Prevent use-after-free of the u.vtab.idxStr string following an OOM

while generating the OP_VFilter opcode. FossilOrigin-Name: 751fe4edb2d4602e652523c2759de3f4fffd29d5c66cae68caf45b30fd8b750a
2025-11-18 10:21:03 +03:00 · 2020-09-17 11:32:14 +00:00
parent f1ea425560
commit bc2e95140b
3 changed files with 10 additions and 7 deletions
--- a/12
+++ b/12
@@ -1,5 +1,5 @@
-C DISTINCT\smay\snot\sbe\signored\sinside\sa\sUNION\sALL\scommon\stable\sexpression.\nFix\sfor\sticket\s[c51489c3b8f919c5]
+C Prevent\suse-after-free\sof\sthe\su.vtab.idxStr\sstring\sfollowing\san\sOOM\nwhile\sgenerating\sthe\sOP_VFilter\sopcode.
-D 2020-09-17T00:46:09.055
+D 2020-09-17T11:32:14.578
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -624,7 +624,7 @@ F src/wal.h c3aa7825bfa2fe0d85bef2db94655f99870a285778baa36307c0a16da32b226a
 F src/walker.c 3df26a33dc4f54e8771600fb7fdebe1ece0896c2ad68c30ab40b017aa4395049
 F src/where.c 23f47e845e304a41d0b221bf67bd170014ae08b673076813fcd945dda1a3d4af
 F src/whereInt.h eb8c2847fb464728533777efec1682b3c074224293b2da73513c61a609efbeab
-F src/wherecode.c 8b1176a3b7d4d61f78b0516bb7f6bb3803c658a6565663b8414c3b5d37a02eaa
+F src/wherecode.c 9afd600ca9fe831f342121cca48ad8839c8a18ca4e0372518a0a3c8123a8f022
 F src/whereexpr.c 264d58971eaf8256eb5b0917bcd7fc7a1f1109fdda183a8382308a1b18a2dce7
 F src/window.c edd6f5e25a1e8f2b6f5305b7f5f7da7bb35f07f0d432b255b1d4c2fcab4205aa
 F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
@@ -1880,7 +1880,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 9ea3039b538ffd0f348c8fbc9452af1fbf899a1f668af9a2404bdd0f8dd21351
+P 7d2b590d3abd66a7e6ae9046198eb669e0fd2f223f7691281e9ad795a12b8903
-R 5bf1eaed1b0f62e19f1e327d7467bbe1
+R 64b915f5a215a95424570ee566dcd81b
 U drh
-Z 6e1d5387493b3a726ae70a6af2467d64
+Z ee1bdda50dc146e98a6a3caca7097de2
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-7d2b590d3abd66a7e6ae9046198eb669e0fd2f223f7691281e9ad795a12b8903
+751fe4edb2d4602e652523c2759de3f4fffd29d5c66cae68caf45b30fd8b750a
--- a/src/wherecode.c
+++ b/src/wherecode.c
@@ -1397,6 +1397,9 @@ Bitmask sqlite3WhereCodeOneLoopStart(
                      pLoop->u.vtab.needFree ? P4_DYNAMIC : P4_STATIC);
    VdbeCoverage(v);
    pLoop->u.vtab.needFree = 0;
    /* An OOM inside of AddOp4(OP_VFilter) instruction above might have freed
    ** the u.vtab.idxStr.  NULL it out to prevent a use-after-free */
    if( db->mallocFailed ) pLoop->u.vtab.idxStr = 0;
    pLevel->p1 = iCur;
    pLevel->op = pWInfo->eOnePass ? OP_Noop : OP_VNext;
    pLevel->p2 = sqlite3VdbeCurrentAddr(v);
		`@@ -1 +1 @@`
			`7d2b590d3abd66a7e6ae9046198eb669e0fd2f223f7691281e9ad795a12b8903`				`751fe4edb2d4602e652523c2759de3f4fffd29d5c66cae68caf45b30fd8b750a`