Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Add code to enforce the MAX_EXPR_DEPTH limit. (CVS 3968) |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA1: |
2c9c94a24d52a1c9f5d1b32cbdff794a |
User & Date: | danielk1977 2007-05-10 10:46:56.000 |
Context
2007-05-10
| ||
11:43 | Another test for overflow in strftime(). It was not broken. (CVS 3969) (check-in: 5800d0327e user: danielk1977 tags: trunk) | |
10:46 | Add code to enforce the MAX_EXPR_DEPTH limit. (CVS 3968) (check-in: 2c9c94a24d user: danielk1977 tags: trunk) | |
2007-05-09
| ||
22:56 | Make sure compound queries inside a subquery only return a single result column. Ticket #2347. (CVS 3967) (check-in: 66954bdd81 user: drh tags: trunk) | |
Changes
Changes to src/expr.c.
︙ | |||
8 9 10 11 12 13 14 | 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | - + | ** May you find forgiveness for yourself and forgive others. ** May you share freely, never taking more than you give. ** ************************************************************************* ** This file contains routines used for analyzing expressions and ** for generating VDBE code that evaluates expressions in SQLite. ** |
︙ | |||
243 244 245 246 247 248 249 250 251 252 253 254 255 256 | 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 | + + | } } if( pLeft->flags & EP_ExpCollate ){ pNew->flags |= EP_ExpCollate; pNew->pColl = pLeft->pColl; } } sqlite3ExprSetHeight(pNew); return pNew; } /* ** Works like sqlite3Expr() but frees its pLeft and pRight arguments ** if it fails due to a malloc problem. */ |
︙ | |||
339 340 341 342 343 344 345 346 347 348 349 350 351 352 | 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 | + + | return 0; } pNew->op = TK_FUNCTION; pNew->pList = pList; assert( pToken->dyn==0 ); pNew->token = *pToken; pNew->span = pNew->token; sqlite3ExprSetHeight(pNew); return pNew; } /* ** Assign a variable number to an expression that encodes a wildcard ** in the original SQL statement. ** |
︙ | |||
474 475 476 477 478 479 480 481 482 483 484 485 486 487 | 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 | + + + | } pNew->span.z = 0; pNew->pLeft = sqlite3ExprDup(p->pLeft); pNew->pRight = sqlite3ExprDup(p->pRight); pNew->pList = sqlite3ExprListDup(p->pList); pNew->pSelect = sqlite3SelectDup(p->pSelect); pNew->pTab = p->pTab; #if SQLITE_MAX_EXPR_DEPTH>0 pNew->nHeight = p->nHeight; #endif return pNew; } void sqlite3TokenCopy(Token *pTo, Token *pFrom){ if( pTo->dyn ) sqliteFree((char*)pTo->z); if( pFrom->z ){ pTo->n = pFrom->n; pTo->z = (u8*)sqliteStrNDup((char*)pFrom->z, pFrom->n); |
︙ | |||
667 668 669 670 671 672 673 674 675 676 677 678 679 680 | 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + | const char *zObject ){ if( pEList && pEList->nExpr>iLimit ){ sqlite3ErrorMsg(pParse, "too many columns in %s", zObject); } } #if SQLITE_MAX_EXPR_DEPTH>0 /* The following three functions, heightOfExpr(), heightOfExprList() ** and heightOfSelect(), are used to determine the maximum height ** of any expression tree referenced by the structure passed as the ** first argument. ** ** If this maximum height is greater than the current value pointed ** to by pnHeight, the second parameter, then set *pnHeight to that ** value. */ static void heightOfExpr(Expr *p, int *pnHeight){ if( p ){ if( p->nHeight>*pnHeight ){ *pnHeight = p->nHeight; } } } static void heightOfExprList(ExprList *p, int *pnHeight){ if( p ){ int i; for(i=0; i<p->nExpr; i++){ heightOfExpr(p->a[i].pExpr, pnHeight); } } } static void heightOfSelect(Select *p, int *pnHeight){ if( p ){ heightOfExpr(p->pWhere, pnHeight); heightOfExpr(p->pHaving, pnHeight); heightOfExpr(p->pLimit, pnHeight); heightOfExpr(p->pOffset, pnHeight); heightOfExprList(p->pEList, pnHeight); heightOfExprList(p->pGroupBy, pnHeight); heightOfExprList(p->pOrderBy, pnHeight); heightOfSelect(p->pPrior, pnHeight); } } /* ** Set the Expr.nHeight variable in the structure passed as an ** argument. An expression with no children, Expr.pList or ** Expr.pSelect member has a height of 1. Any other expression ** has a height equal to the maximum height of any other ** referenced Expr plus one. */ void sqlite3ExprSetHeight(Expr *p){ int nHeight = 0; heightOfExpr(p->pLeft, &nHeight); heightOfExpr(p->pRight, &nHeight); heightOfExprList(p->pList, &nHeight); heightOfSelect(p->pSelect, &nHeight); p->nHeight = nHeight + 1; } /* ** Return the maximum height of any expression tree referenced ** by the select statement passed as an argument. */ int sqlite3SelectExprHeight(Select *p){ int nHeight = 0; heightOfSelect(p, &nHeight); return nHeight; } #endif /* ** Delete an entire expression list. */ void sqlite3ExprListDelete(ExprList *pList){ int i; struct ExprList_item *pItem; if( pList==0 ) return; |
︙ | |||
1331 1332 1333 1334 1335 1336 1337 | 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 | - + + + + + + + + + + + + + + | ** usage. Make sure all function names are recognized and all functions ** have the correct number of arguments. Leave an error message ** in pParse->zErrMsg if anything is amiss. Return the number of errors. ** ** If the expression contains aggregate functions then set the EP_Agg ** property on the expression. */ |
︙ | |||
1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 | 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 | + | ** operator or subquery. */ #ifndef SQLITE_OMIT_SUBQUERY void sqlite3CodeSubselect(Parse *pParse, Expr *pExpr){ int testAddr = 0; /* One-time test address */ Vdbe *v = sqlite3GetVdbe(pParse); if( v==0 ) return; /* This code must be run in its entirety every time it is encountered ** if any of the following is true: ** ** * The right-hand side is a correlated subquery ** * The right-hand side is an expression list containing variables ** * We are inside a trigger |
︙ | |||
1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 | 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 | + | break; } } if( testAddr ){ sqlite3VdbeJumpHere(v, testAddr); } return; } #endif /* SQLITE_OMIT_SUBQUERY */ /* ** Generate an instruction that will put the integer describe by ** text z[0..n-1] on the stack. |
︙ |
Changes to src/limits.h.
︙ | |||
8 9 10 11 12 13 14 | 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | - + | ** May you find forgiveness for yourself and forgive others. ** May you share freely, never taking more than you give. ** ************************************************************************* ** ** This file defines various limits of what SQLite can process. ** |
︙ | |||
52 53 54 55 56 57 58 | 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 | - - - - + + + + + - - + + | ** The hard limit here is the same as SQLITE_MAX_LENGTH. */ #ifndef SQLITE_MAX_SQL_LENGTH # define SQLITE_MAX_SQL_LENGTH 1000000 #endif /* |
︙ |
Changes to src/parse.y.
︙ | |||
10 11 12 13 14 15 16 | 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | - + | ** ************************************************************************* ** This file contains SQLite's grammar for SQL. Process this file ** using the lemon parser generator to generate C code that runs ** the parser. Lemon will also generate a header file containing ** numeric codes for all of the tokens. ** |
︙ | |||
762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 | 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 | + + + + + + | %type in_op {int} in_op(A) ::= IN. {A = 0;} in_op(A) ::= NOT IN. {A = 1;} expr(A) ::= expr(X) in_op(N) LP exprlist(Y) RP(E). [IN] { A = sqlite3Expr(TK_IN, X, 0, 0); if( A ){ A->pList = Y; sqlite3ExprSetHeight(A); }else{ sqlite3ExprListDelete(Y); } if( N ) A = sqlite3Expr(TK_NOT, A, 0, 0); sqlite3ExprSpan(A,&X->span,&E); } expr(A) ::= LP(B) select(X) RP(E). { A = sqlite3Expr(TK_SELECT, 0, 0, 0); if( A ){ A->pSelect = X; sqlite3ExprSetHeight(A); }else{ sqlite3SelectDelete(X); } sqlite3ExprSpan(A,&B,&E); } expr(A) ::= expr(X) in_op(N) LP select(Y) RP(E). [IN] { A = sqlite3Expr(TK_IN, X, 0, 0); if( A ){ A->pSelect = Y; sqlite3ExprSetHeight(A); }else{ sqlite3SelectDelete(Y); } if( N ) A = sqlite3Expr(TK_NOT, A, 0, 0); sqlite3ExprSpan(A,&X->span,&E); } expr(A) ::= expr(X) in_op(N) nm(Y) dbnm(Z). [IN] { SrcList *pSrc = sqlite3SrcListAppend(0,&Y,&Z); A = sqlite3Expr(TK_IN, X, 0, 0); if( A ){ A->pSelect = sqlite3SelectNew(0,pSrc,0,0,0,0,0,0,0); sqlite3ExprSetHeight(A); }else{ sqlite3SrcListDelete(pSrc); } if( N ) A = sqlite3Expr(TK_NOT, A, 0, 0); sqlite3ExprSpan(A,&X->span,Z.z?&Z:&Y); } expr(A) ::= EXISTS(B) LP select(Y) RP(E). { Expr *p = A = sqlite3Expr(TK_EXISTS, 0, 0, 0); if( p ){ p->pSelect = Y; sqlite3ExprSpan(p,&B,&E); sqlite3ExprSetHeight(A); }else{ sqlite3SelectDelete(Y); } } %endif SQLITE_OMIT_SUBQUERY /* CASE expressions */ expr(A) ::= CASE(C) case_operand(X) case_exprlist(Y) case_else(Z) END(E). { A = sqlite3Expr(TK_CASE, X, Z, 0); if( A ){ A->pList = Y; sqlite3ExprSetHeight(A); }else{ sqlite3ExprListDelete(Y); } sqlite3ExprSpan(A, &C, &E); } %type case_exprlist {ExprList*} %destructor case_exprlist {sqlite3ExprListDelete($$);} |
︙ |
Changes to src/select.c.
︙ | |||
8 9 10 11 12 13 14 | 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | - + | ** May you find forgiveness for yourself and forgive others. ** May you share freely, never taking more than you give. ** ************************************************************************* ** This file contains C code routines that are called by the parser ** to handle SELECT statements in SQLite. ** |
︙ | |||
2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 | 2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 | + + + + + + + + + + + + + | if( pItem->zName!=0 ){ zSavedAuthContext = pParse->zAuthContext; pParse->zAuthContext = pItem->zName; needRestoreContext = 1; }else{ needRestoreContext = 0; } #if SQLITE_MAX_EXPR_DEPTH>0 /* Increment Parse.nHeight by the height of the largest expression ** tree refered to by this, the parent select. The child select ** may contain expression trees of at most ** (SQLITE_MAX_EXPR_DEPTH-Parse.nHeight) height. This is a bit ** more conservative than necessary, but much easier than enforcing ** an exact limit. */ pParse->nHeight += sqlite3SelectExprHeight(p); #endif sqlite3Select(pParse, pItem->pSelect, SRT_EphemTab, pItem->iCursor, p, i, &isAgg, 0); #if SQLITE_MAX_EXPR_DEPTH>0 pParse->nHeight -= sqlite3SelectExprHeight(p); #endif if( needRestoreContext ){ pParse->zAuthContext = zSavedAuthContext; } pTabList = p->pSrc; pWhere = p->pWhere; if( !IgnorableOrderby(eDest) ){ pOrderBy = p->pOrderBy; |
︙ |
Changes to src/sqliteInt.h.
1 2 3 4 5 6 7 8 9 10 11 12 13 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | - + | /* ** 2001 September 15 ** ** The author disclaims copyright to this source code. In place of ** a legal notice, here is a blessing: ** ** May you do good and not evil. ** May you find forgiveness for yourself and forgive others. ** May you share freely, never taking more than you give. ** ************************************************************************* ** Internal interface definitions for SQLite. ** |
︙ | |||
994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 | 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 | + + + | AggInfo *pAggInfo; /* Used by TK_AGG_COLUMN and TK_AGG_FUNCTION */ int iAgg; /* Which entry in pAggInfo->aCol[] or ->aFunc[] */ int iRightJoinTable; /* If EP_FromJoin, the right table of the join */ Select *pSelect; /* When the expression is a sub-select. Also the ** right side of "<expr> IN (<select>)" */ Table *pTab; /* Table for OP_Column expressions. */ Schema *pSchema; #if SQLITE_MAX_EXPR_DEPTH>0 int nHeight; /* Height of the tree headed by this node */ #endif }; /* ** The following are the meanings of bits in the Expr.flags field. */ #define EP_FromJoin 0x01 /* Originated in ON or USING clause of a join */ #define EP_Agg 0x02 /* Contains one or more aggregate functions */ |
︙ | |||
1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 | 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 | + + + | TriggerStack *trigStack; /* Trigger actions being coded */ const char *zAuthContext; /* The 6th parameter to db->xAuth callbacks */ #ifndef SQLITE_OMIT_VIRTUALTABLE Token sArg; /* Complete text of a module argument */ u8 declareVtab; /* True if inside sqlite3_declare_vtab() */ Table *pVirtualLock; /* Require virtual table lock on this table */ #endif #if SQLITE_MAX_EXPR_DEPTH>0 int nHeight; /* Expression tree height of current sub-select */ #endif }; #ifdef SQLITE_OMIT_VIRTUALTABLE #define IN_DECLARE_VTAB 0 #else #define IN_DECLARE_VTAB (pParse->declareVtab) #endif |
︙ | |||
1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 | 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 | + + + + + + + | int sqlite3VtabCallConnect(Parse*, Table*); int sqlite3VtabCallDestroy(sqlite3*, int, const char *); int sqlite3VtabBegin(sqlite3 *, sqlite3_vtab *); FuncDef *sqlite3VtabOverloadFunction(FuncDef*, int nArg, Expr*); void sqlite3InvalidFunction(sqlite3_context*,int,sqlite3_value**); int sqlite3Reprepare(Vdbe*); void sqlite3ExprListCheckLength(Parse*, ExprList*, int, const char*); #if SQLITE_MAX_EXPR_DEPTH>0 void sqlite3ExprSetHeight(Expr *); int sqlite3SelectExprHeight(Select *); #else #define sqlite3ExprSetHeight(x) #endif u32 sqlite3Get2byte(const u8*); u32 sqlite3Get4byte(const u8*); void sqlite3Put2byte(u8*, u32); void sqlite3Put4byte(u8*, u32); #ifdef SQLITE_SSE |
︙ |
Changes to src/test_config.c.
︙ | |||
12 13 14 15 16 17 18 | 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | - + | ** ** This file contains code used for testing the SQLite system. ** None of the code in this file goes into a deliverable build. ** ** The focus of this file is providing the TCL testing layer ** access to compile-time constants. ** |
︙ | |||
378 379 380 381 382 383 384 | 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 | - - - + + + | } { static int sqlite_max_sql_length = SQLITE_MAX_SQL_LENGTH; Tcl_LinkVar(interp, "SQLITE_MAX_SQL_LENGTH", (char*)&sqlite_max_sql_length, TCL_LINK_INT|TCL_LINK_READ_ONLY); } { |
︙ |
Changes to test/sqllimits1.test.
︙ | |||
8 9 10 11 12 13 14 | 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 | - + - + | # May you share freely, never taking more than you give. # #*********************************************************************** # # This file contains tests to verify that the limits defined in # sqlite source file limits.h are enforced. # |
︙ | |||
233 234 235 236 237 238 239 | 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 | - + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + | lappend cols "c$i" } catchsql "CREATE TABLE t2([join $cols ,])" catchsql "CREATE VIEW v1 AS SELECT *, c1 AS o FROM t2;" } {1 {too many columns in result set}} #-------------------------------------------------------------------- |
︙ |