SQLite

Check-in [e098de69]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix a (almost always harmless) read past the end of a memory allocation that comes about because the Expr.pTab field is checked on an EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to know that the Expr.pTab field is meaningless.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: e098de691002a78270540430b0df1e120582b53f
User & Date: drh 2015-01-27 13:17:05
Context
2015-01-27
18:43
Improve the performance of fts3/4 queries that use the OR operator and at least one auxiliary fts function. (check-in: 245e8730 user: dan tags: trunk)
13:17
Fix a (almost always harmless) read past the end of a memory allocation that comes about because the Expr.pTab field is checked on an EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to know that the Expr.pTab field is meaningless. (check-in: e098de69 user: drh tags: trunk)
2015-01-25
20:19
The va_list argument cannot take on a NULL value and cannot be compared with NULL on some platforms (ex: ARM). So do not attempt to do so. (check-in: 1964e656 user: drh tags: trunk)
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/expr.c. 

128
129
130
131
132
133
134
135
136
137

138
139
140
141
142
143
144

      p = p->pLeft;
      continue;
    }
    if( op==TK_COLLATE || (op==TK_REGISTER && p->op2==TK_COLLATE) ){
      pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken);
      break;
    }
    if( p->pTab!=0
     && (op==TK_AGG_COLUMN || op==TK_COLUMN
          || op==TK_REGISTER || op==TK_TRIGGER)

    ){
      /* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally
      ** a TK_COLUMN but was previously evaluated and cached in a register */
      int j = p->iColumn;
      if( j>=0 ){
        const char *zColl = p->pTab->aCol[j].zColl;
        pColl = sqlite3FindCollSeq(db, ENC(db), zColl, 0);








<
|

>








128
129
130
131
132
133
134

135
136
137
138
139
140
141
142
143
144

      p = p->pLeft;
      continue;
    }
    if( op==TK_COLLATE || (op==TK_REGISTER && p->op2==TK_COLLATE) ){
      pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken);
      break;
    }

    if( (op==TK_AGG_COLUMN || op==TK_COLUMN
          || op==TK_REGISTER || op==TK_TRIGGER)
     && p->pTab!=0
    ){
      /* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally
      ** a TK_COLUMN but was previously evaluated and cached in a register */
      int j = p->iColumn;
      if( j>=0 ){
        const char *zColl = p->pTab->aCol[j].zColl;
        pColl = sqlite3FindCollSeq(db, ENC(db), zColl, 0);

Changes to test/misc1.test. 

616
617
618
619
620
621
622










623
624

  sqlite3_test_control_fault_install fault_callback
  set fault_callbacks
} {0}
do_test misc1-19.2 {
  sqlite3_test_control_fault_install
  set fault_callbacks
} {0}











finish_test








>
>
>
>
>
>
>
>
>
>



616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634

  sqlite3_test_control_fault_install fault_callback
  set fault_callbacks
} {0}
do_test misc1-19.2 {
  sqlite3_test_control_fault_install
  set fault_callbacks
} {0}

# 2015-01-26:  Valgrind-detected over-read.
# Reported on sqlite-users@sqlite.org by Michal Zalewski.  Found by afl-fuzz
# presumably.
#
do_execsql_test misc1-20.1 {
  CREATE TABLE t0(x INTEGER DEFAULT(0==0) NOT NULL);
  REPLACE INTO t0(x) VALUES('');
  SELECT rowid, quote(x) FROM t0;
} {1 ''}

finish_test