/ Check-in [d0c3beef]
Comment:Ensure that sqlite3AuthRead() is only called for TK_COLUMN and TK_TRIGGER expression nodes. This fixes a harmless assert() identified by OSSFuzz. Move the assert() into a position where it is tested even if the authorizer is disabled.
SHA3-256: d0c3beef7cdc680c0768ddd18f766a4ca7be822c1eb1776b2f73b7433d9962dc
User & Date: drh 2018-06-02 11:31:15
Changes

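--- a/src/auth.c
+++ b/src/auth.c
@@ -146,23 +146,23 @@
   sqlite3 *db = pParse->db;
   Table *pTab = 0;      /* The table being read */
   const char *zCol;     /* Name of the column of the table */
   int iSrc;             /* Index in pTabList->a[] of table being read */
   int iDb;              /* The index of the database the expression refers to */
   int iCol;             /* Index of column in table */
 
+  assert( pExpr->op==TK_COLUMN || pExpr->op==TK_TRIGGER );
   if( db->xAuth==0 ) return;
   iDb = sqlite3SchemaToIndex(pParse->db, pSchema);
   if( iDb<0 ){
     /* An attempt to read a column out of a subquery or other
     ** temporary table. */
     return;
   }
 
-  assert( pExpr->op==TK_COLUMN || pExpr->op==TK_TRIGGER );
   if( pExpr->op==TK_TRIGGER ){
     pTab = pParse->pTriggerTab;
   }else{
     assert( pTabList );
     for(iSrc=0; ALWAYS(iSrc<pTabList->nSrc); iSrc++){
       if( pExpr->iTable==pTabList->a[iSrc].iCursor ){
         pTab = pTabList->a[iSrc].pTab;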
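Review bot: The relocated assert on new line 153 carries no comment saying why it must sit ahead of the `if( db->xAuth==0 ) return;` early exit, so a later tidy-up could move it back below the return and silently stop exercising the precondition in builds that never install an authorizer. Suggest `/* Check the node type before the xAuth early return so the precondition is tested even when no authorizer is installed. */` directly above the assert. On the context lines just below, `sqlite3SchemaToIndex(pParse->db, pSchema)` re-reads `pParse->db` although the local `db` was assigned from it at line 146; `iDb = sqlite3SchemaToIndex(db, pSchema);` would match the `db->xAuth` test one line earlier. sqlite3AuthRead's signature and the rest of its body lie outside this hunk.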

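--- a/src/resolve.c
+++ b/src/resolve.c
@@ -71,37 +71,39 @@
   sqlite3 *db;           /* The database connection */
 
   assert( iCol>=0 && iCol<pEList->nExpr );
   pOrig = pEList->a[iCol].pExpr;
   assert( pOrig!=0 );
   db = pParse->db;
   pDup = sqlite3ExprDup(db, pOrig, 0);
-  if( pDup==0 ) return;
-  if( zType[0]!='G' ) incrAggFunctionDepth(pDup, nSubquery);
-  if( pExpr->op==TK_COLLATE ){
-    pDup = sqlite3ExprAddCollateString(pParse, pDup, pExpr->u.zToken);
-  }
-  ExprSetProperty(pDup, EP_Alias);
-
-  /* Before calling sqlite3ExprDelete(), set the EP_Static flag. This 
-  ** prevents ExprDelete() from deleting the Expr structure itself,
-  ** allowing it to be repopulated by the memcpy() on the following line.
-  ** The pExpr->u.zToken might point into memory that will be freed by the
-  ** sqlite3DbFree(db, pDup) on the last line of this block, so be sure to
-  ** make a copy of the token before doing the sqlite3DbFree().
-  */
-  ExprSetProperty(pExpr, EP_Static);
-  sqlite3ExprDelete(db, pExpr);
-  memcpy(pExpr, pDup, sizeof(*pExpr));
-  if( !ExprHasProperty(pExpr, EP_IntValue) && pExpr->u.zToken!=0 ){
-    assert( (pExpr->flags & (EP_Reduced|EP_TokenOnly))==0 );
-    pExpr->u.zToken = sqlite3DbStrDup(db, pExpr->u.zToken);
-    pExpr->flags |= EP_MemToken;
-  }
-  sqlite3DbFree(db, pDup);
+  if( pDup!=0 ){
+    if( zType[0]!='G' ) incrAggFunctionDepth(pDup, nSubquery);
+    if( pExpr->op==TK_COLLATE ){
+      pDup = sqlite3ExprAddCollateString(pParse, pDup, pExpr->u.zToken);
+    }
+    ExprSetProperty(pDup, EP_Alias);
+
+    /* Before calling sqlite3ExprDelete(), set the EP_Static flag. This 
+    ** prevents ExprDelete() from deleting the Expr structure itself,
+    ** allowing it to be repopulated by the memcpy() on the following line.
+    ** The pExpr->u.zToken might point into memory that will be freed by the
+    ** sqlite3DbFree(db, pDup) on the last line of this block, so be sure to
+    ** make a copy of the token before doing the sqlite3DbFree().
+    */
+    ExprSetProperty(pExpr, EP_Static);
+    sqlite3ExprDelete(db, pExpr);
+    memcpy(pExpr, pDup, sizeof(*pExpr));
+    if( !ExprHasProperty(pExpr, EP_IntValue) && pExpr->u.zToken!=0 ){
+      assert( (pExpr->flags & (EP_Reduced|EP_TokenOnly))==0 );
+      pExpr->u.zToken = sqlite3DbStrDup(db, pExpr->u.zToken);
+      pExpr->flags |= EP_MemToken;
+    }
+    sqlite3DbFree(db, pDup);
+  }
+  ExprSetProperty(pExpr, EP_Alias);
 }
 
 
 /*
 ** Return TRUE if the name zCol occurs anywhere in the USING clause.
 **
 ** Return FALSE if the USING clause is NULL or if it does not contain
@@ -345,14 +347,15 @@
         if( iCol<pTab->nCol ){
           cnt++;
 #ifndef SQLITE_OMIT_UPSERT
           if( pExpr->iTable==2 ){
             testcase( iCol==(-1) );
             pExpr->iTable = pNC->uNC.pUpsert->regData + iCol;
             eNewExprOp = TK_REGISTER;
+            ExprSetProperty(pExpr, EP_Alias);
           }else
 #endif /* SQLITE_OMIT_UPSERT */
           {
 #ifndef SQLITE_OMIT_TRIGGER
             if( iCol<0 ){
               pExpr->affinity = SQLITE_AFF_INTEGER;
             }else if( pExpr->iTable==0 ){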
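Review bot: The unconditional `ExprSetProperty(pExpr, EP_Alias);` on new line 102 is the only behavioural change in the first hunk for the `pDup==0` case, and nothing records why a node whose duplicate could not be allocated should still be flagged as an alias; on the success path it is redundant, since the `memcpy()` on line 94 already copies the EP_Alias bit that line 83 set on `pDup`. Suggest a comment above line 102 along the lines of `/* Mark the node as an alias even when sqlite3ExprDup() failed, so later passes see the flag regardless of the allocation outcome */`, hedged if the intent is different. The check-in comment only describes the auth.c change, so it would also help to state there why this line and the `ExprSetProperty(pExpr, EP_Alias)` added in the upsert branch at new line 354 are needed. The function enclosing the first hunk starts outside it, and the second hunk's enclosing function starts and ends outside it.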