Fixes to the substr() SQL function so that it can handle ridiculously large

numbers in its 2nd and 3rd arguments without signed integer overflows. FossilOrigin-Name: c1de8f916ea617109a903c436c57d082756fbb2b933ba9ce6998b9b912b12dea
2025-10-21 11:13:54 +03:00 · 2024-12-28 12:32:01 +00:00
parent 9591d3fe93
commit e0190a6984
3 changed files with 18 additions and 19 deletions
--- a/src/func.c
+++ b/src/func.c
@@ -354,7 +354,6 @@ static void substrFunc(
  int len;
  int p0type;
  i64 p1, p2;
-  int negP2 = 0;

  assert( argc==3 || argc==2 );
  if( sqlite3_value_type(argv[1])==SQLITE_NULL
@@ -389,18 +388,17 @@ static void substrFunc(
 #endif
  if( argc==3 ){
    p2 = sqlite3_value_int64(argv[2]);
-    if( p2<0 ){
-      p2 = -p2;
-      negP2 = 1;
-    }
  }else{
    p2 = sqlite3_context_db_handle(context)->aLimit[SQLITE_LIMIT_LENGTH];
  }
  if( p1<0 ){
    p1 += len;
    if( p1<0 ){
-      p2 += p1;
-      if( p2<0 ) p2 = 0;
+      if( p2<0 ){
+        p2 = 0;
+      }else{
+        p2 += p1;
+      }
      p1 = 0;
    }
  }else if( p1>0 ){
@@ -408,12 +406,13 @@ static void substrFunc(
  }else if( p2>0 ){
    p2--;
  }
-  if( negP2 ){
-    p1 -= p2;
-    if( p1<0 ){
-      p2 += p1;
-      p1 = 0;
+  if( p2<0 ){
+    if( p2<-p1 ){
+      p2 = p1;
+    }else{
+      p2 = -p2;
    }
+    p1 -= p2;
  }
  assert( p1>=0 && p2>=0 );
  if( p0type!=SQLITE_BLOB ){