SQLite

Check-in [6e3e014af9]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix a one byte buffer overread in fts3.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 6e3e014af91601ed1f3a9cbe23f7c4260a4d177f
User & Date: dan 2010-03-05 17:27:02.000
Context
2010-03-05
18:46
Change a condition in sqlite3VdbeMemShallowCopy() to avoid accessing an unitialized variable (doing so was not dangerous, but caused a valgrind error). (check-in: 4793c381c6 user: dan tags: trunk)
17:27
Fix a one byte buffer overread in fts3. (check-in: 6e3e014af9 user: dan tags: trunk)
16:32
Modify the vdbe so that the comparison operator opcodes do not modify the data type of operands. Fix for [aa92c76cd4]. (check-in: 8858042fa1 user: dan tags: trunk)
Changes
Unified Diff Ignore Whitespace Patch
Changes to ext/fts3/fts3.c.
1033
1034
1035
1036
1037
1038
1039
1040





1041
1042
1043
1044
1045
1046
1047
  assert( iVal-*piPrev > 0 || (*piPrev==0 && iVal==0) );
  *pp += sqlite3Fts3PutVarint(*pp, iVal-*piPrev);
  *piPrev = iVal;
}

/*
** When this function is called, *ppPoslist is assumed to point to the 
** start of a position-list.





*/
static void fts3PoslistCopy(char **pp, char **ppPoslist){
  char *pEnd = *ppPoslist;
  char c = 0;

  /* The end of a position list is marked by a zero encoded as an FTS3 
  ** varint. A single 0x00 byte. Except, if the 0x00 byte is preceded by







|
>
>
>
>
>







1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
  assert( iVal-*piPrev > 0 || (*piPrev==0 && iVal==0) );
  *pp += sqlite3Fts3PutVarint(*pp, iVal-*piPrev);
  *piPrev = iVal;
}

/*
** When this function is called, *ppPoslist is assumed to point to the 
** start of a position-list. After it returns, *ppPoslist points to the
** first byte after the position-list.
**
** If pp is not NULL, then the contents of the position list are copied
** to *pp. *pp is set to point to the first byte past the last byte copied
** before this function returns.
*/
static void fts3PoslistCopy(char **pp, char **ppPoslist){
  char *pEnd = *ppPoslist;
  char c = 0;

  /* The end of a position list is marked by a zero encoded as an FTS3 
  ** varint. A single 0x00 byte. Except, if the 0x00 byte is preceded by
2177
2178
2179
2180
2181
2182
2183

2184

2185
2186
2187
2188
2189
2190
2191
    char *pEnd = &pExpr->aDoclist[pExpr->nDoclist];
    char *pCsr = pExpr->pCurrent;

    assert( pCsr );
    while( pCsr<pEnd ){
      if( pExpr->iCurrent<iDocid ){
        fts3PoslistCopy(0, &pCsr);

        fts3GetDeltaVarint(&pCsr, &pExpr->iCurrent);

        pExpr->pCurrent = pCsr;
      }else{
        if( pExpr->iCurrent==iDocid ){
          int iThis = 0;
          if( iCol<0 ){
            /* If iCol is negative, return a pointer to the start of the
            ** position-list (instead of a pointer to the start of a list







>
|
>







2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
    char *pEnd = &pExpr->aDoclist[pExpr->nDoclist];
    char *pCsr = pExpr->pCurrent;

    assert( pCsr );
    while( pCsr<pEnd ){
      if( pExpr->iCurrent<iDocid ){
        fts3PoslistCopy(0, &pCsr);
        if( pCsr<pEnd ){
          fts3GetDeltaVarint(&pCsr, &pExpr->iCurrent);
        }
        pExpr->pCurrent = pCsr;
      }else{
        if( pExpr->iCurrent==iDocid ){
          int iThis = 0;
          if( iCol<0 ){
            /* If iCol is negative, return a pointer to the start of the
            ** position-list (instead of a pointer to the start of a list