/ Check-in [d49047c1]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix an OOB read in the INSTR() function introduced yesterday by check-in [3fb40f518086c1e8] and detected by OSSFuzz. The test case is in TH3.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: d49047c1b59bbfd05204af9973cdb0fab51b4d2661b550aec10d917fff94dc9b
User & Date: drh 2019-09-18 11:16:46
Context
2019-09-18
11:46
Fix a "jump depends on unititialized value" valgrind error in fts5 triggered by corrupt database records. check-in: 6b6751cd user: dan tags: trunk
11:16
Fix an OOB read in the INSTR() function introduced yesterday by check-in [3fb40f518086c1e8] and detected by OSSFuzz. The test case is in TH3. check-in: d49047c1 user: drh tags: trunk
2019-09-17
21:28
Do not change the OP_String8 opcode into OP_String until *after* any necessary encoding conversions are accomplished. Otherwise, a rerun of the prepared statement after an OOM can result in errors. Test case in TH3. check-in: 8efd6259 user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/func.c.

220
221
222
223
224
225
226


227
228


229
230
231
232
233
234
235
236
237
238
239
240
241
...
244
245
246
247
248
249
250




251
252
253
254
255
256
257
    }else if( typeHaystack!=SQLITE_BLOB && typeNeedle!=SQLITE_BLOB ){
      zHaystack = sqlite3_value_text(argv[0]);
      zNeedle = sqlite3_value_text(argv[1]);
      isText = 1;
    }else{
      pC1 = sqlite3_value_dup(argv[0]);
      zHaystack = sqlite3_value_text(pC1);


      pC2 = sqlite3_value_dup(argv[1]);
      zNeedle = sqlite3_value_text(pC2);


      isText = 1;
    }
    if( zNeedle==0 || (nHaystack && zHaystack==0) ){
      sqlite3_result_error_nomem(context);
      goto endInstr;
    }
    firstChar = zNeedle[0];
    while( nNeedle<=nHaystack
       && (zHaystack[0]!=firstChar || memcmp(zHaystack, zNeedle, nNeedle)!=0)
    ){
      N++;
      do{
        nHaystack--;
................................................................................
    }
    if( nNeedle>nHaystack ) N = 0;
  }
  sqlite3_result_int(context, N);
endInstr:
  sqlite3_value_free(pC1);
  sqlite3_value_free(pC2);




}

/*
** Implementation of the printf() function.
*/
static void printfFunc(
  sqlite3_context *context,







>
>


>
>


|
<
<
<







 







>
>
>
>







220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235



236
237
238
239
240
241
242
...
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
    }else if( typeHaystack!=SQLITE_BLOB && typeNeedle!=SQLITE_BLOB ){
      zHaystack = sqlite3_value_text(argv[0]);
      zNeedle = sqlite3_value_text(argv[1]);
      isText = 1;
    }else{
      pC1 = sqlite3_value_dup(argv[0]);
      zHaystack = sqlite3_value_text(pC1);
      if( zHaystack==0 ) goto endInstrOOM;
      nHaystack = sqlite3_value_bytes(pC1);
      pC2 = sqlite3_value_dup(argv[1]);
      zNeedle = sqlite3_value_text(pC2);
      if( zNeedle==0 ) goto endInstrOOM;
      nNeedle = sqlite3_value_bytes(pC2);
      isText = 1;
    }
    if( zNeedle==0 || (nHaystack && zHaystack==0) ) goto endInstrOOM;



    firstChar = zNeedle[0];
    while( nNeedle<=nHaystack
       && (zHaystack[0]!=firstChar || memcmp(zHaystack, zNeedle, nNeedle)!=0)
    ){
      N++;
      do{
        nHaystack--;
................................................................................
    }
    if( nNeedle>nHaystack ) N = 0;
  }
  sqlite3_result_int(context, N);
endInstr:
  sqlite3_value_free(pC1);
  sqlite3_value_free(pC2);
  return;
endInstrOOM:
  sqlite3_result_error_nomem(context);
  goto endInstr;
}

/*
** Implementation of the printf() function.
*/
static void printfFunc(
  sqlite3_context *context,