byte */
-  int szField = 0;                /* Size of the current data field */
+  u32 nHdr;                       /* Size of the header in the record */
+  u32 iHdr;                       /* Next unread header byte */
+  i64 iField;                     /* Next unread data byte */
+  u32 szField = 0;                /* Size of the current data field */
   int i;                          /* Column index */
   u8 *a = (u8*)pRec;              /* Typecast byte array */
   Mem *pMem = *ppVal;             /* Write result into this Mem object */
diff --git a/test/corruptL.test b/test/corruptL.test
@@ -1505,4 +1505,89 @@ do_catchsql_test 19.4 {
   PRAGMA integrity_check;
 } {1 {database disk image is malformed}}
 
+#-------------------------------------------------------------------------
+reset_db
+do_test 18.0 {
+  sqlite3 db {}
+  db deserialize [decode_hexdb {
+.open --hexdb
+| size 20480 pagesize 4096 filename crash-a4150b729051e4.db
+| page 1 offset 0
+|      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+|     16: 10 00 01 01 00 40 20 20 00 00 00 00 00 00 00 05   .....@  ........
+|     32: 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 04   ................
+|     48: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00   ................
+|     64: 00 00 00 00 00 00 00 00 00 00 ff f0 00 00 00 00   ................
+|     96: 00 00 00 00 0d 00 00 00 04 0e e5 00 0f c2 0f 75   ...............u
+|    112: 0f 19 0e e5 00 00 00 00 00 00 00 01 00 00 00 00   ................
+|   3808: 00 00 00 00 00 32 04 06 17 17 11 01 4b 69 6e 64   .....2......Kind
+|   3824: 65 78 74 31 61 62 63 74 31 05 43 52 45 41 54 45   ext1abct1.CREATE
+|   3840: 20 49 4e 44 45 58 20 74 31 61 62 63 20 4f 4e 20    INDEX t1abc ON 
+|   3856: 74 31 28 61 2c 62 2c 63 29 5a 03 06 17 25 25 01   t1(a,b,c)Z...%%.
+|   3872: 79 74 61 62 6c 65 73 71 6c 69 74 65 5f 73 74 61   ytablesqlite_sta
+|   3888: 74 34 73 71 6c 69 74 65 5f 73 74 61 74 34 04 43   t4sqlite_stat4.C
+|   3904: 52 45 41 54 45 20 54 41 42 4c 45 20 73 71 6c 69   REATE TABLE sqli
+|   3920: 74 65 5f 73 74 61 74 34 28 74 62 6c 2c 69 64 78   te_stat4(tbl,idx
+|   3936: 2c 6e 65 71 2c 6e 6c 74 2c 6e 64 6c 74 2c 73 61   ,neq,nlt,ndlt,sa
+|   3952: 6d 70 6c 65 29 4b 02 06 17 25 25 01 5b 74 61 62   mple)K...%%.[tab
+|   3968: 6c 65 73 71 6c 69 74 65 5f 73 74 61 74 31 73 71   lesqlite_stat1sq
+|   3984: 6c 69 74 65 5f 73 74 61 74 31 03 43 52 45 41 54   lite_stat1.CREAT
+|   4000: 45 20 54 41 42 4c 45 20 73 71 6c 69 74 65 5f 73   E TABLE sqlite_s
+|   4016: 74 61 74 31 28 74 62 6c 2c 69 64 78 2c 73 74 61   tat1(tbl,idx,sta
+|   4032: 74 29 3c 01 06 17 11 11 01 65 74 61 62 6c 65 74   t)<......etablet
+|   4048: 31 74 31 02 43 52 45 41 54 45 20 54 41 42 4c 45   1t1.CREATE TABLE
+|   4064: 20 74 31 28 61 20 54 45 58 54 2c 20 62 20 49 4e    t1(a TEXT, b IN
+|   4080: 54 2c 20 63 20 49 4e 54 2c 20 64 20 49 4e 54 29   T, c INT, d INT)
+| page 2 offset 4096
+|      0: 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|   4000: 0b 07 05 13 01 01 01 62 63 64 64 06 0b 0c 06 05   .......bcdd.....
+|   4016: 13 02 01 01 64 65 66 01 59 09 0a 0c 05 05 13 03   ....def.Y.......
+|   4032: 01 01 64 65 66 02 6f 08 09 0c 04 05 13 02 01 01   ..def.o.........
+|   4048: 61 62 63 01 59 07 08 0c 03 05 13 02 01 01 87 62   abc.Y..........b
+|   4064: 63 00 ea 06 07 0c 02 05 13 02 01 01 61 62 63 00   c...........abc.
+|   4080: ea 06 06 0b 01 05 13 01 01 01 61 62 63 7b 04 04   ..........abc...
+| page 3 offset 8192
+|      0: 0d 00 00 00 01 0f e0 00 0f e1 00 00 00 00 00 00   ................
+|   4064: 00 1d 01 04 11 17 31 74 31 74 31 61 62 63 31 30   ......1t1t1abc10
+|   4080: 30 30 30 20 35 30 30 30 20 32 30 30 30 20 31 30   000 5000 2000 10
+| page 4 offset 12288
+|      0: 0d 00 00 00 07 0e ac 00 0f d1 0f a0 0f 6f 0f 3e   .............o.>
+|     16: 0f 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+|   3744: 00 00 00 00 00 00 00 00 00 00 00 00 2f 07 07 11   ............/...
+|   3760: 17 1b 1b 1b 24 74 31 74 31 61 62 63 32 20 31 20   ....$t1t1abc2 1 
+|   3776: 31 20 31 35 20 36 20 36 20 36 32 20 35 20 36 20   1 15 6 6 62 5 6 
+|   3792: 36 05 13 02 01 01 64 65 66 02 37 08 05 2f 06 07   6.....def.7../..
+|   3808: 11 17 1b 1b 1b 24 74 41 74 31 61 62 63 32 20 31   .....$tAt1abc2 1
+|   3824: 20 31 20 31 35 20 35 20 55 20 35 32 20 34 20 35    1 15 5 U 52 4 5
+|   3840: 20 35 05 13 02 01 01 64 65 66 01 59 09 06 2e 05    5.....def.Y....
+|   3856: 07 11 17 1b 1b 1b 22 74 31 74 31 61 62 63 31 20   .......t1t1abc1 
+|   3872: 31 20 31 20 31 34 20 34 20 34 20 34 31 20 33 20   1 1 14 4 4 41 3 
+|   3888: 34 20 34 08 b3 cd f0 f1 62 63 64 64 06 07 2f 05   4 4.....bcdd../.
+|   3904: 07 11 17 1b 1b 1b 24 74 37 74 31 61 62 63 34 20   ......$t7t1abc4 
+|   3920: 31 20 31 20 31 30 20 33 20 33 20 33 30 20 32 20   1 1 10 3 3 30 2 
+|   3936: 33 20 33 05 13 02 01 01 61 62 63 01 59 07 04 2f   3 3.....abc.Y../
+|   3952: 03 07 11 17 1b 1b 1b 24 74 31 74 31 61 62 63 34   .......$t1t1abc4
+|   3968: 20 32 20 31 20 31 30 20 31 20 32 20 32 30 20 31    2 1 10 1 2 20 1
+|   3984: 20 32 20 32 05 13 02 01 01 61 62 63 00 ea 06 03    2 2.....abc....
+|   4000: 2f 02 07 11 17 1b 1b 1b 24 74 31 74 31 61 62 63   /.......$t1t1abc
+|   4016: 34 20 32 20 31 20 31 30 20 31 20 31 20 31 30 20   4 2 1 10 1 1 10 
+|   4032: 31 20 31 20 31 05 13 02 01 01 61 62 63 00 ea 05   1 1 1.....abc...
+|   4048: 02 2d 01 07 11 17 1b 1b 1b 20 74 31 74 31 61 62   .-....... t1t1ab
+|   4064: 63 34 20 31 20 31 20 31 30 20 30 20 30 1f 30 30   c4 1 1 10 0 0.00
+|   4080: 20 30 20 30 20 30 05 13 01 01 09 61 62 63 7b 04    0 0 0.....abc..
+| page 5 offset 16384
+|      0: 0a 00 00 00 07 0f a8 00 0f f5 00 00 00 00 00 00   ................
+|   4000: 00 00 00 00 00 00 00 00 0c 05 13 02 01 01 64 65   ..............de
+|   4016: 66 02 37 08 05 0c 05 13 02 01 01 64 65 66 01 59   f.7........def.Y
+|   4032: 09 06 0b 05 12 01 01 01 62 63 64 64 06 07 0c 05   ........bcdd....
+|   4048: 13 02 01 01 61 62 63 01 59 07 01 2c 05 13 02 01   ....abc.Y..,....
+|   4064: 01 61 62 63 00 ea 06 03 0c 05 13 02 01 01 61 62   .abc..........ab
+|   4080: 63 00 ea 05 00 00 00 00 00 00 00 00 00 00 00 00   c...............
+| end crash-a4150b729051e4.db
+}]} {}
+
+do_catchsql_test 18.1 {
+  SELECT a FROM t1 WHERE b GLOB b AND b GLOB '0^x]␅6␚xz]';
+} {1 {database disk image is malformed}}
+
 finish_test
