From: drh Date: Tue, 8 Mar 2011 02:38:28 +0000 (+0000) Subject: Fix additional cases of possible signed integer overflow, especially with X-Git-Tag: version-3.7.6~115 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d50ffc416fc47ad9ed6c643d4aaba0df2e59254c;p=thirdparty%2Fsqlite.git Fix additional cases of possible signed integer overflow, especially with regard to negation. FossilOrigin-Name: 2d5800bd8cfc7d7f5578a71b1aeaa74b2ec4b372 --- diff --git a/manifest b/manifest index 00e7080f20..61ec936a43 100644 --- a/manifest +++ b/manifest @@ -1,8 +1,8 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 -C Another\sminor\ssimplification\sbrought\sto\slight\sby\sclang. -D 2011-03-06T21:54:33.572 +C Fix\sadditional\scases\sof\spossible\ssigned\sinteger\soverflow,\sespecially\swith\nregard\sto\snegation. +D 2011-03-08T02:38:28.410 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.in 27701a1653595a1f2187dc61c8117e00a6c1d50f F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 @@ -124,7 +124,7 @@ F src/auth.c 523da7fb4979469955d822ff9298352d6b31de34 F src/backup.c 6728d6d48d55b449af76a3e51c0808849cb32a2e F src/bitvec.c af50f1c8c0ff54d6bdb7a80e2fceca5a93670bef F src/btmutex.c 96a12f50f7a17475155971a241d85ec5171573ff -F src/btree.c 33265f923a6bcbc035a0914699ab312b93584791 +F src/btree.c 43302cc4f3de6479b90fa6bb271b65d86333d00e F src/btree.h e2f2cd9933bf30724f53ffa12c4c5a3a864bbd6e F src/btreeInt.h 20f73dc93b1eeb83afd7259fbc6bd7dcf2df7fe4 F src/build.c 00a327120d81ace6267e714ae8010c997d55de5d 
@@ -133,7 +133,7 @@ F src/complete.c dc1d136c0feee03c2f7550bafc0d29075e36deac F src/ctime.c 7deec4534f3b5a0c3b4a4cbadf809d321f64f9c4 F src/date.c 1548fdac51377e4e7833251de878b4058c148e1b F src/delete.c 7ed8a8c8b5f748ece92df173d7e0f7810c899ebd -F src/expr.c 66c9383e5e1f5259c43ef3aa7883da66cfc0f492 +F src/expr.c 00817c672af554321fd67c44325afd7cef0e4648 F src/fault.c 160a0c015b6c2629d3899ed2daf63d75754a32bb F src/fkey.c 418b840007c873975fd0d071746d952f8bca20ce F src/func.c 3a8cb2fb2de3e3aed7f39106daf4878d9d17fcce @@ -173,8 +173,8 @@ F src/parse.y 12b7ebd61ea54f0e1b1083ff69cc2c8ce9353d58 F src/pcache.c 09d38c44ab275db581f7a2f6ff8b9bc7f8c0faaa F src/pcache.h c683390d50f856d4cd8e24342ae62027d1bb6050 F src/pcache1.c d548e31beafa792d1994b663a29a5303569efc4e -F src/pragma.c a83f320497aee18eda60fc8d854df5897906c2b1 -F src/prepare.c 319b47280b6281e6d4f6c57a1651e4f1ea3dac8a +F src/pragma.c 4221eb822d7cdb1fb69be555b189e15e5a24b6b5 +F src/prepare.c eb4944d9f7bfa13eb42a7416ed9aaed4de4d0bf3 F src/printf.c 585a36b6a963df832cfb69505afa3a34ed5ef8a1 F src/random.c cd4a67b3953b88019f8cd4ccd81394a8ddfaba50 F src/resolve.c 1c0f32b64f8e3f555fe1f732f9d6f501a7f05706 @@ -183,7 +183,7 @@ F src/select.c d24406c45dd2442eb2eeaac413439066b149c944 F src/shell.c 649c51979812f77f97507024a4cea480c6862b8b F src/sqlite.h.in ccb23cc9378874c7c72682b739f311474a80848d F src/sqlite3ext.h c90bd5507099f62043832d73f6425d8d5c5da754 -F src/sqliteInt.h 118481da7db00c4ae2709ed8af6498be900e6ae0 +F src/sqliteInt.h 2cea3e47997e3f4d9b4f1ce62f99c35be1b5a586 F src/sqliteLimit.h a17dcd3fb775d63b64a43a55c54cb282f9726f44 F src/status.c 4997380fbb915426fef9e500b4872e79c99267fc F src/table.c 2cd62736f845d82200acfa1287e33feb3c15d62e 
@@ -231,7 +231,7 @@ F src/tokenize.c 604607d6813e9551cf5189d899e0a25c12681080 F src/trigger.c 95d2ff4b2996fabe886c9764b5978980e29f4afa F src/update.c 81911be16ece3c3e7716aa18565b4814ec41f8b9 F src/utf.c 1baeeac91707a4df97ccc6141ec0f808278af685 -F src/util.c 0e04fb389132f3cfbd5ea69a096206da1cbf32de +F src/util.c f6c87805d36799a0d90ea6f0c8c961bee84a6950 F src/vacuum.c 924bd1bcee2dfb05376f79845bd3b4cec7b54b2f F src/vdbe.c ac6e8b8264dcc0e4beea44307ff63b1275a9ca3e F src/vdbe.h 4de0efb4b0fdaaa900cf419b35c458933ef1c6d2 @@ -239,7 +239,7 @@ F src/vdbeInt.h 6e6f28e9bccc6c703dca1372fd661c57b5c15fb0 F src/vdbeapi.c a09ad9164cafc505250d5dd6b69660c960f1308c F src/vdbeaux.c 00439455c80ff7b37d7f2e5be5c0cf02de732a42 F src/vdbeblob.c 18955f0ee6b133cd08e1592010cb9a6b11e9984c -F src/vdbemem.c d8f713bcc3e176040d3e2bb4fbffc3b31faa4252 +F src/vdbemem.c 0498796b6ffbe45e32960d6a1f5adfb6e419883b F src/vdbetrace.c 3ba13bc32bdf16d2bdea523245fd16736bed67b5 F src/vtab.c b297e8fa656ab5e66244ab15680d68db0adbec30 F src/wal.c 7334009b396285b658a95a3b6bc6d2b016a1f794 @@ -914,14 +914,14 @@ F tool/speedtest2.tcl ee2149167303ba8e95af97873c575c3e0fab58ff F tool/speedtest8.c 2902c46588c40b55661e471d7a86e4dd71a18224 F tool/speedtest8inst1.c 293327bc76823f473684d589a8160bde1f52c14e F tool/vdbe-compress.tcl d70ea6d8a19e3571d7ab8c9b75cba86d1173ff0f -P 01a79d5a7af48fb7e50291c0c7c6283d3fb359d0 -R f26f22d38e31d99ab2a9418e84c97bed +P 3bfbf026dd6a0eeef07f8f5f1ebf74c9cfebcd61 +R 14384a8f4890b1a5943c537e15c8a789 U drh -Z a115c36c7eaf4f6e951cb7f5d4e94ec0 +Z f625fb04060bd1f53406bce59c01aeac -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) -iD8DBQFNdAKcoxKgR168RlERAtyUAJ9ywxjzGGZVVqunZ3Nt1qv9pd2YmgCfR7rm -kZxrrIHa7TLJ4O/kbYiB2Mw= -=Rm5M +iD8DBQFNdZanoxKgR168RlERAuRYAJ9wNMACH3kVtSPlH9ioTxMSTFcVAwCdEtGo +QSf9S56IOhmO4JkP2her+Ik= +=G+By -----END PGP SIGNATURE----- diff --git a/manifest.uuid b/manifest.uuid index 3ee000c911..5beb948d1c 100644 --- a/manifest.uuid +++ b/manifest.uuid 
@@ -1 +1 @@ -3bfbf026dd6a0eeef07f8f5f1ebf74c9cfebcd61 \ No newline at end of file +2d5800bd8cfc7d7f5578a71b1aeaa74b2ec4b372 \ No newline at end of file diff --git a/src/btree.c b/src/btree.c index fa0889adbe..33d7460675 100644 --- a/src/btree.c +++ b/src/btree.c @@ -4901,11 +4901,9 @@ static int allocateBtreePage( u32 i; int dist; closest = 0; - dist = get4byte(&aData[8]) - nearby; - if( dist<0 ) dist = -dist; + dist = sqlite3AbsInt32(get4byte(&aData[8]) - nearby); for(i=1; iz==0 || sqlite3GetInt32(pToken->z, &iValue)==0 ){ nExtra = pToken->n+1; + assert( iValue>=0 ); } } pNew = sqlite3DbMallocZero(db, sizeof(Expr)+nExtra); @@ -614,6 +615,8 @@ void sqlite3ExprAssignVarNumber(Parse *pParse, Expr *pExpr){ */ void sqlite3ExprDelete(sqlite3 *db, Expr *p){ if( p==0 ) return; + /* Sanity check: Assert that the IntValue is non-negative if it exists */ + assert( !ExprHasProperty(p, EP_IntValue) || p->u.iValue>=0 ); if( !ExprHasAnyProperty(p, EP_TokenOnly) ){ sqlite3ExprDelete(db, p->pLeft); sqlite3ExprDelete(db, p->pRight); @@ -1223,13 +1226,6 @@ int sqlite3ExprIsInteger(Expr *p, int *pValue){ } default: break; } - if( rc ){ - assert( ExprHasAnyProperty(p, EP_Reduced|EP_TokenOnly) - || (p->flags2 & EP2_MallocedToken)==0 ); - p->op = TK_INTEGER; - p->flags |= EP_IntValue; - p->u.iValue = *pValue; - } return rc; } @@ -1954,6 +1950,7 @@ static void codeInteger(Parse *pParse, Expr *pExpr, int negFlag, int iMem){ Vdbe *v = pParse->pVdbe; if( pExpr->flags & EP_IntValue ){ int i = pExpr->u.iValue; + assert( i>=0 ); if( negFlag ) i = -i; sqlite3VdbeAddOp2(v, OP_Integer, i, iMem); }else{ diff --git a/src/pragma.c b/src/pragma.c index cbfe01f014..db55e4bb41 100644 --- a/src/pragma.c +++ b/src/pragma.c 
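Review bot: In the codeInteger hunk, `if( negFlag ) i = -i;` is now free of signed overflow only because of the new invariant that Expr.u.iValue is never negative; the added `assert( i>=0 )` documents that in debug builds, but a reader of a release build has nothing to go on. A one-line comment next to the assert would carry the reasoning: `/* u.iValue is always non-negative, so -i cannot overflow here */`. The block removed from sqlite3ExprIsInteger in the preceding hunk looks like the path that could previously write a negated (negative) value back into u.iValue, which I take to be why it goes; if so, a note to that effect in the commit message would help later archaeology. codeInteger's body continues past the end of the hunk.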
@@ -384,8 +384,7 @@ void sqlite3Pragma( sqlite3VdbeChangeP1(v, addr+1, iDb); sqlite3VdbeChangeP1(v, addr+6, SQLITE_DEFAULT_CACHE_SIZE); }else{ - int size = sqlite3Atoi(zRight); - if( size<0 ) size = -size; + int size = sqlite3AbsInt32(sqlite3Atoi(zRight)); sqlite3BeginWriteOperation(pParse, 0, iDb); sqlite3VdbeAddOp2(v, OP_Integer, size, 1); sqlite3VdbeAddOp3(v, OP_SetCookie, iDb, BTREE_DEFAULT_CACHE_SIZE, 1); @@ -694,8 +693,7 @@ void sqlite3Pragma( if( !zRight ){ returnSingleInt(pParse, "cache_size", pDb->pSchema->cache_size); }else{ - int size = sqlite3Atoi(zRight); - if( size<0 ) size = -size; + int size = sqlite3AbsInt32(sqlite3Atoi(zRight)); pDb->pSchema->cache_size = size; sqlite3BtreeSetCacheSize(pDb->pBt, pDb->pSchema->cache_size); } diff --git a/src/prepare.c b/src/prepare.c index d778b8ba9e..45654ecfca 100644 --- a/src/prepare.c +++ b/src/prepare.c @@ -278,9 +278,8 @@ static int sqlite3InitOne(sqlite3 *db, int iDb, char **pzErrMsg){ pDb->pSchema->enc = ENC(db); if( pDb->pSchema->cache_size==0 ){ - size = meta[BTREE_DEFAULT_CACHE_SIZE-1]; + size = sqlite3AbsInt32(meta[BTREE_DEFAULT_CACHE_SIZE-1]); if( size==0 ){ size = SQLITE_DEFAULT_CACHE_SIZE; } - if( size<0 ) size = -size; pDb->pSchema->cache_size = size; sqlite3BtreeSetCacheSize(pDb->pBt, pDb->pSchema->cache_size); } diff --git a/src/sqliteInt.h b/src/sqliteInt.h index bbf1b16883..0142d1e9d3 100644 --- a/src/sqliteInt.h +++ b/src/sqliteInt.h @@ -1623,7 +1623,7 @@ struct Expr { u16 flags; /* Various flags. EP_* See below */ union { char *zToken; /* Token value. Zero terminated and dequoted */ - int iValue; /* Integer value if EP_IntValue */ + int iValue; /* Non-negative integer value if EP_IntValue */ } u; /* If the EP_TokenOnly flag is set in the Expr.flags mask, then no 
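Review bot: In the prepare.c hunk, `size = sqlite3AbsInt32(meta[BTREE_DEFAULT_CACHE_SIZE-1]);` is the one call site in this commit where the input presumably comes from the database file header rather than from SQL text (meta[] is filled outside the hunk), so the clamp of -2147483648 is protecting against a malformed or crafted file, not just a typo in a PRAGMA. That is worth saying where the value is read: `/* meta[] is read from the file header and is untrusted; sqlite3AbsInt32() also clamps -2147483648 */`. The two pragma.c hunks on this line make the same substitution for user-supplied text and need no such remark. sqlite3InitOne starts and ends outside the hunk.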
@@ -2906,6 +2906,7 @@ void sqlite3VdbeSetChanges(sqlite3 *, int); int sqlite3AddInt64(i64*,i64); int sqlite3SubInt64(i64*,i64); int sqlite3MulInt64(i64*,i64); +int sqlite3AbsInt32(int); const void *sqlite3ValueText(sqlite3_value*, u8); int sqlite3ValueBytes(sqlite3_value*, u8); diff --git a/src/util.c b/src/util.c index b070bd6ae7..05934c4602 100644 --- a/src/util.c +++ b/src/util.c @@ -1138,3 +1138,13 @@ int sqlite3MulInt64(i64 *pA, i64 iB){ *pA = r; return 0; } + +/* +** Compute the absolute value of a 32-bit signed integer, of possible. Or +** if the integer has a value of -2147483648, return +2147483647 +*/ +int sqlite3AbsInt32(int x){ + if( x>=0 ) return x; + if( x==0x80000000 ) return 0x7fffffff; + return -x; +} diff --git a/src/vdbemem.c b/src/vdbemem.c index d2fdeb7ee9..882c686334 100644 --- a/src/vdbemem.c +++ b/src/vdbemem.c @@ -1077,9 +1077,14 @@ int sqlite3ValueFromExpr( /* This branch happens for multiple negative signs. Ex: -(-5) */ if( SQLITE_OK==sqlite3ValueFromExpr(db,pExpr->pLeft,enc,affinity,&pVal) ){ sqlite3VdbeMemNumerify(pVal); - pVal->u.i = -1 * pVal->u.i; - /* (double)-1 In case of SQLITE_OMIT_FLOATING_POINT... */ - pVal->r = (double)-1 * pVal->r; + if( pVal->u.i==SMALLEST_INT64 ){ + pVal->flags &= MEM_Int; + pVal->flags |= MEM_Real; + pVal->r = (double)LARGEST_INT64; + }else{ + pVal->u.i = -pVal->u.i; + } + pVal->r = -pVal->r; sqlite3ValueApplyAffinity(pVal, affinity, enc); } }else if( op==TK_NULL ){
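Review bot: In the util.c hunk, `if( x==0x80000000 ) return 0x7fffffff;` compares a signed int with a constant whose type is unsigned int (0x80000000 does not fit in a 32-bit int), so x is converted to unsigned for the comparison; it works on two's-complement targets but is exactly the kind of implicit signed/unsigned mixing this commit is trying to remove, and it trips -Wsign-compare. `if( x==(int)0x80000000 ) return 0x7fffffff;` states the intent, or compare against a named minimum constant if one exists in sqliteInt.h. The header comment also has a typo: "of possible" should read "if possible", and it could add that the clamp is lossy so callers must not rely on sqlite3AbsInt32(-2147483648) being exact.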
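Review bot: In the vdbemem.c hunk, the SMALLEST_INT64 branch ends up with the wrong sign: it stores `(double)LARGEST_INT64` in pVal->r, and the unconditional `pVal->r = -pVal->r;` after the if/else then negates it, so -(-9223372036854775808) evaluates to roughly -9.22e18 instead of +9.22e18. `pVal->flags &= MEM_Int;` also keeps the MEM_Int bit and clears everything else, so after `|= MEM_Real` the value carries both type bits if those are meant to be exclusive; `~MEM_Int` was presumably intended. The `pVal->u.i==SMALLEST_INT64` test additionally runs when sqlite3VdbeMemNumerify produced a MEM_Real, where u.i is whatever was left in the union, so negating u.i in that case can itself overflow; checking the type flag first avoids both problems. Sketch below assumes Numerify leaves exactly one of MEM_Int/MEM_Real set; sqlite3ValueFromExpr starts and continues outside the hunk.
```c
      sqlite3VdbeMemNumerify(pVal);
      if( pVal->flags & MEM_Real ){
        pVal->r = -pVal->r;
      }else if( pVal->u.i==SMALLEST_INT64 ){
        /* -SMALLEST_INT64 is not representable as an i64: promote to real */
        pVal->flags &= ~MEM_Int;
        pVal->flags |= MEM_Real;
        pVal->r = -(double)SMALLEST_INT64;
      }else{
        pVal->u.i = -pVal->u.i;
      }
      /* … unchanged: sqlite3ValueApplyAffinity(pVal, affinity, enc); … */
```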