author | dan <dan@noemail.net> | 2017-03-17 13:59:06 +0000 |
---|---|---|
committer | dan <dan@noemail.net> | 2017-03-17 13:59:06 +0000 |
commit | 1f9144ed41cfd73d32347b3be47cbca2e8c3fc4e (patch) | |
tree | afedb3880530c9a109a0a37eb87adf9d24b60704 /src | |
parent | a3b2da9889ceb5ca041ca0eb2bc8d35190aae94c (diff) | |
Fix a buffer overread in debugging routine sqlite3VdbeMemPrettyPrint().
Problem discovered by OSS-Fuzz.
FossilOrigin-Name: f336fba7d7d41b91a5000d01dddf785821fa79ea31dbd8d1f769d55f7e871896
Diffstat (limited to 'src')
-rw-r--r-- | src/vdbe.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/vdbe.c b/src/vdbe.c
index 20bf09e3a..7eb2b6f6f 100644
--- a/src/vdbe.c
+++ b/src/vdbe.c
@@ -2657,8 +2657,13 @@ case OP_Column: {
 ** 2. the length(X) function if X is a blob, and
 ** 3. if the content length is zero.
 ** So we might as well use bogus content rather than reading
- ** content from disk. */
- static u8 aZero[8]; /* This is the bogus content */
+ ** content from disk.
+ **
+ ** Although sqlite3VdbeSerialGet() may read at most 8 bytes from the
+ ** buffer passed to it, debugging function VdbeMemPrettyPrint() may
+ ** read up to 16. So 16 bytes of bogus content is supplied.
+ */
+ static u8 aZero[16]; /* This is the bogus content */
 sqlite3VdbeSerialGet(aZero, t, pDest);
 }else{
 rc = sqlite3VdbeMemFromBtree(pC->uc.pCursor, aOffset[p2], len, pDest); |
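Review bot: The new size in `static u8 aZero[16];` is a bare literal whose correctness depends on how many bytes the debugging pretty-printer reads, and nothing in the hunk ties the two together, so a later change to that routine's limit would silently bring the overread back. Consider a named constant used at both sites, e.g. `static u8 aZero[BOGUS_CONTENT_SZ];` (placeholder name), so the buffer and the reader cannot drift apart. The added comment also calls the routine `VdbeMemPrettyPrint()` while the commit message names `sqlite3VdbeMemPrettyPrint()`; the full name would make the dependency greppable. Presumably pDest can still carry a content length larger than 16 after `sqlite3VdbeSerialGet(aZero, t, pDest)`, so any other reader that trusts that length would need the same care; this is worth confirming, since the `case OP_Column` body starts and ends outside this hunk.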