From: drh Date: Sat, 4 Oct 2014 00:07:44 +0000 (+0000) Subject: Avoid leaking Index.aiRowEst memory if an OOM causes a rollback which deletes X-Git-Tag: version-3.8.7~44^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=75b170b16431b1b38aaf1bf64e29b8de5aec6325;p=thirdparty%2Fsqlite.git Avoid leaking Index.aiRowEst memory if an OOM causes a rollback which deletes the index before the aiRowEst deletion code in sqlite3AnalysisLoad() routine has a chance to run. Since the aiRowEst now might be deleted from freeIndex() which does not always have a db pointer, make sure the aiRowEst memory is not held in lookaside. FossilOrigin-Name: efd87ba142723ba131fcc985db6eb45c5a3c637b --- diff --git a/manifest b/manifest index db1dca9628..2b01d7bbcc 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Fix\sa\sdivision-by-zero\serror\sthat\smight\soccur\sif\sthe\ssqlite_stat1\stable\sis\scorrupt. -D 2014-10-03T19:29:39.807 +C Avoid\sleaking\sIndex.aiRowEst\smemory\sif\san\sOOM\scauses\sa\srollback\swhich\sdeletes\nthe\sindex\sbefore\sthe\saiRowEst\sdeletion\scode\sin\ssqlite3AnalysisLoad()\sroutine\nhas\sa\schance\sto\srun.\s\sSince\sthe\saiRowEst\snow\smight\sbe\sdeleted\sfrom\sfreeIndex()\nwhich\sdoes\snot\salways\shave\sa\sdb\spointer,\smake\ssure\sthe\saiRowEst\smemory\sis\nnot\sheld\sin\slookaside. +D 2014-10-04T00:07:44.206 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.in cf57f673d77606ab0f2d9627ca52a9ba1464146a F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 
@@ -166,7 +166,7 @@ F sqlite.pc.in 42b7bf0d02e08b9e77734a47798d1a55a9e0716b F sqlite3.1 3d8b83c91651f53472ca17599dae3457b8b89494 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a F src/alter.c ba266a779bc7ce10e52e59e7d3dc79fa342e8fdb -F src/analyze.c 8d5a138936dab3436e67ca3a0f6466ad2f18d86b +F src/analyze.c ee85c504829aea05489ed0c67cbcd68d6a1ea7dd F src/attach.c f4e94df2d1826feda65eb0939f7f6f5f923a0ad9 F src/auth.c d8abcde53426275dab6243b441256fcd8ccbebb2 F src/backup.c a31809c65623cc41849b94d368917f8bb66e6a7e @@ -175,7 +175,7 @@ F src/btmutex.c 49ca66250c7dfa844a4d4cb8272b87420d27d3a5 F src/btree.c fa00618117fb6bb46c243452c56997c0d22d4fc9 F src/btree.h a79aa6a71e7f1055f01052b7f821bd1c2dce95c8 F src/btreeInt.h 1bd7957161a1346a914f1f09231610e777a8e58d -F src/build.c bde83dd5cf812e310a7e5ad2846790a14745bef4 +F src/build.c 9e5205db9a0c8a1a4ce7379d60a2a34cb0b7339c F src/callback.c 7b44ce59674338ad48b0e84e7b72f935ea4f68b0 F src/complete.c 535183afb3c75628b78ce82612931ac7cdf26f14 F src/ctime.c bb434068b5308a857b181c2d204a320ff0d6c638 @@ -1201,7 +1201,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f -P e6f7f97dbc677c9f01b23142928c3fa7307c2fba -R d767aa2120b870307998a73a73f29d86 -U dan -Z 9bc979da9e7cfcf210fc63943ac10f56 +P f9c053b23ece877a7fdbe82204a10592f2d24a2d +R f53222c51c5cd542b15f6fc746109d5c +U drh +Z 12ba20164b8e53ca4d39b40be557570a diff --git a/manifest.uuid b/manifest.uuid index 662bc404af..e923963045 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -f9c053b23ece877a7fdbe82204a10592f2d24a2d \ No newline at end of file +efd87ba142723ba131fcc985db6eb45c5a3c637b \ No newline at end of file diff --git a/src/analyze.c b/src/analyze.c index 2f65fe3d3e..6b244dd9a7 100644 --- a/src/analyze.c +++ b/src/analyze.c 
@@ -1518,9 +1518,10 @@ static int analysisLoader(void *pData, int argc, char **argv, char **NotUsed){
 if( pIndex ){
 int nCol = pIndex->nKeyCol+1;
 #ifdef SQLITE_ENABLE_STAT3_OR_STAT4
- tRowcnt * const aiRowEst = pIndex->aiRowEst = (tRowcnt*)sqlite3DbMallocZero(
- pInfo->db, sizeof(tRowcnt) * nCol
+ tRowcnt * const aiRowEst = pIndex->aiRowEst = (tRowcnt*)sqlite3MallocZero(
+ sizeof(tRowcnt) * nCol
 );
+ if( aiRowEst==0 ) pInfo->db->mallocFailed = 1;
 #else
 tRowcnt * const aiRowEst = 0;
 #endif
@@ -1869,7 +1870,7 @@ int sqlite3AnalysisLoad(sqlite3 *db, int iDb){
 }
 for(i=sqliteHashFirst(&db->aDb[iDb].pSchema->idxHash);i;i=sqliteHashNext(i)){
 Index *pIdx = sqliteHashData(i);
- sqlite3DbFree(db, pIdx->aiRowEst);
+ sqlite3_free(pIdx->aiRowEst);
 pIdx->aiRowEst = 0;
 }
 #endif
diff --git a/src/build.c b/src/build.c
index 777831aab5..14d8aab587 100644
--- a/src/build.c
+++ b/src/build.c
@@ -435,6 +435,9 @@ static void freeIndex(sqlite3 *db, Index *p){
 sqlite3ExprDelete(db, p->pPartIdxWhere);
 sqlite3DbFree(db, p->zColAff);
 if( p->isResized ) sqlite3DbFree(db, p->azColl);
+#ifdef SQLITE_ENABLE_STAT3_OR_STAT4
+ sqlite3_free(p->aiRowEst);
+#endif
 sqlite3DbFree(db, p);
 }
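Review bot: The new `pIndex->aiRowEst = (tRowcnt*)sqlite3MallocZero(...)` in analysisLoader (src/analyze.c, first hunk) overwrites whatever pointer the index already holds, so if the callback runs twice for the same index — which looks possible when sqlite_stat1 carries duplicate rows for one index, and that table's content comes from the database file — the earlier array is orphaned. That is the same class of leak this commit closes for the OOM rollback path. Allocating only when `pIndex->aiRowEst` is still 0 and reusing the array otherwise avoids it; nCol is derived from the same index, so the size should match, but confirm that the decode step (outside this hunk) overwrites every slot, or zero the array before reuse. The body of analysisLoader starts and ends outside the hunk.

```c
#ifdef SQLITE_ENABLE_STAT3_OR_STAT4
    tRowcnt *aiRowEst;
    /* A repeated sqlite_stat1 row for this index must not orphan the
    ** array allocated for an earlier row: reuse it if present. */
    if( pIndex->aiRowEst==0 ){
      pIndex->aiRowEst = (tRowcnt*)sqlite3MallocZero(sizeof(tRowcnt) * nCol);
      if( pIndex->aiRowEst==0 ) pInfo->db->mallocFailed = 1;
    }
    aiRowEst = pIndex->aiRowEst;
#else
    /* … unchanged: aiRowEst is a constant 0 without STAT3/STAT4 … */
#endif
```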
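Review bot: The new `sqlite3_free(p->aiRowEst);` in freeIndex (src/build.c) is only correct while every allocation of Index.aiRowEst bypasses lookaside, and nothing in the code records that invariant; it lives only in the commit message. A comment above the call would keep a later change from switching the allocation in analysisLoader back to sqlite3DbMallocZero(), e.g. `/* aiRowEst always comes from sqlite3MallocZero(), never lookaside: db may be NULL here */`. The matching `sqlite3_free(pIdx->aiRowEst)` in sqlite3AnalysisLoad (second src/analyze.c hunk) relies on the same rule. freeIndex starts outside the hunk.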