1
0
mirror of https://github.com/sqlite/sqlite.git synced 2025-08-12 23:22:53 +03:00

Fix a (almost always harmless) read past the end of a memory allocation

that comes about because the Expr.pTab field is checked on an
EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to
know that the Expr.pTab field is meaningless.

FossilOrigin-Name: e098de691002a78270540430b0df1e120582b53f
This commit is contained in:
drh
2015-01-27 13:17:05 +00:00
parent 1466e84187
commit a58d4a9612
4 changed files with 20 additions and 10 deletions

View File

@@ -132,9 +132,9 @@ CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr){
pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken);
break;
}
if( p->pTab!=0
&& (op==TK_AGG_COLUMN || op==TK_COLUMN
if( (op==TK_AGG_COLUMN || op==TK_COLUMN
|| op==TK_REGISTER || op==TK_TRIGGER)
&& p->pTab!=0
){
/* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally
** a TK_COLUMN but was previously evaluated and cached in a register */