Check-in [e098de69]

Overview
Comment: Fix a (almost always harmless) read past the end of a memory allocation that comes about because the Expr.pTab field is checked on an EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to know that the Expr.pTab field is meaningless.
SHA1: e098de691002a78270540430b0df1e120582b53f
User & Date: drh 2015-01-27 13:17:05
Context
2015-01-27
18:43
Improve the performance of fts3/4 queries that use the OR operator and at least one auxiliary fts function. check-in: 245e8730 user: dan tags: trunk
13:17
Fix a (almost always harmless) read past the end of a memory allocation that comes about because the Expr.pTab field is checked on an EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to know that the Expr.pTab field is meaningless. check-in: e098de69 user: drh tags: trunk
2015-01-25
20:19
The va_list argument cannot take on a NULL value and cannot be compared with NULL on some platforms (ex: ARM). So do not attempt to do so. check-in: 1964e656 user: drh tags: trunk
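The ordering problem the check-in comment describes, shown as an added illustration that is not SQLite's code: a hypothetical Node whose trailing pTab field is absent from a reduced-size allocation, an allocator that records its size so that a read past the end is detected deterministically (a stand-in for what Valgrind reported), and the collation lookup written in both the pre-fix and post-fix operand order. Every struct, enum and function name here (Node, Alloc, OP_COLUMN, coll_before_fix, coll_after_fix and so on) is an assumption for illustration, as is the sample table.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical expression node, loosely modelled on the Expr object named in
** the check-in comment.  Every name here is an assumption for illustration,
** not SQLite's definition. */
enum { OP_INTEGER = 1, OP_COLUMN = 2 };

typedef struct Table { const char *zColl; } Table;

typedef struct Node {
  int op;        /* discriminator: says which later fields are valid */
  int iColumn;
  /* -- fields below this line are absent from a reduced-size allocation -- */
  Table *pTab;   /* meaningful only when op==OP_COLUMN */
} Node;

#define NODE_REDUCED_SIZE offsetof(Node, pTab)

/* An allocation with a recorded size, so a read past its end is detected
** deterministically: a tiny stand-in for the over-read Valgrind reported. */
typedef struct Alloc {
  unsigned char *mem;
  size_t size;
  int overread;  /* set when a field beyond `size` is read */
} Alloc;

/* Allocate only the prefix the opcode needs; pTab exists only for columns. */
static Alloc node_alloc(int op, int iColumn, Table *pTab){
  Alloc a;
  a.size = (op==OP_COLUMN) ? sizeof(Node) : NODE_REDUCED_SIZE;
  a.mem = calloc(1, a.size);
  a.overread = 0;
  memcpy(a.mem + offsetof(Node, op), &op, sizeof op);
  memcpy(a.mem + offsetof(Node, iColumn), &iColumn, sizeof iColumn);
  if( a.size==sizeof(Node) ){
    memcpy(a.mem + offsetof(Node, pTab), &pTab, sizeof pTab);
  }
  return a;
}

static void node_free(Alloc *a){ free(a->mem); a->mem = 0; }

/* Bounds-checked field reads: a read outside the allocation records the
** over-read and yields zero instead of touching foreign memory. */
static int read_op(Alloc *a){
  int v = 0;
  memcpy(&v, a->mem + offsetof(Node, op), sizeof v);
  return v;
}
static Table *read_ptab(Alloc *a){
  Table *t = 0;
  if( offsetof(Node, pTab) + sizeof t > a->size ){ a->overread = 1; return 0; }
  memcpy(&t, a->mem + offsetof(Node, pTab), sizeof t);
  return t;
}

/* Ordering the check-in removes: pTab is examined before op, so a
** reduced-size node is read past its end. */
const char *coll_before_fix(Alloc *a){
  Table *pTab = read_ptab(a);
  if( pTab!=0 && read_op(a)==OP_COLUMN ) return pTab->zColl;
  return 0;
}

/* Ordering the check-in introduces: op first, pTab only when op says the
** field exists.  The && short-circuit never reaches pTab on a reduced node. */
const char *coll_after_fix(Alloc *a){
  if( read_op(a)==OP_COLUMN ){
    Table *pTab = read_ptab(a);
    if( pTab!=0 ) return pTab->zColl;
  }
  return 0;
}

/* Returns 1 when the pre-fix ordering over-reads a reduced-size node and the
** post-fix ordering does not. */
int ordering_matters(void){
  Alloc r = node_alloc(OP_INTEGER, -1, 0);    /* reduced-size, no pTab */
  coll_before_fix(&r);
  int before = r.overread;
  r.overread = 0;
  const char *z = coll_after_fix(&r);
  int after = r.overread;
  node_free(&r);
  return before==1 && after==0 && z==0;
}

/* The fixed ordering still finds the collation on a full-size column node. */
const char *coll_of_column_node(void){
  static Table t = { "NOCASE" };               /* constructed sample table */
  Alloc f = node_alloc(OP_COLUMN, 0, &t);
  const char *z = coll_after_fix(&f);
  node_free(&f);
  return z;
}
```

The recorded-size allocator is what makes the difference observable without a memory checker: in a real build the pre-fix ordering simply reads whatever bytes follow the reduced object, which is why the commit comment calls the bug "almost always harmless" and why it surfaced only under Valgrind.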
Changes

Changes to src/expr.c.

   128    128         p = p->pLeft;
   129    129         continue;
   130    130       }
   131    131       if( op==TK_COLLATE || (op==TK_REGISTER && p->op2==TK_COLLATE) ){
   132    132         pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken);
   133    133         break;
   134    134       }
   135         -    if( p->pTab!=0
   136         -     && (op==TK_AGG_COLUMN || op==TK_COLUMN
          135  +    if( (op==TK_AGG_COLUMN || op==TK_COLUMN
   137    136             || op==TK_REGISTER || op==TK_TRIGGER)
          137  +     && p->pTab!=0
   138    138       ){
   139    139         /* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally
   140    140         ** a TK_COLUMN but was previously evaluated and cached in a register */
   141    141         int j = p->iColumn;
   142    142         if( j>=0 ){
   143    143           const char *zColl = p->pTab->aCol[j].zColl;
   144    144           pColl = sqlite3FindCollSeq(db, ENC(db), zColl, 0);
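Review bot: the reorder is correct but the reason for the new operand order is undocumented. The existing comment at 139-140 explains why `op==TK_REGISTER && p->pTab!=0` can occur, not that `p->pTab` may lie past the end of an EXPR_REDUCEDSIZE allocation and must therefore only be read once the op test has passed; without that note a later tidy-up could swap the operands back, since the old order looked perfectly natural. Suggest a one-line comment beside the new `&& p->pTab!=0`, e.g. `/* op must be tested first: pTab is beyond the end of an EXPR_REDUCEDSIZE object */`.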

Changes to test/misc1.test.

   616    616     sqlite3_test_control_fault_install fault_callback
   617    617     set fault_callbacks
   618    618   } {0}
   619    619   do_test misc1-19.2 {
   620    620     sqlite3_test_control_fault_install
   621    621     set fault_callbacks
   622    622   } {0}
          623  +
          624  +# 2015-01-26:  Valgrind-detected over-read.
          625  +# Reported on sqlite-users@sqlite.org by Michal Zalewski.  Found by afl-fuzz
          626  +# presumably.
          627  +#
          628  +do_execsql_test misc1-20.1 {
          629  +  CREATE TABLE t0(x INTEGER DEFAULT(0==0) NOT NULL);
          630  +  REPLACE INTO t0(x) VALUES('');
          631  +  SELECT rowid, quote(x) FROM t0;
          632  +} {1 ''}
   623    633   
   624    634   finish_test
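Review bot: misc1-20.1 only exercises the fix under Valgrind or a similar checker; on a plain build the over-read is harmless and `{1 ''}` passes with or without the expr.c change, so the test does not fail on regression by itself. Worth stating that in the header comment so nobody assumes a green run covers it. Also, "Found by afl-fuzz presumably" at line 626 should either be confirmed or dropped so the provenance note reads as fact.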