Stack-overflow in fts3DeleteByRowid |
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5201505573142528
Fuzzer: libFuzzer_sqlite3_fts3_lpm_fuzzer
Fuzz target binary: sqlite3_fts3_lpm_fuzzer
Job Type: x86_libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0xff105ffc
Crash State:
  fts3DeleteByRowid
  sqlite3Fts3UpdateMethod
  fts3UpdateMethod
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5201505573142528
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Jan 16
(6 days ago)
Looks like an infinite recursion to do with triggers and deletions. Dr. Hipp, can you please take a look?
-- Fuzzer-generated reproducer (libFuzzer_sqlite3_fts3_lpm_fuzzer) for the
-- stack overflow reported above (crash state: fts3DeleteByRowid <-
-- sqlite3Fts3UpdateMethod <- fts3UpdateMethod).
-- The statement sequence IS the test case: many statements are deliberately
-- redundant or malformed (re-creating an existing table name, column lists
-- that do not match the VALUES count, a missing SET, a space instead of a
-- dot between schema and trigger name) and will presumably error out rather
-- than execute; keep the sequence byte-for-byte when reproducing.
-- Table0_content / Table0_segdir / Table0_segments are the FTS3 shadow tables
-- backing the Table0 virtual table; the script writes to them directly,
-- bypassing the FTS3 layer, which is how the segment directory ends up with
-- rows the extension never produced.
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0 DEFAULT VALUES ;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
-- Direct write to the FTS3 segment directory (not via the virtual table).
UPDATE Table0_segdir SET start_block = 1;
CREATE VIRTUAL TABLE Table0 USING fts3();
UPDATE Table0_segdir SET start_block = 1;
-- DELETE trigger on a shadow table whose body deletes from the owning FTS
-- table. The comment above attributes the crash to recursion between
-- triggers and deletions, so the trigger definitions in this script are the
-- lines to watch.
CREATE TRIGGER Trigger0 DELETE ON Table0_content BEGIN DELETE FROM Table0 ; END;
INSERT INTO Table0_segdir DEFAULT VALUES;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
UPDATE Table0_segdir SET start_block = 1 WHERE block || 1;
CREATE VIRTUAL TABLE Table1 USING fts3();
CREATE VIRTUAL TABLE IF NOT EXISTS Table0 USING fts3(tokenize=porter);
DELETE FROM Table0 AS Table0 ;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE temp.Table0 USING fts3();
-- 'optimize' is the FTS3 special-insert command that merges all segments.
INSERT INTO Table0(Table0) VALUES('optimize');
CREATE VIRTUAL TABLE IF NOT EXISTS Table0 USING fts3(tokenize=porter);
-- Malformed: 4 columns named, 5 values given; presumably a prepare error.
INSERT INTO Table0_segdir(blockid, root, blockid, blockid) VALUES(1, 1, 1, 0, temp.Col0);
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
-- Self-referential DELETE trigger: a delete on Table0 issues DELETE FROM
-- Table0 again from inside the trigger body.
CREATE TRIGGER Trigger0 DELETE ON Table0 FOR EACH ROW BEGIN DELETE FROM Table0 ; END;
INSERT INTO Table0(Table0) VALUES('optimize');
DELETE FROM Table0 AS Table0 ;
-- "main Trigger0" (space, not dot) is not a qualified name; presumably a
-- parse error rather than a trigger in schema main.
CREATE TRIGGER main Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
DELETE FROM Table0 AS Table0 ;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
CREATE VIRTUAL TABLE Table1 USING fts3();
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; ; END;
DELETE FROM Table0_segdir;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
CREATE VIRTUAL TABLE temp.Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
UPDATE Table0_segdir SET start_block = 1;
CREATE VIRTUAL TABLE IF NOT EXISTS Table0 USING fts3(tokenize=porter);
CREATE VIRTUAL TABLE Table0 USING fts3();
DELETE FROM Table0_segments;
CREATE VIRTUAL TABLE Table0 USING fts3();
DELETE FROM Table0_segdir;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0 AS Table0_content VALUES (1) ;
INSERT INTO Table0(Table0) VALUES('optimize');
DELETE FROM Table0 AS Table0 ;
INSERT INTO Schema0.Table0 AS Table0_content VALUES (1) ;
INSERT INTO Table0_segdir DEFAULT VALUES;
DELETE FROM Table0 AS Table0 ;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table1 USING fts3();
INSERT INTO Table0_segdir(blockid) VALUES(x'ffffff94', x'ffffff94');
CREATE VIRTUAL TABLE Table0 USING fts3();
SELECT * FROM Table0 WHERE Col0 MATCH 'Col17:a';
INSERT INTO Table0 DEFAULT VALUES ;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
DELETE FROM Table0 AS Table0 ;
INSERT INTO Table0(Table0) VALUES('optimize');
INSERT INTO Table0_segdir DEFAULT VALUES;
UPDATE Table0_segdir SET start_block = 1;
INSERT INTO Table0(Table0) VALUES('optimize');
CREATE VIRTUAL TABLE IF NOT EXISTS Table0 USING fts3(tokenize=simple);
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 AS Table0 ; END;
CREATE TRIGGER main Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
SELECT * FROM Table0 WHERE Col0 MATCH 'Col17:a';
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
DELETE FROM Table0_segdir;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
SELECT * FROM Table0 WHERE Col0 MATCH 'Col17:a';
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0 DEFAULT VALUES ;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
-- Malformed: SET keyword missing.
UPDATE Table0_segdir start_block = 0;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN WITH Table0 AS () DELETE FROM Table0 ; END;
INSERT INTO Table0(Table0) VALUES('optimize');
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
WITH Table0 AS () INSERT INTO Table0 DEFAULT VALUES ;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0 DEFAULT VALUES ;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0 AS Table0_content VALUES (1) ;
DELETE FROM Table0 AS Table0 ;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir(blockid) VALUES(1, 1);
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
INSERT INTO Table0_segdir(blockid, root, blockid, blockid) VALUES(1, 1, 1, 0, temp.Col0);
CREATE TRIGGER Trigger0 DELETE ON Table0_content BEGIN DELETE FROM Table0 INDEXED BY Index0 ; END;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE IF NOT EXISTS Table0 USING fts3(tokenize=porter);
CREATE VIRTUAL TABLE Table0 USING fts3(tokenize=porter);
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
DELETE FROM Table0_segdir;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
UPDATE Table0_segdir SET start_block = 1;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table1 USING fts3();
INSERT INTO Table0(Table0) VALUES('optimize');
INSERT INTO Table0 DEFAULT VALUES ;
INSERT INTO Table0_segdir(blockid) VALUES(x'ffffff94', x'ffffff94');
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
UPDATE Table0_segdir SET start_block = 1;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0 AS Table0_content VALUES (1) ;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE IF NOT EXISTS Table0 USING fts3(tokenize=simple);
CREATE TRIGGER main Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
UPDATE Table0_segdir SET start_block = 1;
DELETE FROM Table0_segdir;
INSERT INTO Table0 (rowid) DEFAULT VALUES ;
CREATE VIRTUAL TABLE IF NOT EXISTS Table0 USING fts3(tokenize=porter);
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0 AS Table0_content VALUES (1) ;
UPDATE Table0_segdir SET start_block = 1 WHERE block || 1;
SELECT * FROM Table0 WHERE Col0 MATCH 'Col17:a';
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0(Table0) VALUES('optimize');
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3(Col0, Col0);
INSERT INTO Table0_segdir(blockid) VALUES(x'ffffff94', x'ffffff94');
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
CREATE VIRTUAL TABLE Table1 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
INSERT INTO Table0(Table0) VALUES('optimize');
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
INSERT INTO Table0(Table0) VALUES('optimize');
UPDATE Table0_segdir SET start_block = 1;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE IF NOT EXISTS Table0 USING fts3(tokenize=porter);
DELETE FROM Table0_segdir;
UPDATE Table0_segdir SET start_block = 1 WHERE block || 1;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table1 USING fts3();
CREATE VIRTUAL TABLE Table1 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 AS Table0 ; END;
INSERT INTO Table0_segdir DEFAULT VALUES;
INSERT INTO Table0 AS Table0_content VALUES (1) ;
DELETE FROM Table0_segdir;
CREATE VIRTUAL TABLE temp.Table0 USING fts3();
DELETE FROM Table0 AS Table0 ;
INSERT INTO Table0_segments(blockid) VALUES(like(1, 1, 0) , like(1, 1, 0) );
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
DELETE FROM Table0_segdir;
SELECT * FROM Table0 WHERE Col0 MATCH 'Col17:a';
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0 AS Table0_content VALUES (1) ;
CREATE VIRTUAL TABLE temp.Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table1 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE TRIGGER main Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0 AS Table0_content VALUES (1) ;
INSERT INTO Table0_segdir(blockid) VALUES(x'ffffff94', x'ffffff94');
INSERT INTO Table0 DEFAULT VALUES ;
SELECT * FROM Table0 WHERE Col0 MATCH 'Col17:a';
DELETE FROM Table0_segdir;
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
DELETE FROM Table0_segments;
CREATE TRIGGER main Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
CREATE VIRTUAL TABLE Table0 USING fts3();
SELECT * FROM Table0 WHERE Col0 MATCH 'Col17:a';
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
DELETE FROM Table0 AS Table0 ;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table1 USING fts3();
UPDATE Table0_segdir SET start_block = 1;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
UPDATE Table0_segdir SET start_block = 1 WHERE block || 1;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
UPDATE Table0_segdir SET start_block = 1 WHERE block || 1;
CREATE TRIGGER Trigger0 DELETE ON Table0 FOR EACH ROW BEGIN DELETE FROM Table0 ; END;
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE IF NOT EXISTS Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
INSERT INTO Table0_segdir DEFAULT VALUES;
INSERT INTO Table0_segdir DEFAULT VALUES;
INSERT INTO Table0 VALUES (1), (CURRENT_TIMESTAMP) ;
CREATE VIRTUAL TABLE temp.Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table0 USING fts3();
INSERT INTO Table0_segdir DEFAULT VALUES;
UPDATE Table0_segdir SET start_block = 1;
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE VIRTUAL TABLE Table1 USING fts3();
INSERT INTO Table0(Table0) VALUES('optimize');
UPDATE Table0_segdir SET start_block = 1;
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 ; END;
INSERT INTO Table0_segdir(blockid) VALUES(x'ffffff94', x'ffffff94');
INSERT INTO Table0_segdir(blockid) VALUES(x'ffffff94', x'ffffff94');
CREATE VIRTUAL TABLE Table0 USING fts3();
CREATE TRIGGER Trigger0 DELETE ON Table0 BEGIN DELETE FROM Table0 AS Table0 ; END;
UPDATE Table0_segdir SET start_block = 1 WHERE block || 1;
INSERT INTO Table0_segdir DEFAULT VALUES;
Jan 16
(6 days ago)
Jan 16
(6 days ago)
Jan 17
(6 days ago)
Fixed by check-in https://sqlite.org/src/info/da587d18575ac06a
Jan 17
(6 days ago)
Thank you very much for the quick fix, Richard! The fix seems to be a non-trivial patch that changes the SQLite API as well. Setting to P2 because I don't think it's the end of the world that an application can stack-overflow the renderer with a malicious sequence of queries. mpdenton@: I think that at some point we'll need to draw a line and say we did all we could for this release. After https://crrev.com/c/1416399 lands, we'll have 23 bugfixes (on top of 7 other patches) on top of SQLite. I'm starting to think this is where we draw the line and wait for the next SQLite release (presumably SQLite 3.27). After we adopt that and can get back to 6 patches, we can backport more changes. Objections to either of my two claims in this comment?
Jan 17
(6 days ago)
I agree with the first statement, we don't need to backport this. As for the second, I think that may be good, I'm just worried that the dbfuzz2 bug fixes won't get us enough without a bunch of followup fixes, and we'll just see crashes with slightly different queries, and maybe we should wait until the bugs dry up a little bit. But maybe they have already; in any case, it's totally your decision when you want to cut off the dbfuzz2 fixes. I'm still optimistic about the backports of fixes here :). (as a tangent, what do we do when sqlite reports the database is corrupt? Do we try to recover? If we do try to recover, what happens if that fails?) For the LPM fuzzer bugs, we should ignore NULL-ptr dereferences and stack-overflows for now. For any security bugs (UAFs, overflow, use-after-scope, integer overflows, etc.), we should try to get the backports in as long as possible before stable, if that works for you (the volume of these is quite low--many were just occurring in the ASSERTIONs as well). For ASSERTION bugs, we should run them without asserts, under ASAN and MSAN, and test whether they can be leveraged as security bugs or not. I can also judge exploitability if there are too many. The ASSERTION bugs typically fall into roughly four categories: 1. Actual null-ptr dereferences 2. Bugs in the assertion 3. Logic bugs in sqlite 4. ASAN/MSAN bugs #1 and #2 we can ignore, #3 you can judge the severity of (and we'll probably ignore), and #4 we should backport as soon as possible. How does that sound?
Jan 17
(6 days ago)
To be clear, I wasn't suggesting ignoring dbfuzz2 bugs indefinitely. I was only thinking that we'd pause the current process (backport fix, wait for new errors) until the next SQLite release comes out. I really like all the fixes that clusterfuzz is finding... I think that M73 will be the most stable Chrome we've put out, at least w.r.t. SQLite. So, in the long run, I definitely do want to go through all the problems. The part I'm concerned about is piling up a lot of backports. This means our tree deviating significantly from SQLite's, so it'll be difficult to reason about any problem in beta/stable. The pile of backports resets every time we adopt a SQLite upgrade, so we'd be open for business again once 3.27 comes out :) --- Chrome-specific answer to how we handle corruption -- barring feature-level bugs, we immediately stop using the SQLite database. For a few features, we use a Chrome-specific SQLite extension (recover.c) that we hope to upstream or kill off. Most features raze the DB (while trying to maintain schema and settings) and start over. Our current setup is overly complicated. Eventually, I hope to have enough resources to put together a better framework in //sql. In that case, we'd simply delete a bad DB and run application code to rebuild it from scratch.
Jan 17
(6 days ago)
Right, I was just wondering whether the pile of backports would be useful without a couple extra. I really have no idea, and possibly piling up more backports will be more problematic than leaving them out, for sure. :) So yeah, let's pause dbfuzz2 stuff. For the security bugs, does that whole process sound good? --- I'm surprised, is there no information in the sqlite database that isn't duplicated elsewhere, and that would be important not to lose? Don't we use sqlite for bookmarks and history or something? Do those go through the recovery extension?
Jan 18
(4 days ago)
ClusterFuzz has detected this issue as fixed in range 624100:624101.
Detailed report: https://clusterfuzz.com/testcase?key=5201505573142528
Fuzzer: libFuzzer_sqlite3_fts3_lpm_fuzzer
Fuzz target binary: sqlite3_fts3_lpm_fuzzer
Job Type: x86_libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0xff676ffc
Crash State:
  fts3DeleteByRowid
  sqlite3Fts3UpdateMethod
  fts3UpdateMethod
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=x86_libfuzzer_chrome_asan_debug&range=624100:624101
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5201505573142528
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18
(4 days ago)
ClusterFuzz testcase 5201505573142528 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 18
(4 days ago)
The fix range has nothing to do with SQLite. We haven't picked up the fix yet.
Yesterday
(31 hours ago)
Today
(9 hours ago)
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/846fd43e9412f97c0f0732807537fa3981c38ee3 commit 846fd43e9412f97c0f0732807537fa3981c38ee3 Author: Victor Costan <pwnall@chromium.org> Date: Tue Jan 22 21:15:35 2019 sqlite: Backport a fourth round of bugfixes. Bug: 914028 , 914614 , 917075, 917786, 921417 , 921684, 922399, 922844, 922849, 923196 , 923715 , 923743 , 923902 Change-Id: Id642f518153293afa8787b70692a97560dc4691b Reviewed-on: https://chromium-review.googlesource.com/c/1424164 Reviewed-by: Chris Mumford <cmumford@google.com> Commit-Queue: Victor Costan <pwnall@chromium.org> Auto-Submit: Victor Costan <pwnall@chromium.org> Cr-Commit-Position: refs/heads/master@{#624921} [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/amalgamation/rename_exports.h [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/amalgamation/sqlite3.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/amalgamation/sqlite3.h [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch [modify] 
https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0018-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch [modify] 
https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0019-Prevent-integer-overflow-from-leading-to-buffer-over.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0020-Add-extra-tests-for-database-corruption-inside-defra.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0021-Fix-an-off-by-one-error-on-a-Goto-in-the-code-genera.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0023-Avoid-buffer-overreads-on-corrupted-database-files.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0024-Fix-integer-overflow-while-running-PRAGMA-integrity_.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0025-Improved-corruption-handling-while-balancing-pages.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0026-Avoid-reading-off-the-front-of-a-page-buffer-when-ba.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0027-Fix-MSAN-error-in-sqlite3VdbeRecordUnpack-on-a-corru.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0028-Fix-deleting-a-B-tree-entry-in-a-corrupt-database.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0029-Fix-sorting-results-with-SRT_EphemTab-and-a-LIMIT-cl.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0030-Fix-detection-of-orphaned-and-malformed-autoindexes.patch [add] 
https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0031-Fix-potential-buffer-overread.patch [add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0032-Fix-handling-negative-number-of-pages-database-field.patch [add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0033-Fix-corner-case-in-inserting-null-into-integer-prima.patch [add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0034-Fix-insert-infinite-recursion-on-some-corrupted-data.patch [add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0035-Fix-null-pointer-dereference-in-sqlite3ExprCompare.patch [add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0036-Fix-NEVER-that-is-sometimes-true.patch [add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0037-Initialize-extra-bytes-allocated-for-saved-cursor-po.patch [add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0038-Fix-leaks-caused-by-circular-references-in-vtable-sh.patch [add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0039-Fix-overly-large-malloc-on-btree-corruption.patch [add] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/patches/0040-Fix-null-pointer-access-on-corrupted-index-key.patch [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/fts3/fts3_write.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/fts5/fts5_index.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/fts5/fts5_storage.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/ext/rtree/rtree.c [modify] 
https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/btree.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/build.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/expr.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/insert.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/pcache1.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/prepare.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/sqlite.h.in [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/sqliteInt.h [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/trigger.c [modify] https://crrev.com/846fd43e9412f97c0f0732807537fa3981c38ee3/third_party/sqlite/src/src/vdbeaux.c |
Comment 1 by ClusterFuzz
, Jan 16 (6 days ago)Labels: ClusterFuzz-Auto-CC