Fix a potential segfault following a malloc() failure during a call
to sqlite3_prepare() where the nBytes parameter is positive but less than the length of the input SQL string. (CVS 3888) FossilOrigin-Name: 27bf3fc3cf3c9c7acdbf9281a4669c9f642b0097
17
manifest
17
manifest
@@ -1,5 +1,5 @@
|
||||
C Lift\sdocListMerge()\scall\sout\sof\sloadSegmentLeavesInt()\sfor\sprefix\nsearch.\s\sDoclists\sfrom\smultiple\sprefix\smatches\swill\sneed\sa\sunion\smerge\nfunction,\swhich\swill\shave\sto\slogically\shappen\sacross\sa\ssegment\sbefore\ndoclists\sare\smerged\sbetween\ssegments.\s(CVS\s3887)
|
||||
D 2007-04-30T17:52:52
|
||||
C Fix\sa\spotential\ssegfault\sfollowing\sa\smalloc()\sfailure\sduring\sa\scall\nto\ssqlite3_prepare()\swhere\sthe\snBytes\sparameter\sis\spositive\sbut\sless\sthan\nthe\slength\sof\sthe\sinput\sSQL\sstring.\s(CVS\s3888)
|
||||
D 2007-04-30T21:39:16
|
||||
F Makefile.in 8cab54f7c9f5af8f22fd97ddf1ecfd1e1860de62
|
||||
F Makefile.linux-gcc 2d8574d1ba75f129aba2019f0b959db380a90935
|
||||
F README 9c4e2d6706bdcc3efdd773ce752a8cdab4f90028
|
||||
@@ -91,7 +91,7 @@ F src/pager.c 48b1ebe8c9bcd8a9544ebef13c85547f28e8bb6b
|
||||
F src/pager.h d652ddf092d2318d00e41f8539760fe8e57c157c
|
||||
F src/parse.y a3940369e12c69c4968aa580cdc74cf73a664980
|
||||
F src/pragma.c 4fdefc03c3fd0ee87f8aad82bf80ba9bf1cdf416
|
||||
F src/prepare.c 4cb9c9eb926e8baf5652ca4b4f2416f53f5b5370
|
||||
F src/prepare.c 03277063bc4f5860efbf23548fa0123ac0f6eaec
|
||||
F src/printf.c 0c6f40648770831341ac45ab32423a80b4c87f05
|
||||
F src/random.c 6119474a6f6917f708c1dee25b9a8e519a620e88
|
||||
F src/select.c b914abca0ba28893e7fb7c7fb97a05e240e2ce8b
|
||||
@@ -275,7 +275,8 @@ F test/malloc4.test 59cd02f71b363302a04c4e77b97c0a1572eaa210
|
||||
F test/malloc5.test f228cb7101ae403327824d327a1f5651d83ef0f2
|
||||
F test/malloc6.test 025ae0b78542e0ddd000d23f79d93e9be9ba0f15
|
||||
F test/malloc7.test 1cf52834509eac7ebeb92105dacd4669f9ca9869
|
||||
F test/malloc8.test ede3231e1d9359b3c618357e49cb1c62267382e7
|
||||
F test/malloc8.test c46bb15d03370a6740be49cb6cb5403ce711ff19
|
||||
F test/malloc9.test 8381041fd89c31fba60c8a1a1c776bb022108572
|
||||
F test/manydb.test 8de36b8d33aab5ef295b11d9e95310aeded31af8
|
||||
F test/memdb.test a67bda4ff90a38f2b19f6c7f95aa7289e051d893
|
||||
F test/memleak.test d2d2a1ff7105d32dc3fdf691458cf6cba58c7217
|
||||
@@ -465,7 +466,7 @@ F www/tclsqlite.tcl bb0d1357328a42b1993d78573e587c6dcbc964b9
|
||||
F www/vdbe.tcl 87a31ace769f20d3627a64fa1fade7fed47b90d0
|
||||
F www/version3.tcl 890248cf7b70e60c383b0e84d77d5132b3ead42b
|
||||
F www/whentouse.tcl fc46eae081251c3c181bd79c5faef8195d7991a5
|
||||
P 8cccec68bd9073b2b19d3d31cf0b77b0ce76172e
|
||||
R 7069672da6b54cde9af80d1ef9e46049
|
||||
U shess
|
||||
Z 8a2908873a8cd6c0a742806cb3215c42
|
||||
P 7ddb82668906e33e2d6a796f2da1795032e036d5
|
||||
R 6c84bdbf40bcc10c544725efed0e51c5
|
||||
U drh
|
||||
Z dbcc6f5007a9724aa47f910a6b885e46
|
||||
|
@@ -1 +1 @@
|
||||
7ddb82668906e33e2d6a796f2da1795032e036d5
|
||||
27bf3fc3cf3c9c7acdbf9281a4669c9f642b0097
|
@@ -13,7 +13,7 @@
|
||||
** interface, and routines that contribute to loading the database schema
|
||||
** from disk.
|
||||
**
|
||||
** $Id: prepare.c,v 1.46 2007/04/19 11:09:01 danielk1977 Exp $
|
||||
** $Id: prepare.c,v 1.47 2007/04/30 21:39:16 drh Exp $
|
||||
*/
|
||||
#include "sqliteInt.h"
|
||||
#include "os.h"
|
||||
@@ -491,9 +491,11 @@ int sqlite3Prepare(
|
||||
sParse.db = db;
|
||||
if( nBytes>=0 && zSql[nBytes]!=0 ){
|
||||
char *zSqlCopy = sqlite3StrNDup(zSql, nBytes);
|
||||
if( zSqlCopy ){
|
||||
sqlite3RunParser(&sParse, zSqlCopy, &zErrMsg);
|
||||
sParse.zTail += zSql - zSqlCopy;
|
||||
sqliteFree(zSqlCopy);
|
||||
}
|
||||
sParse.zTail = &zSql[nBytes];
|
||||
}else{
|
||||
sqlite3RunParser(&sParse, zSql, &zErrMsg);
|
||||
}
|
||||
|
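Review bot: The unconditional `sParse.zTail = &zSql[nBytes];` after the `if( zSqlCopy )` block appears to discard the tail position the parser computed on the copy; the `+`/`-` markers are lost in this rendering, but the 9-to-11 line counts suggest `sParse.zTail += zSql - zSqlCopy;` is the removed line. If so, when the first nBytes bytes hold more than one statement, the reported tail points at the end of the nBytes range rather than at the end of the first statement, and a caller looping on the tail would skip statements that were never compiled. Consider translating the offset inside the success branch, `sParse.zTail = &zSql[sParse.zTail - zSqlCopy];`, and keeping `sParse.zTail = &zSql[nBytes];` only in an `else` for the allocation-failure path. Separately, the guard `zSql[nBytes]!=0` reads one byte past the length the caller declared, which over-reads a buffer that is exactly nBytes long and not NUL-terminated; if the API contract does not require a terminator, testing `zSql[nBytes-1]` instead would avoid that. The body of sqlite3Prepare continues outside the hunk.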
@@ -1,4 +1,4 @@
|
||||
# 2006 July 26
|
||||
# 2007 April 25
|
||||
#
|
||||
# The author disclaims copyright to this source code. In place of
|
||||
# a legal notice, here is a blessing:
|
||||
@@ -11,7 +11,7 @@
|
||||
# This file contains additional out-of-memory checks (see malloc.tcl)
|
||||
# added to expose a bug in out-of-memory handling for sqlite3_value_text()
|
||||
#
|
||||
# $Id: malloc8.test,v 1.1 2007/04/25 18:23:53 drh Exp $
|
||||
# $Id: malloc8.test,v 1.2 2007/04/30 21:39:16 drh Exp $
|
||||
|
||||
set testdir [file dirname $argv0]
|
||||
source $testdir/tester.tcl
|
||||
|
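--- a/test/malloc9.test
+++ b/test/malloc9.test
@@ -0,0 +1,142 @@
+# 2007 April 30
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+# This file contains additional out-of-memory checks (see malloc.tcl)
+# added to expose a bug in out-of-memory handling for sqlite3_prepare().
+#
+# $Id: malloc9.test,v 1.1 2007/04/30 21:39:16 drh Exp $
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+
+# Only run these tests if memory debugging is turned on.
+#
+if {[info command sqlite_malloc_stat]==""} {
+puts "Skipping malloc tests: not compiled with -DSQLITE_MEMDEBUG..."
+finish_test
+return
+}
+
+# Usage: do_malloc_test <test number> <options...>
+#
+# The first argument, <test number>, is an integer used to name the
+# tests executed by this proc. Options are as follows:
+#
+# -tclprep TCL script to run to prepare test.
+# -sqlprep SQL script to run to prepare test.
+# -tclbody TCL script to run with malloc failure simulation.
+# -sqlbody TCL script to run with malloc failure simulation.
+# -cleanup TCL script to run after the test.
+#
+# This command runs a series of tests to verify SQLite's ability
+# to handle an out-of-memory condition gracefully. It is assumed
+# that if this condition occurs a malloc() call will return a
+# NULL pointer. Linux, for example, doesn't do that by default. See
+# the "BUGS" section of malloc(3).
+#
+# Each iteration of a loop, the TCL commands in any argument passed
+# to the -tclbody switch, followed by the SQL commands in any argument
+# passed to the -sqlbody switch are executed. Each iteration the
+# Nth call to sqliteMalloc() is made to fail, where N is increased
+# each time the loop runs starting from 1. When all commands execute
+# successfully, the loop ends.
+#
+proc do_malloc_test {tn args} {
+array unset ::mallocopts
+array set ::mallocopts $args
+
+set ::go 1
+for {set ::n 1} {$::go && $::n < 50000} {incr ::n} {
+do_test malloc9-$tn.$::n {
+
+sqlite_malloc_fail 0
+catch {db close}
+catch {file delete -force test.db}
+catch {file delete -force test.db-journal}
+sqlite3 db test.db
+set ::DB [sqlite3_connection_pointer db]
+
+# Execute any -tclprep and -sqlprep scripts.
+#
+if {[info exists ::mallocopts(-tclprep)]} {
+eval $::mallocopts(-tclprep)
+}
+if {[info exists ::mallocopts(-sqlprep)]} {
+execsql $::mallocopts(-sqlprep)
+}
+
+# Now set the ${::n}th malloc() to fail and execute the -tclbody and
+# -sqlbody scripts.
+#
+sqlite_malloc_fail $::n
+set ::mallocbody {}
+if {[info exists ::mallocopts(-tclbody)]} {
+append ::mallocbody "$::mallocopts(-tclbody)\n"
+}
+if {[info exists ::mallocopts(-sqlbody)]} {
+append ::mallocbody "db eval {$::mallocopts(-sqlbody)}"
+}
+set v [catch $::mallocbody msg]
+
+# If the test fails (if $v!=0) and the database connection actually
+# exists, make sure the failure code is SQLITE_NOMEM.
+if {$v && [info command db]=="db" && [info exists ::mallocopts(-sqlbody)]
+&& [db errorcode]!=7} {
+set v 999
+}
+
+set leftover [lindex [sqlite_malloc_stat] 2]
+if {$leftover>0} {
+if {$leftover>1} {puts "\nLeftover: $leftover\nReturn=$v Message=$msg"}
+set ::go 0
+if {$v} {
+puts "\nError message returned: $msg"
+} else {
+set v {1 1}
+}
+} else {
+set v2 [expr {$msg=="" || [regexp {out of memory} $msg]}]
+if {!$v2} {puts "\nError message returned: $msg"}
+lappend v $v2
+}
+} {1 1}
+
+if {[info exists ::mallocopts(-cleanup)]} {
+catch [list uplevel #0 $::mallocopts(-cleanup)] msg
+}
+}
+unset ::mallocopts
+}
+
+
+do_malloc_test 1 -tclprep {
+set sql {CREATE TABLE t1(x)}
+set sqlbytes [string length $sql]
+append sql {; INSERT INTO t1 VALUES(1)}
+} -tclbody {
+if {[catch {sqlite3_prepare db $sql $sqlbytes TAIL} STMT]} {
+set msg $STMT
+set STMT {}
+error $msg
+}
+} -cleanup {
+if {$STMT!=""} {
+sqlite3_finalize $STMT
+}
+}
+
+# Ensure that no file descriptors were leaked.
+do_test malloc-99.X {
+catch {db close}
+set sqlite_open_file_count
+} {0}
+
+sqlite_malloc_fail 0
+finish_test
+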
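Review bot: The new case passes `TAIL` to `sqlite3_prepare` but never inspects it, so the test only shows that the out-of-memory path neither crashes nor leaves allocations behind; it says nothing about where the tail lands when the SQL is copied because nBytes is shorter than the string. A second `do_malloc_test` whose nBytes prefix contains two statements, e.g. `set sql {CREATE TABLE t1(x); CREATE TABLE t2(y)}` with `set sqlbytes [string length $sql]` taken before the trailing text is appended, and a comparison of `$TAIL` against the expected remainder after a successful prepare, would cover that. The closing check is also still named `malloc-99.X`; `malloc9-99.X` would keep its result from being confused with the other malloc test files.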