Fix a bug in the OP_MemStore operator of the VDBE. A realloc() might

occur but pointer to the old buffer were not being moved over to the new buffer. (CVS 752) FossilOrigin-Name: 29145746f34438bd830c763872c5e82572150357
2025-07-24 22:22:08 +03:00 · 2002-09-17 03:20:46 +00:00
parent 995d71b715
commit 3e56c04c4e
4 changed files with 55 additions and 11 deletions
--- a/14
+++ b/14
@ -1,5 +1,5 @@
-C Modify\sthe\ssqlite_encode_binary()\sroutine\sto\sreturn\sthe\sstrlen()\sof\sthe\nencoded\sstring.\s\sAlso\sfix\sa\sbug\sthat\soccurs\swhen\sattempting\sto\sencode\na\szero-length\sbuffer.\s(CVS\s751)
-D 2002-09-16T11:44:06
+C Fix\sa\sbug\sin\sthe\sOP_MemStore\soperator\sof\sthe\sVDBE.\s\sA\srealloc()\smight\noccur\sbut\spointer\sto\sthe\sold\sbuffer\swere\snot\sbeing\smoved\sover\sto\nthe\snew\sbuffer.\s(CVS\s752)
+D 2002-09-17T03:20:46
 F Makefile.in d6c9a85c2a5e696843201d090dcf8bf2f8716f2a
 F Makefile.linux-gcc b86a99c493a5bfb402d1d9178dcdc4bd4b32f906
 F README f1de682fbbd94899d50aca13d387d1b3fd3be2dd
@ -52,7 +52,7 @@ F src/tokenize.c 62c98842447effe92eba9622bb2f9a2a8a4b97ad
 F src/trigger.c 5ba917fc226b96065108da28186c2efaec53e481
 F src/update.c 881e4c8e7c786545da4fd2d95da19252b2e31137
 F src/util.c c70d5da5357e01b58392faebae3c3620c1d71f14
-F src/vdbe.c 8e567db1f36b2c6dda4719ebe53d565c087a5702
+F src/vdbe.c ac4ccc17d965e5754144cfec493093cf4272c126
 F src/vdbe.h b7584044223104ba7896a7f87b66daebdd6022ba
 F src/where.c 53959c9d94adaf93b409271815e26eafa6ddd515
 F test/all.test efd958d048c70a3247997c482f0b33561f7759f0
@ -80,7 +80,7 @@ F test/main.test c66b564554b770ee7fdbf6a66c0cd90329bc2c85
 F test/malloc.test 7ba32a9ebd3aeed52ae4aaa6d42ca37e444536fd
 F test/memleak.test b4f59aa44488793b00feff2011d77d0f05b22468
 F test/minmax.test 29bc5727c3e4c792d5c4745833dd4b505905819e
-F test/misc1.test 3ee14f86e00c1d5a3f3fc90b8490c398ec623e79
+F test/misc1.test 9b0fdc82756bd88da91e5d62f4c93ef6a457c1bc
 F test/misuse.test a3aa2b18a97e4c409a1fcaff5151a4dd804a0162
 F test/notnull.test b1f3e42fc475b0b5827b27b2e9b562081995ff30
 F test/null.test 5c2b57307e4b6178aae825eb65ddbee01e76b0fd
@ -149,7 +149,7 @@ F www/speed.tcl a20a792738475b68756ea7a19321600f23d1d803
 F www/sqlite.tcl ae3dcfb077e53833b59d4fcc94d8a12c50a44098
 F www/tclsqlite.tcl 1db15abeb446aad0caf0b95b8b9579720e4ea331
 F www/vdbe.tcl 2013852c27a02a091d39a766bc87cff329f21218
-P 3f253afe15d4f7392555f340a41d780d1248087f
-R ae2062ad558397dc7333045d78c8c1e1
+P f12c3a25ba5408c2a7c846a9f160416fd188cd26
+R 3c4e79bd5ec6ce7d63d34d010c5a09db
 U drh
-Z ff6d471c5e281a3e52ab81c5ecd43f4c
+Z c5560c2e0285ec66000e64e43f75e92e
--- a/manifest.uuid
+++ b/manifest.uuid
@ -1 +1 @@
-f12c3a25ba5408c2a7c846a9f160416fd188cd26
+29145746f34438bd830c763872c5e82572150357
--- a/src/vdbe.c
+++ b/src/vdbe.c
@ -36,7 +36,7 @@
 ** in this file for details.  If in doubt, do not deviate from existing
 ** commenting and indentation practices when changing or adding code.
 **
-** $Id: vdbe.c,v 1.178 2002/09/14 13:47:32 drh Exp $
+** $Id: vdbe.c,v 1.179 2002/09/17 03:20:46 drh Exp $
 */
 #include "sqliteInt.h"
 #include <ctype.h>
@ -4759,6 +4759,14 @@ case OP_MemStore: {
    p->nMem = i + 5;
    aMem = sqliteRealloc(p->aMem, p->nMem*sizeof(p->aMem[0]));
    if( aMem==0 ) goto no_mem;
+    if( aMem!=p->aMem ){
+      int j;
+      for(j=0; j<nOld; j++){
+        if( aMem[j].z==p->aMem[j].s.z ){
+          aMem[j].z = aMem[j].s.z;
+        }
+      }
+    }
    p->aMem = aMem;
    if( nOld<p->nMem ){
      memset(&p->aMem[nOld], 0, sizeof(p->aMem[0])*(p->nMem-nOld));
--- a/test/misc1.test
+++ b/test/misc1.test
@ -13,7 +13,7 @@
 # This file implements tests for miscellanous features that were
 # left out of other test files.
 #
-# $Id: misc1.test,v 1.14 2002/08/18 22:41:22 drh Exp $
+# $Id: misc1.test,v 1.15 2002/09/17 03:20:46 drh Exp $

 set testdir [file dirname $argv0]
 source $testdir/tester.tcl
@ -398,6 +398,42 @@ do_test misc1-12.13 {
  }
 } {1 2 2 3 4 2}

-
+# There was a problem with realloc() in the OP_MemStore operation of
+# the VDBE.  A buffer was being reallocated but some pointers into 
+# the old copy of the buffer were not being moved over to the new copy.
+# The following code tests for the problem.
+#
+do_test misc1-13.1 {
+   execsql {
+     CREATE TABLE t9(x,y);
+     INSERT INTO t9 VALUES('one',1);
+     INSERT INTO t9 VALUES('two',2);
+     INSERT INTO t9 VALUES('three',3);
+     INSERT INTO t9 VALUES('four',4);
+     INSERT INTO t9 VALUES('five',5);
+     INSERT INTO t9 VALUES('six',6);
+     INSERT INTO t9 VALUES('seven',7);
+     INSERT INTO t9 VALUES('eight',8);
+     INSERT INTO t9 VALUES('nine',9);
+     INSERT INTO t9 VALUES('ten',10);
+     INSERT INTO t9 VALUES('eleven',11);
+     SELECT y FROM t9
+     WHERE x=(SELECT x FROM t9 WHERE y=1)
+        OR x=(SELECT x FROM t9 WHERE y=2)
+        OR x=(SELECT x FROM t9 WHERE y=3)
+        OR x=(SELECT x FROM t9 WHERE y=4)
+        OR x=(SELECT x FROM t9 WHERE y=5)
+        OR x=(SELECT x FROM t9 WHERE y=6)
+        OR x=(SELECT x FROM t9 WHERE y=7)
+        OR x=(SELECT x FROM t9 WHERE y=8)
+        OR x=(SELECT x FROM t9 WHERE y=9)
+        OR x=(SELECT x FROM t9 WHERE y=10)
+        OR x=(SELECT x FROM t9 WHERE y=11)
+        OR x=(SELECT x FROM t9 WHERE y=12)
+        OR x=(SELECT x FROM t9 WHERE y=13)
+        OR x=(SELECT x FROM t9 WHERE y=14)
+     ;
+   }
+} {1 2 3 4 5 6 7 8 9 10 11}

 finish_test