SQLite: fix fuzzer discovered crash in recovery module

The header size which is encoded as a varint should include the size of the varint encoding. Therefore if this number is smaller than the size of the varint encoding the record must be corrupt. For example (the only example I can think of, given the implementation of ParseVarint) the number is 0 and the encoding for 0 is 1 byte long. Bug: 1468734 Change-Id: I24d4b353e8932cb1e609577c8f4e22ee09895fd7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4794001 Commit-Queue: Evan Stade <estade@chromium.org> Reviewed-by: Austin Sullivan <asully@chromium.org> Cr-Commit-Position: refs/heads/main@{#1185547}
chromium · Aug 19, 2023 · 3d187d2 · 3d187d2
1 parent b78c183
commit 3d187d2
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/sql/recover_module/record.cc b/sql/recover_module/record.cc
@@ -309,6 +309,10 @@ int64_t RecordReader::InitializeHeaderBuffer() {
 
   // The header size varint is included in the header size computation.
   const int64_t header_data_size = header_size - header_size_size;
+  if (header_data_size < 0) {
+    return 0;
+  }
+
   header_buffer_.resize(header_data_size);
   if (!payload_reader_->ReadPayload(header_size_size, header_data_size,
                                     header_buffer_.data())) {