Hi,

I'm experiencing a crash when loading a database with a corrupt journal
file. The error occurs in readMasterJournal in the following code:

│48741     if( SQLITE_OK!=(rc = sqlite3OsFileSize(pJrnl, &szJ))

│48742      || szJ<16

│48743      || SQLITE_OK!=(rc = read32bits(pJrnl, szJ-16, &len))

│48744      || len>=nMaster

│48745      || len==0

│48746      || SQLITE_OK!=(rc = read32bits(pJrnl, szJ-12, &cksum))

│48747      || SQLITE_OK!=(rc = sqlite3OsRead(pJrnl, aMagic, 8, szJ-8))
                                        │
│48748      || memcmp(aMagic, aJournalMagic, 8)

│48749      || SQLITE_OK!=(rc = sqlite3OsRead(pJrnl, zMaster, len,
szJ-16-len))

if len is longer than the file size szJ, szJ-16-len on line 48749 will be a
very large number, that will then be converted to a very negative number
when passed to unixRead. This will cause the check:

 if( offset<pFile->mmapSize ){

to succeed even though pFile->mmapSize is null, leading to a crash.

I don't believe this is a security issue, because len can only be between 0
and 512 on most systems, but it can get an app that relies on SQLite stuck
in a reset loop.

A journal that causes this issue is attached.

To reproduce, copy the attached files into the same folder, and open the
database, for example:

sqlitebrowser EmailProviderBody.db

Thanks,

Natalie
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Reply via email to