/ Check-in [901d0b8f]


Overview
Comment:Changes to avoid undefined behavior in memset() and memcpy() and in the comparisons of pointers from different allocations. All problems are found by analysis tools - none have been seen in the wild.
SHA1: 901d0b8f3b72e96ffa8e9436993a12980f5ebd51
User & Date: drh 2015-12-08 16:58:45
Context
2015-12-09
16:26
Simplification of the DROP TRIGGER logic using sqlite3NestedParse() instead of hand-coded VDBE code. This is a manual cherry-pick of the key change from check-in [c80bbf14b365d]. check-in: 8021b4c8 user: drh tags: trunk
16:04
Merge unrelated fixes from trunk. check-in: 362615b4 user: drh tags: snapshot-get
08:13
Merge latest trunk with this branch. check-in: dc236f11 user: dan tags: onepass-delete-or
2015-12-08
16:58
Changes to avoid undefined behavior in memset() and memcpy() and in the comparisons of pointers from different allocations. All problems are found by analysis tools - none have been seen in the wild. check-in: 901d0b8f user: drh tags: trunk
16:08
Avoid doing comparisons with pointers that might have been previously been passed to realloc() and/or free(). check-in: f20396ad user: drh tags: trunk
Changes

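--- a/src/btree.c
+++ b/src/btree.c
@@ -7517,16 +7517,21 @@
       ** was either part of sibling page iOld (possibly an overflow cell), 
       ** or else the divider cell to the left of sibling page iOld. So,
       ** if sibling page iOld had the same page number as pNew, and if
       ** pCell really was a part of sibling page iOld (not a divider or
       ** overflow cell), we can skip updating the pointer map entries.  */
       if( iOld>=nNew
        || pNew->pgno!=aPgno[iOld]
+#ifdef HAVE_STDINT_H
+       || (intptr_t)pCell<(intptr_t)aOld
+       || (intptr_t)pCell>=(intptr_t)&aOld[usableSize]
+#else
        || pCell<aOld
        || pCell>=&aOld[usableSize]
+#endif
       ){
         if( !leafCorrection ){
           ptrmapPut(pBt, get4byte(pCell), PTRMAP_BTREE, pNew->pgno, &rc);
         }
         if( cachedCellSize(&b,i)>pNew->minLocal ){
           ptrmapPutOvflPtr(pNew, pCell, &rc);
         }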
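Review bot: The HAVE_STDINT_H branch compares the addresses as signed intptr_t, so an allocation that straddled the signed midpoint of the address space (a constructed example: the 0x7fffffff/0x80000000 boundary on a 32-bit build) would order pCell against aOld the wrong way; the unsigned form has no such seam, i.e. `|| (uintptr_t)pCell<(uintptr_t)aOld` and `|| (uintptr_t)pCell>=(uintptr_t)&aOld[usableSize]`. intptr_t and uintptr_t are also optional types in <stdint.h> under C99/C11, so HAVE_STDINT_H alone does not guarantee they exist, which the #ifdef condition silently assumes. A one-line comment above the #ifdef would keep a later reader from "simplifying" the casts away, e.g. `/* Compare as integers: relational comparison of pointers into different allocations is undefined, the integer form is not. */`. The enclosing function starts and ends outside the hunk.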

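--- a/src/expr.c
+++ b/src/expr.c
@@ -849,14 +849,15 @@
 ** to store the copy of expression p, the copies of p->u.zToken
 ** (if applicable), and the copies of the p->pLeft and p->pRight expressions,
 ** if any. Before returning, *pzBuffer is set to the first byte past the
 ** portion of the buffer copied into by this function.
 */
 static Expr *exprDup(sqlite3 *db, Expr *p, int flags, u8 **pzBuffer){
   Expr *pNew = 0;                      /* Value to return */
+  assert( flags==0 || flags==EXPRDUP_REDUCE );
   if( p ){
     const int isReduced = (flags&EXPRDUP_REDUCE);
     u8 *zAlloc;
     u32 staticFlag = 0;
 
     assert( pzBuffer==0 || isReduced );
 
@@ -885,15 +886,17 @@
       }
       if( isReduced ){
         assert( ExprHasProperty(p, EP_Reduced)==0 );
         memcpy(zAlloc, p, nNewSize);
       }else{
         int nSize = exprStructSize(p);
         memcpy(zAlloc, p, nSize);
-        memset(&zAlloc[nSize], 0, EXPR_FULLSIZE-nSize);
+        if( nSize<EXPR_FULLSIZE ){ 
+          memset(&zAlloc[nSize], 0, EXPR_FULLSIZE-nSize);
+        }
       }
 
       /* Set the EP_Reduced, EP_TokenOnly, and EP_Static flags appropriately. */
       pNew->flags &= ~(EP_Reduced|EP_TokenOnly|EP_Static|EP_MemToken);
       pNew->flags |= nStructSize & (EP_Reduced|EP_TokenOnly);
       pNew->flags |= staticFlag;
 
@@ -975,14 +978,15 @@
 **
 ** The flags parameter contains a combination of the EXPRDUP_XXX flags.
 ** If the EXPRDUP_REDUCE flag is set, then the structure returned is a
 ** truncated version of the usual Expr structure that will be stored as
 ** part of the in-memory representation of the database schema.
 */
 Expr *sqlite3ExprDup(sqlite3 *db, Expr *p, int flags){
+  assert( flags==0 || flags==EXPRDUP_REDUCE );
   return exprDup(db, p, flags, 0);
 }
 ExprList *sqlite3ExprListDup(sqlite3 *db, ExprList *p, int flags){
   ExprList *pNew;
   struct ExprList_item *pItem, *pOldItem;
   int i;
   if( p==0 ) return 0;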
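Review bot: The new guard around the memset() in exprDup (second hunk) gives no reason for itself, so it reads as a redundant check that a later cleanup could remove; the guard only skips the call when EXPR_FULLSIZE-nSize would be zero (or, should exprStructSize ever return more than EXPR_FULLSIZE, negative and then converted to a huge size_t), and a comment such as `/* Only clear the tail when there is one; the zero-length memset() here was flagged as undefined by analysis tools (see check-in comment). */` would pin that down. The `if( nSize<EXPR_FULLSIZE ){ ` line also carries a trailing space. The assert on flags added to sqlite3ExprDup (third hunk) repeats the one added at the top of exprDup, which that wrapper calls immediately, so one of the two suffices. exprDup's body continues outside the hunks.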

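--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -3233,15 +3233,15 @@
   }
 
   /* String or blob */
   if( serial_type>=12 ){
     assert( pMem->n + ((pMem->flags & MEM_Zero)?pMem->u.nZero:0)
              == (int)sqlite3VdbeSerialTypeLen(serial_type) );
     len = pMem->n;
-    memcpy(buf, pMem->z, len);
+    if( len>0 ) memcpy(buf, pMem->z, len);
     return len;
   }
 
   /* NULL or constants 0 or 1 */
   return 0;
 }
 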
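Review bot: The `if( len>0 )` guard on the memcpy() does not say what it protects against, and nothing in the hunk shows the state of pMem->z when pMem->n is 0; presumably an empty string or blob can carry a null pMem->z, which makes even a zero-length memcpy() undefined, but that should be confirmed against the Mem invariants rather than inferred here. A comment on the guarded line would make the intent survive the next refactor, e.g. `/* memcpy() needs valid pointers even for len==0; skip it for an empty value */`. The enclosing function begins outside the hunk.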