Changes to avoid undefined behavior in memset() and memcpy() and in the

comparisons of pointers from different allocations. All problems are found by analysis tools - none have been seen in the wild. FossilOrigin-Name: 901d0b8f3b72e96ffa8e9436993a12980f5ebd51
2025-08-10 01:02:56 +03:00 · 2015-12-08 16:58:45 +00:00
parent ea06a271a4
commit 72ea29d7ae
5 changed files with 20 additions and 11 deletions
--- a/src/expr.c
+++ b/src/expr.c
@@ -853,6 +853,7 @@ static int dupedExprSize(Expr *p, int flags){
 */
 static Expr *exprDup(sqlite3 *db, Expr *p, int flags, u8 **pzBuffer){
  Expr *pNew = 0;                      /* Value to return */
+  assert( flags==0 || flags==EXPRDUP_REDUCE );
  if( p ){
    const int isReduced = (flags&EXPRDUP_REDUCE);
    u8 *zAlloc;
@@ -889,7 +890,9 @@ static Expr *exprDup(sqlite3 *db, Expr *p, int flags, u8 **pzBuffer){
      }else{
        int nSize = exprStructSize(p);
        memcpy(zAlloc, p, nSize);
-        memset(&zAlloc[nSize], 0, EXPR_FULLSIZE-nSize);
+        if( nSize<EXPR_FULLSIZE ){ 
+          memset(&zAlloc[nSize], 0, EXPR_FULLSIZE-nSize);
+        }
      }

      /* Set the EP_Reduced, EP_TokenOnly, and EP_Static flags appropriately. */
@@ -979,6 +982,7 @@ static With *withDup(sqlite3 *db, With *p){
 ** part of the in-memory representation of the database schema.
 */
 Expr *sqlite3ExprDup(sqlite3 *db, Expr *p, int flags){
+  assert( flags==0 || flags==EXPRDUP_REDUCE );
  return exprDup(db, p, flags, 0);
 }
 ExprList *sqlite3ExprListDup(sqlite3 *db, ExprList *p, int flags){