/ Check-in [7cac614d]
Login
Home Timeline Branches Tags Tickets Wiki More...

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Limit the size of SrcList objects to 200 entries (compile-time configurable using -DSQLITE_MAX_SRCLIST=n). The maximum number of tables in a join has always been 64, so this is not a real constraint on capability. Limiting the size of a SrcList prevents DOS attacks (discovered by OSSFuzz) using crazy nexted CTE joins.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 7cac614d5df55eb092b863163483b6782b942b21bd15fd787576fef5619fa849
User & Date: drh 2019-01-17 14:34:46
Context
2019-01-17
15:40
Revamp the SrcList allocator routines to be methods of Parse instead of being methods of the "sqlite3" object, so that they can leave better error messages when the SrcList object grows too large. check-in: df08d472 user: drh tags: trunk
14:34
Limit the size of SrcList objects to 200 entries (compile-time configurable using -DSQLITE_MAX_SRCLIST=n). The maximum number of tables in a join has always been 64, so this is not a real constraint on capability. Limiting the size of a SrcList prevents DOS attacks (discovered by OSSFuzz) using crazy nexted CTE joins. check-in: 7cac614d user: drh tags: trunk
04:40
Fix a corner-case for the logic that cause an insert of a NULL into an INTEGER PRIMARY KEY column to be converted into a valid integer key, when the NULL results from a CASE expression that lacks an ELSE clause. check-in: 9a425051 user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/build.c. 

3819
3820
3821
3822
3823
3824
3825












3826
3827
3828
3829
3830
3831
3832
....
3857
3858
3859
3860
3861
3862
3863











3864
3865
3866
3867
3868
3869
3870

  if( pList==0 ) return -1;
  for(i=0; i<pList->nId; i++){
    if( sqlite3StrICmp(pList->a[i].zName, zName)==0 ) return i;
  }
  return -1;
}













/*
** Expand the space allocated for the given SrcList object by
** creating nExtra new slots beginning at iStart.  iStart is zero based.
** New slots are zeroed.
**
** For example, suppose a SrcList initially contains two entries: A,B.
** To append 3 new entries onto the end, do this:
................................................................................
  assert( iStart<=pSrc->nSrc );

  /* Allocate additional space if needed */
  if( (u32)pSrc->nSrc+nExtra>pSrc->nAlloc ){
    SrcList *pNew;
    int nAlloc = pSrc->nSrc*2+nExtra;
    int nGot;











    pNew = sqlite3DbRealloc(db, pSrc,
               sizeof(*pSrc) + (nAlloc-1)*sizeof(pSrc->a[0]) );
    if( pNew==0 ){
      assert( db->mallocFailed );
      return pSrc;
    }
    pSrc = pNew;








>
>
>
>
>
>
>
>
>
>
>
>







 







>
>
>
>
>
>
>
>
>
>
>








3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
....
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893

  if( pList==0 ) return -1;
  for(i=0; i<pList->nId; i++){
    if( sqlite3StrICmp(pList->a[i].zName, zName)==0 ) return i;
  }
  return -1;
}

/*
** Maximum size of a SrcList object.
** The SrcList object is used to represent the FROM clause of a
** SELECT statement, and the query planner cannot deal with more
** than 64 tables in a join.  So any value larger than 64 here
** is sufficient for most uses.  Smaller values, like say 10, are
** appropriate for small and memory-limited applications.
*/
#ifndef SQLITE_MAX_SRCLIST
# define SQLITE_MAX_SRCLIST 200
#endif

/*
** Expand the space allocated for the given SrcList object by
** creating nExtra new slots beginning at iStart.  iStart is zero based.
** New slots are zeroed.
**
** For example, suppose a SrcList initially contains two entries: A,B.
** To append 3 new entries onto the end, do this:
................................................................................
  assert( iStart<=pSrc->nSrc );

  /* Allocate additional space if needed */
  if( (u32)pSrc->nSrc+nExtra>pSrc->nAlloc ){
    SrcList *pNew;
    int nAlloc = pSrc->nSrc*2+nExtra;
    int nGot;

    if( pSrc->nSrc+nExtra>=SQLITE_MAX_SRCLIST ){
      /* FIXME: Return a better error than SQLITE_NOMEM when the size
      ** of a SrcList object gets to be too big.  To fix this will require
      ** replumbing to pass Parse* instead of sqlite3* as the first parameter
      ** to the SrcList allocators.  As this never comes up in real-world
      ** usage, the fix is a low priority. */
      sqlite3OomFault(db);
      return pSrc;
    }
    if( nAlloc>SQLITE_MAX_SRCLIST ) nAlloc = SQLITE_MAX_SRCLIST;
    pNew = sqlite3DbRealloc(db, pSrc,
               sizeof(*pSrc) + (nAlloc-1)*sizeof(pSrc->a[0]) );
    if( pNew==0 ){
      assert( db->mallocFailed );
      return pSrc;
    }
    pSrc = pNew;

Changes to test/join.test. 

667
668
669
670
671
672
673





674
675
676
677
678
679

680
681
682
683
684
685
686
687


688
689
690
691
692
693
694

jointest join-12.2 30 {0 1}
jointest join-12.3 63 {0 1}
jointest join-12.4 64 {0 1}
jointest join-12.5 65 {1 {at most 64 tables in a join}}
jointest join-12.6 66 {1 {at most 64 tables in a join}}
jointest join-12.7 127 {1 {at most 64 tables in a join}}
jointest join-12.8 128 {1 {at most 64 tables in a join}}





jointest join-12.9 1000 {1 {at most 64 tables in a join}}

# If SQLite is built with SQLITE_MEMDEBUG, then the huge number of realloc()
# calls made by the following test cases are too time consuming to run.
# Without SQLITE_MEMDEBUG, realloc() is fast enough that these are not
# a problem.

ifcapable pragma&&compileoption_diags {
  if {[lsearch [db eval {PRAGMA compile_options}] MEMDEBUG]<0} {
    jointest join-12.10 65534 {1 {at most 64 tables in a join}}
    jointest join-12.11 65535 {1 {too many references to "t14": max 65535}}
    jointest join-12.12 65536 {1 {too many references to "t14": max 65535}}
    jointest join-12.13 65537 {1 {too many references to "t14": max 65535}}
  }
}




#-------------------------------------------------------------------------
# Test a problem with reordering tables following a LEFT JOIN.
#
do_execsql_test join-13.0 {
  CREATE TABLE aa(a);








>
>
>
>
>
|
|
|
|
|
|
>
|
|
|
|
|
|
<
<
>
>








667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691


692
693
694
695
696
697
698
699
700

jointest join-12.2 30 {0 1}
jointest join-12.3 63 {0 1}
jointest join-12.4 64 {0 1}
jointest join-12.5 65 {1 {at most 64 tables in a join}}
jointest join-12.6 66 {1 {at most 64 tables in a join}}
jointest join-12.7 127 {1 {at most 64 tables in a join}}
jointest join-12.8 128 {1 {at most 64 tables in a join}}

# As of 2019-01-17, the number of elements in a SrcList is limited
# to 200.  The following tests still run, but the answer is now
# an SQLITE_NOMEM error.
#
# jointest join-12.9 1000 {1 {at most 64 tables in a join}}
#
#  If SQLite is built with SQLITE_MEMDEBUG, then the huge number of realloc()
#  calls made by the following test cases are too time consuming to run.
#  Without SQLITE_MEMDEBUG, realloc() is fast enough that these are not
#  a problem.
#
# ifcapable pragma&&compileoption_diags {
#    if {[lsearch [db eval {PRAGMA compile_options}] MEMDEBUG]<0} {
#     jointest join-12.10 65534 {1 {at most 64 tables in a join}}
#     jointest join-12.11 65535 {1 {too many references to "t14": max 65535}}
#     jointest join-12.12 65536 {1 {too many references to "t14": max 65535}}
#     jointest join-12.13 65537 {1 {too many references to "t14": max 65535}}


#   }
# }


#-------------------------------------------------------------------------
# Test a problem with reordering tables following a LEFT JOIN.
#
do_execsql_test join-13.0 {
  CREATE TABLE aa(a);

Changes to test/with1.test. 

1067
1068
1069
1070
1071
1072
1073




















1074

do_execsql_test 21.2 {
  SELECT printf('',
     EXISTS (WITH RECURSIVE Table0 AS (WITH Table0 AS (SELECT DISTINCT 1)
                                       SELECT *, * FROM Table0 ORDER BY 1 DESC)
             SELECT * FROM Table0  NATURAL JOIN  Table0));
} {{}}





















finish_test








>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>


1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094

do_execsql_test 21.2 {
  SELECT printf('',
     EXISTS (WITH RECURSIVE Table0 AS (WITH Table0 AS (SELECT DISTINCT 1)
                                       SELECT *, * FROM Table0 ORDER BY 1 DESC)
             SELECT * FROM Table0  NATURAL JOIN  Table0));
} {{}}

# 2019-01-17
# Make sure crazy nexted CTE joins terminate with an error quickly.
#
do_catchsql_test 22.1 {
  WITH RECURSIVE c AS (
     WITH RECURSIVE c AS (
        WITH RECURSIVE c AS (
           WITH RECURSIVE c AS (
               WITH  c AS (VALUES(0))
               SELECT 1 FROM c LEFT JOIN c ON ltrim(1)
           )
           SELECT 1 FROM c,c,c,c,c,c,c,c,c
        )
        SELECT  2 FROM c,c,c,c,c,c,c,c,c
     )
     SELECT 3 FROM c,c,c,c,c,c,c,c,c
  )
  SELECT 4 FROM c,c,c,c,c,c,c,c,c;
} {1 {out of memory}}

finish_test

This page was generated in about 0.009s by Fossil 2.9 [cbca374c37] 2019-06-20 11:30:16