Overview
Comment: Limit the size of SrcList objects to 200 entries (compile-time configurable using -DSQLITE_MAX_SRCLIST=n). The maximum number of tables in a join has always been 64, so this is not a real constraint on capability. Limiting the size of a SrcList prevents DOS attacks (discovered by OSSFuzz) using crazy nested CTE joins.
SHA3-256: 7cac614d5df55eb092b863163483b678
User & Date: drh 2019-01-17 14:34:46.282
Context
2019-01-17
15:40 | Revamp the SrcList allocator routines to be methods of Parse instead of being methods of the "sqlite3" object, so that they can leave better error messages when the SrcList object grows too large. (check-in: df08d472b0 user: drh tags: trunk)
14:34 | Limit the size of SrcList objects to 200 entries (compile-time configurable using -DSQLITE_MAX_SRCLIST=n). The maximum number of tables in a join has always been 64, so this is not a real constraint on capability. Limiting the size of a SrcList prevents DOS attacks (discovered by OSSFuzz) using crazy nested CTE joins. (check-in: 7cac614d5d user: drh tags: trunk)
04:40 | Fix a corner-case for the logic that causes an insert of a NULL into an INTEGER PRIMARY KEY column to be converted into a valid integer key, when the NULL results from a CASE expression that lacks an ELSE clause. (check-in: 9a425051e7 user: drh tags: trunk)
Changes
Changes to src/build.c.
︙ | ︙ | |||
3819 3820 3821 3822 3823 3824 3825 3826 3827 3828 3829 3830 3831 3832 | if( pList==0 ) return -1; for(i=0; i<pList->nId; i++){ if( sqlite3StrICmp(pList->a[i].zName, zName)==0 ) return i; } return -1; } /* ** Expand the space allocated for the given SrcList object by ** creating nExtra new slots beginning at iStart. iStart is zero based. ** New slots are zeroed. ** ** For example, suppose a SrcList initially contains two entries: A,B. ** To append 3 new entries onto the end, do this: | > > > > > > > > > > > > | 3819 3820 3821 3822 3823 3824 3825 3826 3827 3828 3829 3830 3831 3832 3833 3834 3835 3836 3837 3838 3839 3840 3841 3842 3843 3844 | if( pList==0 ) return -1; for(i=0; i<pList->nId; i++){ if( sqlite3StrICmp(pList->a[i].zName, zName)==0 ) return i; } return -1; } /* ** Maximum size of a SrcList object. ** The SrcList object is used to represent the FROM clause of a ** SELECT statement, and the query planner cannot deal with more ** than 64 tables in a join. So any value larger than 64 here ** is sufficient for most uses. Smaller values, like say 10, are ** appropriate for small and memory-limited applications. */ #ifndef SQLITE_MAX_SRCLIST # define SQLITE_MAX_SRCLIST 200 #endif /* ** Expand the space allocated for the given SrcList object by ** creating nExtra new slots beginning at iStart. iStart is zero based. ** New slots are zeroed. ** ** For example, suppose a SrcList initially contains two entries: A,B. ** To append 3 new entries onto the end, do this: |
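Review bot: the new `#ifndef SQLITE_MAX_SRCLIST` block accepts any user-supplied value without a sanity check, so a build with -DSQLITE_MAX_SRCLIST=0 (or a negative value) compiles cleanly and the guard added in the next hunk then fires on every enlargement; a `#if SQLITE_MAX_SRCLIST<1` followed by `#error` next to the `#define` would catch that at build time. The comment also says values larger than 64 are "sufficient for most uses" but never says what happens when the limit is exceeded; one sentence noting that the allocator reports an error (currently surfaced as SQLITE_NOMEM) would help anyone tuning the value for a memory-limited build.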
︙ | ︙ | |||
3857 3858 3859 3860 3861 3862 3863 3864 3865 3866 3867 3868 3869 3870 | assert( iStart<=pSrc->nSrc ); /* Allocate additional space if needed */ if( (u32)pSrc->nSrc+nExtra>pSrc->nAlloc ){ SrcList *pNew; int nAlloc = pSrc->nSrc*2+nExtra; int nGot; pNew = sqlite3DbRealloc(db, pSrc, sizeof(*pSrc) + (nAlloc-1)*sizeof(pSrc->a[0]) ); if( pNew==0 ){ assert( db->mallocFailed ); return pSrc; } pSrc = pNew; | > > > > > > > > > > > | 3869 3870 3871 3872 3873 3874 3875 3876 3877 3878 3879 3880 3881 3882 3883 3884 3885 3886 3887 3888 3889 3890 3891 3892 3893 | assert( iStart<=pSrc->nSrc ); /* Allocate additional space if needed */ if( (u32)pSrc->nSrc+nExtra>pSrc->nAlloc ){ SrcList *pNew; int nAlloc = pSrc->nSrc*2+nExtra; int nGot; if( pSrc->nSrc+nExtra>=SQLITE_MAX_SRCLIST ){ /* FIXME: Return a better error than SQLITE_NOMEM when the size ** of a SrcList object gets to be too big. To fix this will require ** replumbing to pass Parse* instead of sqlite3* as the first parameter ** to the SrcList allocators. As this never comes up in real-world ** usage, the fix is a low priority. */ sqlite3OomFault(db); return pSrc; } if( nAlloc>SQLITE_MAX_SRCLIST ) nAlloc = SQLITE_MAX_SRCLIST; pNew = sqlite3DbRealloc(db, pSrc, sizeof(*pSrc) + (nAlloc-1)*sizeof(pSrc->a[0]) ); if( pNew==0 ){ assert( db->mallocFailed ); return pSrc; } pSrc = pNew; |
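Review bot: the guard `if( pSrc->nSrc+nExtra>=SQLITE_MAX_SRCLIST )` is off by one relative to the commit message and to the clamp on the following line: a list that would reach exactly SQLITE_MAX_SRCLIST entries is rejected, while `nAlloc` is still allowed to be SQLITE_MAX_SRCLIST. Either use `>` here or document that the effective maximum is SQLITE_MAX_SRCLIST-1 entries. Separately, this comparison is done in plain signed arithmetic while the condition one line earlier casts to `(u32)`; using the same cast keeps the two checks consistent and avoids a signed/unsigned warning. The FIXME is candid that routing the limit through sqlite3OomFault() makes it look like an out-of-memory condition to callers and to the tests, which is misleading for what is really a parser limit; the Context list above shows a follow-up check-in (df08d472b0) that replumbs the allocators through Parse, and a pointer to that plan in the comment would make the temporary nature of this branch clearer.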
︙ | ︙ |
Changes to test/join.test.
︙ | ︙ | |||
667 668 669 670 671 672 673 | jointest join-12.2 30 {0 1} jointest join-12.3 63 {0 1} jointest join-12.4 64 {0 1} jointest join-12.5 65 {1 {at most 64 tables in a join}} jointest join-12.6 66 {1 {at most 64 tables in a join}} jointest join-12.7 127 {1 {at most 64 tables in a join}} jointest join-12.8 128 {1 {at most 64 tables in a join}} | > > > > > | | | | | | > | | | | | | < < > > | 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 | jointest join-12.2 30 {0 1} jointest join-12.3 63 {0 1} jointest join-12.4 64 {0 1} jointest join-12.5 65 {1 {at most 64 tables in a join}} jointest join-12.6 66 {1 {at most 64 tables in a join}} jointest join-12.7 127 {1 {at most 64 tables in a join}} jointest join-12.8 128 {1 {at most 64 tables in a join}} # As of 2019-01-17, the number of elements in a SrcList is limited # to 200. The following tests still run, but the answer is now # an SQLITE_NOMEM error. # # jointest join-12.9 1000 {1 {at most 64 tables in a join}} # # If SQLite is built with SQLITE_MEMDEBUG, then the huge number of realloc() # calls made by the following test cases are too time consuming to run. # Without SQLITE_MEMDEBUG, realloc() is fast enough that these are not # a problem. # # ifcapable pragma&&compileoption_diags { # if {[lsearch [db eval {PRAGMA compile_options}] MEMDEBUG]<0} { # jointest join-12.10 65534 {1 {at most 64 tables in a join}} # jointest join-12.11 65535 {1 {too many references to "t14": max 65535}} # jointest join-12.12 65536 {1 {too many references to "t14": max 65535}} # jointest join-12.13 65537 {1 {too many references to "t14": max 65535}} # } # } #------------------------------------------------------------------------- # Test a problem with reordering tables following a LEFT JOIN. # do_execsql_test join-13.0 { CREATE TABLE aa(a); |
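Review bot: the new comment "The following tests still run, but the answer is now an SQLITE_NOMEM error" contradicts the hunk itself, where join-12.9 through join-12.13 and the surrounding `ifcapable` block are all commented out, so they no longer run at all and the behaviour above 200 SrcList entries loses its coverage in join.test. Rather than disabling them, keep at least join-12.9 with the new expected result, e.g. `jointest join-12.9 1000 {1 {out of memory}}`, so the cap is exercised here and the test flags the change when the FIXME in build.c is resolved and the error text improves.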
︙ | ︙ |
Changes to test/with1.test.
︙ | ︙ | |||
1067 1068 1069 1070 1071 1072 1073 1074 | do_execsql_test 21.2 { SELECT printf('', EXISTS (WITH RECURSIVE Table0 AS (WITH Table0 AS (SELECT DISTINCT 1) SELECT *, * FROM Table0 ORDER BY 1 DESC) SELECT * FROM Table0 NATURAL JOIN Table0)); } {{}} finish_test | > > > > > > > > > > > > > > > > > > > > | 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 | do_execsql_test 21.2 { SELECT printf('', EXISTS (WITH RECURSIVE Table0 AS (WITH Table0 AS (SELECT DISTINCT 1) SELECT *, * FROM Table0 ORDER BY 1 DESC) SELECT * FROM Table0 NATURAL JOIN Table0)); } {{}} # 2019-01-17 # Make sure crazy nexted CTE joins terminate with an error quickly. # do_catchsql_test 22.1 { WITH RECURSIVE c AS ( WITH RECURSIVE c AS ( WITH RECURSIVE c AS ( WITH RECURSIVE c AS ( WITH c AS (VALUES(0)) SELECT 1 FROM c LEFT JOIN c ON ltrim(1) ) SELECT 1 FROM c,c,c,c,c,c,c,c,c ) SELECT 2 FROM c,c,c,c,c,c,c,c,c ) SELECT 3 FROM c,c,c,c,c,c,c,c,c ) SELECT 4 FROM c,c,c,c,c,c,c,c,c; } {1 {out of memory}} finish_test |
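Review bot: the expected result `{1 {out of memory}}` in test 22.1 hard-codes the placeholder error chosen in build.c (the FIXME there says SQLITE_NOMEM is a stand-in until the allocators take a Parse*), so this test will have to change together with that fix; a comment next to the expected value saying so would save the next person a puzzle. The header comment also has a typo: "nexted" should be "nested". Finally, "terminate with an error quickly" is not something do_catchsql_test verifies; the test only checks the error, and the time bound is enforced solely by the SrcList limit itself.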