SQLite

View Ticket
Login
Ticket Hash: f50af3e8a565776b1dd3248dfa2d4a87d60e4153
Title: OOB memory access on a table rename
Status: Fixed Type: Code_Defect
Severity: Important Priority: Low
Subsystem: Unknown Resolution: Fixed
Last Modified: 2020-02-23 17:38:04
Version Found In: 3.31.1
User Comments:
drh added on 2020-02-23 16:09:56: (text/x-fossil-wiki)
The ALTER TABLE statement in the following SQL causes an out-of-bounds
memory access:

<blockquote><verbatim>
CREATE TABLE t1(x);
CREATE VIEW t2 AS SELECT 1 FROM t1, (t1 AS a0, t1);
ALTER TABLE t1 RENAME TO t3;
</verbatim></blockquote>

This problem was discovered and reported by
sakura(@eternalsakura13) of Alpha Team, Qihoo 360

drh added on 2020-02-23 16:16:40: (text/x-fossil-wiki)
The OOB memory access occurs inside the 
[https://www.sqlite.org/src/artifact/f48a4423c8f198d7?ln=668-679|renameTokenCheckAll()]
procedure, which is a debugging procedure
that only exists for debugging builds.
It is unclear whether or not
this problem exists in release builds.

drh added on 2020-02-23 17:38:04: (text/x-fossil-wiki)
The test case shown above is indeed harmless for release builds.  However,
Sakura provides another more complex test case (not shown here) that does
cause an OOB memory access on release builds due to the two-size lookaside
memory allocator added in version 3.31.0.  It is the same problem in both
cases, and is fixed by check-in [c431b3fd8fd0f6a6].