Fix an obscure memory leak found by libfuzzer that may occur under some circumstances if expanding a "*" expression causes a SELECT to return more than 32767 columns.

FossilOrigin-Name: 60de5f23424552c98aa760ac89149a3d51f895be
2025-11-12 13:01:09 +03:00 · 2015-11-21 19:43:29 +00:00
parent 62aaa6ca88
commit 8836cbbcb4
4 changed files with 22 additions and 9 deletions
--- a/src/select.c
+++ b/src/select.c
@@ -1613,6 +1613,7 @@ int sqlite3ColumnsFromExprList(
    nCol = 0;
    aCol = 0;
  }
+  assert( nCol==(i16)nCol );
  *pnCol = nCol;
  *paCol = aCol;

@@ -4455,6 +4456,7 @@ static int selectExpander(Walker *pWalker, Select *p){
 #if SQLITE_MAX_COLUMN
  if( p->pEList && p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){
    sqlite3ErrorMsg(pParse, "too many columns in result set");
+    return WRC_Abort;
  }
 #endif
  return WRC_Continue;