
Make sure the translateColumnToCopy() routine in the query planner does not

try to access an array that failed to be fully allocated due to a prior OOM.
This fixes an issue discovered by OSSFuzz.

FossilOrigin-Name: 3299a26160c239255608d1e2b15a221e28b18a3d
drh
2017-03-11 13:02:59 +00:00
parent 891d6b4e9e
commit 202230ef5c
3 changed files with 16 additions and 11 deletions


@@ -517,14 +517,16 @@ static LogEst estLog(LogEst N){
** value stored in its output register.
*/
static void translateColumnToCopy(
Vdbe *v, /* The VDBE containing code to translate */
Parse *pParse, /* Parsing context */
int iStart, /* Translate from this opcode to the end */
int iTabCur, /* OP_Column/OP_Rowid references to this table */
int iRegister, /* The first column is in this register */
int bIncrRowid /* If non-zero, transform OP_rowid to OP_AddImm(1) */
){
Vdbe *v = pParse->pVdbe;
VdbeOp *pOp = sqlite3VdbeGetOp(v, iStart);
int iEnd = sqlite3VdbeCurrentAddr(v);
if( pParse->db->mallocFailed ) return;
for(; iStart<iEnd; iStart++, pOp++){
if( pOp->p1!=iTabCur ) continue;
if( pOp->opcode==OP_Column ){
@@ -802,7 +804,9 @@ static void constructAutomaticIndex(
if( pPartial ) sqlite3VdbeResolveLabel(v, iContinue);
if( pTabItem->fg.viaCoroutine ){
sqlite3VdbeChangeP2(v, addrCounter, regBase+n);
translateColumnToCopy(v, addrTop, pLevel->iTabCur, pTabItem->regResult, 1);
testcase( pParse->db->mallocFailed );
translateColumnToCopy(pParse, addrTop, pLevel->iTabCur,
pTabItem->regResult, 1);
sqlite3VdbeGoto(v, addrTop);
pTabItem->fg.viaCoroutine = 0;
}else{
@@ -4920,8 +4924,9 @@ void sqlite3WhereEnd(WhereInfo *pWInfo){
** the co-routine into OP_Copy of result contained in a register.
** OP_Rowid becomes OP_Null.
*/
if( pTabItem->fg.viaCoroutine && !db->mallocFailed ){
translateColumnToCopy(v, pLevel->addrBody, pLevel->iTabCur,
if( pTabItem->fg.viaCoroutine ){
testcase( pParse->db->mallocFailed );
translateColumnToCopy(pParse, pLevel->addrBody, pLevel->iTabCur,
pTabItem->regResult, 0);
continue;
}
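Review bot: The new `if( pParse->db->mallocFailed ) return;` guard in translateColumnToCopy() sits after `pOp = sqlite3VdbeGetOp(v, iStart)` and carries no comment, so a reader cannot tell that its position ahead of the loop is what keeps `pOp` from being walked over a partially allocated opcode array. I would add a comment directly above it, for example `/* After an OOM the opcode array may be incomplete; pOp must not be dereferenced */`, and extend the function's header comment to say the routine does nothing once mallocFailed is set. The lookup itself still runs before the guard, which is only safe if sqlite3VdbeGetOp() tolerates an out-of-range address after an allocation failure; that is not visible on this page and is worth confirming. The function body continues past the end of the first hunk.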