Check-in [c422afb5]

Overview
Comment: Overnight, OSSFuzz helpfully pointed out a potential use-after-free bug in yesterday's changes, involving continued use of a pointer after the memory pointed to had been realloc()-ed. Thanks Google.
SHA3-256: c422afb507dc875751e6a72e4ba5f4f0793097c0de4533c1600311f689e76ed7
User & Date: drh 2019-10-26 12:27:55
Context
2019-10-26
15:40
Minor changes to help ensure the pointer returned by sqlite3VdbeGetOp() is not used after it becomes invalid. check-in: 346bdd49 user: drh tags: trunk
12:27
Overnight, OSSFuzz helpfully pointed out a potential use-after-free bug in yesterday's changes, involving continued use of a pointer after the memory pointed to had been realloc()-ed. Thanks Google. check-in: c422afb5 user: drh tags: trunk
01:43
Add missing VdbeCoverage() macro. Fix an off-by-one error in partial index handling. New test cases. Ticket [c1e19e12046d23fe] check-in: 41cc8e3d user: drh tags: trunk
Changes

Changes to src/insert.c.

Old version of src/insert.c (lines 1885-1935, with an elided region in the middle):

          sqlite3MultiWrite(pParse);
          nReplaceTrig++;
        }
        sqlite3GenerateRowDelete(pParse, pTab, pTrigger, iDataCur, iIdxCur,
            regR, nPkField, 0, OE_Replace,
            (pIdx==pPk ? ONEPASS_SINGLE : ONEPASS_OFF), iThisCur);
        if( regTrigCnt ){
          VdbeOp *pOp;     /* Conflict check opcode to copy */
          int p2;          /* New P2 value for copied conflict check opcode */
          int addrBypass;  /* Jump destination to bypass recheck logic */

          sqlite3VdbeAddOp2(v, OP_AddImm, regTrigCnt, 1); /* incr trigger cnt */
          addrBypass = sqlite3VdbeAddOp0(v, OP_Goto);  /* Bypass recheck */
          VdbeComment((v, "bypass recheck"));

          /* Here we insert code that will be invoked after all constraint
................................................................................
            ** for the current row */
            sqlite3VdbeAddOp2(v, OP_IsNull, regIdx-1, lblRecheckOk);
            VdbeCoverage(v);
          }
          /* Copy the constraint check code from above, except change
          ** the constraint-ok jump destination to be the address of
          ** the next retest block */
          pOp = sqlite3VdbeGetOp(v, addrConflictCk);
          while( nConflictCk>0 && !db->mallocFailed ){







            if( sqlite3OpcodeProperty[pOp->opcode]&OPFLG_JUMP ){
              p2 = lblRecheckOk;
            }else{
              p2 = pOp->p2;
            }
            if( pOp->opcode!=OP_IdxRowid ){
              sqlite3VdbeAddOp4(v, pOp->opcode, pOp->p1, p2, pOp->p3,
                                pOp->p4.z, pOp->p4type);

              sqlite3VdbeChangeP5(v, pOp->p5);
              VdbeCoverageIf(v, p2!=pOp->p2 );
            }
            nConflictCk--;
            pOp++;

          }
          /* If the retest fails, issue an abort */
          sqlite3UniqueConstraint(pParse, OE_Abort, pIdx);

          sqlite3VdbeJumpHere(v, addrBypass); /* Terminate the recheck bypass */
        }
        seenReplace = 1;
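Review bot: `pOp` is fetched once with sqlite3VdbeGetOp(v, addrConflictCk) before the while loop and then dereferenced and advanced (`pOp++`) on every iteration, but the sqlite3VdbeAddOp4() call inside the same loop appends to the opcode array and can reallocate it, so after the first append `pOp` may point into memory that has been freed. Re-fetch the opcode by address inside the loop, or copy the VdbeOp struct by value before calling sqlite3VdbeAddOp4(), instead of holding a pointer into the array across the call.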
New version of src/insert.c (lines 1885-1937, with an elided region in the middle):

          sqlite3MultiWrite(pParse);
          nReplaceTrig++;
        }
        sqlite3GenerateRowDelete(pParse, pTab, pTrigger, iDataCur, iIdxCur,
            regR, nPkField, 0, OE_Replace,
            (pIdx==pPk ? ONEPASS_SINGLE : ONEPASS_OFF), iThisCur);
        if( regTrigCnt ){


          int addrBypass;  /* Jump destination to bypass recheck logic */

          sqlite3VdbeAddOp2(v, OP_AddImm, regTrigCnt, 1); /* incr trigger cnt */
          addrBypass = sqlite3VdbeAddOp0(v, OP_Goto);  /* Bypass recheck */
          VdbeComment((v, "bypass recheck"));

          /* Here we insert code that will be invoked after all constraint
................................................................................
            ** for the current row */
            sqlite3VdbeAddOp2(v, OP_IsNull, regIdx-1, lblRecheckOk);
            VdbeCoverage(v);
          }
          /* Copy the constraint check code from above, except change
          ** the constraint-ok jump destination to be the address of
          ** the next retest block */

          while( nConflictCk>0 && !db->mallocFailed ){
            VdbeOp x;    /* Conflict check opcode to copy */
            /* The sqlite3VdbeAddOp4() call might reallocate the opcode array.
            ** Hence, make a complete copy of the opcode, rather than using
            ** a pointer to the opcode. */
            x = *sqlite3VdbeGetOp(v, addrConflictCk);
            if( x.opcode!=OP_IdxRowid ){
              int p2;      /* New P2 value for copied conflict check opcode */
              if( sqlite3OpcodeProperty[x.opcode]&OPFLG_JUMP ){
                p2 = lblRecheckOk;
              }else{
                p2 = x.p2;
              }



              sqlite3VdbeAddOp4(v, x.opcode, x.p1, p2, x.p3, x.p4.z, x.p4type);
              sqlite3VdbeChangeP5(v, x.p5);
              VdbeCoverageIf(v, p2!=x.p2);
            }
            nConflictCk--;

            addrConflictCk++;
          }
          /* If the retest fails, issue an abort */
          sqlite3UniqueConstraint(pParse, OE_Abort, pIdx);

          sqlite3VdbeJumpHere(v, addrBypass); /* Terminate the recheck bypass */
        }
        seenReplace = 1;
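Review bot: the new comment says why `x` is a by-value copy, but `x.p4.z` is still a raw pointer copied out of the original opcode and handed to sqlite3VdbeAddOp4() together with `x.p4type`; the comment should also state why that pointer is unaffected by a reallocation of the opcode array (it has to reference storage outside that array), otherwise the next reader will flag it as the same class of stale-pointer bug. Separately, `addrConflictCk++` now mutates the loop's start address in place; if `addrConflictCk` is read anywhere after the loop, its pre-loop value is gone, so either document that it is consumed here or iterate on a local copy.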