# 2009 June 3
#
# The author disclaims copyright to this source code.  In place of
# a legal notice, here is a blessing:
#
#    May you do good and not evil.
#    May you find forgiveness for yourself and forgive others.
#    May you share freely, never taking more than you give.
#
#***********************************************************************
#
# $Id: corruptD.test,v 1.2 2009/06/05 17:09:12 drh Exp $

# Locate and load the shared test harness (do_test, execsql, catchsql,
# hexio_*, forcecopy, ...) relative to this script's own directory.
set testdir [file dirname $argv0]
source [file join $testdir tester.tcl]

# The tests below patch raw bytes of the database file with [hexio_write],
# so the file must be stored unencoded: a codec would make the byte
# offsets used here meaningless.
#
do_not_use_codec

# Tell the harness that the database files used here are deliberately
# corrupt, so it does not treat integrity failures as harness errors.
#
database_may_be_corrupt

#--------------------------------------------------------------------------
# OVERVIEW
#
# This test file attempts to verify that SQLite does not read past the
# end of any in-memory buffers as a result of corrupted database page
# images. Usually this happens because a field within a database page
# that contains an offset to some other structure within the same page
# is set to too large a value. A database page contains the following
# such fields:
#
#   1. The page header field that contains the offset to the first
#      free block of space.
#
#   2. The first two bytes of all but the last free block on the free-block
#      list (the offset to the next free block).
#
#   3. The page header field containing the number of cells on the page
#      (implicitly defines the offset to the final element in the cell offset
#      array, which could potentially be off the end of the page).
#
#   4. The page header field containing the offset to the start of the cell
#      content area.
#
#   5. The contents of the cell offset array.
#
#   6. The first few bytes of each cell determine the size of the cell
#      stored within the page, and hence the offset to the final byte of
#      the cell.
#
# If any of the above fields are set to too large a value, then a buffer
# overread may occur. This test script creates and operates on various
# strategically corrupted database files to attempt to provoke such buffer
# overreads.
#
# Very often, a buffer overread passes unnoticed, particularly in workstation
# environments. For this reason, this test script should be run using valgrind
# (or similar) in order to verify that no overreads occur.
#
# TEST PLAN
#
# Test cases corruptD-1.* are white-box tests. They attempt to corrupt
# one of the above fields, then exercise each part of the code in btree.c
# that uses said field.
#
# Offset variables 1, 2, 3 and 4 are all checked to make sure they
# will not result in buffer overruns as part of page initialization in
# sqlite3BtreeInitPage(). Offsets 5 and 6 cannot be tested as part of
# page initialization, as trying to do so causes a performance hit.
#

# corruptD-1.0: build the fixture database.
#
# auto_vacuum is disabled and the page size pinned to 1024 so that the
# file offsets used by the hexio_write calls further down are stable
# (page N starts at file offset (N-1)*1024).  The four DELETEs punch holes
# into the table page so that it carries free blocks for the free-list
# tests to corrupt (presumed intent; see the 1.2.* section).  A pristine
# copy is kept in test.bu and reinstated by [restore_file].
do_test corruptD-1.0 {
  execsql {
    PRAGMA auto_vacuum = 0;
    PRAGMA page_size = 1024;
    CREATE TABLE t1(a, b);
    CREATE INDEX i1 ON t1(a, b);
  }
  for {set ii 1} {$ii < 50} {incr ii} {
    execsql { INSERT INTO t1 VALUES($ii, $ii * $ii) }
  }
  execsql {
    DELETE FROM t1 WHERE a = 10;
    DELETE FROM t1 WHERE a = 20;
    DELETE FROM t1 WHERE a = 30;
    DELETE FROM t1 WHERE a = 40;
  }
  forcecopy test.db test.bu
} {}

# Increment the 4-byte file change counter stored at offset 24 of the
# database header.  Every test below edits test.db behind the back of the
# open connection; bumping the counter makes the pager treat its cached
# pages as stale, so the corrupted page image is actually re-read from
# disk instead of being served from the still-intact page cache.
proc incr_change_counter {} {
  hexio_write test.db 24 [
    hexio_render_int32 [expr [hexio_get_int [hexio_read test.db 24 4]] + 1]
  ]
}

# Throw away the corrupted test.db and reopen a connection on the pristine
# copy saved by corruptD-1.0.  The connection is closed first so that no
# cached pages survive the file swap.
proc restore_file {} {
  db close
  forcecopy test.bu test.db
  sqlite3 db test.db
}

#-------------------------------------------------------------------------
# The following tests, corruptD-1.1.*, focus on the page header field
# containing the offset of the first free block in a page.
#
# File offset 1024+1 is byte 1 of page 2 (pages are 1-based, 1024 bytes
# each here), i.e. the 2-byte "first freeblock" field of that page's
# header.
#
# corruptD-1.1.1: point the first-freeblock field past the end of the
# page.  quick_check reports the problem as a result row, which is why
# catchsql returns status 0 together with the integrity message rather
# than an error.
do_test corruptD-1.1.1 {
  incr_change_counter
  hexio_write test.db [expr 1024+1] FFFF
  catchsql { PRAGMA quick_check }
} {0 {{*** in database main ***
Page 2: free space corruption}}}
# corruptD-1.1.2: NOTE(review): hexio_render_int32 emits four bytes, so
# this write stores 00 00 03 FD at page-2 offsets 1..4 -- it zeroes the
# first-freeblock field and sets the cell-count field (offsets 3..4) to
# 0x03FD (1021).  The corruption that yields "malformed" therefore comes
# from the cell count, not from the freeblock offset this section is
# about.  If only the 2-byte field is meant, hexio_render_int16 is the
# 2-byte form; confirm the expected result before changing it.
do_test corruptD-1.1.2 {
  incr_change_counter
  hexio_write test.db [expr 1024+1] [hexio_render_int32 1021]
  catchsql { SELECT * FROM t1 ORDER BY rowid }
} {1 {database disk image is malformed}}

#-------------------------------------------------------------------------
# The following tests, corruptD-1.2.*, focus on the offsets contained
# in the first 2 byte of each free-block on the free-list.
#
# Only the set-up step exists so far: 1.2.1 restores the pristine file and
# 1.2.2 is an empty placeholder (empty script, empty expected result) that
# always passes.
do_test corruptD-1.2.1 {
  restore_file
} {}
do_test corruptD-1.2.2 {
} {}

#-------------------------------------------------------------------------
# The following tests, corruptD-1.4.*, ...
# (placeholder section: no tests written yet)
#


#-------------------------------------------------------------------------
# The following tests, corruptD-1.5.*, focus on the offsets contained
# in the cell offset array.
#
# defragmentPage
# (placeholder section: presumably names the btree.c routine these tests
# would exercise; no tests written yet)
#

finish_test