authordan <Dan Kennedy>2024-01-23 16:09:22 +0000
committerdan <Dan Kennedy>2024-01-23 16:09:22 +0000
commitbcf3df01928257644f91ead9a28b7b8487104508 (patch)
treed7a6da8a0ebe2df8fda318bd3ee77ac770fc2644 /src/os_unix.c
parent1ff9a7bc8d04487c19c15b9ae1b8398ce35c075f (diff)
In os_unix.c and os_win.c, do not allow xFetch() to return a pointer to a page buffer that is right at the end of the mapped region - if the database is corrupted in a specific way, such a page buffer might be overread by several bytes.
FossilOrigin-Name: 2684feac3bc9c5463604900d72710be861527614f4957224c74a16a3b3c702f5
Diffstat (limited to 'src/os_unix.c')
-rw-r--r--src/os_unix.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/os_unix.c b/src/os_unix.c
index 80e6f6ad9..4b3d63c2c 100644
--- a/src/os_unix.c
+++ b/src/os_unix.c
@@ -5441,11 +5441,16 @@ static int unixFetch(sqlite3_file *fd, i64 iOff, int nAmt, void **pp){
#if SQLITE_MAX_MMAP_SIZE>0
if( pFd->mmapSizeMax>0 ){
+ /* Ensure that there is always at least a 256 byte buffer of addressable
+ ** memory following the returned page. If the database is corrupt,
+ ** SQLite may overread the page slightly (in practice only a few bytes,
+ ** but 256 is safe, round, number). */
+ const int nEofBuffer = 256;
if( pFd->pMapRegion==0 ){
int rc = unixMapfile(pFd, -1);
if( rc!=SQLITE_OK ) return rc;
}
- if( pFd->mmapSize >= iOff+nAmt ){
+ if( pFd->mmapSize >= (iOff+nAmt+nEofBuffer) ){
*pp = &((u8 *)pFd->pMapRegion)[iOff];
pFd->nFetchOut++;
}
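Review bot: The 256-byte tail guard is declared as a function-local `const int nEofBuffer` inside unixFetch, while the commit message says os_win.c applies the same limit; keeping the value in one shared definition (a project-wide macro, name to be chosen) would stop the two mmap backends from drifting apart if the bound is ever revisited. The new comparison also means a page that ends within 256 bytes of `pFd->mmapSize` is now silently not served from the map - presumably the caller falls back to an ordinary read when `*pp` is left unset, but the comment should say so explicitly: `** A page that ends too close to the end of the map is not returned; the caller must read it normally.` In the same comment, `but 256 is safe, round, number` reads better as `but 256 is a safe, round number`. The enclosing unixFetch body continues past the end of the hunk.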