From: dan Date: Sat, 21 Nov 2015 19:43:29 +0000 (+0000) Subject: Fix an obscure memory leak found by libfuzzer that may occur under some circumstances... X-Git-Tag: version-3.10.0~110 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8836cbbcb4924f5b78f5749dffc9857acf9b684f;p=thirdparty%2Fsqlite.git Fix an obscure memory leak found by libfuzzer that may occur under some circumstances if expanding a "*" expression causes a SELECT to return more than 32767 columns. FossilOrigin-Name: 60de5f23424552c98aa760ac89149a3d51f895be
---
diff --git a/manifest b/manifest
index 48ad5f5d35..1ed1813193 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sover-length\ssource\scode\slines.\s\sNo\slogic\schanges.
-D 2015-11-21T17:27:42.127
+C Fix\san\sobscure\smemory\sleak\sfound\sby\slibfuzzer\sthat\smay\soccur\sunder\ssome\scircumstances\sif\sexpanding\sa\s"*"\sexpression\scauses\sa\sSELECT\sto\sreturn\smore\sthan\s32767\scolumns.
+D 2015-11-21T19:43:29.760
 F Makefile.in d828db6afa6c1fa060d01e33e4674408df1942a1
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc e928e68168df69b353300ac87c10105206653a03
@@ -339,7 +339,7 @@ F src/printf.c f8fc8f04e75b1e983ef2793c27ec7a43b287e94a
 F src/random.c ba2679f80ec82c4190062d756f22d0c358180696
 F src/resolve.c f4c897ca76ca6d5e0b3f0499c627392ffe657c8e
 F src/rowset.c eccf6af6d620aaa4579bd3b72c1b6395d9e9fa1e
-F src/select.c 0495e86f8377026fbd529a1a5bf62046cbb6eec5
+F src/select.c e10586c750d87211caa8f4b239e2bfa6a2049e5b
 F src/shell.c f0f59ea60ad297f671b7ae0fb957a736ad17c92c
 F src/sqlite.h.in fa62718f73553f06b2f2e362fd09ccb4e1cbb626
 F src/sqlite3.rc 992c9f5fb8285ae285d6be28240a7e8d3a7f2bad
@@ -1038,7 +1038,7 @@ F test/speedtest1.c f8bf04214e7b5f745feea99f7bde68b1c4870666
 F test/spellfix.test 0597065ff57042df1f138e6a2611ae19c2698135
 F test/spellfix2.test dfc8f519a3fc204cb2dfa8b4f29821ae90f6f8c3
 F test/sqldiff1.test 8f6bc7c6a5b3585d350d779c6078869ba402f8f5
-F test/sqllimits1.test 89b3d5aad05b99f707ee3786bdd4416dccf83304
+F test/sqllimits1.test a74ee2a3740b9f9c2437c246d8fb77354862a142
 F test/sqllog.test a8faa2df39610a037dd372ed872d124260d32953
 F test/stat.test 8de91498c99f5298b303f70f1d1f3b9557af91bf
 F test/statfault.test f525a7bf633e50afd027700e9a486090684b1ac1
@@ -1404,7 +1404,7 @@ F tool/vdbe_profile.tcl 246d0da094856d72d2c12efec03250d71639d19f
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 48bd54594752d5be3337f12c72f28d2080cb630b
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P ff5716b89f99d9c4568a39f1f52524528a631623
-R 558d15295cc22b403e8d5cb8c3ebd48a
-U drh
-Z 0a3988f827c1f289bd36fdbbf324f548
+P 198d191b2f5ef7d63ac0093c701955c9052fd734
+R 8ed8d9e954ea81e19ae35a6836359b00
+U dan
+Z f96d100152be981f85597b50bc9a8134
diff --git a/manifest.uuid b/manifest.uuid
index 48582621bb..90fb983695 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-198d191b2f5ef7d63ac0093c701955c9052fd734
\ No newline at end of file
+60de5f23424552c98aa760ac89149a3d51f895be
\ No newline at end of file
diff --git a/src/select.c b/src/select.c
index dc8443e8b5..cf486e5b85 100644
--- a/src/select.c
+++ b/src/select.c
@@ -1613,6 +1613,7 @@ int sqlite3ColumnsFromExprList(
     nCol = 0;
     aCol = 0;
   }
+  assert( nCol==(i16)nCol );
   *pnCol = nCol;
   *paCol = aCol;
 
@@ -4455,6 +4456,7 @@ static int selectExpander(Walker *pWalker, Select *p){
 #if SQLITE_MAX_COLUMN
   if( p->pEList && p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){
     sqlite3ErrorMsg(pParse, "too many columns in result set");
+    return WRC_Abort;
   }
 #endif
   return WRC_Continue;
diff --git a/test/sqllimits1.test b/test/sqllimits1.test
index ec72723ebe..9508b5233d 100644
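Review bot: The new `return WRC_Abort;` after the "too many columns in result set" error is only compiled when `SQLITE_MAX_COLUMN` is nonzero (the `#if` on the line above it), so a build that defines it as 0 gets no runtime rejection here and falls back on the `assert( nCol==(i16)nCol )` added in the earlier hunk, which NDEBUG strips, leaving `*pnCol = nCol` to narrow silently (pnCol looks like an i16 out-parameter from that cast; its declaration is outside the hunk). The comparison is against `db->aLimit[SQLITE_LIMIT_COLUMN]`, a per-connection value, so the i16 assumption presumably rests on its compile-time ceiling staying at or below 32767 rather than on this check alone. A compile-time pin next to the check, `#if SQLITE_MAX_COLUMN>32767` / `# error "SQLITE_MAX_COLUMN must fit in an i16"` / `#endif`, or a runtime `if( nCol>32767 )` rejection in sqlite3ColumnsFromExprList, would hold that assumption in every configuration. I would also comment the new line, `/* Stop the walk: a column count this large would be truncated by the i16 used downstream */`. selectExpander's body continues outside the hunk.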
--- a/test/sqllimits1.test
+++ b/test/sqllimits1.test
@@ -874,6 +874,17 @@ do_test sqllimits1-16.2 {
   }
 } {1 {string or blob too big}}
 
+do_catchsql_test sqllimits1.17.0 {
+  SELECT *,*,*,*,*,*,*,* FROM (
+    SELECT *,*,*,*,*,*,*,* FROM (
+      SELECT *,*,*,*,*,*,*,* FROM (
+        SELECT *,*,*,*,*,*,*,* FROM (
+          SELECT *,*,*,*,*,*,*,* FROM (
+            SELECT 1,2,3,4,5,6,7,8,9,10
+          )
+        ))))
+} "1 {too many columns in result set}"
+
 foreach {key value} [array get saved] {
   catch {set $key $value}