Fix an obscure memory leak found by libfuzzer that may occur under some circumstances if expanding a "*" expression causes a SELECT to return more than 32767 columns.

FossilOrigin-Name: 60de5f23424552c98aa760ac89149a3d51f895be
2025-11-12 13:01:09 +03:00 · 2015-11-21 19:43:29 +00:00
parent 62aaa6ca88
commit 8836cbbcb4
4 changed files with 22 additions and 9 deletions
--- a/16
+++ b/16
@@ -1,5 +1,5 @@
-C Fix\sover-length\ssource\scode\slines.\s\sNo\slogic\schanges.
-D 2015-11-21T17:27:42.127
+C Fix\san\sobscure\smemory\sleak\sfound\sby\slibfuzzer\sthat\smay\soccur\sunder\ssome\scircumstances\sif\sexpanding\sa\s"*"\sexpression\scauses\sa\sSELECT\sto\sreturn\smore\sthan\s32767\scolumns.
+D 2015-11-21T19:43:29.760
 F Makefile.in d828db6afa6c1fa060d01e33e4674408df1942a1
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc e928e68168df69b353300ac87c10105206653a03
@@ -339,7 +339,7 @@ F src/printf.c f8fc8f04e75b1e983ef2793c27ec7a43b287e94a
 F src/random.c ba2679f80ec82c4190062d756f22d0c358180696
 F src/resolve.c f4c897ca76ca6d5e0b3f0499c627392ffe657c8e
 F src/rowset.c eccf6af6d620aaa4579bd3b72c1b6395d9e9fa1e
-F src/select.c 0495e86f8377026fbd529a1a5bf62046cbb6eec5
+F src/select.c e10586c750d87211caa8f4b239e2bfa6a2049e5b
 F src/shell.c f0f59ea60ad297f671b7ae0fb957a736ad17c92c
 F src/sqlite.h.in fa62718f73553f06b2f2e362fd09ccb4e1cbb626
 F src/sqlite3.rc 992c9f5fb8285ae285d6be28240a7e8d3a7f2bad
@@ -1038,7 +1038,7 @@ F test/speedtest1.c f8bf04214e7b5f745feea99f7bde68b1c4870666
 F test/spellfix.test 0597065ff57042df1f138e6a2611ae19c2698135
 F test/spellfix2.test dfc8f519a3fc204cb2dfa8b4f29821ae90f6f8c3
 F test/sqldiff1.test 8f6bc7c6a5b3585d350d779c6078869ba402f8f5
-F test/sqllimits1.test 89b3d5aad05b99f707ee3786bdd4416dccf83304
+F test/sqllimits1.test a74ee2a3740b9f9c2437c246d8fb77354862a142
 F test/sqllog.test a8faa2df39610a037dd372ed872d124260d32953
 F test/stat.test 8de91498c99f5298b303f70f1d1f3b9557af91bf
 F test/statfault.test f525a7bf633e50afd027700e9a486090684b1ac1
@@ -1404,7 +1404,7 @@ F tool/vdbe_profile.tcl 246d0da094856d72d2c12efec03250d71639d19f
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 48bd54594752d5be3337f12c72f28d2080cb630b
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P ff5716b89f99d9c4568a39f1f52524528a631623
-R 558d15295cc22b403e8d5cb8c3ebd48a
-U drh
-Z 0a3988f827c1f289bd36fdbbf324f548
+P 198d191b2f5ef7d63ac0093c701955c9052fd734
+R 8ed8d9e954ea81e19ae35a6836359b00
+U dan
+Z f96d100152be981f85597b50bc9a8134
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-198d191b2f5ef7d63ac0093c701955c9052fd734
+60de5f23424552c98aa760ac89149a3d51f895be
--- a/src/select.c
+++ b/src/select.c
@@ -1613,6 +1613,7 @@ int sqlite3ColumnsFromExprList(
    nCol = 0;
    aCol = 0;
  }
+  assert( nCol==(i16)nCol );
  *pnCol = nCol;
  *paCol = aCol;

@@ -4455,6 +4456,7 @@ static int selectExpander(Walker *pWalker, Select *p){
 #if SQLITE_MAX_COLUMN
  if( p->pEList && p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){
    sqlite3ErrorMsg(pParse, "too many columns in result set");
+    return WRC_Abort;
  }
 #endif
  return WRC_Continue;
--- a/test/sqllimits1.test
+++ b/test/sqllimits1.test
@@ -874,6 +874,17 @@ do_test sqllimits1-16.2 {
  }
 } {1 {string or blob too big}}

+do_catchsql_test sqllimits1.17.0 {
+  SELECT *,*,*,*,*,*,*,* FROM (
+  SELECT *,*,*,*,*,*,*,* FROM (
+  SELECT *,*,*,*,*,*,*,* FROM (
+  SELECT *,*,*,*,*,*,*,* FROM (
+  SELECT *,*,*,*,*,*,*,* FROM (
+    SELECT 1,2,3,4,5,6,7,8,9,10
+  )
+  ))))
+} "1 {too many columns in result set}"
+

 foreach {key value} [array get saved] {
  catch {set $key $value}