Prevent use-after-free of the u.vtab.idxStr string following an OOM

author drh <drh@noemail.net>

Thu, 17 Sep 2020 11:32:14 +0000 (11:32 +0000)

committer drh <drh@noemail.net>

Thu, 17 Sep 2020 11:32:14 +0000 (11:32 +0000)
author drh <drh@noemail.net>
Thu, 17 Sep 2020 11:32:14 +0000 (11:32 +0000)
committer drh <drh@noemail.net>
Thu, 17 Sep 2020 11:32:14 +0000 (11:32 +0000)
diff --git a/manifest b/manifest

index 278b587ac8ab15b7f31f99ca66c3cd6d1ee9b612..739315cf00c9cf5b9991890b1258a68cfe56a627 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C DISTINCT\smay\snot\sbe\signored\sinside\sa\sUNION\sALL\scommon\stable\sexpression.\nFix\sfor\sticket\s[c51489c3b8f919c5]
-D 2020-09-17T00:46:09.055
+C Prevent\suse-after-free\sof\sthe\su.vtab.idxStr\sstring\sfollowing\san\sOOM\nwhile\sgenerating\sthe\sOP_VFilter\sopcode.
+D 2020-09-17T11:32:14.578
  F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
  F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
  F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -624,7 +624,7 @@ F src/wal.h c3aa7825bfa2fe0d85bef2db94655f99870a285778baa36307c0a16da32b226a
  F src/walker.c 3df26a33dc4f54e8771600fb7fdebe1ece0896c2ad68c30ab40b017aa4395049
  F src/where.c 23f47e845e304a41d0b221bf67bd170014ae08b673076813fcd945dda1a3d4af
  F src/whereInt.h eb8c2847fb464728533777efec1682b3c074224293b2da73513c61a609efbeab
-F src/wherecode.c 8b1176a3b7d4d61f78b0516bb7f6bb3803c658a6565663b8414c3b5d37a02eaa
+F src/wherecode.c 9afd600ca9fe831f342121cca48ad8839c8a18ca4e0372518a0a3c8123a8f022
  F src/whereexpr.c 264d58971eaf8256eb5b0917bcd7fc7a1f1109fdda183a8382308a1b18a2dce7
  F src/window.c edd6f5e25a1e8f2b6f5305b7f5f7da7bb35f07f0d432b255b1d4c2fcab4205aa
  F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
@@ -1880,7 +1880,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
  F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
  F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
  F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 9ea3039b538ffd0f348c8fbc9452af1fbf899a1f668af9a2404bdd0f8dd21351
-R 5bf1eaed1b0f62e19f1e327d7467bbe1
+P 7d2b590d3abd66a7e6ae9046198eb669e0fd2f223f7691281e9ad795a12b8903
+R 64b915f5a215a95424570ee566dcd81b
  U drh
-Z 6e1d5387493b3a726ae70a6af2467d64
+Z ee1bdda50dc146e98a6a3caca7097de2
diff --git a/manifest.uuid b/manifest.uuid

index 22a693b7d86dfc084b80023f834e16de7cf81488..67e30802d89ea513dbf910b5cd4b86baf15f0601 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-7d2b590d3abd66a7e6ae9046198eb669e0fd2f223f7691281e9ad795a12b8903
-\ No newline at end of file
+751fe4edb2d4602e652523c2759de3f4fffd29d5c66cae68caf45b30fd8b750a
+\ No newline at end of file
diff --git a/src/wherecode.c b/src/wherecode.c

index 591f267e82d2a891e8474f2732ab093e7fe43255..ae3a19757025d11d6f7868edaf68bdb48f29f90d 100644 (file)
--- a/src/wherecode.c
+++ b/src/wherecode.c
@@ -1397,6 +1397,9 @@ Bitmask sqlite3WhereCodeOneLoopStart(
                        pLoop->u.vtab.needFree ? P4_DYNAMIC : P4_STATIC);
      VdbeCoverage(v);
      pLoop->u.vtab.needFree = 0;
+    /* An OOM inside of AddOp4(OP_VFilter) instruction above might have freed
+    ** the u.vtab.idxStr.  NULL it out to prevent a use-after-free */
+    if( db->mallocFailed ) pLoop->u.vtab.idxStr = 0;
      pLevel->p1 = iCur;
      pLevel->op = pWInfo->eOnePass ? OP_Noop : OP_VNext;
      pLevel->p2 = sqlite3VdbeCurrentAddr(v);
author	drh <drh@noemail.net>
	Thu, 17 Sep 2020 11:32:14 +0000 (11:32 +0000)
committer	drh <drh@noemail.net>
	Thu, 17 Sep 2020 11:32:14 +0000 (11:32 +0000)
manifest		patch \| blob \| blame \| history
manifest.uuid		patch \| blob \| blame \| history
src/wherecode.c		patch \| blob \| blame \| history