SQLite

Check-in [e098de6910]

Overview
Comment:Fix a (almost always harmless) read past the end of a memory allocation that comes about because the Expr.pTab field is checked on an EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to know that the Expr.pTab field is meaningless.
SHA1: e098de691002a78270540430b0df1e120582b53f
User & Date: drh 2015-01-27 13:17:05.225
Context
2015-01-27 18:43  Improve the performance of fts3/4 queries that use the OR operator and at least one auxiliary fts function. (check-in: 245e873045 user: dan tags: trunk)
2015-01-27 13:17  Fix a (almost always harmless) read past the end of a memory allocation that comes about because the Expr.pTab field is checked on an EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to know that the Expr.pTab field is meaningless. (check-in: e098de6910 user: drh tags: trunk)
2015-01-25 20:19  The va_list argument cannot take on a NULL value and cannot be compared with NULL on some platforms (ex: ARM). So do not attempt to do so. (check-in: 1964e656b4 user: drh tags: trunk)
Changes
Changes to src/expr.c.
      p = p->pLeft;
      continue;
    }
    if( op==TK_COLLATE || (op==TK_REGISTER && p->op2==TK_COLLATE) ){
      pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken);
      break;
    }
    if( p->pTab!=0
     && (op==TK_AGG_COLUMN || op==TK_COLUMN
    if( (op==TK_AGG_COLUMN || op==TK_COLUMN
          || op==TK_REGISTER || op==TK_TRIGGER)
     && p->pTab!=0
    ){
      /* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally
      ** a TK_COLUMN but was previously evaluated and cached in a register */
      int j = p->iColumn;
      if( j>=0 ){
        const char *zColl = p->pTab->aCol[j].zColl;
        pColl = sqlite3FindCollSeq(db, ENC(db), zColl, 0);
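Review bot: The reordered condition is correct only because `&&` short-circuits, and nothing in the code says so; a later cleanup could easily move `p->pTab!=0` back in front of the `op==` tests, which is exactly the form being removed here. Suggest extending the comment that begins `/* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally` with one line stating that `p->op` must be tested before `p->pTab` because an EXPR_REDUCEDSIZE Expr does not carry the pTab field at all, so reading it on such a node is an out-of-bounds read rather than merely a meaningless value. It is also worth checking expr.c for any other `p->pTab!=0` test that precedes the corresponding `op` check, since the same pattern would have the same over-read.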
Changes to test/misc1.test.
  sqlite3_test_control_fault_install fault_callback
  set fault_callbacks
} {0}
do_test misc1-19.2 {
  sqlite3_test_control_fault_install
  set fault_callbacks
} {0}

# 2015-01-26:  Valgrind-detected over-read.
# Reported on sqlite-users@sqlite.org by Michal Zalewski.  Found by afl-fuzz
# presumably.
#
do_execsql_test misc1-20.1 {
  CREATE TABLE t0(x INTEGER DEFAULT(0==0) NOT NULL);
  REPLACE INTO t0(x) VALUES('');
  SELECT rowid, quote(x) FROM t0;
} {1 ''}

finish_test
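Review bot: misc1-20.1 only asserts the query result `{1 ''}`, which is the same before and after the fix in a normal build; the over-read this test exists for is only observable under Valgrind or a similar memory checker, as the comment `# 2015-01-26:  Valgrind-detected over-read.` itself notes. Suggest saying in the comment block that the test is meaningful only when run under a memory checker, so a green run is not read as proof the over-read is gone, and replacing the guess in `# presumably.` with either the confirmed origin or nothing. Since the reproducer hinges on the `DEFAULT(0==0)` expression being evaluated during `REPLACE INTO t0(x) VALUES('')`, it would also help to note that both parts must stay as written if the test is ever simplified.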