Hi,

I think I have run into a crashing bug in the Rtree module, triggered by
changing the database page size.

The summary is that I create a database with an Rtree, populate it with
data, change the page size, and then crash when querying the Rtree.


The sequence is:

  - Database is created, page size is 1024 bytes
  - rtreeInit initialises iNodeSize to 1024-64, or 960 bytes
  - Data is stored in the database
  - Database page size increased to 32768 bytes

The database is then queried:

  - rtreeInit initialises iNodeSize to 32768-64, or 32704 bytes
  - rtreeInit tests against RTREE_MAXCELLS, adjusts iNodeSize to 1228 bytes
  - A query is performed, and nodeAcquire fetches data for a node

The crash is in nodeAcquire:

    pNode = (RtreeNode *) sqlite3_malloc(sizeof(RtreeNode) +
                                         pRtree->iNodeSize);
    ...
    if( rc==SQLITE_ROW ){
        const u8 *zBlob = sqlite3_column_blob( pRtree->pReadNode, 0);
        int blobSize    = sqlite3_column_bytes(pRtree->pReadNode, 0);
        memcpy(pNode->zData, zBlob, pRtree->iNodeSize);

The 'blobSize' line was inserted to confirm what's happening; the actual
crash happens in the memcpy.

Immediately prior to the memcpy we have:

     blobSize          = 960  (iNodeSize when the table was populated)
     pRtree->iNodeSize = 1228 (iNodeSize when the table was queried)
     pNode             = pointer to [sizeof(RtreeNode) + 1228] bytes
     pNode->zData      = pointer to [                    1228] bytes

This will attempt to read 1228 bytes from zBlob into pNode->zData; however,
zBlob only holds 960 bytes of data.

If zBlob was allocated such that some of the trailing 268 bytes happened to
be on an unmapped VM page, this will crash.

One fix would be to memcpy only the actual size of the blob into the node;
however, I'm not sure if this is the best fix or if there are wider issues
with the iNodeSize on disk (for a given blob) being larger/smaller than the
iNodeSize calculated by rtreeInit.


-dair
___________________________________________________
d...@refnum.com              http://www.refnum.com/
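
The over-read described in the report, reproduced with constructed data, together with a bounded copy of the kind the report proposes. This is an added example, not the poster's code and not SQLite's rtree.c: the Node struct, nodeAlloc, safeNodeCopy, demoMismatch and nodeSizeForPage are hypothetical names, and nodeSizeForPage is an assumed reconstruction chosen only because it reproduces the 960 and 1228 figures quoted above (RTREE_MAXCELLS taken as 51, two dimensions); it is not quoted from rtreeInit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed reconstruction of how a node size could be derived from the page
 * size. It is not taken from rtree.c; it is chosen so that a 1024-byte page
 * gives 960 and a 32768-byte page gives 1228, the two values in the report. */
#define RTREE_MAXCELLS 51
int nodeSizeForPage(int pageSize, int nDim) {
    int nBytesPerCell = 8 + nDim * 2 * 4;          /* assumed cell layout */
    int iNodeSize = pageSize - 64;                 /* per the report */
    int iMax = 4 + RTREE_MAXCELLS * nBytesPerCell; /* cap from RTREE_MAXCELLS */
    if (iNodeSize > iMax) iNodeSize = iMax;
    return iNodeSize;
}

/* Constructed stand-in for the parts of an in-memory node that matter here. */
typedef struct Node {
    int iNodeSize;      /* bytes allocated for zData */
    uint8_t zData[1];   /* payload; really iNodeSize bytes (see nodeAlloc) */
} Node;

enum { COPY_OK = 0, COPY_PADDED = 1, COPY_ERR_BAD_ARG = 2, COPY_ERR_TOO_LARGE = 3 };

static Node *nodeAlloc(int iNodeSize) {
    Node *p = malloc(sizeof(Node) + (size_t)iNodeSize);
    if (p) p->iNodeSize = iNodeSize;
    return p;
}

/* Hypothetical hardened copy: the read length comes from the blob the
 * database actually returned (sqlite3_column_bytes in the report), never from
 * the node size computed at open time. A shorter stored node (page size grew)
 * is copied and zero-padded; a longer one (page size shrank) is rejected
 * instead of being silently truncated, since dropping cells would corrupt
 * the tree's meaning rather than just its memory. */
int safeNodeCopy(Node *pNode, const uint8_t *zBlob, int blobSize) {
    if (pNode == NULL || zBlob == NULL || blobSize < 0) return COPY_ERR_BAD_ARG;
    if (blobSize > pNode->iNodeSize) return COPY_ERR_TOO_LARGE;
    memcpy(pNode->zData, zBlob, (size_t)blobSize);
    if (blobSize < pNode->iNodeSize) {
        memset(pNode->zData + blobSize, 0, (size_t)(pNode->iNodeSize - blobSize));
        return COPY_PADDED;
    }
    return COPY_OK;
}

/* Reproduces the report's scenario: a 960-byte blob written under a
 * 1024-byte page size is read back into a node sized for 1228 bytes.
 * Returns COPY_PADDED (1) when the copy stayed within the blob and the
 * tail was zeroed, -1 otherwise. */
int demoMismatch(void) {
    uint8_t blob[960];                       /* constructed stored node */
    memset(blob, 0xAB, sizeof blob);
    Node *p = nodeAlloc(nodeSizeForPage(32768, 2)); /* 1228 bytes */
    if (p == NULL) return -1;
    int rc = safeNodeCopy(p, blob, (int)sizeof blob);
    int ok = rc == COPY_PADDED
          && p->zData[959] == 0xAB         /* last real byte copied */
          && p->zData[960] == 0            /* first padded byte zeroed */
          && p->zData[1227] == 0;          /* last byte of node zeroed */
    free(p);
    return ok ? rc : -1;
}
```

The unfixed pattern in the report is the same call with `pRtree->iNodeSize` as the length: with a 960-byte blob that reads 268 bytes past the end of zBlob, which is undefined behaviour whether or not it happens to fault. Checking blobSize against iNodeSize at the copy site is the minimal guard; whether to pad, reject, or treat the mismatch as corruption is the wider question the report leaves open.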


_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
