Catch and avoid a 16-bit integer overflow on the number of columns in a

common table expression. This fixes a problem found by OSS-Fuzz. The test case is in TH3. FossilOrigin-Name: 6ee8cb6ae5fd076ec226bb184b5690ba29f9df8cfaef47aaf13336873b4c1f6c
2025-11-12 13:01:09 +03:00 · 2017-10-21 14:17:31 +00:00
parent 316ab93e2c
commit 6fe3733ba9
3 changed files with 8 additions and 7 deletions
--- a/src/select.c
+++ b/src/select.c
@@ -1689,6 +1689,7 @@ int sqlite3ColumnsFromExprList(
    nCol = pEList->nExpr;
    aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*nCol);
    testcase( aCol==0 );
+    if( nCol>32767 ) nCol = 32767;
  }else{
    nCol = 0;
    aCol = 0;