I'm experiencing a crash when loading a database with a corrupt journal
file. The error occurs in readMasterJournal in the following code:

│48741     if( SQLITE_OK!=(rc = sqlite3OsFileSize(pJrnl, &szJ))

│48742      || szJ<16

│48743      || SQLITE_OK!=(rc = read32bits(pJrnl, szJ-16, &len))

│48744      || len>=nMaster

│48745      || len==0

│48746      || SQLITE_OK!=(rc = read32bits(pJrnl, szJ-12, &cksum))

│48747      || SQLITE_OK!=(rc = sqlite3OsRead(pJrnl, aMagic, 8, szJ-8))
│48748      || memcmp(aMagic, aJournalMagic, 8)

│48749      || SQLITE_OK!=(rc = sqlite3OsRead(pJrnl, zMaster, len,

if len is longer than the file size szJ, szJ-16-len on line 48749 will be a
very large number, that will then be converted to a very negative number
when passed to unixRead. This will cause the check:

 if( offset<pFile->mmapSize ){

to succeed even though pFile->mmapSize is null, leading to a crash.

I don't believe this is a security issue, because len can only be between 0
and 512 on most systems, but it can get an app that relies on SQLite stuck
in a reset loop.

A journal that causes this issue is attached.

To reproduce, copy the attached files into the same folder, and open the
database, for example:

sqlitebrowser EmailProviderBody.db


sqlite-users mailing list

Reply via email to