Do not allow the number of terms in an ORDER BY or GROUP BY clause to

exceed the maximum number of columns in a table.

FossilOrigin-Name: cb41512386dd6e97869f56fc7be020682d203950a481bc9ae5b9094116a0c52a

diff --git a/manifest b/manifest
index 626899335ecd8313520525802c9f466736fba6ee..cf29e9ae401e5f78d0fd2aae6ca4f6d73950256a 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Improved\sdefenses\sagainst\scorrupt\sZIP\sarchives\sin\sthe\szipfile\sextension.
-D 2025-08-05T01:58:20.832
+C Do\snot\sallow\sthe\snumber\sof\sterms\sin\san\sORDER\sBY\sor\sGROUP\sBY\sclause\sto\nexceed\sthe\smaximum\snumber\sof\scolumns\sin\sa\stable.
+D 2025-08-06T19:19:52.023
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -736,7 +736,7 @@ F src/date.c 9db4d604e699a73e10b8e85a44db074a1f04c0591a77e2abfd77703f50dce1e9
 F src/dbpage.c fcb1aafe00872a8aff9a7aa0ef7ff1b01e5817ec7bbd521f8f3e1e674ac8d609
 F src/dbstat.c 73362c0df0f40ad5523a6f5501224959d0976757b511299bf892313e79d14f5c
 F src/delete.c 03a77ba20e54f0f42ebd8eddf15411ed6bdb06a2c472ac4b6b336521bf7cea42
-F src/expr.c d966479195c66a36c06196daadf6ecc587ec7bad7081026f7b168d80cfddf659
+F src/expr.c 439dcb9cdd34389e69de467dfcea30f3160feaf46f84c16dbf73128691fccfc4
 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007
 F src/fkey.c 928ed2517e8732113d2b9821aa37af639688d752f4ea9ac6e0e393d713eeb76f
 F src/func.c de47a8295503aa130baae5e6d9868ecf4f7c4dbffa65d83ad1f70bdbac0ee2d6
@@ -785,7 +785,7 @@ F src/printf.c 3b91c334f528359145f4dde0dedd945bbb21044d0825ea064934d7222d61662c
 F src/random.c 606b00941a1d7dd09c381d3279a058d771f406c5213c9932bbd93d5587be4b9c
 F src/resolve.c d40fe18d7c2fd0339f5846ffcf7d6809866e380acdf14c76fb2af87e9fe13f64
 F src/rowset.c 8432130e6c344b3401a8874c3cb49fefe6873fec593294de077afea2dce5ec97
-F src/select.c 5c129b669317a1d57283055482b9c1e105199a7e47d69526491ca165d3376999
+F src/select.c 11675a82af91deab946dc15e17ff6f70f5b007ccc7b638818d1e70f767fd2cde
 F src/shell.c.in ba53a52dafb167ac6320703da741386c34fbcabe8c078a188bb9f89808e3ef8f
 F src/sqlite.h.in 9ae373d11e1b11ac9c81c508523ae37f1619e739858280078ee9fb4e1e62d3ed
 F src/sqlite3.rc 015537e6ac1eec6c7050e17b616c2ffe6f70fca241835a84a4f0d5937383c479
@@ -880,7 +880,7 @@ F test/affinity3.test 9b7d1133e11d5edd7805573c4ab6f3ba73b0b74a1f280d5b130d4bf350
 F test/aggerror.test a867e273ef9e3d7919f03ef4f0e8c0d2767944f2
 F test/aggfault.test 777f269d0da5b0c2524c7ff6d99ae9a93db4f1b1839a914dd2a12e3035c29829
 F test/aggnested.test 610b0ce2c3e8f3daee25f9752800ee8d785db10da4aa1fbeea0ea1aabaf1d704
-F test/aggorderby.test cc3abf5de64d46ff66395ca8c2346b66c2576d5aedb7bffc5b0742508856e3bf
+F test/aggorderby.test 7be65e743f82ee49ba62da1c799e59341d23884a99edfe093df0cdfaac94cbbb
 F test/alias.test 4529fbc152f190268a15f9384a5651bbbabc9d87
 F test/all.test cf929f721e20960ca9db89471fa44f9176322ba8f25e97193f91881c223643b3
 F test/alter.test 3c00eff1e2036b9f93e9cd0f3d3e63750ac87ecb5bc71b9d7bd07cbf2ac4c494
@@ -2209,9 +2209,9 @@ F tool/version-info.c 3b36468a90faf1bbd59c65fd0eb66522d9f941eedd364fabccd7227350
 F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee87c1b31a7
 F tool/warnings.sh 1ad0169b022b280bcaaf94a7fa231591be96b514230ab5c98fbf15cd7df842dd
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P aba0285ff293a64b2409c79a9fe58dd2f18830ee121b9f0cd470647ecbc97e68
-Q +642e89191deaf75db236102248c662aeef65bcd3dcbdfea694256583556be75f
-R 89dfde611c12556e5117113c45862a20
+P d04c30b9f25383a422620355a02edee550c31349624b76a5ce8c7e4a03ce0f9a
+Q +139e587c7b349e771d67a8b4ee02ab3ad5d5712d4ff4713dad63cb765bdee248
+R ec9fc00419a99160a5df88bd600b4a48
 U drh
-Z a8d73835d2d4cbeb7413a7837e680fd3
+Z f0c2e9a9a43a6532f3433d3a035358dd
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 1f0a75738331f90a7bdcc7ae0bdf9bbc02320b7f..15b5fba818dff1b055e8a4e5113be7d6939b2e60 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-d04c30b9f25383a422620355a02edee550c31349624b76a5ce8c7e4a03ce0f9a
+cb41512386dd6e97869f56fc7be020682d203950a481bc9ae5b9094116a0c52a

diff --git a/src/expr.c b/src/expr.c
index b74bc11b0fa86b5752016daff3d5ff65ed3f7fa5..5127b89e551f728969cbf497061c70420cf3a674 100644 (file)
--- a/src/expr.c
+++ b/src/expr.c
@@ -1239,6 +1239,11 @@ void sqlite3ExprAddFunctionOrderBy(
     sqlite3ExprListDelete(db, pOrderBy);
     return;
   }
+  if( pOrderBy->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){
+    sqlite3ErrorMsg(pParse, "too many terms in ORDER BY clause");
+    sqlite3ExprListDelete(db, pOrderBy);
+    return;
+  }
 
   pOB = sqlite3ExprAlloc(db, TK_ORDER, 0, 0);
   if( pOB==0 ){

diff --git a/src/select.c b/src/select.c
index dc4e87393cf4e87272283cd8662e32ccac17f5ca..09e0d5149b988bef2e5a785def95e676dd7a4af4 100644 (file)
--- a/src/select.c
+++ b/src/select.c
@@ -1546,7 +1546,10 @@ static void selectInnerLoop(
 */
 KeyInfo *sqlite3KeyInfoAlloc(sqlite3 *db, int N, int X){
   int nExtra = (N+X)*(sizeof(CollSeq*)+1);
-  KeyInfo *p = sqlite3DbMallocRawNN(db, SZ_KEYINFO(0) + nExtra);
+  KeyInfo *p;
+  assert( X>=0 );
+  if( NEVER(N+X>0xffff) ) return (KeyInfo*)sqlite3OomFault(db);
+  p = sqlite3DbMallocRawNN(db, SZ_KEYINFO(0) + nExtra);
   if( p ){
     p->aSortFlags = (u8*)&p->aColl[N+X];
     p->nKeyField = (u16)N;

diff --git a/test/aggorderby.test b/test/aggorderby.test
index eed1f83a7e00474f92d6520973a77915531f583b..466074815a51dc52c01a8a1f10863c9304c77de9 100644 (file)
--- a/test/aggorderby.test
+++ b/test/aggorderby.test
@@ -158,5 +158,17 @@ do_execsql_test aggorderby-9.3 {
   SELECT json_group_array(DISTINCT json(x) ORDER BY json(x)) FROM c;
 } {{[[1,1],[4,4],{"a":3},{"x":2}]}}
 
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test aggorderby-10.0 {
+  CREATE TABLE t1(w, x);
+  INSERT INTO t1 VALUES(1, 2);
+}
+
+for {set i 0} {$i < 70000} {incr i} { lappend lExpr x }
+do_catchsql_test aggorderby-10.1 "
+  SELECT group_concat(w ORDER BY [join $lExpr ,]) FROM t1
+" {1 {too many terms in ORDER BY clause}}
+
 
 finish_test