From: dan
Date: Fri, 30 Dec 2016 14:15:56 +0000 (+0000)
Subject: Avoid passing NULL pointers to memcmp() or memcpy(), even when the
X-Git-Tag: version-3.16.0~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=895decf6b5c21d73f5de02581498c221dfa7c5f8;p=thirdparty%2Fsqlite.git

Avoid passing NULL pointers to memcmp() or memcpy(), even when the
"number-of-bytes" argument is passed 0.

FossilOrigin-Name: 56ff72ab44288296efc99a608f7edc4346366a50
---

diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
index 70ca840dae..50793df0a0 100644
--- a/ext/session/sqlite3session.c
+++ b/ext/session/sqlite3session.c
@@ -374,9 +374,7 @@ static int sessionSerializeValue(
 if( aBuf ){
 sessionVarintPut(&aBuf[1], n);
- memcpy(&aBuf[nVarint + 1], eType==SQLITE_TEXT ?
- sqlite3_value_text(pValue) : sqlite3_value_blob(pValue), n
- );
+ if( n ) memcpy(&aBuf[nVarint + 1], z, n);
 }
 nByte = 1 + nVarint + n;
@@ -1792,7 +1790,7 @@ static void sessionAppendBlob(
 int nBlob,
 int *pRc
 ){
- if( 0==sessionBufferGrow(p, nBlob, pRc) ){
+ if( nBlob>0 && 0==sessionBufferGrow(p, nBlob, pRc) ){
 memcpy(&p->aBuf[p->nBuf], aBlob, nBlob);
 p->nBuf += nBlob;
 }
@@ -1978,13 +1976,13 @@ static int sessionAppendUpdate(
 }
 default: {
- int nByte;
- int nHdr = 1 + sessionVarintGet(&pCsr[1], &nByte);
+ int n;
+ int nHdr = 1 + sessionVarintGet(&pCsr[1], &n);
 assert( eType==SQLITE_TEXT || eType==SQLITE_BLOB );
- nAdvance = nHdr + nByte;
+ nAdvance = nHdr + n;
 if( eType==sqlite3_column_type(pStmt, i)
- && nByte==sqlite3_column_bytes(pStmt, i)
- && 0==memcmp(&pCsr[nHdr], sqlite3_column_blob(pStmt, i), nByte)
+ && n==sqlite3_column_bytes(pStmt, i)
+ && (n==0 || 0==memcmp(&pCsr[nHdr], sqlite3_column_blob(pStmt, i), n))
 ){
 break;
 }
diff --git a/manifest b/manifest
index a98844efba..52cf7abd9c 100644
--- a/manifest
+++ b/manifest
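Review bot: The new `if( n )` guard carries no comment saying why it exists, and the same holds for the guards added in sessionAppendBlob, sessionAppendUpdate, loadStatTbl (src/analyze.c), sqlite3ParseUri (src/main.c) and sqlite3StrAccumAppend (src/printf.c); a later cleanup could drop them as redundant, since memcpy() with a zero count looks harmless. A one-line comment at each site, such as `/* z may be NULL when n==0; memcpy()/memcmp() on a NULL pointer is undefined even for 0 bytes */`, would record the intent the commit message states. The new line also depends on `z` being assigned above the hunk; presumably it is the same text or blob pointer the removed lines recomputed, but that cannot be confirmed from here. sessionSerializeValue begins outside the hunk.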
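Review bot: A negative nBlob now fails the `nBlob>0` test and is silently ignored, where previously it would have reached sessionBufferGrow() and the memcpy(); if callers never pass a negative length, make that contract visible with `assert( nBlob>=0 );` ahead of the `if`, so a bad length trips in debug builds instead of disappearing. Whether such an assert already exists above the hunk is not visible from here; the function's signature starts outside it.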
@@ -1,5 +1,5 @@ -C Fix\sa\sharmless\scompiler\swarning\sin\sfuzzcheck.c -D 2016-12-30T12:10:48.960 +C Avoid\spassing\sNULL\spointers\sto\smemcmp()\sor\smemcpy(),\seven\swhen\sthe\n"number-of-bytes"\sargument\sis\spassed\s0. +D 2016-12-30T14:15:56.745 F Makefile.in 41bd4cad981487345c4a84081074bcdb876e4b2e F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434 F Makefile.msc b8ca53350ae545e3562403d5da2a69cec79308da @@ -303,7 +303,7 @@ F ext/session/sessionG.test 01ef705096a9d3984eebdcca79807a211dee1b60 F ext/session/session_common.tcl 9b696a341cf1d3744823715ed92bb19749b6c3d4 F ext/session/sessionfault.test da273f2712b6411e85e71465a1733b8501dbf6f7 F ext/session/sessionfault2.test 04aa0bc9aa70ea43d8de82c4f648db4de1e990b0 -F ext/session/sqlite3session.c 37485891b4add26cf61495df193c419f36556a32 +F ext/session/sqlite3session.c c61a43396368ec00dc127f7bc647e9bd6a4ee5fb F ext/session/sqlite3session.h 9345166bd8f80562145586cf817f707de5ecada2 F ext/session/test_session.c eb0bd6c1ea791c1d66ee4ef94c16500dad936386 F ext/userauth/sqlite3userauth.h 19cb6f0e31316d0ee4afdfb7a85ef9da3333a220 @@ -325,7 +325,7 @@ F sqlite.pc.in 42b7bf0d02e08b9e77734a47798d1a55a9e0716b F sqlite3.1 fc7ad8990fc8409983309bb80de8c811a7506786 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a F src/alter.c 3b23977620ce9662ac54443f65b87ba996e36121 -F src/analyze.c 8b62b2cf4da85451534ac0af82cafc418d837f68 +F src/analyze.c 3c4a63ff7a55faefecf6eb1589932fdbc06b2415 F src/attach.c f6725410c184a80d8141b294fdf98a854c8a52b5 F src/auth.c 930b376a9c56998557367e6f7f8aaeac82a2a792 F src/backup.c faf17e60b43233c214aae6a8179d24503a61e83b 
@@ -344,7 +344,7 @@ F src/delete.c c8bc10d145c9666a34ae906250326fdaa8d58fa5 F src/expr.c a90e37bc542abe33890cafccacbf8a7db9cb5401 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007 F src/fkey.c 2e9aabe1aee76273aff8a84ee92c464e095400ae -F src/func.c 43916c1d8e6da5d107d91d2b212577d4f69a876a +F src/func.c e0190fd64810a66889bd52c8950f6b5ab3e67356 F src/global.c dcdb89f30b7aa531c5660030af106bc5bc48ef2e F src/hash.c 63d0ee752a3b92d4695b2b1f5259c4621b2cfebd F src/hash.h ab34c5c54a9e9de2e790b24349ba5aab3dbb4fd4 @@ -353,7 +353,7 @@ F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71 F src/insert.c 91ba5d0143e66479081536ebbaff1850ec9f57d9 F src/legacy.c 75d3023be8f0d2b99d60f905090341a03358c58e F src/loadext.c 5d6642d141c07d366e43d359e94ec9de47add41d -F src/main.c f2d0e34457ba8c5cce6d78a32cacab388d33e967 +F src/main.c e207b81542d13b9f13d61e78ca441f9781f055b0 F src/malloc.c f3fad34cd570022abca558c573f1761fb09a8212 F src/mem0.c 6a55ebe57c46ca1a7d98da93aaa07f99f1059645 F src/mem1.c 6919bcf12f221868ea066eec27e579fed95ce98b @@ -384,7 +384,7 @@ F src/pcache1.c e3967219b2a92b9edcb9324a4ba75009090d3953 F src/pragma.c 5a23557e490e7ac5afef097efc4b59dce5b482c2 F src/pragma.h f9b221b2c8949ea941dbee49934299e4ed5af41c F src/prepare.c b1140c3d0cf59bc85ace00ce363153041b424b7a -F src/printf.c f94da4935d1dd25420ac50c6745db1deb35e07c1 +F src/printf.c 0c8579432f47948d9be5077eb590e8c4a01be667 F src/random.c 80f5d666f23feb3e6665a6ce04c7197212a88384 F src/resolve.c bb070cf5f23611c44ab7e4788803684e385fc3fb F src/rowset.c 7b7e7e479212e65b723bf40128c7b36dc5afdfac 
@@ -1540,7 +1540,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 3e25ba6e42fba239795a465b8510386a361ee5be
-R cb43d33d19adf32bebd1dfaa0e0b456a
-U drh
-Z 067d360edde333b631fbf0df03bf7c2e
+P 2842bc60538369f888c7df8365858c910322277d
+R 2f360df0a4ed7700031588f42df25e4f
+U dan
+Z 37bb29b03ead205804ed648a38318574
diff --git a/manifest.uuid b/manifest.uuid
index 6755f6c671..3fe3e58c51 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-2842bc60538369f888c7df8365858c910322277d
\ No newline at end of file
+56ff72ab44288296efc99a608f7edc4346366a50
\ No newline at end of file
diff --git a/src/analyze.c b/src/analyze.c
index e3955f3022..c480a0c507 100644
--- a/src/analyze.c
+++ b/src/analyze.c
@@ -1766,7 +1766,9 @@ static int loadStatTbl(
 sqlite3_finalize(pStmt);
 return SQLITE_NOMEM_BKPT;
 }
- memcpy(pSample->p, sqlite3_column_blob(pStmt, 4), pSample->n);
+ if( pSample->n ){
+ memcpy(pSample->p, sqlite3_column_blob(pStmt, 4), pSample->n);
+ }
 pIdx->nSample++;
 }
 rc = sqlite3_finalize(pStmt);
diff --git a/src/func.c b/src/func.c
index 5b8ed6dd2b..37f7cd6152 100644
--- a/src/func.c
+++ b/src/func.c
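Review bot: The pointer returned by sqlite3_column_blob(pStmt, 4) is still handed to memcpy() unchecked when pSample->n is non-zero; the `return SQLITE_NOMEM_BKPT` just above covers the allocation of pSample->p, but per the sqlite3_column_* contract the accessor itself can return NULL on an allocation failure, and that NULL would then be read here. Presumably pSample->n comes from sqlite3_column_bytes() above the hunk, so the two normally agree, but fetching the pointer into a local and routing the n>0 && NULL case to the same NOMEM return closes the gap: `const void *pBlob = sqlite3_column_blob(pStmt, 4);` followed by `if( pSample->n && pBlob==0 ){ sqlite3_finalize(pStmt); return SQLITE_NOMEM_BKPT; }`. loadStatTbl starts and ends outside the hunk.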
@@ -200,25 +200,27 @@ static void instrFunc(
 if( typeHaystack==SQLITE_NULL || typeNeedle==SQLITE_NULL ) return;
 nHaystack = sqlite3_value_bytes(argv[0]);
 nNeedle = sqlite3_value_bytes(argv[1]);
- if( typeHaystack==SQLITE_BLOB && typeNeedle==SQLITE_BLOB ){
- zHaystack = sqlite3_value_blob(argv[0]);
- zNeedle = sqlite3_value_blob(argv[1]);
- isText = 0;
- }else{
- zHaystack = sqlite3_value_text(argv[0]);
- zNeedle = sqlite3_value_text(argv[1]);
- isText = 1;
- if( zNeedle==0 ) return;
- assert( zHaystack );
- }
- while( nNeedle<=nHaystack && memcmp(zHaystack, zNeedle, nNeedle)!=0 ){
- N++;
- do{
- nHaystack--;
- zHaystack++;
- }while( isText && (zHaystack[0]&0xc0)==0x80 );
+ if( nNeedle>0 ){
+ if( typeHaystack==SQLITE_BLOB && typeNeedle==SQLITE_BLOB ){
+ zHaystack = sqlite3_value_blob(argv[0]);
+ zNeedle = sqlite3_value_blob(argv[1]);
+ isText = 0;
+ }else{
+ zHaystack = sqlite3_value_text(argv[0]);
+ zNeedle = sqlite3_value_text(argv[1]);
+ isText = 1;
+ if( zNeedle==0 ) return;
+ assert( zHaystack );
+ }
+ while( nNeedle<=nHaystack && memcmp(zHaystack, zNeedle, nNeedle)!=0 ){
+ N++;
+ do{
+ nHaystack--;
+ zHaystack++;
+ }while( isText && (zHaystack[0]&0xc0)==0x80 );
+ }
+ if( nNeedle>nHaystack ) N = 0;
 }
- if( nNeedle>nHaystack ) N = 0;
 sqlite3_result_int(context, N);
 }
diff --git a/src/main.c b/src/main.c
index ffb1bc2a97..9aad8fdd4c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -2739,7 +2739,9 @@ int sqlite3ParseUri(
 }else{
 zFile = sqlite3_malloc64(nUri+2);
 if( !zFile ) return SQLITE_NOMEM_BKPT;
- memcpy(zFile, zUri, nUri);
+ if( nUri ){
+ memcpy(zFile, zUri, nUri);
+ }
 zFile[nUri] = '\0';
 zFile[nUri+1] = '\0';
 flags &= ~SQLITE_OPEN_URI;
diff --git a/src/printf.c b/src/printf.c
index 8de0a924ae..91b753e04f 100644
--- a/src/printf.c
+++ b/src/printf.c
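Review bot: Wrapping the whole search in `if( nNeedle>0 ){ … }` re-indents the entire unchanged search loop, so the diff hides that the only behavioural change is skipping the search for an empty needle; an early exit right after the two length reads, `if( nNeedle==0 ){ sqlite3_result_int(context, N); return; }`, would have left the loop untouched and kept the hunk to a couple of lines. Either way the guard deserves a comment, e.g. `/* empty needle: keep N as initialised; memcmp() must not be given a NULL pointer */`, so the zero case is not later folded back into the loop. N's initial value and the rest of instrFunc are outside the hunk.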
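Review bot: The guard here and in loadStatTbl is a three-line braced block, while sessionSerializeValue writes the same check as a one-liner, `if( n ) memcpy(...)`; the six sites introduced by this commit would be easier to recognise as one pattern if they all used the same form. A short comment on the branch would also help, e.g. `/* zUri may be NULL when nUri==0 */` if that is indeed the case, since the terminators `zFile[nUri]` and `zFile[nUri+1]` below are still written unconditionally and a reader may wonder why only the copy is guarded. sqlite3ParseUri continues outside the hunk on both sides.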
@@ -841,7 +841,7 @@ void sqlite3StrAccumAppend(StrAccum *p, const char *z, int N){
 assert( p->accError==0 || p->nAlloc==0 );
 if( p->nChar+N >= p->nAlloc ){
 enlargeAndAppend(p,z,N);
-}else{
+}else if( N ){
 assert( p->zText );
 p->nChar += N;
 memcpy(&p->zText[p->nChar-N], z, N);
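Review bot: `}else if( N ){` still admits a negative N: it fails the `p->nChar+N >= p->nAlloc` test and then executes `p->nChar += N` and `memcpy(&p->zText[p->nChar-N], z, N)` with the negative count converted to size_t, unless an assert above the hunk already rules that out. `}else if( N>0 ){` would exclude it explicitly and match the `nBlob>0` form the same commit uses in sessionAppendBlob. Note too that the first branch still calls enlargeAndAppend(p,z,N) with N==0 whenever nChar+N reaches nAlloc, including a fresh accumulator with nAlloc==0, so that function must carry its own zero-length guard; it is outside the hunk, as is the start of sqlite3StrAccumAppend.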