From: drh
Date: Thu, 22 Sep 2016 21:37:18 +0000 (+0000)
Subject: Fix a potential null-pointer dereference and crash in the case where one
X-Git-Tag: version-3.15.0~58
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28f17017ee2ffdc6e52452b1b8f473c38e5e14ab;p=thirdparty%2Fsqlite.git
Fix a potential null-pointer dereference and crash in the case where one thread is calling sqlite3_column_text() and another thread is calling sqlite3_step() on the same prepared statement at the same instant.
FossilOrigin-Name: ee1382a36303eff8d94275ac3b12e5ce398ee620
---
diff --git a/manifest b/manifest
index ec0fb230b0..31f00c98b9 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Remove\sthe\sinternal\ssqlite3CodeOnce()\sinterface,\sreplacing\sit\swith\sa\ndirect\scall\sto\ssqlite3VdbeAddOp0(v,OP_Once).\s\sSlightly\ssmaller\sand\sfaster.
-D 2016-09-22T18:53:13.560
+C Fix\sa\spotential\snull-pointer\sdereference\sand\scrash\sin\sthe\scase\swhere\sone\nthread\sis\scalling\ssqlite3_column_text()\sand\sanother\sthread\sis\scalling\nsqlite3_step()\son\sthe\ssame\sprepared\sstatement\sat\sthe\ssame\sinstant.
+D 2016-09-22T21:37:18.049
 F Makefile.in 6fd48ffcf7c2deea7499062d1f3747f986c19678
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc 5151cc64c4c05f3455f4f692ad11410a810d937f
@@ -456,7 +456,7 @@ F src/vacuum.c 913970b9d86dd6c2b8063ef1af421880f1464ec3
 F src/vdbe.c 0f87994593787575a4a23f932d27cb4588477436
 F src/vdbe.h c044be7050ac6bf596eecc6ab159f5dbc020a3b7
 F src/vdbeInt.h d21f14721dd87975dc9e3bcdbf504f9c098cf611
-F src/vdbeapi.c 1e0505f6a5495c47180eb2e3535a9779f42e72d6
+F src/vdbeapi.c 794f80669e9e3b9b3edc78d80c15968985c7bf21
 F src/vdbeaux.c b9772e4134a17f5b42d32761f5119467815c2458
 F src/vdbeblob.c 3e82a797b60c3b9fed7b8de8c539ca7607874937
 F src/vdbemem.c 07874c2ac7c05f7df1ededc6ec6650c1339b2cad
@@ -1525,7 +1525,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 5e892d60935e5c82234d1bfaef4c5026061acceb
-R 4a98fd5ad20cf7ad4821bfd13a964ce7
+P c3774c6a5fe48af91fda28e9e18c6ed9053ea992
+R 6375993a9d5ddbf71b5ded7742ff83bd
 U drh
-Z 0d81e518bb5c5c1a02f800fff5730756
+Z 824a3b47745c16899f3e858caef9c3bd
diff --git a/manifest.uuid b/manifest.uuid
index 3aff546e20..bd5435edc8 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-c3774c6a5fe48af91fda28e9e18c6ed9053ea992
\ No newline at end of file
+ee1382a36303eff8d94275ac3b12e5ce398ee620
\ No newline at end of file
diff --git a/src/vdbeapi.c b/src/vdbeapi.c
index 937424843c..e37eeef2af 100644
--- a/src/vdbeapi.c
+++ b/src/vdbeapi.c
@@ -952,14 +952,13 @@ static Mem *columnMem(sqlite3_stmt *pStmt, int i){
 Mem *pOut;
 pVm = (Vdbe *)pStmt;
- if( pVm && pVm->pResultSet!=0 && inResColumn && i>=0 ){
- sqlite3_mutex_enter(pVm->db->mutex);
+ if( pVm==0 ) return (Mem*)columnNullValue();
+ assert( pVm->db );
+ sqlite3_mutex_enter(pVm->db->mutex);
+ if( pVm->pResultSet!=0 && inResColumn && i>=0 ){
 pOut = &pVm->pResultSet[i];
 }else{
- if( pVm && ALWAYS(pVm->db) ){
- sqlite3_mutex_enter(pVm->db->mutex);
- sqlite3Error(pVm->db, SQLITE_RANGE);
- }
+ sqlite3Error(pVm->db, SQLITE_RANGE);
 pOut = (Mem*)columnNullValue();
 }
 return pOut;
@@ -992,6 +991,8 @@ static void columnMallocFailure(sqlite3_stmt *pStmt)
 */
 Vdbe *p = (Vdbe *)pStmt;
 if( p ){
+ assert( p->db!=0 );
+ assert( sqlite3_mutex_held(p->db->mutex) );
 p->rc = sqlite3ApiExit(p->db, p->rc);
 sqlite3_mutex_leave(p->db->mutex);
 }
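Review bot: The new condition bounds the column index only from below (`i>=0`); the token `inResColumn` looks like an extraction artifact of an upper-bound test such as `i<pVm->nResColumn` whose `<pVm->` was swallowed as markup, but if that bound is really absent `&pVm->pResultSet[i]` reads past the result array for any index a caller supplies, so confirm the condition against the file. The reordering is the fix itself — `sqlite3_mutex_enter` now precedes the read of `pVm->pResultSet`, so a concurrent `sqlite3_step()` on the same statement can no longer change it between the test and the index — but nothing in the code says so; put `/* Take db->mutex before touching pResultSet: sqlite3_step() on another thread may change it concurrently. */` above the new `sqlite3_mutex_enter` call. The early `return` for `pVm==0` leaves the mutex untaken, which matches `columnMallocFailure` (second hunk; its body starts outside it) skipping `sqlite3_mutex_leave` when `p` is NULL, and the new `assert( sqlite3_mutex_held(p->db->mutex) )` there now pins that pairing, so a one-line comment on each side naming the partner function would stop the two from drifting apart. Minor: `assert( pVm->db )` here and `assert( p->db!=0 )` in the second hunk test the same condition in two spellings.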