SQLite: Check-in [c422afb5]

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview

Comment:	Overnight, OSSFuzz helpfully pointed out a potential use-after-free bug in yesterdays changes, involving continued use of a pointer after the memory pointed to had been realloc()-ed. Thanks Google.
Downloads:	Tarball \| ZIP archive \| SQL archive
Timelines:	family \| ancestors \| descendants \| both \| trunk
Files:	files \| file ages \| folders
SHA3-256:	c422afb507dc875751e6a72e4ba5f4f0793097c0de4533c1600311f689e76ed7
User & Date:	drh 2019-10-26 12:27:55

Context

2019-10-26
15:40		Minor changes to help ensure the pointer returned by sqlite3VdbeGetOp() is not used after it becomes invalid. (check-in: 346bdd49 user: drh tags: trunk)
12:27		Overnight, OSSFuzz helpfully pointed out a potential use-after-free bug in yesterdays changes, involving continued use of a pointer after the memory pointed to had been realloc()-ed. Thanks Google. (check-in: c422afb5 user: drh tags: trunk)
01:43		Add missing VdbeCoverage() macro. Fix an off-by-one error in partial index handling. New test cases. Ticket [c1e19e12046d23fe] (check-in: 41cc8e3d user: drh tags: trunk)

Changes

Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/insert.c.

          sqlite3MultiWrite(pParse);
          nReplaceTrig++;
        }
        sqlite3GenerateRowDelete(pParse, pTab, pTrigger, iDataCur, iIdxCur,
            regR, nPkField, 0, OE_Replace,
            (pIdx==pPk ? ONEPASS_SINGLE : ONEPASS_OFF), iThisCur);
        if( regTrigCnt ){
          VdbeOp *pOp;     /* Conflict check opcode to copy */
          int p2;          /* New P2 value for copied conflict check opcode */
          int addrBypass;  /* Jump destination to bypass recheck logic */

          sqlite3VdbeAddOp2(v, OP_AddImm, regTrigCnt, 1); /* incr trigger cnt */
          addrBypass = sqlite3VdbeAddOp0(v, OP_Goto);  /* Bypass recheck */
          VdbeComment((v, "bypass recheck"));

          /* Here we insert code that will be invoked after all constraint
................................................................................
            ** for the current row */
            sqlite3VdbeAddOp2(v, OP_IsNull, regIdx-1, lblRecheckOk);
            VdbeCoverage(v);
          }
          /* Copy the constraint check code from above, except change
          ** the constraint-ok jump destination to be the address of
          ** the next retest block */
          pOp = sqlite3VdbeGetOp(v, addrConflictCk);
          while( nConflictCk>0 && !db->mallocFailed ){







            if( sqlite3OpcodeProperty[pOp->opcode]&OPFLG_JUMP ){
              p2 = lblRecheckOk;
            }else{
              p2 = pOp->p2;
            }
            if( pOp->opcode!=OP_IdxRowid ){
              sqlite3VdbeAddOp4(v, pOp->opcode, pOp->p1, p2, pOp->p3,
                                pOp->p4.z, pOp->p4type);

              sqlite3VdbeChangeP5(v, pOp->p5);
              VdbeCoverageIf(v, p2!=pOp->p2 );
            }
            nConflictCk--;
            pOp++;

          }
          /* If the retest fails, issue an abort */
          sqlite3UniqueConstraint(pParse, OE_Abort, pIdx);

          sqlite3VdbeJumpHere(v, addrBypass); /* Terminate the recheck bypass */
        }
        seenReplace = 1;








<
<







 







<

>
>
>
>
>
>
>
|
|
|
|
|
<
<
<
>
|
|


<
>

          sqlite3MultiWrite(pParse);
          nReplaceTrig++;
        }
        sqlite3GenerateRowDelete(pParse, pTab, pTrigger, iDataCur, iIdxCur,
            regR, nPkField, 0, OE_Replace,
            (pIdx==pPk ? ONEPASS_SINGLE : ONEPASS_OFF), iThisCur);
        if( regTrigCnt ){


          int addrBypass;  /* Jump destination to bypass recheck logic */

          sqlite3VdbeAddOp2(v, OP_AddImm, regTrigCnt, 1); /* incr trigger cnt */
          addrBypass = sqlite3VdbeAddOp0(v, OP_Goto);  /* Bypass recheck */
          VdbeComment((v, "bypass recheck"));

          /* Here we insert code that will be invoked after all constraint
................................................................................
            ** for the current row */
            sqlite3VdbeAddOp2(v, OP_IsNull, regIdx-1, lblRecheckOk);
            VdbeCoverage(v);
          }
          /* Copy the constraint check code from above, except change
          ** the constraint-ok jump destination to be the address of
          ** the next retest block */

          while( nConflictCk>0 && !db->mallocFailed ){
            VdbeOp x;    /* Conflict check opcode to copy */
            /* The sqlite3VdbeAddOp4() call might reallocate the opcode array.
            ** Hence, make a complete copy of the opcode, rather than using
            ** a pointer to the opcode. */
            x = *sqlite3VdbeGetOp(v, addrConflictCk);
            if( x.opcode!=OP_IdxRowid ){
              int p2;      /* New P2 value for copied conflict check opcode */
              if( sqlite3OpcodeProperty[x.opcode]&OPFLG_JUMP ){
                p2 = lblRecheckOk;
              }else{
                p2 = x.p2;
              }



              sqlite3VdbeAddOp4(v, x.opcode, x.p1, p2, x.p3, x.p4.z, x.p4type);
              sqlite3VdbeChangeP5(v, x.p5);
              VdbeCoverageIf(v, p2!=x.p2);
            }
            nConflictCk--;

            addrConflictCk++;
          }
          /* If the retest fails, issue an abort */
          sqlite3UniqueConstraint(pParse, OE_Abort, pIdx);

          sqlite3VdbeJumpHere(v, addrBypass); /* Terminate the recheck bypass */
        }
        seenReplace = 1;