From: dan Date: Thu, 16 Mar 2017 12:11:07 +0000 (+0000) Subject: Fix a crash that could follow an OOM condition in the instr() SQL function. X-Git-Tag: version-3.18.0~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=116b56a2ccb5671bd6ff668ad3aec104d8b4b9a9;p=thirdparty%2Fsqlite.git Fix a crash that could follow an OOM condition in the instr() SQL function. FossilOrigin-Name: 6e59e903e4e956617bddef0b94e5cae02d724ac8145940b57ab5b0f628759736 --- diff --git a/manifest b/manifest index 83da720fa0..e9aad067d4 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Updates\sto\sREADME\sfiles\sunder\sthe\sext/\shierarchy.\s\sNo\schanges\sto\scode. -D 2017-03-15T20:27:46.132 +C Fix\sa\scrash\sthat\scould\sfollow\san\sOOM\scondition\sin\sthe\sinstr()\sSQL\sfunction. +D 2017-03-16T12:11:07.597 F Makefile.in 9605f4c49eace601d5c12c85dd6e037cc613a6d823e857614ba26b42f1285db0 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434 F Makefile.msc 1faf9f06aadc9284c212dea7bbc7c0dea7e8337f0287c81001eff500912c790a @@ -36,7 +36,7 @@ F contrib/sqlitecon.tcl 210a913ad63f9f991070821e599d600bd913e0ad F doc/lemon.html b5a3c07d33ecb8e019ce8f7660fe2dbbad9d7977 F doc/pager-invariants.txt 27fed9a70ddad2088750c4a2b493b63853da2710 F doc/vfs-shm.txt e101f27ea02a8387ce46a05be2b1a902a021d37a -F ext/README.md fd5f78013b0a2bc6f0067afb19e6ad040e89a10179b4f6f03eee58fac5f169bd w ext/README.txt +F ext/README.md fd5f78013b0a2bc6f0067afb19e6ad040e89a10179b4f6f03eee58fac5f169bd F ext/async/README.txt e12275968f6fde133a80e04387d0e839b0c51f91 F ext/async/sqlite3async.c 0f3070cc3f5ede78f2b9361fb3b629ce200d7d74 F ext/async/sqlite3async.h f489b080af7e72aec0e1ee6f1d98ab6cf2e4dcef 
@@ -356,7 +356,7 @@ F src/delete.c 0d9d5549d42e79ce4d82ff1db1e6c81e36d2f67c F src/expr.c f12a581f342a6fd85d14c31e4fb84f16b3dd107f54d7728dddb62cebc79d7ce1 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007 F src/fkey.c 2e9aabe1aee76273aff8a84ee92c464e095400ae -F src/func.c c67273e1ec08abbdcc14c189892a3ff6eeece86b +F src/func.c 72ed1518f59951daca3b3480331006f074041b4753ab652b46bbdaedb77f6d6c F src/global.c 4a34512d82fc5aa13c802db06bcfff5e1d3de955 F src/hash.c 63d0ee752a3b92d4695b2b1f5259c4621b2cfebd F src/hash.h ab34c5c54a9e9de2e790b24349ba5aab3dbb4fd4 @@ -955,7 +955,7 @@ F test/mallocI.test 6c23a71df077fa5d387be90e7e669c5b368ca38a F test/mallocJ.test b5d1839da331d96223e5f458856f8ffe1366f62e F test/mallocK.test 27cb5566a6e5f2d76f9d4aa2eca45524401fd61e F test/mallocL.test fb311ff80afddf3b1a75e52289081f4754d901dc -F test/mallocM.test 491001d1e273233048d265ec6d38fdd23745b0284f0c93bc98c94b64451c9c28 +F test/mallocM.test 78bbe9d3da84a5c679123cdb40d7b2010b18fc46e13897e4f253c6ba6fbff134 F test/malloc_common.tcl aac62499b76be719fac31e7a3e54a7fd53272e7f F test/manydb.test 28385ae2087967aa05c38624cec7d96ec74feb3e F test/mem5.test c6460fba403c5703141348cd90de1c294188c68f @@ -1565,7 +1565,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P b1b1aa8b69aa80c83aec3380565f0b4ec0b6a6e033537becee098872da362e9a -R ed52dc66e6f47f5c1fac043513c8c66c -U drh -Z 7b77c481896e5fef2abe165dd1f4d320 +P 029bc5d224bcbdcca2307710539b133c39e2a27b971c28b294a1f517b80cb418 +R e125f692ae2203427c312740eb052007 +U dan +Z 43eef8b6f1a791e34b2b986222f188cc diff --git a/manifest.uuid b/manifest.uuid index b973ec5b0b..808a7701e3 100644 --- a/manifest.uuid +++ b/manifest.uuid 
@@ -1 +1 @@ -029bc5d224bcbdcca2307710539b133c39e2a27b971c28b294a1f517b80cb418 \ No newline at end of file +6e59e903e4e956617bddef0b94e5cae02d724ac8145940b57ab5b0f628759736 \ No newline at end of file
diff --git a/src/func.c b/src/func.c
index 885725bc6b..181032a5e3 100644
--- a/src/func.c
+++ b/src/func.c
@@ -204,9 +204,11 @@ static void instrFunc(
 if( typeHaystack==SQLITE_BLOB && typeNeedle==SQLITE_BLOB ){
 zHaystack = sqlite3_value_blob(argv[0]);
 zNeedle = sqlite3_value_blob(argv[1]);
- assert( zNeedle!=0 );
- assert( zHaystack!=0 || nHaystack==0 );
 isText = 0;
+ /* The following condition may be true if the arguments passed to this
+ ** function are values returned by zeroblob() or similar and an OOM
+ ** occurs while expanding the blob value. */
+ if( zNeedle==0 || (nHaystack && zHaystack==0) ) return;
 }else{
 zHaystack = sqlite3_value_text(argv[0]);
 zNeedle = sqlite3_value_text(argv[1]);
diff --git a/test/mallocM.test b/test/mallocM.test
index 85a38acf32..4da3a9e112 100644
--- a/test/mallocM.test
+++ b/test/mallocM.test
@@ -21,7 +21,7 @@ sqlite3_db_config_lookaside db 0 0 0 do_execsql_test 1.0 { CREATE TABLE t1(x); } -do_faultsim_test 1 -faults oom-t* -body { +do_faultsim_test 1 -faults oom* -body { execsql { SELECT 'abc' FROM ( SELECT 'xyz' FROM t1 WHERE (SELECT 1) ) }
@@ -29,4 +29,20 @@ do_faultsim_test 1 -faults oom-t* -body { faultsim_test_result {0 {}} } +do_execsql_test 2.0.1 { SELECT instr(x'', x'') } {1} +do_execsql_test 2.0.2 { SELECT instr(x'12345678', x'') } {1} +do_execsql_test 2.0.3 { SELECT instr(x'', x'1234') } {0} + +do_faultsim_test 2.1 -faults oom* -body { + execsql { SELECT instr (x'00', zeroblob(1)) } +} -test { + faultsim_test_result {0 1} +} + +do_faultsim_test 2.2 -faults oom* -body { + execsql { SELECT instr (zeroblob(1), x'00') } +} -test { + faultsim_test_result {0 1} +} + finish_test
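Review bot: The early `return` added after `isText = 0;` in the src/func.c hunk leaves instrFunc() without setting a result or an error, so on this path the SQL function yields NULL and the out-of-memory condition is reported only if the failed blob expansion has already recorded it on the connection, which these lines do not show. Reporting it explicitly would make the path self-contained: `if( zNeedle==0 || (nHaystack && zHaystack==0) ){ sqlite3_result_error_nomem(pCtx); return; }`, where `pCtx` stands for the function's sqlite3_context argument, whose name is outside the hunk. The `}else{` branch takes its pointers from sqlite3_value_text() with no NULL check in the visible lines; if nothing later in the body guards them, the same check belongs after both branches. instrFunc() starts before and continues past this hunk.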
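Review bot: Fault-injection cases 2.1 and 2.2 in the second test/mallocM.test hunk pass two blob arguments, so they only reach the blob/blob branch of instr(). The branch that reads its arguments through sqlite3_value_text() is never driven with a zeroblob() operand under `-faults oom*`. A third case mixing a text argument with a zeroblob, for example `execsql { SELECT instr(zeroblob(1), 'a') }`, would cover an allocation failure during that conversion; its expected value in `faultsim_test_result` should be taken from a fault-free run rather than assumed.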