Hi, I'm experiencing a crash when loading a database with a corrupt journal file. The error occurs in readMasterJournal in the following code:
48741     if( SQLITE_OK!=(rc = sqlite3OsFileSize(pJrnl, &szJ))
48742      || szJ<16
48743      || SQLITE_OK!=(rc = read32bits(pJrnl, szJ-16, &len))
48744      || len>=nMaster
48745      || len==0
48746      || SQLITE_OK!=(rc = read32bits(pJrnl, szJ-12, &cksum))
48747      || SQLITE_OK!=(rc = sqlite3OsRead(pJrnl, aMagic, 8, szJ-8))
48748      || memcmp(aMagic, aJournalMagic, 8)
48749      || SQLITE_OK!=(rc = sqlite3OsRead(pJrnl, zMaster, len, szJ-16-len))

If len is longer than the file size szJ, szJ-16-len on line 48749 will be a very large number that will then be converted to a very negative number when passed to unixRead. This will cause the check

    if( offset<pFile->mmapSize ){

to succeed even though pFile->mmapSize is null, leading to a crash.

I don't believe this is a security issue, because len can only be between 0 and 512 on most systems, but it can get an app that relies on SQLite stuck in a reset loop.

A journal that causes this issue is attached. To reproduce, copy the attached files into the same folder, and open the database, for example:

    sqlitebrowser EmailProviderBody.db

Thanks,
Natalie
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
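The report above describes a trailer whose len field is not checked against the file size before the offset szJ-16-len is computed. The following is an added example, not code from the post or from SQLite, that parses an in-memory journal image with a similar trailer layout (name, 4-byte len, 4-byte cksum, 8-byte magic) and adds the missing bound: the name must fit entirely in front of the 16-byte trailer. The magic bytes, the checksum convention (a plain byte sum of the name), the result codes and the helper names are all constructed for this example; the unchecked_offset function reproduces only the arithmetic of the excerpt so the negative result can be seen beside the checked version.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int64_t i64;
typedef uint32_t u32;

/* Constructed 8-byte trailer magic for this example; not SQLite's real value. */
static const unsigned char kMagic[8] = {'J','R','N','L','M','A','G','C'};

static u32 read32be(const unsigned char *p){
  return ((u32)p[0]<<24) | ((u32)p[1]<<16) | ((u32)p[2]<<8) | (u32)p[3];
}

static void write32be(unsigned char *p, u32 v){
  p[0] = (unsigned char)(v>>24); p[1] = (unsigned char)(v>>16);
  p[2] = (unsigned char)(v>>8);  p[3] = (unsigned char)v;
}

/* The offset arithmetic of the excerpt with no bound on len: when the name
 * length exceeds szJ-16 the result drops below zero. */
i64 unchecked_offset(i64 szJ, u32 len){
  return szJ - 16 - len;
}

/* Result codes, constructed for this example. */
enum { TRAILER_OK = 0, TRAILER_SHORT, TRAILER_BAD_LEN, TRAILER_BAD_CKSUM, TRAILER_BAD_MAGIC };

/* Parse the trailer of a journal image of szJ bytes laid out as
 *   [payload | zMaster (len bytes) | len (4, BE) | cksum (4, BE) | magic (8)]
 * and copy the NUL-terminated name into zMaster (capacity nMaster) on success. */
int parse_trailer(const unsigned char *buf, i64 szJ, char *zMaster, u32 nMaster){
  u32 len, cksum, sum = 0, i;
  i64 off;
  if( szJ<16 ) return TRAILER_SHORT;
  len = read32be(buf + szJ - 16);
  if( len==0 || len>=nMaster ) return TRAILER_BAD_LEN;
  /* The bound missing from the excerpt: the name must lie before the trailer,
   * so the read offset can never be negative. */
  if( (i64)len > szJ-16 ) return TRAILER_BAD_LEN;
  if( memcmp(buf + szJ - 8, kMagic, 8)!=0 ) return TRAILER_BAD_MAGIC;
  off = szJ - 16 - len;                 /* now 0 <= off <= szJ-16 */
  cksum = read32be(buf + szJ - 12);
  for(i=0; i<len; i++) sum += buf[off+i];
  if( sum!=cksum ) return TRAILER_BAD_CKSUM;
  memcpy(zMaster, buf + off, len);
  zMaster[len] = 0;
  return TRAILER_OK;
}

/* Build a journal image: 32 bytes of constructed payload, the name, then a
 * trailer whose len field may deliberately disagree with the real name length. */
static i64 build_journal(unsigned char *out, const char *name, u32 lenField){
  size_t n = strlen(name), i;
  u32 ck = 0;
  memset(out, 0xAA, 32);
  memcpy(out + 32, name, n);
  for(i=0; i<n; i++) ck += (unsigned char)name[i];
  write32be(out + 32 + n, lenField);
  write32be(out + 32 + n + 4, ck);
  memcpy(out + 32 + n + 8, kMagic, 8);
  return (i64)(32 + n + 16);
}

/* Well-formed trailer: returns 1 when the name round-trips. */
int demo_valid(void){
  unsigned char buf[128]; char name[64];
  i64 szJ = build_journal(buf, "master.txt", 10);
  return parse_trailer(buf, szJ, name, sizeof name)==TRAILER_OK && strcmp(name, "master.txt")==0;
}

/* Corrupt trailer: len claims 400 bytes (below the 512-byte nMaster limit,
 * so the excerpt's len>=nMaster test passes) in a 58-byte journal. */
int demo_corrupt(void){
  unsigned char buf[128]; char name[512];
  i64 szJ = build_journal(buf, "master.txt", 400);
  return parse_trailer(buf, szJ, name, sizeof name);
}

/* The same corrupt fields through the unchecked arithmetic: 58-16-400. */
i64 demo_unchecked(void){
  return unchecked_offset(58, 400);
}

int main(void){
  printf("valid parse ok: %d\n", demo_valid());
  printf("corrupt parse result: %d (TRAILER_BAD_LEN=%d)\n", demo_corrupt(), TRAILER_BAD_LEN);
  printf("unchecked offset: %lld\n", (long long)demo_unchecked());
  return 0;
}
```

The len>=nMaster test alone is not enough, because a value such as 400 is a legal buffer length yet still points before the start of a small file; checking len against szJ-16 rejects it before any offset is formed.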