database/sqlite
1
0
Fork 0
mirror of https://github.com/sqlite/sqlite.git synced 2025-11-09 14:21:03 +03:00
Code Activity

Fix a potential UAF caused by JSON parser cache spill.

Browse Source 
[forum:/forumpost/b25edc1d46|Forum post b25edc1d46].

FossilOrigin-Name: a163fecca90cab9d1b7bf8ebac78d498775eed7b6d81e7920e3401633c3a4b60
This commit is contained in:
drh
2023-10-09 12:46:53 +00:00
parent 66dacae4c3
commit faef28e6bd
4 changed files with 38 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/json.c
View File

@@ -2902,6 +2902,7 @@ static void jsonReplaceFunc(
}
pParse = jsonParseCached(ctx, argv[0], ctx, argc>1);
if( pParse==0 ) return;
pParse->nJPRef++;
for(i=1; i<(u32)argc; i+=2){
zPath = (const char*)sqlite3_value_text(argv[i]);
pParse->useMod = 1;
@@ -2914,6 +2915,7 @@ static void jsonReplaceFunc(
jsonReturnJson(pParse, pParse->aNode, ctx, 1);
replace_err:
jsonDebugPrintParse(pParse);
jsonParseFree(pParse);
}
@@ -2948,6 +2950,7 @@ static void jsonSetFunc(
}
pParse = jsonParseCached(ctx, argv[0], ctx, argc>1);
if( pParse==0 ) return;
pParse->nJPRef++;
for(i=1; i<(u32)argc; i+=2){
zPath = (const char*)sqlite3_value_text(argv[i]);
bApnd = 0;
@@ -2964,9 +2967,8 @@ static void jsonSetFunc(
}
jsonDebugPrintParse(pParse);
jsonReturnJson(pParse, pParse->aNode, ctx, 1);
jsonSetDone:
/* no cleanup required */;
jsonParseFree(pParse);
}
/*