database/sqlite
1
0
Fork 0
mirror of https://github.com/sqlite/sqlite.git synced 2025-08-01 06:27:03 +03:00
Code Activity

Fix a crash that could occur under certain circumstances if the vectors on either side of a comparison operator were of a different size.

Browse Source 
FossilOrigin-Name: 42670935aba152ba774c2a8bdcbe72b943309d68
This commit is contained in:
dan
2016-09-05 09:44:45 +00:00
parent 80aa545337
commit 5c3340bd47
6 changed files with 42 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
manifest
View File

@ -1,5 +1,5 @@
C Fix\sa\sproblem\scausing\sthe\saffinity\sof\ssub-select\srow-value\selements\sto\sbe\signored\sin\ssome\scontextes. C Fix\sa\scrash\sthat\scould\soccur\sunder\scertain\scircumstances\sif\sthe\svectors\son\seither\sside\sof\sa\scomparison\soperator\swere\sof\sa\sdifferent\ssize.
D 2016-09-03T19:52:12.432 D 2016-09-05T09:44:45.878
F Makefile.in cfd8fb987cd7a6af046daa87daa146d5aad0e088 F Makefile.in cfd8fb987cd7a6af046daa87daa146d5aad0e088
F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
F Makefile.msc 5017381e4853b1472e01d5bb926be1268eba429c F Makefile.msc 5017381e4853b1472e01d5bb926be1268eba429c
@ -338,7 +338,7 @@ F src/ctime.c e77f3dc297b4b65c96da78b4ae4272fdfae863d7
F src/date.c 95c9a8d00767e7221a8e9a31f4e913fc8029bf6b F src/date.c 95c9a8d00767e7221a8e9a31f4e913fc8029bf6b
F src/dbstat.c 19ee7a4e89979d4df8e44cfac7a8f905ec89b77d F src/dbstat.c 19ee7a4e89979d4df8e44cfac7a8f905ec89b77d
F src/delete.c 76c084f0265f4a3cd1ecf17eee112a94f1ccbc05 F src/delete.c 76c084f0265f4a3cd1ecf17eee112a94f1ccbc05
F src/expr.c 23b595cc6e2b609d53c72343b3fe16ce8b5e446d F src/expr.c 750ed16649d655fef117c6d983c7382acd625bfd
F src/fault.c 160a0c015b6c2629d3899ed2daf63d75754a32bb F src/fault.c 160a0c015b6c2629d3899ed2daf63d75754a32bb
F src/fkey.c e2be0968c1adc679c87e467aa5b4f167588f38a8 F src/fkey.c e2be0968c1adc679c87e467aa5b4f167588f38a8
F src/func.c 29cc9acb170ec1387b9f63eb52cd85f8de96c771 F src/func.c 29cc9acb170ec1387b9f63eb52cd85f8de96c771
@ -390,7 +390,7 @@ F src/shell.c 79dda477be6c96eba6e952a934957ad36f87acc7
F src/sqlite.h.in 4a030e254e204570444b34bf7d40fb4a5416089e F src/sqlite.h.in 4a030e254e204570444b34bf7d40fb4a5416089e
F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
F src/sqlite3ext.h 8648034aa702469afb553231677306cc6492a1ae F src/sqlite3ext.h 8648034aa702469afb553231677306cc6492a1ae
F src/sqliteInt.h c9e010a79ab4ed7bdc910a24d8f08f3c6d5f822c F src/sqliteInt.h e7afbfaa4033a4c1cf2aa7bbdd0eb27e4663ab3a
F src/sqliteLimit.h c0373387c287c8d0932510b5547ecde31b5da247 F src/sqliteLimit.h c0373387c287c8d0932510b5547ecde31b5da247
F src/status.c a9e66593dfb28a9e746cba7153f84d49c1ddc4b1 F src/status.c a9e66593dfb28a9e746cba7153f84d49c1ddc4b1
F src/table.c 5226df15ab9179b9ed558d89575ea0ce37b03fc9 F src/table.c 5226df15ab9179b9ed558d89575ea0ce37b03fc9
@ -468,7 +468,7 @@ F src/walker.c 2d2cc7fb0f320f7f415215d7247f3c584141ac09
F src/where.c 48d705e5196a0611a7be90698eade455ee238536 F src/where.c 48d705e5196a0611a7be90698eade455ee238536
F src/whereInt.h 14dd243e13b81cbb0a66063d38b70f93a7d6e613 F src/whereInt.h 14dd243e13b81cbb0a66063d38b70f93a7d6e613
F src/wherecode.c 8a9a53cb52dd8a75e07c85e3bc12c1604c735954 F src/wherecode.c 8a9a53cb52dd8a75e07c85e3bc12c1604c735954
F src/whereexpr.c 7f9ada866d48d15d09754ae819c1c40efe3b2aff F src/whereexpr.c 571597ac8d761505f626e597884b2a03494053cd
F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2 F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
F test/affinity2.test a6d901b436328bd67a79b41bb0ac2663918fe3bd F test/affinity2.test a6d901b436328bd67a79b41bb0ac2663918fe3bd
F test/aggerror.test a867e273ef9e3d7919f03ef4f0e8c0d2767944f2 F test/aggerror.test a867e273ef9e3d7919f03ef4f0e8c0d2767944f2
@ -1023,7 +1023,7 @@ F test/rowid.test 5b7509f384f4f6fae1af3c8c104c8ca299fea18d
F test/rowvalue.test 7d8482dde9023973615eaaca65647f33d70c1f01 F test/rowvalue.test 7d8482dde9023973615eaaca65647f33d70c1f01
F test/rowvalue2.test 060d238b7e5639a7c5630cb5e63e311b44efef2b F test/rowvalue2.test 060d238b7e5639a7c5630cb5e63e311b44efef2b
F test/rowvalue3.test 01399b7bf150b0d41abce76c18072da777c2500c F test/rowvalue3.test 01399b7bf150b0d41abce76c18072da777c2500c
F test/rowvalue4.test 9b40c9be9bdde30fc66cddbfdf6a5af37de4ccac F test/rowvalue4.test 29494f1c66e73329d90027619ee6d22e7ffe0ebf
F test/rowvalue5.test a440d490c8c0bf606034c09d5c6bbf7840b98f95 F test/rowvalue5.test a440d490c8c0bf606034c09d5c6bbf7840b98f95
F test/rowvalue6.test d19b54feb604d5601f8614b15e214e0774c01087 F test/rowvalue6.test d19b54feb604d5601f8614b15e214e0774c01087
F test/rowvalue7.test 5d06ff19d9e6969e574a2e662a531dd0c67801a8 F test/rowvalue7.test 5d06ff19d9e6969e574a2e662a531dd0c67801a8
@ -1522,7 +1522,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
P ed206048484667e4fe6aaeadd65882537d74bd35 P 7d9bd22c0715ede2592ee1fa7ebc215aded1ca1b
R ebdd3ea482059f46220cc36bb6b2e41e R 26e65ef1f9dc6647fee64756ced37096
U dan U dan
Z 13aac770e03afb07d71bee955ff12a59 Z c125d50595ea7cb48721a8bf5a5398c8

2
manifest.uuid
View File

@ -1 +1 @@
7d9bd22c0715ede2592ee1fa7ebc215aded1ca1b 42670935aba152ba774c2a8bdcbe72b943309d68

32
src/expr.c
View File

@ -521,14 +521,9 @@ static void codeVectorCompare(
Vdbe *v = pParse->pVdbe; Vdbe *v = pParse->pVdbe;
Expr *pLeft = pExpr->pLeft; Expr *pLeft = pExpr->pLeft;
Expr *pRight = pExpr->pRight; Expr *pRight = pExpr->pRight;
int nLeft = sqlite3ExprVectorSize(pLeft);
int nRight = sqlite3ExprVectorSize(pRight);
/* Check that both sides of the comparison are vectors, and that if( sqlite3ExprCheckComparison(pParse, pLeft, pRight)==0 ){
** both are the same length. */ int nLeft = sqlite3ExprVectorSize(pLeft);
if( nLeft!=nRight ){
sqlite3ErrorMsg(pParse, "row value misused");
}else{
int i; int i;
int regLeft = 0; int regLeft = 0;
int regRight = 0; int regRight = 0;
@ -2656,6 +2651,29 @@ int sqlite3ExprCheckIN(Parse *pParse, Expr *pIn){
} }
#endif #endif
/*
** Expressions pLeft and pRight are the left and right sides of a comparison
** operator. If either pLeft or pRight is a vector and the other is not, or
** if they are both vectors but of a different size, leave an error message
** in the Parse object and return non-zero. Or, if there is no problem,
** return 0.
*/
int sqlite3ExprCheckComparison(Parse *pParse, Expr *pLeft, Expr *pRight){
int nLeft = sqlite3ExprVectorSize(pLeft);
int nRight = sqlite3ExprVectorSize(pRight);
if( nLeft!=nRight ){
if( (pRight->flags & EP_xIsSelect) ){
sqlite3SubselectError(pParse, nRight, nLeft);
}else if( pLeft->flags & EP_xIsSelect ){
sqlite3SubselectError(pParse, nLeft, nRight);
}else{
sqlite3ErrorMsg(pParse, "row value misused");
}
return 1;
}
return 0;
}
#ifndef SQLITE_OMIT_SUBQUERY #ifndef SQLITE_OMIT_SUBQUERY
/* /*
** Generate code for an IN expression. ** Generate code for an IN expression.

1
src/sqliteInt.h
View File

@ -4009,6 +4009,7 @@ int sqlite3ExprCheckIN(Parse*, Expr*);
#else #else
# define sqlite3ExprCheckIN(x,y) SQLITE_OK # define sqlite3ExprCheckIN(x,y) SQLITE_OK
#endif #endif
int sqlite3ExprCheckComparison(Parse*, Expr*, Expr*);
#ifdef SQLITE_ENABLE_STAT3_OR_STAT4 #ifdef SQLITE_ENABLE_STAT3_OR_STAT4
void sqlite3AnalyzeFunctions(void); void sqlite3AnalyzeFunctions(void);

4
src/whereexpr.c
View File

@ -952,6 +952,10 @@ static void exprAnalyze(
Expr *pRight = sqlite3ExprSkipCollate(pExpr->pRight); Expr *pRight = sqlite3ExprSkipCollate(pExpr->pRight);
u16 opMask = (pTerm->prereqRight & prereqLeft)==0 ? WO_ALL : WO_EQUIV; u16 opMask = (pTerm->prereqRight & prereqLeft)==0 ? WO_ALL : WO_EQUIV;
if( pRight && sqlite3ExprCheckComparison(pParse, pLeft, pRight) ){
return;
}
if( pTerm->iField>0 ){ if( pTerm->iField>0 ){
assert( op==TK_IN ); assert( op==TK_IN );
assert( pLeft->op==TK_VECTOR ); assert( pLeft->op==TK_VECTOR );

2
test/rowvalue4.test
View File

@ -47,6 +47,8 @@ foreach {tn s error} {
6 "SELECT * FROM t1 WHERE (a, b) IN (SELECT * FROM t1)" 6 "SELECT * FROM t1 WHERE (a, b) IN (SELECT * FROM t1)"
{sub-select returns 3 columns - expected 2} {sub-select returns 3 columns - expected 2}
7 "SELECT * FROM t1 WHERE (c, c) <= 1" {row value misused}
8 "SELECT * FROM t1 WHERE (b, b) <= 1" {row value misused}
} { } {
do_catchsql_test 2.$tn "$s" [list 1 $error] do_catchsql_test 2.$tn "$s" [list 1 $error]
} }