Take extra care to ensure that JSONB values that are in cache are actually
authordrh <>
Sat, 2 Dec 2023 18:04:27 +0000 (18:04 +0000)
committerdrh <>
Sat, 2 Dec 2023 18:04:27 +0000 (18:04 +0000)
owned by the JSON subsystem, and that ownership of such values is not handed
back to the bytecode engine.

FossilOrigin-Name: 1304534001e9ef66c6b12752b69d790bfa3427cc803f87cc48ca22ae12df0fdf

manifest
manifest.uuid
src/json.c

index 4e9b31f23542dbcd12145022f819bdf90c3819ec..87767f5859e2aa448501cf4b45bd77e177164282 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Protect\sa\smemcpy()\sagainst\sOOM\sconditions.
-D 2023-12-02T16:11:22.802
+C Take\sextra\scare\sto\sensure\sthat\sJSONB\svalues\sthat\sare\sin\scache\sare\sactually\nowned\sby\sthe\sJSON\ssubsystem,\sand\sthat\sownership\sof\ssuch\svalues\sis\snot\shanded\nback\sto\sthe\sbytecode\sengine.
+D 2023-12-02T18:04:27.395
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -688,7 +688,7 @@ F src/hash.h 3340ab6e1d13e725571d7cee6d3e3135f0779a7d8e76a9ce0a85971fa3953c51
 F src/hwtime.h f9c2dfb84dce7acf95ce6d289e46f5f9d3d1afd328e53da8f8e9008e3b3caae6
 F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71
 F src/insert.c 3f0a94082d978bbdd33c38fefea15346c6c6bffb70bc645a71dc0f1f87dd3276
-F src/json.c 21ffece5a6e846480e6f108203d5ee3838261c0d8af773986895b1fd33fea593
+F src/json.c 4c6b5c0c731fe7a2b2d28467af747c4744370bd47b5f9d6b7531efb8617eda37
 F src/legacy.c d7874bc885906868cd51e6c2156698f2754f02d9eee1bae2d687323c3ca8e5aa
 F src/loadext.c 7432c944ff197046d67a1207790a1b13eec4548c85a9457eb0896bb3641dfb36
 F src/main.c 1b89f3de98d1b59fec5bac1d66d6ece21f703821b8eaa0d53d9604c35309f6f9
@@ -2145,8 +2145,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P c6bacf57bd6fe0fee00c9d41163a270b60997c20659949971bbf5c6c62622bfe
-R 0ee4315c57b01c35ef946afcac5153f9
+P 26144d1c25ae0435db568009ba05e485d23d146f2b1f29f3a426c87860316aed
+R 4e2a070d847085a145ada5a2fea29659
 U drh
-Z 15254a8c6732e3004ca75d702e3d0bea
+Z 2cced16db85959c5b0bfa29c3e3e2f71
 # Remove this line to create a well-formed Fossil manifest.
index 115ae173de6e5a1882718d10ddfb6705dad4ea61..18c274186a4fbb8dd7bece767c053be68672fe77 100644 (file)
@@ -1 +1 @@
-26144d1c25ae0435db568009ba05e485d23d146f2b1f29f3a426c87860316aed
\ No newline at end of file
+1304534001e9ef66c6b12752b69d790bfa3427cc803f87cc48ca22ae12df0fdf
\ No newline at end of file
index cdc0d60c71d7cf607f756a250ad80d3a4f74681f..586371d9d49909b3375eaa1f4af95341bab39793 100644 (file)
@@ -375,6 +375,7 @@ static int jsonCacheInsert(
     memmove(p->a, &p->a[1], (JSON_CACHE_SIZE-1)*sizeof(p->a[0]));
     p->nUsed = JSON_CACHE_SIZE-1;
   }
+  assert( pParse->nBlobAlloc>0 );
   pParse->eEdit = 0;
   pParse->nJPRef++;
   pParse->bReadOnly = 1;
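Review bot: The new `assert( pParse->nBlobAlloc>0 )` is the only thing in this hunk that stops a parse with a borrowed `aBlob` from entering the cache, and SQLite's `assert()` is normally compiled out of non-debug builds. If a caller ever reaches jsonCacheInsert() with `nBlobAlloc==0`, a release build would cache a pointer the JSON subsystem does not own, which is presumably the situation the commit message is guarding against. The same applies to the assert pairs added before `sqlite3_result_blob(..., sqlite3_free)` in jsonReturnStringAsBlob() and jsonbFunc(), where a violated invariant would give `sqlite3_free` a buffer the parse does not own. Consider a comment above each assert stating the ownership rule, e.g. `/* Cached parses must own aBlob; a borrowed buffer can be freed by its real owner while still cached */`, and, if the callers outside these hunks do not all guarantee it, a runtime early-return instead of the assert. jsonCacheInsert's body starts and continues outside the hunk.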
@@ -731,7 +732,7 @@ static void jsonReturnString(
       sqlite3_result_text64(p->pCtx, p->zBuf, p->nUsed,
                             SQLITE_TRANSIENT, SQLITE_UTF8);
     }else if( jsonForceRCStr(p) ){
-      if( pParse && pParse->bJsonIsRCStr==0 ){
+      if( pParse && pParse->bJsonIsRCStr==0 && pParse->nBlobAlloc>0 ){
         int rc;
         pParse->zJson = sqlite3RCStrRef(p->zBuf);
         pParse->nJson = p->nUsed;
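Review bot: The extra `pParse->nBlobAlloc>0` test in the `jsonForceRCStr(p)` branch has no comment saying why an unowned blob disqualifies the parse from this path, and it presumably has to stay in step with the assert this commit adds to jsonCacheInsert(). A short comment above the `if` would keep the two coupled, e.g. `/* Only cache when pParse owns aBlob; jsonCacheInsert() asserts nBlobAlloc>0 */`. The rest of the branch, including what happens when the condition is false, lies outside the hunk, so whether the result is still returned correctly without caching cannot be confirmed from here.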
@@ -1751,6 +1752,8 @@ static void jsonReturnStringAsBlob(JsonString *pStr){
     sqlite3_free(px.aBlob);
     sqlite3_result_error_nomem(pStr->pCtx);
   }else{
+    assert( px.nBlobAlloc>0 );
+    assert( !px.bReadOnly );
     sqlite3_result_blob(pStr->pCtx, px.aBlob, px.nBlob, sqlite3_free);
   }
 }
@@ -2841,9 +2844,12 @@ static void jsonReturnParse(
   }
   flgs = SQLITE_PTR_TO_INT(sqlite3_user_data(ctx));
   if( flgs & JSON_BLOB ){
-    sqlite3_result_blob(ctx, p->aBlob, p->nBlob,
-                        p->nBlobAlloc>0 ? SQLITE_DYNAMIC : SQLITE_TRANSIENT);
-    p->nBlobAlloc = 0;
+    if( p->nBlobAlloc>0 && !p->bReadOnly ){
+      sqlite3_result_blob(ctx, p->aBlob, p->nBlob, SQLITE_DYNAMIC);
+      p->nBlobAlloc = 0;
+    }else{
+      sqlite3_result_blob(ctx, p->aBlob, p->nBlob, SQLITE_TRANSIENT);
+    }
   }else{
     JsonString s;
     jsonStringInit(&s, ctx);
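Review bot: In the new owned branch of jsonReturnParse(), only `p->nBlobAlloc` is cleared after `sqlite3_result_blob(ctx, p->aBlob, p->nBlob, SQLITE_DYNAMIC)`, so `p->aBlob` and `p->nBlob` keep referring to a buffer whose lifetime now belongs to the result value. jsonbFunc() in this same commit clears both fields after its handoff (`pParse->aBlob = 0; pParse->nBlob = 0;`). If nothing reads `p` after this point (not visible in the hunk), doing the same here with `p->aBlob = 0; p->nBlob = 0;` would remove the alias; otherwise a comment stating that `p` only borrows the blob from here on would help the next reader. The function starts and ends outside the hunk.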
@@ -3063,6 +3069,8 @@ static void jsonbFunc(
     if( jsonConvertTextToBlob(pParse, ctx) ){
       sqlite3_result_error(ctx, "malformed JSON", -1);
     }else{
+      assert( pParse->nBlobAlloc>0 );
+      assert( !pParse->bReadOnly );
       sqlite3_result_blob(ctx, pParse->aBlob, pParse->nBlob, sqlite3_free);
       pParse->aBlob = 0;
       pParse->nBlob = 0;