    sql: Fix potential integer multiplication overflow in database recovery. · e7cd3589
    Victor Costan authored
    Before this CL, DatabasePageReader::ReadPage() computed `read_offset`,
    which is a byte offset in a SQLite database file, by multiplying two
    ints, a page ID and a page size. The multiplication result is an int,
    which may overflow. Even on 64-bit Unix platforms, int is 32-bit wide.
    
    The overflow may produce a negative offset, which breaks the API
    preconditions of SQLite's low-level reading functions. On Unix
    platforms, the xRead() function called by ReadPage() is implemented by
    unixRead(). When SQLite's mmap support is enabled (it is in Chrome),
    passing a negative offset to xRead() causes it to memcpy() from an
    invalid memory address.
    
    This CL fixes the overflow by casting one of the multiplication inputs
    to int64_t, which causes the multiplication result to be an int64_t.
    This CL is likely to fix the attached bug, because a few sample crash
    dumps are consistent with the hypothesis of a memcpy() from an invalid
    offset.
    
    Bug: 1015800
    Change-Id: Ibc8e8dab52eef447acdb65d0ee9ddaeab1e160df
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2605970
    Auto-Submit: Victor Costan <pwnall@chromium.org>
    Reviewed-by: Darwin Huang <huangdarwin@chromium.org>
    Commit-Queue: Darwin Huang <huangdarwin@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#841034}
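The following C++ is an added illustration of the overflow the commit message describes; it is not code from the Chromium change or from pager.cc. It places the narrow `int * int` product (emulated with unsigned arithmetic, since signed overflow is undefined behaviour in C++) beside the widened `int64_t` form, and adds a range check a caller could apply before passing an offset to a low-level read routine. The page-size bounds (512..65536, power of two), the sample inputs (page 40000 at 64 KiB pages) and the function names are assumptions made for this example, not values taken from the page.

```cpp
#include <cstdint>
#include <cstdio>

// Illustrative SQLite page-size bounds (assumption for this example):
// page sizes are powers of two between 512 and 65536 bytes.
constexpr int kMinPageSize = 512;
constexpr int kMaxPageSize = 65536;

// Emulates the pre-fix computation: an int * int product that is truncated to
// 32 bits. Real signed overflow is undefined behaviour, so the two's-complement
// wrap-around is reproduced with unsigned arithmetic to keep this well-defined.
int32_t NarrowOffset(int page_id, int page_size) {
  uint32_t wrapped =
      static_cast<uint32_t>(page_id) * static_cast<uint32_t>(page_size);
  return static_cast<int32_t>(wrapped);  // may come out negative
}

// The post-fix computation: widening one operand to int64_t promotes the whole
// product, so a 32-bit page ID times a 64 KiB page size cannot overflow.
int64_t WideOffset(int page_id, int page_size) {
  return static_cast<int64_t>(page_id) * page_size;
}

// Defensive wrapper (assumed helper, not Chromium's): validates inputs and the
// resulting offset before it would reach a low-level read such as xRead().
// Returns false when the read position cannot be valid for a file of
// |file_size| bytes.
bool CheckedReadOffset(int page_id, int page_size, int64_t file_size,
                       int64_t* out_offset) {
  if (page_id < 0) return false;
  if (page_size < kMinPageSize || page_size > kMaxPageSize) return false;
  if ((page_size & (page_size - 1)) != 0) return false;  // not a power of two
  int64_t offset = WideOffset(page_id, page_size);
  // The whole page must lie inside the file; this also rejects any negative
  // offset, which is exactly the precondition the narrow product violated.
  if (offset < 0 || offset + page_size > file_size) return false;
  *out_offset = offset;
  return true;
}

int main() {
  const int page_id = 40000;    // constructed sample input
  const int page_size = 65536;  // constructed sample input
  std::printf("narrow int product: %d\n", NarrowOffset(page_id, page_size));
  std::printf("int64_t product:    %lld\n",
              static_cast<long long>(WideOffset(page_id, page_size)));

  int64_t offset = 0;
  if (CheckedReadOffset(page_id, page_size, 3000000000LL, &offset)) {
    std::printf("checked offset:     %lld\n", static_cast<long long>(offset));
  } else {
    std::printf("checked offset:     rejected\n");
  }
  return 0;
}
```

With these inputs the narrow product wraps to a negative value while the widened product is the correct byte offset; the checked variant additionally refuses an offset whose page would extend past the end of the file.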
pager.cc 4.32 KB