Prevent a possible NULL pointer dereference in the OP_Found opcode that
authordrh <drh@noemail.net>
Fri, 19 May 2017 23:04:04 +0000 (23:04 +0000)
committerdrh <drh@noemail.net>
Fri, 19 May 2017 23:04:04 +0000 (23:04 +0000)
can follow an OOM error.  Problem found by OSS-Fuzz.

FossilOrigin-Name: 50ad60ded54aa22dfdf519ed5da6451de790e22a972ff299f7976fbdce7a0579

manifest
manifest.uuid
src/vdbe.c

index d17b17216d440c345cb978f5f044d126cc1e4837..7b0500a7aca203d4d94021fb4b8cafc21b5717d7 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Branch\sfor\sthe\s3.19\srelease.
-D 2017-05-19T20:46:27.662
+C Prevent\sa\spossible\sNULL\spointer\sdereference\sin\sthe\sOP_Found\sopcode\sthat\ncan\sfollow\san\sOOM\serror.\s\sProblem\sfound\sby\sOSS-Fuzz.
+D 2017-05-19T23:04:04.031
 F Makefile.in 1cc758ce3374a32425e4d130c2fe7b026b20de5b8843243de75f087c0a2661fb
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc 8eeb80162074004e906b53d7340a12a14c471a83743aab975947e95ce061efcc
@@ -470,7 +470,7 @@ F src/update.c c443935c652af9365e033f756550b5032d02e1b06eb2cb890ed7511ae0c051dc
 F src/utf.c 699001c79f28e48e9bcdf8a463da029ea660540c
 F src/util.c fc081ec6f63448dcd80d3dfad35baecfa104823254a815b081a4d9fe76e1db23
 F src/vacuum.c 1fe4555cd8c9b263afb85b5b4ee3a4a4181ad569
-F src/vdbe.c 9bac2bc2313ed682e6f48ccff6644d3263341885bfcbb3cdea7b720c722be2d5
+F src/vdbe.c b24b9806db72ad02ca82263b4705150fe9a547508948ee9906b7e120d3710211
 F src/vdbe.h f7d1456e28875c2dcb964056589b5b7149ab7edf39edeca801596a39bb3d3848
 F src/vdbeInt.h 1ecdacc1322fdd3241ec30c32a480e328a6f864e532dc53fae8e0ab68121aebf
 F src/vdbeapi.c dc904b3c5e459727993c2421e653e29d63223846d129fae98adc782b0a996481
@@ -1580,10 +1580,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 35f721045dfe3f82e016938ab1a668bfc37b6b57b8813cc963ef640ec82de58d
-R 43b2f6640d15533e1a63dfe250cd3268
-T *branch * branch-3.19
-T *sym-branch-3.19 *
-T -sym-trunk *
+P f2b829ec52c2037eba4feb9427c56d84aca736cb5fc841dfe91cfff22cf660c1
+Q +c2de178fe7e2e4e0d764e7e6ac637cfc8c053580c43f7246318dafad2974de3c
+R fa3de8848fde01ec07b6ff80f323523f
 U drh
-Z a733288d67c031dc7d9d7d304f469f22
+Z 8ada4e4e3a5f42b8890ba86493cb429e
index dc4e892a2dfb3c41cc9fa51dc9de00e37ab2e414..bf1abc06e97b3dc1c6052170f16de304a07cb0c8 100644 (file)
@@ -1 +1 @@
-f2b829ec52c2037eba4feb9427c56d84aca736cb5fc841dfe91cfff22cf660c1
\ No newline at end of file
+50ad60ded54aa22dfdf519ed5da6451de790e22a972ff299f7976fbdce7a0579
\ No newline at end of file
index e6c964245faf53260165b7ceb956fc2b18b5450e..495cec2191b4a9140f3efecce3b5e782094ff944 100644 (file)
@@ -4106,10 +4106,12 @@ case OP_Found: {        /* jump, in3 */
     pIdxKey = &r;
     pFree = 0;
   }else{
+    assert( pIn3->flags & MEM_Blob );
+    rc = ExpandBlob(pIn3);
+    assert( rc==SQLITE_OK || rc==SQLITE_NOMEM );
+    if( rc ) goto no_mem;
     pFree = pIdxKey = sqlite3VdbeAllocUnpackedRecord(pC->pKeyInfo);
     if( pIdxKey==0 ) goto no_mem;
-    assert( pIn3->flags & MEM_Blob );
-    (void)ExpandBlob(pIn3);
     sqlite3VdbeRecordUnpack(pC->pKeyInfo, pIn3->n, pIn3->z, pIdxKey);
   }
   pIdxKey->default_rc = 0;
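Review bot: Nothing in the new `else` branch records why `ExpandBlob(pIn3)` and its `if( rc ) goto no_mem;` now sit ahead of `sqlite3VdbeAllocUnpackedRecord()`, and that ordering looks load-bearing: checked after the allocation, the jump would presumably leave `pFree` unreleased, and left unchecked (as on the old side) `sqlite3VdbeRecordUnpack()` goes on to read `pIn3->z` after a failed expansion. A one-line comment above the call would keep a later cleanup from undoing it, for example `/* Expand the blob before allocating pIdxKey so an OOM here exits with nothing to free */`. The commit's file list holds only manifest, manifest.uuid and src/vdbe.c, so no regression test accompanies the fix; an allocation-failure test that reaches this branch would pin the behaviour. Any other call sites that discard the result with `(void)ExpandBlob(...)` are not visible on this page and may deserve the same check. The body of `case OP_Found` starts and ends outside the hunk.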