Improved defenses against integer overflow when computing the size of a

memory allocations.  No bugs were fixed here.  But perhaps future bugs will
be prevented.

FossilOrigin-Name: eb878c01f317f09e8ef6b1bd2ec8d6d5cd6ce0bdfe9da7fa7d92d2047cc9d9e4

diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 046ec7bcd18726a259ae9e5ef90fed335074db30..54efb340c37b1f0b1fdeb0dc3e932fa3af55e48c 100644 (file)
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -850,7 +850,7 @@ int sqlite3Fts5StructureTest(Fts5Index *p, void *pStruct){
 static void fts5StructureMakeWritable(int *pRc, Fts5Structure **pp){
   Fts5Structure *p = *pp;
   if( *pRc==SQLITE_OK && p->nRef>1 ){
-    int nByte = sizeof(Fts5Structure)+(p->nLevel-1)*sizeof(Fts5StructureLevel);
+    i64 nByte = sizeof(Fts5Structure)+(p->nLevel-1)*sizeof(Fts5StructureLevel);
     Fts5Structure *pNew;
     pNew = (Fts5Structure*)sqlite3Fts5MallocZero(pRc, nByte);
     if( pNew ){

diff --git a/ext/fts5/fts5_vocab.c b/ext/fts5/fts5_vocab.c
index 148af565e1cfa5cc5c5752f76a604854cfc47ab3..18774c4e4aaa113342c9f50db8acfc7b6a45e93c 100644 (file)
--- a/ext/fts5/fts5_vocab.c
+++ b/ext/fts5/fts5_vocab.c
@@ -374,7 +374,7 @@ static int fts5VocabOpenMethod(
   }
 
   if( rc==SQLITE_OK ){
-    int nByte = pFts5->pConfig->nCol * sizeof(i64)*2 + sizeof(Fts5VocabCursor);
+    i64 nByte = pFts5->pConfig->nCol * sizeof(i64)*2 + sizeof(Fts5VocabCursor);
     pCsr = (Fts5VocabCursor*)sqlite3Fts5MallocZero(&rc, nByte);
   }
 

diff --git a/manifest b/manifest
index c582b63837f37a63c5a845cc6fef9200ab7052d8..9e795e46dbb7be1713afe9073f382189c5fb36f1 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fixes\sto\sinternal\scomments.\s\sNo\schanges\sto\scode\sor\sdocumentation.
-D 2021-11-26T15:08:55.132
+C Improved\sdefenses\sagainst\sinteger\soverflow\swhen\scomputing\sthe\ssize\sof\sa\nmemory\sallocations.\s\sNo\sbugs\swere\sfixed\shere.\s\sBut\sperhaps\sfuture\sbugs\swill\nbe\sprevented.
+D 2021-11-26T17:10:18.515
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -119,7 +119,7 @@ F ext/fts5/fts5_buffer.c 3001fbabb585d6de52947b44b455235072b741038391f830d6b7292
 F ext/fts5/fts5_config.c 501e7d3566bc92766b0e11c0109a7c5a6146bc41144195459af5422f6c2078aa
 F ext/fts5/fts5_expr.c fcd0770d53028c2b53a15d0f53bf6d0e01b1bf3dd97630b9fedf0801f03aa3ec
 F ext/fts5/fts5_hash.c d4fb70940359f2120ccd1de7ffe64cc3efe65de9e8995b822cd536ff64c96982
-F ext/fts5/fts5_index.c 037b12ca0a29761b3308f2b8e3505edec8c2b8e178577d96ee88b6a1e27e2a00
+F ext/fts5/fts5_index.c a3ada4897c3b14b8a15a8695d2cb3a46b5761137aae0964fc44efe96a877ddd0
 F ext/fts5/fts5_main.c 7c6092a53e6802962fa07b0fad3e61cb077b6c98b74b727d8d44ac2cf63bd914
 F ext/fts5/fts5_storage.c 76c6085239eb44424004c022e9da17a5ecd5aaec859fba90ad47d3b08f4c8082
 F ext/fts5/fts5_tcl.c b1445cbe69908c411df8084a10b2485500ac70a9c747cdc8cda175a3da59d8ae
@@ -128,7 +128,7 @@ F ext/fts5/fts5_test_tok.c a2bed8edb25f6432e8cdb62aad5916935c19dba8dac2b8324950c
 F ext/fts5/fts5_tokenize.c 5e251efb0f1af99a25ed50010ba6b1ad1250aca5921af1988fdcabe5ebc3cb43
 F ext/fts5/fts5_unicode2.c eca63dbc797f8ff0572e97caf4631389c0ab900d6364861b915bdd4735973f00
 F ext/fts5/fts5_varint.c e64d2113f6e1bfee0032972cffc1207b77af63319746951bf1d09885d1dadf80
-F ext/fts5/fts5_vocab.c 925a05c891edf6abd0ac4fdf4dc998c4c13bf6612d0b6c4102157bc459c0c86b
+F ext/fts5/fts5_vocab.c 12138e84616b56218532e3e8feb1d3e0e7ae845e33408dbe911df520424dc9d6
 F ext/fts5/fts5parse.y eb526940f892ade5693f22ffd6c4f2702543a9059942772526eac1fde256bb05
 F ext/fts5/mkportersteps.tcl 5acf962d2e0074f701620bb5308155fa1e4a63ba
 F ext/fts5/test/fts5_common.tcl b01c584144b5064f30e6c648145a2dd6bc440841
@@ -494,7 +494,7 @@ F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6
 F src/btree.c 13b965a0f3cd57221e3b4e61e24452ec264a5b163de347b03b5039ddcd95cd54
 F src/btree.h 74d64b8f28cfa4a894d14d4ed64fa432cd697b98b61708d4351482ae15913e22
 F src/btreeInt.h ee9348c4cb9077243b049edc93a82c1f32ca48baeabf2140d41362b9f9139ff7
-F src/build.c 1b41a6417e5bb260a5988588764863229905b07b3e9a47878030a1c92d49010f
+F src/build.c c46bd4f5a69f398410c4472f7c1c4291fb8078d2c9758a2dad5916edd1d30ecc
 F src/callback.c 106b585da1edd57d75fa579d823a5218e0bf37f191dbf7417eeb4a8a9a267dbc
 F src/complete.c a3634ab1e687055cd002e11b8f43eb75c17da23e
 F src/ctime.c 8159d5f706551861c18ec6c8f6bdf105e15ea00367f05d9ab65d31a1077facc1
@@ -502,7 +502,7 @@ F src/date.c fa928630fecf1d436cdc7a7a5c950c781709023ca782c21b7a43cc7361a9451e
 F src/dbpage.c 8a01e865bf8bc6d7b1844b4314443a6436c07c3efe1d488ed89e81719047833a
 F src/dbstat.c 861e08690fcb0f2ee1165eff0060ea8d4f3e2ea10f80dab7d32ad70443a6ff2d
 F src/delete.c 0c151975fa99560767d7747f9b60543d0093d9f8b89f13d2d6058e9c83ad19e7
-F src/expr.c 89c4a225af2ccf5e7f1d53a70170c405036c63cc55130467e013ec9553261cb1
+F src/expr.c 4b6dfb224b6234ff4f529023993b503048e1b045ff49cbb911e7d28a28cca795
 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007
 F src/fkey.c 187b67af20c5795953a592832c5d985e4313fe503ebd8f95e3e9e9ad5a730bb5
 F src/func.c 1cfb09d7ffca81238eccefdb0293e1f5b7cfebbd1816dfad5ec6024742a7496b
@@ -550,7 +550,7 @@ F src/printf.c 5901672228f305f7d493cbc4e7d76a61a5caecdbc1cd06b1f9ec42ea4265cf8d
 F src/random.c 097dc8b31b8fba5a9aca1697aeb9fd82078ec91be734c16bffda620ced7ab83c
 F src/resolve.c 4a1db4aadd802683db40ca2dbbb268187bd195f10cbdb7206dbd8ac988795571
 F src/rowset.c ba9515a922af32abe1f7d39406b9d35730ed65efab9443dc5702693b60854c92
-F src/select.c 335db0c2e009ca251fd5647e1d4769da2bb1bca899e3efcd31ad9e14b8ae9de8
+F src/select.c a7a3d9f54eb24821ec5f67f2e5589b68a5d42d46fc5849d7376886777d93a85a
 F src/shell.c.in 975f268ef261773fcbed1e519dfa10c4f33e8b1cffc12120563e61857fff07c6
 F src/sqlite.h.in 5cd209ac7dc4180f0e19292846f40440b8488015849ca0110c70b906b57d68f0
 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
@@ -1933,7 +1933,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 654e6cf8ab493d48b1827bb8100d4e4366a8e889e647c233a9b1b1278a7133d0
-R 6abd755098d90c827f7d464c64811c8f
+P 1489b196ce82cddf7360aff6c89219ca25e666187f0f5ff6419ba3b504cdef8d
+R c3e7cad31e108fbcd57f75061231ef74
 U drh
-Z 3a2155d677f9253d6797d37459c4bb61
+Z d9bca23ba48769924e0a60580792a369

diff --git a/manifest.uuid b/manifest.uuid
index 8cdef585240e56e77b47137db58911bf4c0a47cf..8403a7076622c604a1d26c88c1531d3d10b7a52a 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-1489b196ce82cddf7360aff6c89219ca25e666187f0f5ff6419ba3b504cdef8d
\ No newline at end of file
+eb878c01f317f09e8ef6b1bd2ec8d6d5cd6ce0bdfe9da7fa7d92d2047cc9d9e4
\ No newline at end of file

diff --git a/src/build.c b/src/build.c
index d0630e169368e758bc397d80c26a2316bdfd41ab..d53ff3b6709541866e831f7566b0aa1497aab1ef 100644 (file)
--- a/src/build.c
+++ b/src/build.c
@@ -742,8 +742,8 @@ void sqlite3ColumnSetColl(
   Column *pCol,
   const char *zColl
 ){
-  int nColl;
-  int n;
+  i64 nColl;
+  i64 n;
   char *zNew;
   assert( zColl!=0 );
   n = sqlite3Strlen30(pCol->zCnName) + 1;
@@ -1548,7 +1548,7 @@ void sqlite3AddColumn(Parse *pParse, Token sName, Token sType){
     }
   }
 
-  z = sqlite3DbMallocRaw(db, sName.n + 1 + sType.n + (sType.n>0) );
+  z = sqlite3DbMallocRaw(db, (i64)sName.n + 1 + (i64)sType.n + (sType.n>0) );
   if( z==0 ) return;
   if( IN_RENAME_OBJECT ) sqlite3RenameTokenMap(pParse, (void*)z, &sName);
   memcpy(z, sName.z, sName.n);
@@ -1562,7 +1562,7 @@ void sqlite3AddColumn(Parse *pParse, Token sName, Token sType){
       return;
     }
   }
-  aNew = sqlite3DbRealloc(db,p->aCol,(p->nCol+1)*sizeof(p->aCol[0]));
+  aNew = sqlite3DbRealloc(db,p->aCol,((i64)p->nCol+1)*sizeof(p->aCol[0]));
   if( aNew==0 ){
     sqlite3DbFree(db, z);
     return;
@@ -3575,7 +3575,7 @@ void sqlite3CreateForeignKey(
   FKey *pFKey = 0;
   FKey *pNextTo;
   Table *p = pParse->pNewTable;
-  int nByte;
+  i64 nByte;
   int i;
   int nCol;
   char *z;

diff --git a/src/expr.c b/src/expr.c
index e41a4fd4e58316227ae6f53cce7ae68782140cab..2a00748846ff54d984f116813780e1fbdad6b46d 100644 (file)
--- a/src/expr.c
+++ b/src/expr.c
@@ -5888,7 +5888,7 @@ int sqlite3ExprCoveredByIndex(
 struct RefSrcList {
   sqlite3 *db;         /* Database connection used for sqlite3DbRealloc() */
   SrcList *pRef;       /* Looking for references to these tables */
-  int nExclude;        /* Number of tables to exclude from the search */
+  i64 nExclude;        /* Number of tables to exclude from the search */
   int *aiExclude;      /* Cursor IDs for tables to exclude from the search */
 };
 
@@ -5903,7 +5903,8 @@ struct RefSrcList {
 static int selectRefEnter(Walker *pWalker, Select *pSelect){
   struct RefSrcList *p = pWalker->u.pRefSrcList;
   SrcList *pSrc = pSelect->pSrc;
-  int i, j, *piNew;
+  i64 i, j;
+  int *piNew;
   if( pSrc->nSrc==0 ) return WRC_Continue;
   j = p->nExclude;
   p->nExclude += pSrc->nSrc;

diff --git a/src/select.c b/src/select.c
index c6f1edb4d36c03a946219a63926c2ee3e96b0141..7f15c2acb28c109cda63b6e08370910ca0da76f4 100644 (file)
--- a/src/select.c
+++ b/src/select.c
@@ -2196,7 +2196,7 @@ void sqlite3SelectAddColumnTypeAndCollation(
   a = pSelect->pEList->a;
   for(i=0, pCol=pTab->aCol; i<pTab->nCol; i++, pCol++){
     const char *zType;
-    int n, m;
+    i64 n, m;
     pTab->tabFlags |= (pCol->colFlags & COLFLAG_NOINSERT);
     p = a[i].pExpr;
     zType = columnType(&sNC, p, 0, 0, 0);
@@ -4182,7 +4182,7 @@ static int flattenSubquery(
 
     if( pSrc->nSrc>1 ){
       if( pParse->nSelect>500 ) return 0;
-      aCsrMap = sqlite3DbMallocZero(db, (pParse->nTab+1)*sizeof(int));
+      aCsrMap = sqlite3DbMallocZero(db, ((i64)pParse->nTab+1)*sizeof(int));
       if( aCsrMap ) aCsrMap[0] = pParse->nTab;
     }
   }