/ Check-in [60de5f23]
Overview
Comment:Fix an obscure memory leak found by libfuzzer that may occur under some circumstances if expanding a "*" expression causes a SELECT to return more than 32767 columns.
SHA1: 60de5f23424552c98aa760ac89149a3d51f895be
User & Date: dan 2015-11-21 19:43:29
Changes

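--- a/src/select.c
+++ b/src/select.c
@@ -1609,14 +1609,15 @@
     nCol = pEList->nExpr;
     aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*nCol);
     testcase( aCol==0 );
   }else{
     nCol = 0;
     aCol = 0;
   }
+  assert( nCol==(i16)nCol );
   *pnCol = nCol;
   *paCol = aCol;
 
   for(i=0, pCol=aCol; i<nCol && !db->mallocFailed; i++, pCol++){
     /* Get an appropriate name for the column
     */
     p = sqlite3ExprSkipCollate(pEList->a[i].pExpr);
@@ -4451,14 +4452,15 @@
     }
     sqlite3ExprListDelete(db, pEList);
     p->pEList = pNew;
   }
 #if SQLITE_MAX_COLUMN
   if( p->pEList && p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){
     sqlite3ErrorMsg(pParse, "too many columns in result set");
+    return WRC_Abort;
   }
 #endif
   return WRC_Continue;
 }
 
 /*
 ** No-op routine for the parse-tree walker.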
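Review bot: The `assert( nCol==(i16)nCol )` added at 1616 is a debug-only check, so in an NDEBUG build the only thing preventing the >32767 truncation described in the check-in comment is the `return WRC_Abort` added at 4459 — and that line sits inside `#if SQLITE_MAX_COLUMN`, so a build that defines SQLITE_MAX_COLUMN as 0 appears to lose the guard entirely (whether sqliteLimit.h rejects that value is not visible on this page). A one-line comment on the assert would make the dependency explicit: `/* The SQLITE_LIMIT_COLUMN check in the expander callback keeps nCol within the i16 range of *pnCol; this assert only documents that invariant. */`. That pnCol is really an i16* is inferred from the cast, since the signature of the function at 1609 is outside the hunk. Both enclosing functions begin before their hunks, and the first one also continues past line 1623.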

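--- a/test/sqllimits1.test
+++ b/test/sqllimits1.test
@@ -870,12 +870,23 @@
 do_test sqllimits1-16.2 {
   set ::format "[string repeat A 60][string repeat "%J" $::N]"
   catchsql {
     SELECT strftime($::format, 1);
   }
 } {1 {string or blob too big}}
 
+do_catchsql_test sqllimits1.17.0 {
+  SELECT *,*,*,*,*,*,*,* FROM (
+  SELECT *,*,*,*,*,*,*,* FROM (
+  SELECT *,*,*,*,*,*,*,* FROM (
+  SELECT *,*,*,*,*,*,*,* FROM (
+  SELECT *,*,*,*,*,*,*,* FROM (
+    SELECT 1,2,3,4,5,6,7,8,9,10
+  )
+  ))))
+} "1 {too many columns in result set}"
+
 
 foreach {key value} [array get saved] {
   catch {set $key $value}
 }
 finish_test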
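Review bot: The new test's name `sqllimits1.17.0` breaks the `sqllimits1-N.M` convention used by its neighbour `sqllimits1-16.2` at line 870; `do_catchsql_test sqllimits1-17.0 {` keeps the file's names consistent and greppable. It is also worth stating which path the query targets: the nesting yields 10, 80, 640, 5120, 40960 and 327680 columns per level, so the "too many columns" abort fires at whichever level first exceeds the active SQLITE_LIMIT_COLUMN, and only a limit of 40960 or more would let the 32767-column case from the check-in comment actually be reached before the error — the default limit is not visible on this page, so as written the test may pin only the error path. A short comment such as `# Expanding "*" five levels deep yields 10*8^5 columns; must fail with the column limit, not overflow the i16 column count` would make the intent clear to the next reader.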