Fix a potential use-after-free error during parsing of malformed

CREATE TABLE statement. FossilOrigin-Name: c5dbc599b910c02a961675b12b273b8df6d29450
2025-08-08 14:02:16 +03:00 · 2016-11-14 20:08:00 +00:00
parent 362b66f051
commit 588429a87d
4 changed files with 12 additions and 12 deletions
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -2947,15 +2947,15 @@ struct Parse {
  } aColCache[SQLITE_N_COLCACHE];  /* One for each column cache entry */
  int aTempReg[8];        /* Holding area for temporary registers */
  Token sNameToken;       /* Token with unqualified schema object name */
-  Token sLastToken;       /* The last token parsed */

  /************************************************************************
  ** Above is constant between recursions.  Below is reset before and after
  ** each recursion.  The boundary between these two regions is determined
-  ** using offsetof(Parse,nVar) so the nVar field must be the first field
-  ** in the recursive region.
+  ** using offsetof(Parse,sLastToken) so the sLastToken field must be the
+  ** first field in the recursive region.
  ************************************************************************/

+  Token sLastToken;       /* The last token parsed */
  ynVar nVar;               /* Number of '?' variables seen in the SQL so far */
  int nzVar;                /* Number of available slots in azVar[] */
  u8 iPkSortOrder;          /* ASC or DESC for INTEGER PRIMARY KEY */
@@ -2989,7 +2989,7 @@ struct Parse {
 ** Sizes and pointers of various parts of the Parse object.
 */
 #define PARSE_HDR_SZ offsetof(Parse,aColCache) /* Recursive part w/o aColCache*/
-#define PARSE_RECURSE_SZ offsetof(Parse,nVar)  /* Recursive part */
+#define PARSE_RECURSE_SZ offsetof(Parse,sLastToken)    /* Recursive part */
 #define PARSE_TAIL_SZ (sizeof(Parse)-PARSE_RECURSE_SZ) /* Non-recursive part */
 #define PARSE_TAIL(X) (((char*)(X))+PARSE_RECURSE_SZ)  /* Pointer to tail */