/ Check-in [f41a0391]

Overview
Comment:Fix a buffer overrun in the code for handling IN(...) operators when the LHS of the operator contains indexed columns or expressions.
SHA1: f41a0391b732a8c4ad188163f34a0f4a22237bb5
User & Date: dan 2016-08-24 12:22:17
Context
2016-08-24
15:37
Add a NEVER() on an unreachable branch in comparisonAffinity(). check-in: 505a2f20 user: drh tags: rowvalue
12:22
Fix a buffer overrun in the code for handling IN(...) operators when the LHS of the operator contains indexed columns or expressions. check-in: f41a0391 user: dan tags: rowvalue
00:51
The previous OOM fix was bad. Back it out and replace it with a better one. check-in: 1e3bc369 user: drh tags: rowvalue
Changes

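--- a/src/wherecode.c
+++ b/src/wherecode.c
@@ -467,15 +467,15 @@
     pLevel->u.in.aInLoop =
        sqlite3DbReallocOrFree(pParse->db, pLevel->u.in.aInLoop,
                               sizeof(pLevel->u.in.aInLoop[0])*pLevel->u.in.nIn);
     pIn = pLevel->u.in.aInLoop;
     if( pIn ){
       int iMap = 0;               /* Index in aiMap[] */
       pIn += i;
-      for(i=iEq;i<pLoop->nLTerm; i++, pIn++){
+      for(i=iEq;i<pLoop->nLTerm; i++){
         int iOut = iReg;
         if( pLoop->aLTerm[i]->pExpr==pX ){
           if( eType==IN_INDEX_ROWID ){
             assert( nEq==1 && i==iEq );
             pIn->addrInTop = sqlite3VdbeAddOp2(v, OP_Rowid, iTab, iReg);
           }else{
             int iCol = aiMap ? aiMap[iMap++] : 0;
@@ -485,14 +485,15 @@
           sqlite3VdbeAddOp1(v, OP_IsNull, iOut); VdbeCoverage(v);
           if( i==iEq ){
             pIn->iCur = iTab;
             pIn->eEndLoopOp = bRev ? OP_PrevIfOpen : OP_NextIfOpen;
           }else{
             pIn->eEndLoopOp = OP_Noop;
           }
+          pIn++;
         }
       }
     }else{
       pLevel->u.in.nIn = 0;
     }
     sqlite3DbFree(pParse->db, aiMap);
 #endif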
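Review bot: Nothing in the new loop checks that `pIn` stays inside `aInLoop[]`, whose size is fixed a few lines earlier at `nIn` entries, so a later mismatch between `nIn` and the number of terms matching `pX` would again write past the allocation without any debug-build signal. Consider adding `assert( pIn<&pLevel->u.in.aInLoop[pLevel->u.in.nIn] );` as the first statement of the `if( pLoop->aLTerm[i]->pExpr==pX )` branch. A short comment on the relocated `pIn++` would also help, for example `/* Advance only for terms of pX; aInLoop[] has one slot per such term */`. The code that computes `nIn` is outside the visible hunks, so the one-slot-per-matching-term relationship is inferred from the fix rather than shown here, and the enclosing function starts and ends outside the hunks.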

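--- a/test/rowvalue.test
+++ b/test/rowvalue.test
@@ -215,9 +215,18 @@
   2 "(a, b) > (2, 2)" {3 4 5}
   3 "(a, b) < (4, 5)" {1 2 3 4}
   4 "(a, b) < (4, 3)" {1 2 3}
 } {
   do_execsql_test 9.$tn "SELECT c FROM t2 WHERE $q" $res
 } 
 
+do_execsql_test 10.0 {
+  CREATE TABLE dual(dummy); INSERT INTO dual(dummy) VALUES('X');
+  CREATE TABLE t3(a TEXT,b TEXT,c TEXT,d TEXT,e TEXT,f TEXT);
+  CREATE INDEX t3x ON t3(b,c,d,e,f);
+
+  SELECT a FROM t3
+    WHERE (c,d) IN (SELECT 'c','d' FROM dual)
+    AND (a,b,e) IN (SELECT 'a','b','d' FROM dual);
+}
 
 finish_test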
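Review bot: Test 10.0 has no comment tying it to the buffer overrun it guards, and it gives no expected result while `t3` is never populated, so the query returns nothing whether or not the bug is present. As written it appears to catch a regression only when the suite runs under a memory checker or a debug build that traps the out-of-bounds write. Suggest a comment above the case such as `# Regression: IN(...) with indexed columns on the LHS overran aInLoop[] in wherecode.c; run under a memory checker.` Inserting a matching row into `t3` and asserting the returned value would also make the case check query results, not just the absence of a crash.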