From: drh Date: Tue, 27 Jan 2015 13:17:05 +0000 (+0000) Subject: Fix a (almost always harmless) read past the end of a memory allocation X-Git-Tag: version-3.8.9~153 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a58d4a9612f0ca27344b0802169dca467faa13ca;p=thirdparty%2Fsqlite.git Fix a (almost always harmless) read past the end of a memory allocation that comes about because the Expr.pTab field is checked on an EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to know that the Expr.pTab field is meaningless. FossilOrigin-Name: e098de691002a78270540430b0df1e120582b53f --- diff --git a/manifest b/manifest index f00b0e5c05..26c720e3c2 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C The\sva_list\sargument\scannot\stake\son\sa\sNULL\svalue\sand\scannot\sbe\scompared\swith\nNULL\son\ssome\splatforms\s(ex:\sARM).\s\sSo\sdo\snot\sattempt\sto\sdo\sso. -D 2015-01-25T20:19:53.843 +C Fix\sa\s(almost\salways\sharmless)\sread\spast\sthe\send\sof\sa\smemory\sallocation\nthat\scomes\sabout\sbecause\sthe\sExpr.pTab\sfield\sis\schecked\son\san\nEXPR_REDUCEDSIZE\sExpr\sobject\sbefore\schecking\sthe\sExpr.op\sfield\sto\nknow\sthat\sthe\sExpr.pTab\sfield\sis\smeaningless. +D 2015-01-27T13:17:05.225 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.in 5407a688f4d77a05c18a8142be8ae5a2829dd610 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 @@ -182,7 +182,7 @@ F src/complete.c 198a0066ba60ab06fc00fba1998d870a4d575463 F src/ctime.c 98f89724adc891a1a4c655bee04e33e716e05887 F src/date.c e4d50b3283696836ec1036b695ead9a19e37a5ac F src/delete.c bd1a91ddd247ce13004075251e0b7fe2bf9925ef -F src/expr.c 33a4518b2c786903cb185dbdc66e071ac38d467e +F src/expr.c abe930897ccafae3819fd2855cbc1b00c262fd12 F src/fault.c 160a0c015b6c2629d3899ed2daf63d75754a32bb F src/fkey.c e0444b61bed271a76840cbe6182df93a9baa3f12 F src/func.c 6d3c4ebd72aa7923ce9b110a7dc15f9b8c548430 @@ -734,7 +734,7 @@ F test/minmax.test 42fbad0e81afaa6e0de41c960329f2b2c3526efd F test/minmax2.test b44bae787fc7b227597b01b0ca5575c7cb54d3bc F test/minmax3.test cc1e8b010136db0d01a6f2a29ba5a9f321034354 F test/minmax4.test 936941484ebdceb8adec7c86b6cd9b6e5e897c1f -F test/misc1.test 1201a037c24f982cc0e956cdaa34fcaf6439c417 +F test/misc1.test 4864f2834b203cad7f688df8a5f725e4bab08029 F test/misc2.test 00d7de54eda90e237fc9a38b9e5ccc769ebf6d4d F test/misc3.test cf3dda47d5dda3e53fc5804a100d3c82be736c9d F test/misc4.test 9c078510fbfff05a9869a0b6d8b86a623ad2c4f6 @@ -1237,7 +1237,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f -P 2a9ea9b4a7d6904efb2112e32efe84123dfa75d7 -R c61f1e2c587edb0aaed1944a39bd65a6 +P 1964e656b4b420e8d6a4ba12d270ed02db292b88 +R 5d4aecd212970d14e41b3c7464003655 U drh -Z 4e92b2f1fb46383d9f32b9035c98c869 +Z 469718f07e1956a0a1c83ab2938852ec diff --git a/manifest.uuid b/manifest.uuid index d74709bc23..488022b3f9 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -1964e656b4b420e8d6a4ba12d270ed02db292b88 \ No newline at end of file +e098de691002a78270540430b0df1e120582b53f \ No newline at end of file diff --git a/src/expr.c b/src/expr.c index 64fb3c5fd4..25bd958ceb 100644 --- a/src/expr.c +++ b/src/expr.c @@ -132,9 +132,9 @@ CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr){ pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken); break; } - if( p->pTab!=0 - && (op==TK_AGG_COLUMN || op==TK_COLUMN + if( (op==TK_AGG_COLUMN || op==TK_COLUMN || op==TK_REGISTER || op==TK_TRIGGER) + && p->pTab!=0 ){ /* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally ** a TK_COLUMN but was previously evaluated and cached in a register */ diff --git a/test/misc1.test b/test/misc1.test index 173b77d637..d18223e67b 100644 --- a/test/misc1.test +++ b/test/misc1.test @@ -621,4 +621,14 @@ do_test misc1-19.2 { set fault_callbacks } {0} +# 2015-01-26: Valgrind-detected over-read. +# Reported on sqlite-users@sqlite.org by Michal Zalewski. Found by afl-fuzz +# presumably. +# +do_execsql_test misc1-20.1 { + CREATE TABLE t0(x INTEGER DEFAULT(0==0) NOT NULL); + REPLACE INTO t0(x) VALUES(''); + SELECT rowid, quote(x) FROM t0; +} {1 ''} + finish_test