
Fix a (almost always harmless) read past the end of a memory allocation

that comes about because the Expr.pTab field is checked on an
EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to
know that the Expr.pTab field is meaningless.

FossilOrigin-Name: e098de691002a78270540430b0df1e120582b53f
drh
2015-01-27 13:17:05 +00:00
parent 1466e84187
commit a58d4a9612
4 changed files with 20 additions and 10 deletions


@ -1,5 +1,5 @@
C The\sva_list\sargument\scannot\stake\son\sa\sNULL\svalue\sand\scannot\sbe\scompared\swith\nNULL\son\ssome\splatforms\s(ex:\sARM).\s\sSo\sdo\snot\sattempt\sto\sdo\sso. C Fix\sa\s(almost\salways\sharmless)\sread\spast\sthe\send\sof\sa\smemory\sallocation\nthat\scomes\sabout\sbecause\sthe\sExpr.pTab\sfield\sis\schecked\son\san\nEXPR_REDUCEDSIZE\sExpr\sobject\sbefore\schecking\sthe\sExpr.op\sfield\sto\nknow\sthat\sthe\sExpr.pTab\sfield\sis\smeaningless.
D 2015-01-25T20:19:53.843 D 2015-01-27T13:17:05.225
F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
F Makefile.in 5407a688f4d77a05c18a8142be8ae5a2829dd610 F Makefile.in 5407a688f4d77a05c18a8142be8ae5a2829dd610
F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@ -182,7 +182,7 @@ F src/complete.c 198a0066ba60ab06fc00fba1998d870a4d575463
F src/ctime.c 98f89724adc891a1a4c655bee04e33e716e05887 F src/ctime.c 98f89724adc891a1a4c655bee04e33e716e05887
F src/date.c e4d50b3283696836ec1036b695ead9a19e37a5ac F src/date.c e4d50b3283696836ec1036b695ead9a19e37a5ac
F src/delete.c bd1a91ddd247ce13004075251e0b7fe2bf9925ef F src/delete.c bd1a91ddd247ce13004075251e0b7fe2bf9925ef
F src/expr.c 33a4518b2c786903cb185dbdc66e071ac38d467e F src/expr.c abe930897ccafae3819fd2855cbc1b00c262fd12
F src/fault.c 160a0c015b6c2629d3899ed2daf63d75754a32bb F src/fault.c 160a0c015b6c2629d3899ed2daf63d75754a32bb
F src/fkey.c e0444b61bed271a76840cbe6182df93a9baa3f12 F src/fkey.c e0444b61bed271a76840cbe6182df93a9baa3f12
F src/func.c 6d3c4ebd72aa7923ce9b110a7dc15f9b8c548430 F src/func.c 6d3c4ebd72aa7923ce9b110a7dc15f9b8c548430
@ -734,7 +734,7 @@ F test/minmax.test 42fbad0e81afaa6e0de41c960329f2b2c3526efd
F test/minmax2.test b44bae787fc7b227597b01b0ca5575c7cb54d3bc F test/minmax2.test b44bae787fc7b227597b01b0ca5575c7cb54d3bc
F test/minmax3.test cc1e8b010136db0d01a6f2a29ba5a9f321034354 F test/minmax3.test cc1e8b010136db0d01a6f2a29ba5a9f321034354
F test/minmax4.test 936941484ebdceb8adec7c86b6cd9b6e5e897c1f F test/minmax4.test 936941484ebdceb8adec7c86b6cd9b6e5e897c1f
F test/misc1.test 1201a037c24f982cc0e956cdaa34fcaf6439c417 F test/misc1.test 4864f2834b203cad7f688df8a5f725e4bab08029
F test/misc2.test 00d7de54eda90e237fc9a38b9e5ccc769ebf6d4d F test/misc2.test 00d7de54eda90e237fc9a38b9e5ccc769ebf6d4d
F test/misc3.test cf3dda47d5dda3e53fc5804a100d3c82be736c9d F test/misc3.test cf3dda47d5dda3e53fc5804a100d3c82be736c9d
F test/misc4.test 9c078510fbfff05a9869a0b6d8b86a623ad2c4f6 F test/misc4.test 9c078510fbfff05a9869a0b6d8b86a623ad2c4f6
@ -1237,7 +1237,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
P 2a9ea9b4a7d6904efb2112e32efe84123dfa75d7 P 1964e656b4b420e8d6a4ba12d270ed02db292b88
R c61f1e2c587edb0aaed1944a39bd65a6 R 5d4aecd212970d14e41b3c7464003655
U drh U drh
Z 4e92b2f1fb46383d9f32b9035c98c869 Z 469718f07e1956a0a1c83ab2938852ec


@ -1 +1 @@
1964e656b4b420e8d6a4ba12d270ed02db292b88 e098de691002a78270540430b0df1e120582b53f


@ -132,9 +132,9 @@ CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr){
pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken); pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken);
break; break;
} }
if( p->pTab!=0 if( (op==TK_AGG_COLUMN || op==TK_COLUMN
&& (op==TK_AGG_COLUMN || op==TK_COLUMN
|| op==TK_REGISTER || op==TK_TRIGGER) || op==TK_REGISTER || op==TK_TRIGGER)
&& p->pTab!=0
){ ){
/* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally /* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally
** a TK_COLUMN but was previously evaluated and cached in a register */ ** a TK_COLUMN but was previously evaluated and cached in a register */
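Review bot: The reordered condition `if( (op==TK_AGG_COLUMN || op==TK_COLUMN || op==TK_REGISTER || op==TK_TRIGGER) && p->pTab!=0 ){` is now load-bearing, but nothing in the code says so: the `p->pTab` read is safe only because `&&` short-circuits when `op` is not one of the listed values, and a later tidy-up that swaps the operands back would silently reintroduce the over-read the commit message describes. A comment above the `if` would pin the order: `/* Test op before p->pTab: on an EXPR_REDUCEDSIZE Expr the pTab field lies past the allocation and may be read only once op says this Expr carries a pTab. */`. The ordering also presumes that no Expr with one of these four ops is ever duplicated at reduced size; that is not visible here and is worth confirming against the reducing code, since the operand order alone cannot protect a reduced TK_COLUMN. sqlite3ExprCollSeq begins before and continues after this hunk.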


@ -621,4 +621,14 @@ do_test misc1-19.2 {
set fault_callbacks set fault_callbacks
} {0} } {0}
# 2015-01-26: Valgrind-detected over-read.
# Reported on sqlite-users@sqlite.org by Michal Zalewski. Found by afl-fuzz
# presumably.
#
do_execsql_test misc1-20.1 {
CREATE TABLE t0(x INTEGER DEFAULT(0==0) NOT NULL);
REPLACE INTO t0(x) VALUES('');
SELECT rowid, quote(x) FROM t0;
} {1 ''}
finish_test finish_test
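Review bot: The new test misc1-20.1 asserts only the query result `{1 ''}`, which, if the commit message's "almost always harmless" holds, is the same before and after the fix, so an ordinary test run cannot fail on a regression; the over-read is only observable when the suite runs under valgrind or a memory sanitizer. The header comment should say so, so a green result is not read as proof the bug is gone: `# Result is unchanged by the fix; the over-read is only detected under valgrind or a sanitizer.` If the test suite has a valgrind configuration, this case presumably needs to be part of it to be useful, since the original report depended on that tooling.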