/ Check-in [3d7327fd]
Login
Home Timeline Branches Tags Tickets Wiki More...

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix a problem in vdbe.c that could cause a double-free of memory if the SQLITE_LIMIT_LENGTH is changed after a statement is prepared but before it is run. Also remove debugging statements from tkt3841.test. (CVS 6777)
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1:3d7327fd6af983d5ce9bc9a2ba869b23c44cc8e6
User & Date: drh 2009-06-17 21:42:34
Context
2009-06-17
22:50
Avoid an assertion fault if an out-of-memory error occurs while trying to run the string-concatentation operator on a zero-blob. (This is an absurd thing to do, but even so, we still should not fault.) (CVS 6778) check-in: 0def0b76 user: drh tags: trunk
21:42
Fix a problem in vdbe.c that could cause a double-free of memory if the SQLITE_LIMIT_LENGTH is changed after a statement is prepared but before it is run. Also remove debugging statements from tkt3841.test. (CVS 6777) check-in: 3d7327fd user: drh tags: trunk
16:20
Use caution to avoid integer overflow when doing real to integer affinity operations. Ticket #3922. (CVS 6776) check-in: 39255946 user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/vdbe.c. 

39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
...
904
905
906
907
908
909
910
911

912
913


914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934

**
** Various scripts scan this source file in order to generate HTML
** documentation, headers files, or other derived files.  The formatting
** of the code in this file is, therefore, important.  See other comments
** in this file for details.  If in doubt, do not deviate from existing
** commenting and indentation practices when changing or adding code.
**
** $Id: vdbe.c,v 1.852 2009/06/17 16:20:04 drh Exp $
*/
#include "sqliteInt.h"
#include "vdbeInt.h"

/*
** The following global variable is incremented every time a cursor
** moves, either by the OP_SeekXX, OP_Next, or OP_Prev opcodes.  The test
................................................................................
case OP_String8: {         /* same as TK_STRING, out2-prerelease */
  assert( pOp->p4.z!=0 );
  pOp->opcode = OP_String;
  pOp->p1 = sqlite3Strlen30(pOp->p4.z);

#ifndef SQLITE_OMIT_UTF16
  if( encoding!=SQLITE_UTF8 ){
    sqlite3VdbeMemSetStr(pOut, pOp->p4.z, -1, SQLITE_UTF8, SQLITE_STATIC);

    if( SQLITE_OK!=sqlite3VdbeChangeEncoding(pOut, encoding) ) goto no_mem;
    if( SQLITE_OK!=sqlite3VdbeMemMakeWriteable(pOut) ) goto no_mem;


    pOut->zMalloc = 0;
    pOut->flags |= MEM_Static;
    pOut->flags &= ~MEM_Dyn;
    if( pOp->p4type==P4_DYNAMIC ){
      sqlite3DbFree(db, pOp->p4.z);
    }
    pOp->p4type = P4_DYNAMIC;
    pOp->p4.z = pOut->z;
    pOp->p1 = pOut->n;
    if( pOp->p1>db->aLimit[SQLITE_LIMIT_LENGTH] ){
      goto too_big;
    }
    UPDATE_MAX_BLOBSIZE(pOut);
    break;
  }
#endif
  if( pOp->p1>db->aLimit[SQLITE_LIMIT_LENGTH] ){
    goto too_big;
  }
  /* Fall through to the next case, OP_String */
}








|







 







|
>

<
>
>









<
<
<
<
<








39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
...
904
905
906
907
908
909
910
911
912
913

914
915
916
917
918
919
920
921
922
923
924





925
926
927
928
929
930
931

**
** Various scripts scan this source file in order to generate HTML
** documentation, headers files, or other derived files.  The formatting
** of the code in this file is, therefore, important.  See other comments
** in this file for details.  If in doubt, do not deviate from existing
** commenting and indentation practices when changing or adding code.
**
** $Id: vdbe.c,v 1.853 2009/06/17 21:42:34 drh Exp $
*/
#include "sqliteInt.h"
#include "vdbeInt.h"

/*
** The following global variable is incremented every time a cursor
** moves, either by the OP_SeekXX, OP_Next, or OP_Prev opcodes.  The test
................................................................................
case OP_String8: {         /* same as TK_STRING, out2-prerelease */
  assert( pOp->p4.z!=0 );
  pOp->opcode = OP_String;
  pOp->p1 = sqlite3Strlen30(pOp->p4.z);

#ifndef SQLITE_OMIT_UTF16
  if( encoding!=SQLITE_UTF8 ){
    rc = sqlite3VdbeMemSetStr(pOut, pOp->p4.z, -1, SQLITE_UTF8, SQLITE_STATIC);
    if( rc==SQLITE_TOOBIG ) goto too_big;
    if( SQLITE_OK!=sqlite3VdbeChangeEncoding(pOut, encoding) ) goto no_mem;

    assert( pOut->zMalloc==pOut->z );
    assert( pOut->flags & MEM_Dyn );
    pOut->zMalloc = 0;
    pOut->flags |= MEM_Static;
    pOut->flags &= ~MEM_Dyn;
    if( pOp->p4type==P4_DYNAMIC ){
      sqlite3DbFree(db, pOp->p4.z);
    }
    pOp->p4type = P4_DYNAMIC;
    pOp->p4.z = pOut->z;
    pOp->p1 = pOut->n;





  }
#endif
  if( pOp->p1>db->aLimit[SQLITE_LIMIT_LENGTH] ){
    goto too_big;
  }
  /* Fall through to the next case, OP_String */
}

Changes to test/tkt3841.test. 

32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

    INSERT INTO list VALUES ("a", 1);
    INSERT INTO list VALUES ("a", 2);
    INSERT INTO list VALUES ("a", 3);
    INSERT INTO list VALUES ("b", 4);
    INSERT INTO list VALUES ("b", 5);
    INSERT INTO list VALUES ("b", 6);

pragma vdbe_listing=on; pragma vdbe_trace=on;  
    SELECT
      table2.x,
      (SELECT group_concat(list.value)
        FROM list
        WHERE list.key = table2.key)
    FROM table2;
  }
} {alist 1,2,3 blist 4,5,6}

finish_test








<











32
33
34
35
36
37
38

39
40
41
42
43
44
45
46
47
48

    INSERT INTO list VALUES ("a", 1);
    INSERT INTO list VALUES ("a", 2);
    INSERT INTO list VALUES ("a", 3);
    INSERT INTO list VALUES ("b", 4);
    INSERT INTO list VALUES ("b", 5);
    INSERT INTO list VALUES ("b", 6);


    SELECT
      table2.x,
      (SELECT group_concat(list.value)
        FROM list
        WHERE list.key = table2.key)
    FROM table2;
  }
} {alist 1,2,3 blist 4,5,6}

finish_test

This page was generated in about 0.023s by Fossil 2.8 [7b0dbe8079] 2019-02-20 22:28:24