Prevent use-after-free of the u.vtab.idxStr string following an OOM

while generating the OP_VFilter opcode. FossilOrigin-Name: 751fe4edb2d4602e652523c2759de3f4fffd29d5c66cae68caf45b30fd8b750a
2025-11-18 10:21:03 +03:00 · 2020-09-17 11:32:14 +00:00
parent f1ea425560
commit bc2e95140b
3 changed files with 10 additions and 7 deletions
--- a/src/wherecode.c
+++ b/src/wherecode.c
@@ -1397,6 +1397,9 @@ Bitmask sqlite3WhereCodeOneLoopStart(
                      pLoop->u.vtab.needFree ? P4_DYNAMIC : P4_STATIC);
    VdbeCoverage(v);
    pLoop->u.vtab.needFree = 0;
+    /* An OOM inside of AddOp4(OP_VFilter) instruction above might have freed
+    ** the u.vtab.idxStr.  NULL it out to prevent a use-after-free */
+    if( db->mallocFailed ) pLoop->u.vtab.idxStr = 0;
    pLevel->p1 = iCur;
    pLevel->op = pWInfo->eOnePass ? OP_Noop : OP_VNext;
    pLevel->p2 = sqlite3VdbeCurrentAddr(v);