The code generator for EXISTS and SELECT expressions was storing the
number of the register that holds the result in the Expr.iColumn field.
However, Expr.iColumn is a 16-bit signed integer. Hence, for very complex
statements that use more than 32768 registers prior to running the EXISTS
or SELECT, the register number will overflow and possibly result in using
a negative number for an array index and causing a subsequent malfunction
or crash.
Solutions to this problem include:
1. Make the Expr.iColumn field a 32-bit signed integer. (Version 3.6.16.1)
2. Do not store the result register number in Expr but instead return the
result register number as a function return value from the code
generator routines that evaluate EXISTS and SELECT. (Version 3.6.20)
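The truncation described above and both remedies, as an added example in C that is not SQLite's code: the struct types, `fitsInInt16`, `codeExistsOrSelect` and the register lookup are constructed stand-ins for the real `Expr` and code generator.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the original layout (constructed, not SQLite's Expr): the result
 * register number was kept in a 16-bit signed field. */
typedef struct OldExpr { int16_t iColumn; } OldExpr;

/* Old behaviour: storing a register number >= 32768 wraps to a negative value. */
static int oldStoreRegister(int reg){
  OldExpr e;
  e.iColumn = (int16_t)reg;       /* silently truncated to 16 bits */
  return e.iColumn;
}

/* Remedy 1 (3.6.16.1): widen the field to a 32-bit signed integer. */
typedef struct WideExpr { int32_t iColumn; } WideExpr;
static int wideStoreRegister(int reg){
  WideExpr e;
  e.iColumn = reg;                /* no truncation for any realistic register count */
  return e.iColumn;
}

/* Remedy 2 (3.6.20): do not keep the register in the Expr at all; the routine
 * that codes the EXISTS/SELECT hands the result register back to its caller. */
static int codeExistsOrSelect(int nRegUsed){
  int regResult = nRegUsed + 1;   /* allocate the next free register */
  return regResult;               /* caller uses the return value, not a field */
}

/* Check a reviewer would add before any narrowing store. */
static int fitsInInt16(int v){ return v >= INT16_MIN && v <= INT16_MAX; }

/* Bounds-checked register access: returns 0 instead of indexing aMem with a
 * negative or too-large index, which is the malfunction the ticket describes. */
static int regValueSafe(const int *aMem, int nMem, int idx, int *pOut){
  if( idx < 0 || idx >= nMem ) return 0;
  *pOut = aMem[idx];
  return 1;
}

int main(void){
  int aMem[4] = {10, 20, 30, 40};   /* constructed register file */
  int v, reg = 32768;
  printf("16-bit field holds %d, 32-bit field holds %d\n",
         oldStoreRegister(reg), wideStoreRegister(reg));
  printf("returned register: %d\n", codeExistsOrSelect(32767));
  printf("lookup with wrapped index ok? %d\n",
         regValueSafe(aMem, 4, oldStoreRegister(reg), &v));
  return 0;
}
```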
drh added on 2009-10-30 14:05:23:
Fixed by check-in [65a1f1334d] on the 3.6.16 branch.
Fixed by check-in [7253f8fad1] on the trunk.