Fix three crash problems discovered by afl-fuzz.

Ticket [a59ae93ee990a55].

FossilOrigin-Name: fe5788633131281a0f27c5b75993ce2ff958bfeb

diff --git a/manifest b/manifest
index 3fb84faf9ce5ed62ff19d62a0ba001af7baadc14..31bf9fc12674351386141a418f07ad6469e0ed0a 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\sthe\s"ascii"\smode\sto\sthe\scommand-line\sshell.
-D 2015-01-09T00:38:06.225
+C Fix\sthree\scrash\sproblems\sdiscovered\sby\safl-fuzz.\nTicket\s[a59ae93ee990a55].
+D 2015-01-09T01:27:29.636
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in b40b4c2a3a187c41ee657d3f0e0e0dfe8fd860b5
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -180,9 +180,9 @@ F src/build.c f5cfd7b32216f695b995bbc7c1a395f6d451d11f
 F src/callback.c 7b44ce59674338ad48b0e84e7b72f935ea4f68b0
 F src/complete.c 198a0066ba60ab06fc00fba1998d870a4d575463
 F src/ctime.c df19848891c8a553c80e6f5a035e768280952d1a
-F src/date.c 93594514aae68de117ca4a2a0d6cc63eddf26744
+F src/date.c 53cedb541686b30eb5495753f0b622909a928780
 F src/delete.c 0750b1eb4d96cd3fb2c798599a3a7c85e92f1417
-F src/expr.c 00da3072f362b06f39ce4052baa1d4ce2bb36d1c
+F src/expr.c 7be80f7dc337329a24df45c2f3bdb2ea3b64c90e
 F src/fault.c 160a0c015b6c2629d3899ed2daf63d75754a32bb
 F src/fkey.c e0444b61bed271a76840cbe6182df93a9baa3f12
 F src/func.c 6d3c4ebd72aa7923ce9b110a7dc15f9b8c548430
@@ -619,7 +619,7 @@ F test/func4.test 6beacdfcb0e18c358e6c2dcacf1b65d1fa80955f
 F test/func5.test cdd224400bc3e48d891827cc913a57051a426fa4
 F test/fuzz-oss1.test 4912e528ec9cf2f42134456933659d371c9e0d74
 F test/fuzz.test 96083052bf5765e4518c1ba686ce2bab785670d1
-F test/fuzz2.test 207d0f9d06db3eaf47a6b7bfc835b8e2fc397167
+F test/fuzz2.test b34fe575aa10292135421ff4bf315de4cde7824a
 F test/fuzz3.test efd384b896c647b61a2c1848ba70d42aad60a7b3
 F test/fuzz_common.tcl a87dfbb88c2a6b08a38e9a070dabd129e617b45b
 F test/fuzz_malloc.test 328f70aaca63adf29b4c6f06505ed0cf57ca7c26
@@ -1235,8 +1235,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 662932a69a0f69b7227cc05b75a9f1637a3862f4 ea99f4b29afb98dd474d96889c934763f5636891
-R 3f8d7ef6dd5f06bcfd99bf945267e110
-T +closed ea99f4b29afb98dd474d96889c934763f5636891
+P e1518a9478e1ce1ebd98894335e64c953064367f
+R 0672c0c00968fffbda70996e37c442f8
 U drh
-Z 1642395151124fe3b880675afbc572b4
+Z 8756c3c12d1aed88e2c7a41409182fc3

diff --git a/manifest.uuid b/manifest.uuid
index 1fa5f45fe0c0d5011c8eabce7097fcc386fe6bd3..833f237c5e635f29d654420ddabcc1caa4a469f2 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-e1518a9478e1ce1ebd98894335e64c953064367f
\ No newline at end of file
+fe5788633131281a0f27c5b75993ce2ff958bfeb
\ No newline at end of file

diff --git a/src/date.c b/src/date.c
index 10d900626308256a477d8b66892167e83e126dec..d19b633608600e9a9134f78a35ae4de4866fa30a 100644 (file)
--- a/src/date.c
+++ b/src/date.c
@@ -895,8 +895,10 @@ static void strftimeFunc(
   size_t i,j;
   char *z;
   sqlite3 *db;
-  const char *zFmt = (const char*)sqlite3_value_text(argv[0]);
+  const char *zFmt;
   char zBuf[100];
+  if( argc==0 ) return;
+  zFmt = (const char*)sqlite3_value_text(argv[0]);
   if( zFmt==0 || isDate(context, argc-1, argv+1, &x) ) return;
   db = sqlite3_context_db_handle(context);
   for(i=0, n=1; zFmt[i]; i++, n++){

diff --git a/src/expr.c b/src/expr.c
index 817975ab3aaca137d3e39a7a66c0a58f05b7140a..32adedf9bfb642fbc4354c4d420eda38d13a3985 100644 (file)
--- a/src/expr.c
+++ b/src/expr.c
@@ -515,7 +515,7 @@ Expr *sqlite3PExpr(
   const Token *pToken     /* Argument token */
 ){
   Expr *p;
-  if( op==TK_AND && pLeft && pRight ){
+  if( op==TK_AND && pLeft && pRight && pParse->nErr==0 ){
     /* Take advantage of short-circuit false optimization for AND */
     p = sqlite3ExprAnd(pParse->db, pLeft, pRight);
   }else{
@@ -4069,10 +4069,11 @@ static int exprSrcCount(Walker *pWalker, Expr *pExpr){
     int i;
     struct SrcCount *p = pWalker->u.pSrcCount;
     SrcList *pSrc = p->pSrc;
-    for(i=0; i<pSrc->nSrc; i++){
+    int nSrc = pSrc ? pSrc->nSrc : 0;
+    for(i=0; i<nSrc; i++){
       if( pExpr->iTable==pSrc->a[i].iCursor ) break;
     }
-    if( i<pSrc->nSrc ){
+    if( i<nSrc ){
       p->nThis++;
     }else{
       p->nOther++;

diff --git a/test/fuzz2.test b/test/fuzz2.test
index 989b00f056afe1bf3b5e21c0d540e62d4eaa54fd..4b3fb72e2dace82f856d871966668d8f059305fe 100644 (file)
--- a/test/fuzz2.test
+++ b/test/fuzz2.test
@@ -12,7 +12,6 @@
 #
 # This file checks error recovery from malformed SQL strings.
 #
-# $Id: fuzz2.test,v 1.3 2007/05/15 16:51:37 drh Exp $
 
 set testdir [file dirname $argv0]
 source $testdir/tester.tcl
@@ -105,4 +104,26 @@ do_test fuzz2-5.5 {
   fuzzcatch {SELECT ALL * GROUP BY EXISTS ( SELECT "AAAAAA" . * , AAAAAA ( * ) AS AAAAAA FROM "AAAAAA" . "AAAAAA" AS "AAAAAA" USING ( AAAAAA , "AAAAAA" , "AAAAAA" ) WHERE AAAAAA ( DISTINCT ) - RAISE ( FAIL , "AAAAAA" ) HAVING "AAAAAA" . "AAAAAA" . AAAAAA ORDER BY #182 , #55 ) BETWEEN EXISTS ( SELECT ALL * FROM ( ( }
 } {1}
 
+# Test cases discovered by Michal Zalewski on 2015-01-03 and reported on the
+# sqlite-users mailing list.  All of these cases cause segfaults in 
+# SQLite 3.8.7.4 and earlier.
+#
+do_test fuzz2-6.1 {
+  catchsql {SELECT n()AND+#0;}
+} {1 {near "#0": syntax error}}
+do_test fuzz2-6.2 {
+  catchsql {SELECT strftime()}
+} {0 {{}}}
+do_test fuzz2-6.3 {
+  catchsql {DETACH(SELECT group_concat(q));}
+} {1 {no such column: q}}
+do_test fuzz2-6.4a {
+  db eval {DROP TABLE IF EXISTS t0; CREATE TABLE t0(t);}
+  catchsql {INSERT INTO t0 SELECT strftime();}
+} {0 {}}
+do_test fuzz2-6.4b {
+  db eval {SELECT quote(t) FROM t0} 
+} {NULL}
+
+
 finish_test