Overnight, OSSFuzz helpfully pointed out a potential use-after-free bug in
authordrh <drh@noemail.net>
Sat, 26 Oct 2019 12:27:55 +0000 (12:27 +0000)
committerdrh <drh@noemail.net>
Sat, 26 Oct 2019 12:27:55 +0000 (12:27 +0000)
yesterday's changes, involving continued use of a pointer after the memory
pointed to had been realloc()-ed.  Thanks Google.

FossilOrigin-Name: c422afb507dc875751e6a72e4ba5f4f0793097c0de4533c1600311f689e76ed7

manifest
manifest.uuid
src/insert.c

index 377c552dd5b9f7003cb86de1b04066504c8c12e0..5311e40b16e72baba0ac08559c87d65976ef6ab7 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\smissing\sVdbeCoverage()\smacro.\s\sFix\san\soff-by-one\serror\sin\spartial\sindex\nhandling.\s\sNew\stest\scases.\s\sTicket\s[c1e19e12046d23fe]
-D 2019-10-26T01:43:14.417
+C Overnight,\sOSSFuzz\shelpfully\spointed\sout\sa\spotential\suse-after-free\sbug\sin\nyesterdays\schanges,\sinvolving\scontinued\suse\sof\sa\spointer\safter\sthe\smemory\npointed\sto\shad\sbeen\srealloc()-ed.\s\sThanks\sGoogle.
+D 2019-10-26T12:27:55.016
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -487,7 +487,7 @@ F src/hash.c 8d7dda241d0ebdafb6ffdeda3149a412d7df75102cecfc1021c98d6219823b19
 F src/hash.h 9d56a9079d523b648774c1784b74b89bd93fac7b365210157482e4319a468f38
 F src/hwtime.h 747c1bbe9df21a92e9c50f3bbec1de841dc5e5da
 F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71
-F src/insert.c be086d71275a23bce61f3d9ab737ef135562d205ac5be1a4222385bdaa4376b5
+F src/insert.c 0ac7d3441ead03a3a457ed5c5c0f7f3cc20d7b7a6822c14c95d820fa9a091b9c
 F src/legacy.c d7874bc885906868cd51e6c2156698f2754f02d9eee1bae2d687323c3ca8e5aa
 F src/loadext.c 4ddc65ae13c0d93db0ceedc8b14a28c8c260513448b0eb8c5a2ac375e3b6a85d
 F src/main.c 3e01f6a1c96643381b5f9d79e4ff7f2520bc5712197746fb0852283e78cccf66
@@ -1848,7 +1848,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P fbac0c65d8464b126d385262d176864add55452ec9e3d5eb76ffee06e820cb9c
-R 9e2b0bb43a4e8a1e459a6408a4d01f3f
+P 41cc8e3dab998f7efc898d18837ca7fdac94ea3f89954990c5231456bf725fee
+R 85a03747b28d7a0450d46a9d4dc21bf2
 U drh
-Z 412ed0cb894f7416a9dbba390e20b800
+Z 237c760989c5c2d15ac113cc385665f5
index 99e0c4ee077453e0564abdd77ea83ff8c3b3ecd0..58e1f76c6e9370696ea5c960bd761a13842012c1 100644 (file)
@@ -1 +1 @@
-41cc8e3dab998f7efc898d18837ca7fdac94ea3f89954990c5231456bf725fee
\ No newline at end of file
+c422afb507dc875751e6a72e4ba5f4f0793097c0de4533c1600311f689e76ed7
\ No newline at end of file
index e3aa483df524f684e9674ac197267e860bd76a09..6726177e5409fc587f0b9326961d6d17a68ccca8 100644 (file)
@@ -1889,8 +1889,6 @@ void sqlite3GenerateConstraintChecks(
             regR, nPkField, 0, OE_Replace,
             (pIdx==pPk ? ONEPASS_SINGLE : ONEPASS_OFF), iThisCur);
         if( regTrigCnt ){
-          VdbeOp *pOp;     /* Conflict check opcode to copy */
-          int p2;          /* New P2 value for copied conflict check opcode */
           int addrBypass;  /* Jump destination to bypass recheck logic */
 
           sqlite3VdbeAddOp2(v, OP_AddImm, regTrigCnt, 1); /* incr trigger cnt */
@@ -1911,21 +1909,25 @@ void sqlite3GenerateConstraintChecks(
           /* Copy the constraint check code from above, except change
           ** the constraint-ok jump destination to be the address of
           ** the next retest block */
-          pOp = sqlite3VdbeGetOp(v, addrConflictCk);
           while( nConflictCk>0 && !db->mallocFailed ){
-            if( sqlite3OpcodeProperty[pOp->opcode]&OPFLG_JUMP ){
-              p2 = lblRecheckOk;
-            }else{
-              p2 = pOp->p2;
-            }
-            if( pOp->opcode!=OP_IdxRowid ){
-              sqlite3VdbeAddOp4(v, pOp->opcode, pOp->p1, p2, pOp->p3,
-                                pOp->p4.z, pOp->p4type);
-              sqlite3VdbeChangeP5(v, pOp->p5);
-              VdbeCoverageIf(v, p2!=pOp->p2 );
+            VdbeOp x;    /* Conflict check opcode to copy */
+            /* The sqlite3VdbeAddOp4() call might reallocate the opcode array.
+            ** Hence, make a complete copy of the opcode, rather than using
+            ** a pointer to the opcode. */
+            x = *sqlite3VdbeGetOp(v, addrConflictCk);
+            if( x.opcode!=OP_IdxRowid ){
+              int p2;      /* New P2 value for copied conflict check opcode */
+              if( sqlite3OpcodeProperty[x.opcode]&OPFLG_JUMP ){
+                p2 = lblRecheckOk;
+              }else{
+                p2 = x.p2;
+              }
+              sqlite3VdbeAddOp4(v, x.opcode, x.p1, p2, x.p3, x.p4.z, x.p4type);
+              sqlite3VdbeChangeP5(v, x.p5);
+              VdbeCoverageIf(v, p2!=x.p2);
             }
             nConflictCk--;
-            pOp++;
+            addrConflictCk++;
           }
           /* If the retest fails, issue an abort */
           sqlite3UniqueConstraint(pParse, OE_Abort, pIdx);
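Review bot: The loop now advances the outer variable itself (`addrConflictCk++` near the end of the hunk) where the old code advanced a separate `pOp` pointer, so once the loop ends `addrConflictCk` no longer holds the start address of the conflict-check block. sqlite3GenerateConstraintChecks continues beyond this hunk, so I cannot see whether anything later reads `addrConflictCk` expecting its original value; if it does, this is a silent behaviour change beyond the use-after-free fix. Walking a local cursor instead, `int iCk = addrConflictCk;` before the `while` and `x = *sqlite3VdbeGetOp(v, iCk); ... iCk++;` inside it, keeps the original untouched and makes the intent explicit. As a point of style, the separate `VdbeOp x;` declaration and later assignment could be one definition, `VdbeOp x = *sqlite3VdbeGetOp(v, addrConflictCk);`, with the reallocation comment moved above it, so x can never be read before it is set. The comment could also note that `x.p4.z` is still a pointer copy, so the by-value copy guards only against the opcode-array reallocation it names, not against anything that frees or moves the P4 payload — the same exposure the previous code had.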