From: dan
Date: Fri, 8 Aug 2014 17:25:33 +0000 (+0000)
Subject: Fix a buffer overrun in the previous commit.
X-Git-Tag: version-3.8.6~22^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e2c278513d56f27725b0b9118c19aef2fc77e695;p=thirdparty%2Fsqlite.git

Fix a buffer overrun in the previous commit.

FossilOrigin-Name: 43c59c85436dc8001c81f4aac7f5231b13d741cb
---
diff --git a/manifest b/manifest
index fe79529289..3634881a4d 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Because\sSQLite\sinternally\scalculates\squery\splan\scosts\susing\sa\slogarithmic\sscale,\svery\slarge\sestimated\ssorting\scosts\scan\scause\sall\sother\sestimated\scosts\sto\sbe\srounded\sdown\sto\szero.\sIn\sthese\scases\sbreak\sties\sbetween\splans\swith\sthe\ssame\stotal\scost\sby\scomparing\sthe\scosts\swith\ssorting\sexcluded.\sThis\sis\san\salternative\sfix\sfor\sthe\ssame\sproblem\sas\saddressed\sby\s[2af630c572].
-D 2014-08-08T16:52:28.259
+C Fix\sa\sbuffer\soverrun\sin\sthe\sprevious\scommit.
+D 2014-08-08T17:25:33.967
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 5eb79e334a5de69c87740edd56af6527dd219308
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -296,7 +296,7 @@ F src/vtab.c 21b932841e51ebd7d075e2d0ad1415dce8d2d5fd
 F src/wal.c 264df50a1b33124130b23180ded2e2c5663c652a
 F src/wal.h df01efe09c5cb8c8e391ff1715cca294f89668a4
 F src/walker.c 11edb74d587bc87b33ca96a5173e3ec1b8389e45
-F src/where.c 012ef65af2ae3e1061aa42bbe4eb549b409ee7e7
+F src/where.c ab20f9c24a422ee8900831b343c3d1e5e7aca87b
 F src/whereInt.h 923820bee9726033a501a08d2fc69b9c1ee4feb3
 F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
 F test/aggerror.test a867e273ef9e3d7919f03ef4f0e8c0d2767944f2
@@ -1185,10 +1185,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 36b7c5cefcad6bad044806092593c84876fee8bc
-R 97e5eb0484c42f8168a99aaa07e49072
-T *branch * query-planner-fix
-T *sym-query-planner-fix *
-T -sym-trunk *
+P 299b9570279ded7158d22349ef93384286a5c755
+R 1f8265817308d29fd5a420f3d8d1525f
 U dan
-Z 10210eb3192fa621adfca2044e28b578
+Z 2535cee87377895ac3ecbfed51081b0b
diff --git a/manifest.uuid b/manifest.uuid
index 2b491ab1ab..b3ea543e1e 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-299b9570279ded7158d22349ef93384286a5c755
\ No newline at end of file
+43c59c85436dc8001c81f4aac7f5231b13d741cb
\ No newline at end of file
diff --git a/src/where.c b/src/where.c
index ece31542b7..9c30136e87 100644
--- a/src/where.c
+++ b/src/where.c
@@ -5471,6 +5471,7 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
 WhereLoop **pX; /* Used to divy up the pSpace memory */
 LogEst *aSortCost = 0; /* Sorting and partial sorting costs */
 char *pSpace; /* Temporary memory used by this routine */
+ int nSpace; /* Bytes of space allocated at pSpace */
 pParse = pWInfo->pParse;
 db = pParse->db;
@@ -5494,9 +5495,9 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
 }
 /* Allocate and initialize space for aTo, aFrom and aSortCost[] */
- ii = (sizeof(WherePath)+sizeof(WhereLoop*)*nLoop)*mxChoice*2;
- ii += sizeof(LogEst) * nOrderBy;
- pSpace = sqlite3DbMallocRaw(db, ii);
+ nSpace = (sizeof(WherePath)+sizeof(WhereLoop*)*nLoop)*mxChoice*2;
+ nSpace += sizeof(LogEst) * nOrderBy;
+ pSpace = sqlite3DbMallocRaw(db, nSpace);
 if( pSpace==0 ) return SQLITE_NOMEM;
 aTo = (WherePath*)pSpace;
 aFrom = aTo+mxChoice;
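Review bot: `nSpace` is declared `int` in the first src/where.c hunk but in the second it receives a `size_t` expression, `(sizeof(WherePath)+sizeof(WhereLoop*)*nLoop)*mxChoice*2`, so the assignment narrows silently and `-Wconversion` will flag it exactly as it did for the `ii` it replaces; the rename at least makes the intent readable. If sqlite3DbMallocRaw takes an `int` (its prototype is outside the hunk), an explicit `nSpace = (int)(...)` would make the narrowing deliberate, and the declaration comment could say why the byte count is kept at all, e.g. `/* Bytes of space allocated at pSpace; used to check the aSortCost/pX layout */`. nLoop, mxChoice and nOrderBy are presumably small counts, so this is a point of style rather than a defect. wherePathSolver begins before the first hunk and continues past the second.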
@@ -5513,8 +5514,10 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
 ** the ORDER BY clause are already in order, where X is the array
 ** index. */
 aSortCost = (LogEst*)pX;
- memset(aSortCost, 0, sizeof(LogEst) * (nOrderBy+1));
+ memset(aSortCost, 0, sizeof(LogEst) * nOrderBy);
 }
+ assert( aSortCost==0 || &pSpace[nSpace]==(char*)&aSortCost[nOrderBy] );
+ assert( aSortCost!=0 || &pSpace[nSpace]==(char*)pX );
 /* Seed the search with a single WherePath containing zero WhereLoops.
 **
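Review bot: The memset bound `sizeof(LogEst) * nOrderBy` now matches the `sizeof(LogEst) * nOrderBy` that the allocation hunk adds to nSpace, but nothing in the code ties the two expressions together except the two new assert() lines, which are compiled out wherever assert is disabled, so the next edit to one bound can desynchronise the other again without any release-build signal. I would pin the invariant in the block comment that ends at `** index. */`, e.g. `** aSortCost[] holds exactly nOrderBy entries (indices 0..nOrderBy-1); this is the count reserved for it when nSpace was computed.` The `&aSortCost[nOrderBy]` and `&pSpace[nSpace]` in the asserts form one-past-the-end pointers, which is well defined, but a short comment such as `/* aSortCost[] must end exactly at the end of pSpace */` above them would explain why pX is checked in the nOrderBy==0 case. wherePathSolver continues outside this hunk.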