Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Overnight, OSSFuzz helpfully pointed out a potential use-after-free bug in yesterdays changes, involving continued use of a pointer after the memory pointed to had been realloc()-ed. Thanks Google. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
c422afb507dc875751e6a72e4ba5f4f0 |
User & Date: | drh 2019-10-26 12:27:55.016 |
Context
2019-10-26
| ||
15:40 | Minor changes to help ensure the pointer returned by sqlite3VdbeGetOp() is not used after it becomes invalid. (check-in: 346bdd49fb user: drh tags: trunk) | |
12:27 | Overnight, OSSFuzz helpfully pointed out a potential use-after-free bug in yesterdays changes, involving continued use of a pointer after the memory pointed to had been realloc()-ed. Thanks Google. (check-in: c422afb507 user: drh tags: trunk) | |
01:43 | Add missing VdbeCoverage() macro. Fix an off-by-one error in partial index handling. New test cases. Ticket [c1e19e12046d23fe] (check-in: 41cc8e3dab user: drh tags: trunk) | |
Changes
Changes to src/insert.c.
︙ | ︙ | |||
1885 1886 1887 1888 1889 1890 1891 | sqlite3MultiWrite(pParse); nReplaceTrig++; } sqlite3GenerateRowDelete(pParse, pTab, pTrigger, iDataCur, iIdxCur, regR, nPkField, 0, OE_Replace, (pIdx==pPk ? ONEPASS_SINGLE : ONEPASS_OFF), iThisCur); if( regTrigCnt ){ | < < < > > > > > > > | | | | | < | < | | | | 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 | sqlite3MultiWrite(pParse); nReplaceTrig++; } sqlite3GenerateRowDelete(pParse, pTab, pTrigger, iDataCur, iIdxCur, regR, nPkField, 0, OE_Replace, (pIdx==pPk ? ONEPASS_SINGLE : ONEPASS_OFF), iThisCur); if( regTrigCnt ){ int addrBypass; /* Jump destination to bypass recheck logic */ sqlite3VdbeAddOp2(v, OP_AddImm, regTrigCnt, 1); /* incr trigger cnt */ addrBypass = sqlite3VdbeAddOp0(v, OP_Goto); /* Bypass recheck */ VdbeComment((v, "bypass recheck")); /* Here we insert code that will be invoked after all constraint ** checks have run, if and only if one or more replace triggers ** fired. */ sqlite3VdbeResolveLabel(v, lblRecheckOk); lblRecheckOk = sqlite3VdbeMakeLabel(pParse); if( pIdx->pPartIdxWhere ){ /* Bypass the recheck if this partial index is not defined ** for the current row */ sqlite3VdbeAddOp2(v, OP_IsNull, regIdx-1, lblRecheckOk); VdbeCoverage(v); } /* Copy the constraint check code from above, except change ** the constraint-ok jump destination to be the address of ** the next retest block */ while( nConflictCk>0 && !db->mallocFailed ){ VdbeOp x; /* Conflict check opcode to copy */ /* The sqlite3VdbeAddOp4() call might reallocate the opcode array. ** Hence, make a complete copy of the opcode, rather than using ** a pointer to the opcode. */ x = *sqlite3VdbeGetOp(v, addrConflictCk); if( x.opcode!=OP_IdxRowid ){ int p2; /* New P2 value for copied conflict check opcode */ if( sqlite3OpcodeProperty[x.opcode]&OPFLG_JUMP ){ p2 = lblRecheckOk; }else{ p2 = x.p2; } sqlite3VdbeAddOp4(v, x.opcode, x.p1, p2, x.p3, x.p4.z, x.p4type); sqlite3VdbeChangeP5(v, x.p5); VdbeCoverageIf(v, p2!=x.p2); } nConflictCk--; addrConflictCk++; } /* If the retest fails, issue an abort */ sqlite3UniqueConstraint(pParse, OE_Abort, pIdx); sqlite3VdbeJumpHere(v, addrBypass); /* Terminate the recheck bypass */ } seenReplace = 1; |
︙ | ︙ |