From: drh Date: Mon, 13 Aug 2018 17:02:26 +0000 (+0000) Subject: Make the sqlite_rename_column() SQL function resistant to problems caused X-Git-Tag: version-3.25.0~39^2~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a1cc223bd7e5aa411613db2199bfca475030038;p=thirdparty%2Fsqlite.git Make the sqlite_rename_column() SQL function resistant to problems caused by OOMs and/or malformed parameters submitted by hostile application code. Also add additional comments to the RENAME COLUMN logic. FossilOrigin-Name: 87743ddef11749b4017d60abc297abfd673e02a26a2ae45ffec861327578aa30 --- diff --git a/manifest b/manifest index d6c9346159..11e97f88c9 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Fix\slegacy\scomments\son\sToken.\s\sBegin\scommenting\sthe\snew\sALTER\sTABLE\sRENAME\nCOLUMN\scode.\s\sFix\sa\smemory\sleak\sin\sthe\ssqlite_rename_column()\sSQL\sfunction. -D 2018-08-13T15:09:48.567 +C Make\sthe\ssqlite_rename_column()\sSQL\sfunction\sresistant\sto\sproblems\scaused\nby\sOOMs\sand/or\smalformed\sparameters\ssubmitted\sby\shostile\sapplication\scode.\nAlso\sadd\sadditional\scomments\sto\sthe\sRENAME\sCOLUMN\slogic. +D 2018-08-13T17:02:26.434 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F Makefile.in 0a3a6c81e6fcb969ff9106e882f0a08547014ba463cb6beca4c4efaecc924ee6 
@@ -432,7 +432,7 @@ F spec.template 86a4a43b99ebb3e75e6b9a735d5fd293a24e90ca F sqlite.pc.in 42b7bf0d02e08b9e77734a47798d1a55a9e0716b F sqlite3.1 fc7ad8990fc8409983309bb80de8c811a7506786 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a -F src/alter.c 7a8e8f14b07063973b772b07921bcc54db36e26e8aae14d2584446ed5af9e513 +F src/alter.c 5367a5483812b08662f17e7eb5e1891cc0996f9b6e297955ce03454c508d3c79 F src/analyze.c 3dc6b98cf007b005af89df165c966baaa48e8124f38c87b4d2b276fe7f0b9eb9 F src/attach.c 4bd5b92633671d3e8ce431153ebb1893b50335818423b5373f3f27969f79769a F src/auth.c 32a5bbe3b755169ab6c66311c5225a3cd4f75a46c041f7fb117e0cbb68055114 @@ -1756,7 +1756,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 0b28dd5c2e4908d5e49eaedd359492e46de8af3bf84120f4683b3ea906882fbf -R 8e4aad63439996e323e3c103c6b55b1d +P 32edc8920376aabb84ebe1900eaa9512d23f1b44d6459e4916dc6b07db66e27c +R dded0a1ea7b07b29f53ec6b813829626 U drh -Z 82791a60e4da34a95b2d48254121d988 +Z 21a9b725df605fe8e7c9a80550758727 diff --git a/manifest.uuid b/manifest.uuid index aa113d45ed..3b2e0343e3 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -32edc8920376aabb84ebe1900eaa9512d23f1b44d6459e4916dc6b07db66e27c \ No newline at end of file +87743ddef11749b4017d60abc297abfd673e02a26a2ae45ffec861327578aa30 \ No newline at end of file diff --git a/src/alter.c b/src/alter.c index c19eb67a67..5c7ec996c7 100644 --- a/src/alter.c +++ b/src/alter.c 
@@ -940,6 +940,14 @@ static void renameTokenFree(sqlite3 *db, RenameToken *pToken){
   }
 }
 
+/*
+** Return the RenameToken object associated with parse tree element pPtr,
+** or a NULL pointer if not found. The RenameToken object returned is
+** removed from the list of RenameToken objects attached to the Parse
+** object and the caller becomes the new owner of the RenameToken object
+** Hence, the caller assumes responsibility for freeing the returned
+** RenameToken object.
+*/
 static RenameToken *renameTokenFind(Parse *pParse, void *pPtr){
   RenameToken **pp;
   for(pp=&pParse->pRename; (*pp); pp=&(*pp)->pNext){
@@ -953,6 +961,15 @@ static RenameToken *renameTokenFind(Parse *pParse, void *pPtr){
   return 0;
 }
 
+/*
+** This is a Walker expression callback.
+**
+** For every TK_COLUMN node in the expression tree, search to see
+** if the column being references is the column being renamed by an
+** ALTER TABLE statement. If it is, then attach its associated
+** RenameToken object to the list of RenameToken objects being
+** constructed in RenameCtx object at pWalker->u.pRename.
+*/
 static int renameColumnExprCb(Walker *pWalker, Expr *pExpr){
   struct RenameCtx *p = pWalker->u.pRename;
   if( pExpr->op==TK_COLUMN && pExpr->iColumn==p->iCol ){
@@ -966,6 +983,15 @@ static int renameColumnExprCb(Walker *pWalker, Expr *pExpr){
   return WRC_Continue;
 }
 
+/*
+** The RenameCtx contains a list of tokens that reference a column that
+** is being renamed by an ALTER TABLE statement. Return the "first"
+** RenameToken in the RenameCtx and remove that RenameToken from the
+** RenameContext. "First" means the first RenameToken encountered when
+** the input SQL from left to right. Repeated calls to this routine
+** return all column name tokens in the order that they are encountered
+** in the SQL statement.
+*/
 static RenameToken *renameColumnTokenNext(struct RenameCtx *pCtx){
   RenameToken *pBest = pCtx->pList;
   RenameToken *pToken;
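Review bot: The new header comment on renameTokenFind runs two sentences together at `the new owner of the RenameToken object` / `Hence, the caller assumes responsibility`; a period is missing, e.g. `** object and the caller becomes the new owner of the RenameToken object.` The other two comment hunks on this line have similar wording slips: in renameColumnExprCb, `if the column being references is the column being renamed` should read `if the column being referenced is the column being renamed`, and in renameColumnTokenNext, `the first RenameToken encountered when the input SQL from left to right` is missing a verb, e.g. `encountered when reading the input SQL from left to right`. The bodies of all three functions continue outside their hunks, so the ownership claim in the renameTokenFind comment (the token is unlinked from pParse->pRename and the caller must free it) cannot be checked against the unlink code from here.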
@@ -981,7 +1007,24 @@ static RenameToken *renameColumnTokenNext(struct RenameCtx *pCtx){
 }
 
 /*
-** sqlite_rename_column(SQL, iCol, bQuote, zNew, zTable, zOld)
+** SQL function:
+**
+** sqlite_rename_column(zSql, iCol, bQuote, zNew, zTable, zOld)
+**
+** Do a column rename operation on the CREATE statement given in zSql.
+** The iCol-th column (left-most is 0) of table zTable is renamed from zCol
+** into zNew. The name should be quoted if bQuote is true.
+**
+** This function is used internally by the ALTER TABLE RENAME COLUMN command.
+** Though accessible to application code, it is not intended for use by
+** applications. The existance of this function, and the way it works,
+** is subject to change without notice.
+**
+** If any of the parameters are out-of-bounds, then simply return NULL.
+** An out-of-bounds parameter can only occur when the application calls
+** this function directly. The parameters will always be well-formed when
+** this routine is invoked by the bytecode for a legitimate ALTER TABLE
+** statement.
 */
 static void renameColumnFunc(
   sqlite3_context *context,
@@ -1009,8 +1052,13 @@ static void renameColumnFunc(
   int nQuot = 0; /* Length of zQuot in bytes */
   int i;
 
+  if( zSql==0 ) return;
+  if( zNew==0 ) return;
+  if( zTable==0 ) return;
+  if( zOld==0 ) return;
   memset(&sCtx, 0, sizeof(sCtx));
   sCtx.iCol = sqlite3_value_int(argv[1]);
+  if( sCtx.iCol<0 ) return;
   memset(&sParse, 0, sizeof(sParse));
   sParse.eParseMode = PARSE_MODE_RENAME_COLUMN;
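Review bot: The new comment on renameColumnFunc describes the rename as `renamed from zCol into zNew`, but the signature it documents has no zCol; the old name is the zOld argument, so the line should read `** The iCol-th column (left-most is 0) of table zTable is renamed from zOld`. `existance` should be `existence`. The sentence `An out-of-bounds parameter can only occur when the application calls this function directly` also seems too strong if the NULL-pointer guards added in the following hunk are meant to cover an OOM during argument extraction (the commit message names OOMs as a motivating case, and the text arguments are presumably obtained via sqlite3_value_text(), which yields NULL on OOM); if so, a phrase such as `or when an OOM leaves a text argument NULL` would keep the comment honest about when the early return fires. renameColumnFunc's parameter list and body continue outside this hunk.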