Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Ensure that sqlite3AuthRead() is only call for TK_COLUMN and TK_TRIGGER expression nodes. This fixes a harmless assert() identified by OSSFuzz. Move the assert() into a position where it is tested even if the authorizer is disabled. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
d0c3beef7cdc680c0768ddd18f766a4c |
| User & Date: | drh 2018-06-02 11:31:15 |
Context
|
2018-06-02
| ||
| 12:05 | Fix the CSV extension so that it works with single-column CSV files. (check-in: e336cf00 user: drh tags: trunk) | |
| 11:31 | Ensure that sqlite3AuthRead() is only call for TK_COLUMN and TK_TRIGGER expression nodes. This fixes a harmless assert() identified by OSSFuzz. Move the assert() into a position where it is tested even if the authorizer is disabled. (check-in: d0c3beef user: drh tags: trunk) | |
|
2018-06-01
| ||
| 13:30 | Fix a bug in the SQLITE_ENABLE_SORTER_REFERENCES code causing an out-of-bounds array reference. (check-in: 8cadaf58 user: dan tags: trunk) | |
Changes
Changes to src/auth.c.
146 146 sqlite3 *db = pParse->db; 147 147 Table *pTab = 0; /* The table being read */ 148 148 const char *zCol; /* Name of the column of the table */ 149 149 int iSrc; /* Index in pTabList->a[] of table being read */ 150 150 int iDb; /* The index of the database the expression refers to */ 151 151 int iCol; /* Index of column in table */ 152 152 153 + assert( pExpr->op==TK_COLUMN || pExpr->op==TK_TRIGGER ); 153 154 if( db->xAuth==0 ) return; 154 155 iDb = sqlite3SchemaToIndex(pParse->db, pSchema); 155 156 if( iDb<0 ){ 156 157 /* An attempt to read a column out of a subquery or other 157 158 ** temporary table. */ 158 159 return; 159 160 } 160 161 161 - assert( pExpr->op==TK_COLUMN || pExpr->op==TK_TRIGGER ); 162 162 if( pExpr->op==TK_TRIGGER ){ 163 163 pTab = pParse->pTriggerTab; 164 164 }else{ 165 165 assert( pTabList ); 166 166 for(iSrc=0; ALWAYS(iSrc<pTabList->nSrc); iSrc++){ 167 167 if( pExpr->iTable==pTabList->a[iSrc].iCursor ){ 168 168 pTab = pTabList->a[iSrc].pTab;
Changes to src/resolve.c.
71 71 sqlite3 *db; /* The database connection */ 72 72 73 73 assert( iCol>=0 && iCol<pEList->nExpr ); 74 74 pOrig = pEList->a[iCol].pExpr; 75 75 assert( pOrig!=0 ); 76 76 db = pParse->db; 77 77 pDup = sqlite3ExprDup(db, pOrig, 0); 78 - if( pDup==0 ) return; 79 - if( zType[0]!='G' ) incrAggFunctionDepth(pDup, nSubquery); 80 - if( pExpr->op==TK_COLLATE ){ 81 - pDup = sqlite3ExprAddCollateString(pParse, pDup, pExpr->u.zToken); 82 - } 83 - ExprSetProperty(pDup, EP_Alias); 84 - 85 - /* Before calling sqlite3ExprDelete(), set the EP_Static flag. This 86 - ** prevents ExprDelete() from deleting the Expr structure itself, 87 - ** allowing it to be repopulated by the memcpy() on the following line. 88 - ** The pExpr->u.zToken might point into memory that will be freed by the 89 - ** sqlite3DbFree(db, pDup) on the last line of this block, so be sure to 90 - ** make a copy of the token before doing the sqlite3DbFree(). 91 - */ 92 - ExprSetProperty(pExpr, EP_Static); 93 - sqlite3ExprDelete(db, pExpr); 94 - memcpy(pExpr, pDup, sizeof(*pExpr)); 95 - if( !ExprHasProperty(pExpr, EP_IntValue) && pExpr->u.zToken!=0 ){ 96 - assert( (pExpr->flags & (EP_Reduced|EP_TokenOnly))==0 ); 97 - pExpr->u.zToken = sqlite3DbStrDup(db, pExpr->u.zToken); 98 - pExpr->flags |= EP_MemToken; 99 - } 100 - sqlite3DbFree(db, pDup); 78 + if( pDup!=0 ){ 79 + if( zType[0]!='G' ) incrAggFunctionDepth(pDup, nSubquery); 80 + if( pExpr->op==TK_COLLATE ){ 81 + pDup = sqlite3ExprAddCollateString(pParse, pDup, pExpr->u.zToken); 82 + } 83 + ExprSetProperty(pDup, EP_Alias); 84 + 85 + /* Before calling sqlite3ExprDelete(), set the EP_Static flag. This 86 + ** prevents ExprDelete() from deleting the Expr structure itself, 87 + ** allowing it to be repopulated by the memcpy() on the following line. 88 + ** The pExpr->u.zToken might point into memory that will be freed by the 89 + ** sqlite3DbFree(db, pDup) on the last line of this block, so be sure to 90 + ** make a copy of the token before doing the sqlite3DbFree(). 91 + */ 92 + ExprSetProperty(pExpr, EP_Static); 93 + sqlite3ExprDelete(db, pExpr); 94 + memcpy(pExpr, pDup, sizeof(*pExpr)); 95 + if( !ExprHasProperty(pExpr, EP_IntValue) && pExpr->u.zToken!=0 ){ 96 + assert( (pExpr->flags & (EP_Reduced|EP_TokenOnly))==0 ); 97 + pExpr->u.zToken = sqlite3DbStrDup(db, pExpr->u.zToken); 98 + pExpr->flags |= EP_MemToken; 99 + } 100 + sqlite3DbFree(db, pDup); 101 + } 102 + ExprSetProperty(pExpr, EP_Alias); 101 103 } 102 104 103 105 104 106 /* 105 107 ** Return TRUE if the name zCol occurs anywhere in the USING clause. 106 108 ** 107 109 ** Return FALSE if the USING clause is NULL or if it does not contain ................................................................................ 345 347 if( iCol<pTab->nCol ){ 346 348 cnt++; 347 349 #ifndef SQLITE_OMIT_UPSERT 348 350 if( pExpr->iTable==2 ){ 349 351 testcase( iCol==(-1) ); 350 352 pExpr->iTable = pNC->uNC.pUpsert->regData + iCol; 351 353 eNewExprOp = TK_REGISTER; 354 + ExprSetProperty(pExpr, EP_Alias); 352 355 }else 353 356 #endif /* SQLITE_OMIT_UPSERT */ 354 357 { 355 358 #ifndef SQLITE_OMIT_TRIGGER 356 359 if( iCol<0 ){ 357 360 pExpr->affinity = SQLITE_AFF_INTEGER; 358 361 }else if( pExpr->iTable==0 ){