Fix a problem in vdbe.c that could cause a double-free of memory if the

SQLITE_LIMIT_LENGTH is changed after a statement is prepared but before
it is run.  Also remove debugging statements from tkt3841.test. (CVS 6777)

FossilOrigin-Name: 3d7327fd6af983d5ce9bc9a2ba869b23c44cc8e6

diff --git a/manifest b/manifest
index e22c17ad6f440a3416f7bfadd4328355d631f19d..ad0d995ae9cf251499a5e9c4c1963f1a928ea12e 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Use\scaution\sto\savoid\sinteger\soverflow\swhen\sdoing\sreal\sto\sinteger\saffinity\noperations.\s\sTicket\s#3922.\s(CVS\s6776)
-D 2009-06-17T16:20:04
+C Fix\sa\sproblem\sin\svdbe.c\sthat\scould\scause\sa\sdouble-free\sof\smemory\sif\sthe\nSQLITE_LIMIT_LENGTH\sis\schanged\safter\sa\sstatement\sis\sprepared\sbut\sbefore\nit\sis\srun.\s\sAlso\sremove\sdebugging\sstatements\sfrom\stkt3841.test.\s(CVS\s6777)
+D 2009-06-17T21:42:34
 F Makefile.arm-wince-mingw32ce-gcc fcd5e9cd67fe88836360bb4f9ef4cb7f8e2fb5a0
 F Makefile.in 8b8fb7823264331210cddf103831816c286ba446
 F Makefile.linux-gcc d53183f4aa6a9192d249731c90dbdffbd2c68654
@@ -203,7 +203,7 @@ F src/update.c 6ae6c26adff8dc34532d578f66e6cfde04b5d177
 F src/utf.c 9541d28f40441812c0b40f00334372a0542c00ff
 F src/util.c a7e981e032c3c9c0887d50d7e658a33cb355b43d
 F src/vacuum.c 0e14f371ea3326c6b8cfba257286d798cd20db59
-F src/vdbe.c a7b9ad4a1924fae36976391d3945b590066d8a9b
+F src/vdbe.c d382d0d12b4a5145a10c85dfcefa3cff1fa5002d
 F src/vdbe.h 35a648bc3279a120da24f34d9a25213ec15daf8a
 F src/vdbeInt.h 3727128255a93d116e454f67d4559700f7ae4d6f
 F src/vdbeapi.c 619992b16821b989050e8a12e259d795d30731a9
@@ -649,7 +649,7 @@ F test/tkt3793.test 754b73f0e6a9349c70dc57e522cf3247272ecd5d
 F test/tkt3824.test 3da2f5c81b057e3ff355f5dfc9aa0cf0a92e0206
 F test/tkt3832.test 7ebd5ac82d1e430accd5eec9768044133a94c2aa
 F test/tkt3838.test 2a1525946bc9d3751e1d49ce95f3a2472f2b7408
-F test/tkt3841.test fe7451fb899bc31c5fbcee53362c621d0271e25f
+F test/tkt3841.test 4659845bc53f809a5932c61c6ce8c5bb9d6b947f
 F test/tkt3871.test 43ecbc8d90dc83908e2a454aef345acc9d160c6f
 F test/tkt3879.test 2ad5bef2c87e9991ce941e054c31abe26ef7fb90
 F test/tkt3911.test 74cd324f3ba653040cc6d94cc4857b290d12d633
@@ -736,7 +736,7 @@ F tool/speedtest2.tcl ee2149167303ba8e95af97873c575c3e0fab58ff
 F tool/speedtest8.c 2902c46588c40b55661e471d7a86e4dd71a18224
 F tool/speedtest8inst1.c 293327bc76823f473684d589a8160bde1f52c14e
 F tool/vdbe-compress.tcl 672f81d693a03f80f5ae60bfefacd8a349e76746
-P 69eb0ff817cff6266c53b79047bcff5e5d54b618
-R 6181c593f1e99db7e423de696034df8f
+P 392559465d499f491907ef7f42d37a1a6c699511
+R 4f6b7052db49e44ba50de0737b43be98
 U drh
-Z 94cf86f58e243781b10d1003bc255540
+Z cabaf1e4011b7132c3e2e40c4a755bb0

diff --git a/manifest.uuid b/manifest.uuid
index 066932a1078242389079d66ba245a6669c8052d4..18703bf8646fbd3cfc75fd478797e86d11cc4700 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-392559465d499f491907ef7f42d37a1a6c699511
\ No newline at end of file
+3d7327fd6af983d5ce9bc9a2ba869b23c44cc8e6
\ No newline at end of file

diff --git a/src/vdbe.c b/src/vdbe.c
index feb84b0f43d405153be3a3923778d231635aa3c0..3945cbecc7e754b19adc3f2901681ba028cf0a9c 100644 (file)
--- a/src/vdbe.c
+++ b/src/vdbe.c
@@ -43,7 +43,7 @@
 ** in this file for details.  If in doubt, do not deviate from existing
 ** commenting and indentation practices when changing or adding code.
 **
-** $Id: vdbe.c,v 1.852 2009/06/17 16:20:04 drh Exp $
+** $Id: vdbe.c,v 1.853 2009/06/17 21:42:34 drh Exp $
 */
 #include "sqliteInt.h"
 #include "vdbeInt.h"
@@ -908,9 +908,11 @@ case OP_String8: {         /* same as TK_STRING, out2-prerelease */
 
 #ifndef SQLITE_OMIT_UTF16
   if( encoding!=SQLITE_UTF8 ){
-    sqlite3VdbeMemSetStr(pOut, pOp->p4.z, -1, SQLITE_UTF8, SQLITE_STATIC);
+    rc = sqlite3VdbeMemSetStr(pOut, pOp->p4.z, -1, SQLITE_UTF8, SQLITE_STATIC);
+    if( rc==SQLITE_TOOBIG ) goto too_big;
     if( SQLITE_OK!=sqlite3VdbeChangeEncoding(pOut, encoding) ) goto no_mem;
-    if( SQLITE_OK!=sqlite3VdbeMemMakeWriteable(pOut) ) goto no_mem;
+    assert( pOut->zMalloc==pOut->z );
+    assert( pOut->flags & MEM_Dyn );
     pOut->zMalloc = 0;
     pOut->flags |= MEM_Static;
     pOut->flags &= ~MEM_Dyn;
@@ -920,11 +922,6 @@ case OP_String8: {         /* same as TK_STRING, out2-prerelease */
     pOp->p4type = P4_DYNAMIC;
     pOp->p4.z = pOut->z;
     pOp->p1 = pOut->n;
-    if( pOp->p1>db->aLimit[SQLITE_LIMIT_LENGTH] ){
-      goto too_big;
-    }
-    UPDATE_MAX_BLOBSIZE(pOut);
-    break;
   }
 #endif
   if( pOp->p1>db->aLimit[SQLITE_LIMIT_LENGTH] ){

diff --git a/test/tkt3841.test b/test/tkt3841.test
index 3ba5e0afc07fa8061d4a082372724d5d8abe63bb..df6de5c2f3972689f6c8d722804506c3cead5476 100644 (file)
--- a/test/tkt3841.test
+++ b/test/tkt3841.test
@@ -36,7 +36,6 @@ do_test tkt3841.1 {
     INSERT INTO list VALUES ("b", 5);
     INSERT INTO list VALUES ("b", 6);
 
-pragma vdbe_listing=on; pragma vdbe_trace=on;  
     SELECT
       table2.x,
       (SELECT group_concat(list.value)