Hi,
I'm experiencing a crash when loading a database with a corrupt journal
file. The error occurs in readMasterJournal in the following code:
│48741 if( SQLITE_OK!=(rc = sqlite3OsFileSize(pJrnl, &szJ))
│48742 || szJ<16
│48743 || SQLITE_OK!=(rc = read32bits(pJrnl, szJ-16, &len))
│48744 || len>=nMaster
│48745 || len==0
│48746 || SQLITE_OK!=(rc = read32bits(pJrnl, szJ-12, &cksum))
│48747 || SQLITE_OK!=(rc = sqlite3OsRead(pJrnl, aMagic, 8, szJ-8))
│
│48748 || memcmp(aMagic, aJournalMagic, 8)
│48749 || SQLITE_OK!=(rc = sqlite3OsRead(pJrnl, zMaster, len,
szJ-16-len))
if len is longer than the file size szJ, szJ-16-len on line 48749 will be a
very large number, that will then be converted to a very negative number
when passed to unixRead. This will cause the check:
if( offset<pFile->mmapSize ){
to succeed even though pFile->mmapSize is null, leading to a crash.
I don't believe this is a security issue, because len can only be between 0
and 512 on most systems, but it can get an app that relies on SQLite stuck
in a reset loop.
A journal that causes this issue is attached.
To reproduce, copy the attached files into the same folder, and open the
database, for example:
sqlitebrowser EmailProviderBody.db
Thanks,
Natalie
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
