Fix an instance where sqlite3JumpHere() might be called with a negative

address following an OOM fault. (CVS 6828)

FossilOrigin-Name: 49f22e55d69d0b5a34400b36332a2eb861362eb2

diff --git a/manifest b/manifest
index d1e2527f79ac6b7ce45589a0aa19270a3e976b35..98b365eb83e31686661399d07b2d355128317276 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sbug\sin\ssqlite3_realloc()\s-\sif\scalled\swith\sa\ssize\sof\smore\sthan\n2147483392\sit\sreturns\s0\sbut\sit\salso\sreleases\sthe\sprior\sallocation.\s(CVS\s6827)
-D 2009-06-27T00:48:33
+C Fix\san\sinstance\swhere\ssqlite3JumpHere()\smight\sbe\scalled\swith\sa\snegative\naddress\sfollowing\san\sOOM\sfault.\s(CVS\s6828)
+D 2009-06-27T11:17:35
 F Makefile.arm-wince-mingw32ce-gcc fcd5e9cd67fe88836360bb4f9ef4cb7f8e2fb5a0
 F Makefile.in 8b8fb7823264331210cddf103831816c286ba446
 F Makefile.linux-gcc d53183f4aa6a9192d249731c90dbdffbd2c68654
@@ -199,7 +199,7 @@ F src/test_thread.c b8a1ab7ca1a632f18e8a361880d5d65eeea08eac
 F src/test_wsd.c 3ae5101de6cbfda2720152ab659ea84079719241
 F src/tokenize.c eadd396fa81e8031d4b4a65eefd661e9c675167f
 F src/trigger.c c07c5157c58fcdb704f65d5f5e4775276e45bb8b
-F src/update.c b58db45e40f11082281d6f94137cd3b5657771d9
+F src/update.c a1bbe774bce495d62dce3df3f42a5f04c1de173a
 F src/utf.c 9541d28f40441812c0b40f00334372a0542c00ff
 F src/util.c 861d5b5c58be4921f0a254489ea94cb15f550ef8
 F src/vacuum.c 0e14f371ea3326c6b8cfba257286d798cd20db59
@@ -737,7 +737,7 @@ F tool/speedtest2.tcl ee2149167303ba8e95af97873c575c3e0fab58ff
 F tool/speedtest8.c 2902c46588c40b55661e471d7a86e4dd71a18224
 F tool/speedtest8inst1.c 293327bc76823f473684d589a8160bde1f52c14e
 F tool/vdbe-compress.tcl 672f81d693a03f80f5ae60bfefacd8a349e76746
-P 0d345e5923ff92a87195f6c04a29a56bf67ee43c
-R 169f7765871685a4332f4c1aefebde22
+P 653df0afcc58de82c8c1b5f6a7b2f4829ff69792
+R 081c6cf0e8f2499b8b69ecc027b9626f
 U drh
-Z 92880a7456ebca89a25dc923023f5817
+Z 2ef2a0908757252ee03ecce7509b94c2

diff --git a/manifest.uuid b/manifest.uuid
index e64cee5356cb6fc296129fc7907cefd36983d0e9..1db69584e1cffa9170eabc8e26baae3eb2706962 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-653df0afcc58de82c8c1b5f6a7b2f4829ff69792
\ No newline at end of file
+49f22e55d69d0b5a34400b36332a2eb861362eb2
\ No newline at end of file

diff --git a/src/update.c b/src/update.c
index 12348c91a7c9410c2aad3cd54a77a82a70a75fd2..fb69799c56bc1d95eedc73c8e30cd3c63464cc3b 100644 (file)
--- a/src/update.c
+++ b/src/update.c
@@ -12,7 +12,7 @@
 ** This file contains C code routines that are called by the parser
 ** to handle UPDATE statements.
 **
-** $Id: update.c,v 1.203 2009/06/23 20:28:54 drh Exp $
+** $Id: update.c,v 1.204 2009/06/27 11:17:35 drh Exp $
 */
 #include "sqliteInt.h"
 
@@ -669,8 +669,7 @@ static void updateVirtualTable(
   /* Generate code to scan the ephemeral table and call VUpdate. */
   iReg = ++pParse->nMem;
   pParse->nMem += pTab->nCol+1;
-  sqlite3VdbeAddOp2(v, OP_Rewind, ephemTab, 0);
-  addr = sqlite3VdbeCurrentAddr(v);
+  addr = sqlite3VdbeAddOp2(v, OP_Rewind, ephemTab, 0);
   sqlite3VdbeAddOp3(v, OP_Column,  ephemTab, 0, iReg);
   sqlite3VdbeAddOp3(v, OP_Column, ephemTab, (pRowid?1:0), iReg+1);
   for(i=0; i<pTab->nCol; i++){
@@ -678,8 +677,8 @@ static void updateVirtualTable(
   }
   sqlite3VtabMakeWritable(pParse, pTab);
   sqlite3VdbeAddOp4(v, OP_VUpdate, 0, pTab->nCol+2, iReg, pVtab, P4_VTAB);
-  sqlite3VdbeAddOp2(v, OP_Next, ephemTab, addr);
-  sqlite3VdbeJumpHere(v, addr-1);
+  sqlite3VdbeAddOp2(v, OP_Next, ephemTab, addr+1);
+  sqlite3VdbeJumpHere(v, addr);
   sqlite3VdbeAddOp2(v, OP_Close, ephemTab, 0);
 
   /* Cleanup */