
Fix a potential segfault following a malloc() failure during a call

to sqlite3_prepare() where the nBytes parameter is positive but less than
the length of the input SQL string. (CVS 3888)

FossilOrigin-Name: 27bf3fc3cf3c9c7acdbf9281a4669c9f642b0097
This commit is contained in:
drh
2007-04-30 21:39:16 +00:00
parent f055154108
commit 276fdbfd61
5 changed files with 160 additions and 15 deletions


@@ -1,5 +1,5 @@
C Lift\sdocListMerge()\scall\sout\sof\sloadSegmentLeavesInt()\sfor\sprefix\nsearch.\s\sDoclists\sfrom\smultiple\sprefix\smatches\swill\sneed\sa\sunion\smerge\nfunction,\swhich\swill\shave\sto\slogically\shappen\sacross\sa\ssegment\sbefore\ndoclists\sare\smerged\sbetween\ssegments.\s(CVS\s3887) C Fix\sa\spotential\ssegfault\sfollowing\sa\smalloc()\sfailure\sduring\sa\scall\nto\ssqlite3_prepare()\swhere\sthe\snBytes\sparameter\sis\spositive\sbut\sless\sthan\nthe\slength\sof\sthe\sinput\sSQL\sstring.\s(CVS\s3888)
D 2007-04-30T17:52:52 D 2007-04-30T21:39:16
F Makefile.in 8cab54f7c9f5af8f22fd97ddf1ecfd1e1860de62 F Makefile.in 8cab54f7c9f5af8f22fd97ddf1ecfd1e1860de62
F Makefile.linux-gcc 2d8574d1ba75f129aba2019f0b959db380a90935 F Makefile.linux-gcc 2d8574d1ba75f129aba2019f0b959db380a90935
F README 9c4e2d6706bdcc3efdd773ce752a8cdab4f90028 F README 9c4e2d6706bdcc3efdd773ce752a8cdab4f90028
@@ -91,7 +91,7 @@ F src/pager.c 48b1ebe8c9bcd8a9544ebef13c85547f28e8bb6b
F src/pager.h d652ddf092d2318d00e41f8539760fe8e57c157c F src/pager.h d652ddf092d2318d00e41f8539760fe8e57c157c
F src/parse.y a3940369e12c69c4968aa580cdc74cf73a664980 F src/parse.y a3940369e12c69c4968aa580cdc74cf73a664980
F src/pragma.c 4fdefc03c3fd0ee87f8aad82bf80ba9bf1cdf416 F src/pragma.c 4fdefc03c3fd0ee87f8aad82bf80ba9bf1cdf416
F src/prepare.c 4cb9c9eb926e8baf5652ca4b4f2416f53f5b5370 F src/prepare.c 03277063bc4f5860efbf23548fa0123ac0f6eaec
F src/printf.c 0c6f40648770831341ac45ab32423a80b4c87f05 F src/printf.c 0c6f40648770831341ac45ab32423a80b4c87f05
F src/random.c 6119474a6f6917f708c1dee25b9a8e519a620e88 F src/random.c 6119474a6f6917f708c1dee25b9a8e519a620e88
F src/select.c b914abca0ba28893e7fb7c7fb97a05e240e2ce8b F src/select.c b914abca0ba28893e7fb7c7fb97a05e240e2ce8b
@@ -275,7 +275,8 @@ F test/malloc4.test 59cd02f71b363302a04c4e77b97c0a1572eaa210
F test/malloc5.test f228cb7101ae403327824d327a1f5651d83ef0f2 F test/malloc5.test f228cb7101ae403327824d327a1f5651d83ef0f2
F test/malloc6.test 025ae0b78542e0ddd000d23f79d93e9be9ba0f15 F test/malloc6.test 025ae0b78542e0ddd000d23f79d93e9be9ba0f15
F test/malloc7.test 1cf52834509eac7ebeb92105dacd4669f9ca9869 F test/malloc7.test 1cf52834509eac7ebeb92105dacd4669f9ca9869
F test/malloc8.test ede3231e1d9359b3c618357e49cb1c62267382e7 F test/malloc8.test c46bb15d03370a6740be49cb6cb5403ce711ff19
F test/malloc9.test 8381041fd89c31fba60c8a1a1c776bb022108572
F test/manydb.test 8de36b8d33aab5ef295b11d9e95310aeded31af8 F test/manydb.test 8de36b8d33aab5ef295b11d9e95310aeded31af8
F test/memdb.test a67bda4ff90a38f2b19f6c7f95aa7289e051d893 F test/memdb.test a67bda4ff90a38f2b19f6c7f95aa7289e051d893
F test/memleak.test d2d2a1ff7105d32dc3fdf691458cf6cba58c7217 F test/memleak.test d2d2a1ff7105d32dc3fdf691458cf6cba58c7217
@@ -465,7 +466,7 @@ F www/tclsqlite.tcl bb0d1357328a42b1993d78573e587c6dcbc964b9
F www/vdbe.tcl 87a31ace769f20d3627a64fa1fade7fed47b90d0 F www/vdbe.tcl 87a31ace769f20d3627a64fa1fade7fed47b90d0
F www/version3.tcl 890248cf7b70e60c383b0e84d77d5132b3ead42b F www/version3.tcl 890248cf7b70e60c383b0e84d77d5132b3ead42b
F www/whentouse.tcl fc46eae081251c3c181bd79c5faef8195d7991a5 F www/whentouse.tcl fc46eae081251c3c181bd79c5faef8195d7991a5
P 8cccec68bd9073b2b19d3d31cf0b77b0ce76172e P 7ddb82668906e33e2d6a796f2da1795032e036d5
R 7069672da6b54cde9af80d1ef9e46049 R 6c84bdbf40bcc10c544725efed0e51c5
U shess U drh
Z 8a2908873a8cd6c0a742806cb3215c42 Z dbcc6f5007a9724aa47f910a6b885e46


@@ -1 +1 @@
7ddb82668906e33e2d6a796f2da1795032e036d5 27bf3fc3cf3c9c7acdbf9281a4669c9f642b0097


@@ -13,7 +13,7 @@
** interface, and routines that contribute to loading the database schema ** interface, and routines that contribute to loading the database schema
** from disk. ** from disk.
** **
** $Id: prepare.c,v 1.46 2007/04/19 11:09:01 danielk1977 Exp $ ** $Id: prepare.c,v 1.47 2007/04/30 21:39:16 drh Exp $
*/ */
#include "sqliteInt.h" #include "sqliteInt.h"
#include "os.h" #include "os.h"
@@ -491,9 +491,11 @@ int sqlite3Prepare(
sParse.db = db; sParse.db = db;
if( nBytes>=0 && zSql[nBytes]!=0 ){ if( nBytes>=0 && zSql[nBytes]!=0 ){
char *zSqlCopy = sqlite3StrNDup(zSql, nBytes); char *zSqlCopy = sqlite3StrNDup(zSql, nBytes);
sqlite3RunParser(&sParse, zSqlCopy, &zErrMsg); if( zSqlCopy ){
sParse.zTail += zSql - zSqlCopy; sqlite3RunParser(&sParse, zSqlCopy, &zErrMsg);
sqliteFree(zSqlCopy); sqliteFree(zSqlCopy);
}
sParse.zTail = &zSql[nBytes];
}else{ }else{
sqlite3RunParser(&sParse, zSql, &zErrMsg); sqlite3RunParser(&sParse, zSql, &zErrMsg);
} }
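Review bot: The new unconditional `sParse.zTail = &zSql[nBytes];` after the `if( zSqlCopy )` block discards where the parser actually stopped, whereas the removed `sParse.zTail += zSql - zSqlCopy;` translated the copy-relative tail back into the caller's buffer; if the nBytes prefix itself holds more than one statement, a caller that loops on *pzTail will now see the tail at the end of the prefix and silently skip the rest, which only the allocation-failure path should do. I would keep the translation in the success branch and reserve the end-of-prefix fallback for the NULL copy: `sParse.zTail = &zSql[sParse.zTail - zSqlCopy];` placed before `sqliteFree(zSqlCopy);` (the subtraction must happen while the copy is still allocated), and `}else{ sParse.zTail = &zSql[nBytes]; }`. Whether the NULL copy also marks the parse as SQLITE_NOMEM depends on sqlite3StrNDup setting the malloc-failed flag, which is not visible here. sqlite3Prepare begins and ends outside this hunk.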


@@ -1,4 +1,4 @@
# 2006 July 26 # 2007 April 25
# #
# The author disclaims copyright to this source code. In place of # The author disclaims copyright to this source code. In place of
# a legal notice, here is a blessing: # a legal notice, here is a blessing:
@@ -11,7 +11,7 @@
# This file contains additional out-of-memory checks (see malloc.tcl) # This file contains additional out-of-memory checks (see malloc.tcl)
# added to expose a bug in out-of-memory handling for sqlite3_value_text() # added to expose a bug in out-of-memory handling for sqlite3_value_text()
# #
# $Id: malloc8.test,v 1.1 2007/04/25 18:23:53 drh Exp $ # $Id: malloc8.test,v 1.2 2007/04/30 21:39:16 drh Exp $
set testdir [file dirname $argv0] set testdir [file dirname $argv0]
source $testdir/tester.tcl source $testdir/tester.tcl

test/malloc9.test Normal file

@@ -0,0 +1,142 @@
# 2007 April 30
#
# The author disclaims copyright to this source code. In place of
# a legal notice, here is a blessing:
#
# May you do good and not evil.
# May you find forgiveness for yourself and forgive others.
# May you share freely, never taking more than you give.
#
#***********************************************************************
# This file contains additional out-of-memory checks (see malloc.tcl)
# added to expose a bug in out-of-memory handling for sqlite3_prepare().
#
# $Id: malloc9.test,v 1.1 2007/04/30 21:39:16 drh Exp $
set testdir [file dirname $argv0]
source $testdir/tester.tcl
# Only run these tests if memory debugging is turned on.
#
if {[info command sqlite_malloc_stat]==""} {
puts "Skipping malloc tests: not compiled with -DSQLITE_MEMDEBUG..."
finish_test
return
}
# Usage: do_malloc_test <test number> <options...>
#
# The first argument, <test number>, is an integer used to name the
# tests executed by this proc. Options are as follows:
#
# -tclprep TCL script to run to prepare test.
# -sqlprep SQL script to run to prepare test.
# -tclbody TCL script to run with malloc failure simulation.
# -sqlbody TCL script to run with malloc failure simulation.
# -cleanup TCL script to run after the test.
#
# This command runs a series of tests to verify SQLite's ability
# to handle an out-of-memory condition gracefully. It is assumed
# that if this condition occurs a malloc() call will return a
# NULL pointer. Linux, for example, doesn't do that by default. See
# the "BUGS" section of malloc(3).
#
# Each iteration of a loop, the TCL commands in any argument passed
# to the -tclbody switch, followed by the SQL commands in any argument
# passed to the -sqlbody switch are executed. Each iteration the
# Nth call to sqliteMalloc() is made to fail, where N is increased
# each time the loop runs starting from 1. When all commands execute
# successfully, the loop ends.
#
proc do_malloc_test {tn args} {
array unset ::mallocopts
array set ::mallocopts $args
set ::go 1
for {set ::n 1} {$::go && $::n < 50000} {incr ::n} {
do_test malloc9-$tn.$::n {
sqlite_malloc_fail 0
catch {db close}
catch {file delete -force test.db}
catch {file delete -force test.db-journal}
sqlite3 db test.db
set ::DB [sqlite3_connection_pointer db]
# Execute any -tclprep and -sqlprep scripts.
#
if {[info exists ::mallocopts(-tclprep)]} {
eval $::mallocopts(-tclprep)
}
if {[info exists ::mallocopts(-sqlprep)]} {
execsql $::mallocopts(-sqlprep)
}
# Now set the ${::n}th malloc() to fail and execute the -tclbody and
# -sqlbody scripts.
#
sqlite_malloc_fail $::n
set ::mallocbody {}
if {[info exists ::mallocopts(-tclbody)]} {
append ::mallocbody "$::mallocopts(-tclbody)\n"
}
if {[info exists ::mallocopts(-sqlbody)]} {
append ::mallocbody "db eval {$::mallocopts(-sqlbody)}"
}
set v [catch $::mallocbody msg]
# If the test fails (if $v!=0) and the database connection actually
# exists, make sure the failure code is SQLITE_NOMEM.
if {$v && [info command db]=="db" && [info exists ::mallocopts(-sqlbody)]
&& [db errorcode]!=7} {
set v 999
}
set leftover [lindex [sqlite_malloc_stat] 2]
if {$leftover>0} {
if {$leftover>1} {puts "\nLeftover: $leftover\nReturn=$v Message=$msg"}
set ::go 0
if {$v} {
puts "\nError message returned: $msg"
} else {
set v {1 1}
}
} else {
set v2 [expr {$msg=="" || [regexp {out of memory} $msg]}]
if {!$v2} {puts "\nError message returned: $msg"}
lappend v $v2
}
} {1 1}
if {[info exists ::mallocopts(-cleanup)]} {
catch [list uplevel #0 $::mallocopts(-cleanup)] msg
}
}
unset ::mallocopts
}
do_malloc_test 1 -tclprep {
set sql {CREATE TABLE t1(x)}
set sqlbytes [string length $sql]
append sql {; INSERT INTO t1 VALUES(1)}
} -tclbody {
if {[catch {sqlite3_prepare db $sql $sqlbytes TAIL} STMT]} {
set msg $STMT
set STMT {}
error $msg
}
} -cleanup {
if {$STMT!=""} {
sqlite3_finalize $STMT
}
}
# Ensure that no file descriptors were leaked.
do_test malloc-99.X {
catch {db close}
set sqlite_open_file_count
} {0}
sqlite_malloc_fail 0
finish_test
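Review bot: The closing file-descriptor leak check is named `malloc-99.X` while every other test in this file is named `malloc9-$tn.$::n`, so a failure in it will be indistinguishable from malloc.test's in a full-suite log; rename it `do_test malloc9-99.X {`. The local do_malloc_test proc looks like a near-copy of the shared one the header comment points at in malloc.tcl, including the `-sqlbody` error-code check that this file never exercises because it only passes `-tclbody`; if malloc.tcl already provides the proc, sourcing it would avoid the two copies drifting apart, though I cannot confirm that from this page. The 50000 upper bound on the retry loop is also unexplained and deserves a one-line comment such as `# hard cap so a body that never completes cleanly cannot loop forever`.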