SQLite: Check-in [60de5f23]

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview

Comment:	Fix an obscure memory leak found by libfuzzer that may occur under some circumstances if expanding a "*" expression causes a SELECT to return more than 32767 columns.
Downloads:	Tarball \| ZIP archive \| SQL archive
Timelines:	family \| ancestors \| descendants \| both \| trunk
Files:	files \| file ages \| folders
SHA1:	60de5f23424552c98aa760ac89149a3d51f895be
User & Date:	dan 2015-11-21 19:43:29

Context

2015-11-24
00:49		Do not try to eliminate No-ops at the end of VDBE program as this can cause problems for some DISTINCT handling algorithms, and does not improve performance. This also fixes an assertion fault found by libFuzzer. (check-in: 19d9f9ce user: drh tags: trunk)
2015-11-23
21:09		Add experimental support for LIKE, GLOB and REGEXP to the virtual table interface. (check-in: 277a5b40 user: dan tags: vtab-like-operator)
17:14		Merge latest trunk changes with this branch. (check-in: 8f1ef090 user: dan tags: schemalint)
2015-11-21
19:43		Fix an obscure memory leak found by libfuzzer that may occur under some circumstances if expanding a "*" expression causes a SELECT to return more than 32767 columns. (check-in: 60de5f23 user: dan tags: trunk)
17:27		Fix over-length source code lines. No logic changes. (check-in: 198d191b user: drh tags: trunk)

Changes

Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/select.c.

    nCol = pEList->nExpr;
    aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*nCol);
    testcase( aCol==0 );
  }else{
    nCol = 0;
    aCol = 0;
  }

  *pnCol = nCol;
  *paCol = aCol;

  for(i=0, pCol=aCol; i<nCol && !db->mallocFailed; i++, pCol++){
    /* Get an appropriate name for the column
    */
    p = sqlite3ExprSkipCollate(pEList->a[i].pExpr);
................................................................................
    }
    sqlite3ExprListDelete(db, pEList);
    p->pEList = pNew;
  }
#if SQLITE_MAX_COLUMN
  if( p->pEList && p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){
    sqlite3ErrorMsg(pParse, "too many columns in result set");

  }
#endif
  return WRC_Continue;
}

/*
** No-op routine for the parse-tree walker.

    nCol = pEList->nExpr;
    aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*nCol);
    testcase( aCol==0 );
  }else{
    nCol = 0;
    aCol = 0;
  }
  assert( nCol==(i16)nCol );
  *pnCol = nCol;
  *paCol = aCol;

  for(i=0, pCol=aCol; i<nCol && !db->mallocFailed; i++, pCol++){
    /* Get an appropriate name for the column
    */
    p = sqlite3ExprSkipCollate(pEList->a[i].pExpr);
................................................................................
    }
    sqlite3ExprListDelete(db, pEList);
    p->pEList = pNew;
  }
#if SQLITE_MAX_COLUMN
  if( p->pEList && p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){
    sqlite3ErrorMsg(pParse, "too many columns in result set");
    return WRC_Abort;
  }
#endif
  return WRC_Continue;
}

/*
** No-op routine for the parse-tree walker.

Changes to test/sqllimits1.test.

do_test sqllimits1-16.2 {
  set ::format "[string repeat A 60][string repeat "%J" $::N]"
  catchsql {
    SELECT strftime($::format, 1);
  }
} {1 {string or blob too big}}













foreach {key value} [array get saved] {
  catch {set $key $value}
}
finish_test








>
>
>
>
>
>
>
>
>
>
>

do_test sqllimits1-16.2 {
  set ::format "[string repeat A 60][string repeat "%J" $::N]"
  catchsql {
    SELECT strftime($::format, 1);
  }
} {1 {string or blob too big}}

do_catchsql_test sqllimits1.17.0 {
  SELECT *,*,*,*,*,*,*,* FROM (
  SELECT *,*,*,*,*,*,*,* FROM (
  SELECT *,*,*,*,*,*,*,* FROM (
  SELECT *,*,*,*,*,*,*,* FROM (
  SELECT *,*,*,*,*,*,*,* FROM (
    SELECT 1,2,3,4,5,6,7,8,9,10
  )
  ))))
} "1 {too many columns in result set}"


foreach {key value} [array get saved] {
  catch {set $key $value}
}
finish_test