From: drh Date: Tue, 10 Mar 2020 19:23:48 +0000 (+0000) Subject: Prevent the read-only expressions held in the schema from being passed down X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=efd6135b219a86795d5d67d53dc2fad8e447653e;p=thirdparty%2Fsqlite.git Prevent the read-only expressions held in the schema from being passed down into code generating subroutines where they might be changed. Pass a copy of the expression instead. FossilOrigin-Name: 2b750b0f74e5a11621997267d419c567cd860dd8bc7306d58fe037200c0d7679 --- diff --git a/manifest b/manifest index 5c89756829..9416aa195d 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Backport\sthe\schange\sthat\sallows\sthe\sfilename\spassed\sinto\sthe\sxFullPathname\sto\nbe\sused\sas\san\sargument\sto\ssqlite3_uri_parameter(). -D 2020-02-27T12:33:33.406 +C Prevent\sthe\sread-only\sexpressions\sheld\sin\sthe\sschema\sfrom\sbeing\spassed\sdown\ninto\scode\sgenerating\ssubroutines\swhere\sthey\smight\sbe\schanged.\s\sPass\sa\scopy\nof\sthe\sexpression\sinstead. +D 2020-03-10T19:23:48.698 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 
@@ -483,7 +483,7 @@ F src/date.c 6c408fdd2e9ddf6e8431aba76315a2d061bea2cec8fbb75e25d7c1ba08274712 F src/dbpage.c 8a01e865bf8bc6d7b1844b4314443a6436c07c3efe1d488ed89e81719047833a F src/dbstat.c 0f55297469d4244ab7df395849e1af98eb5e95816af7c661e7d2d8402dea23da F src/delete.c a5c59b9c0251cf7682bc52af0d64f09b1aefc6781a63592c8f1136f7b73c66e4 -F src/expr.c 003c59158b33d7f3b198122cb0d1e13c06517cc3932e56b42283eb0e96696d66 +F src/expr.c d8845931d5aa576ae1cbfa726d28c217ca894061f1a5a3da58922919685810e9 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007 F src/fkey.c 92a248ec0fa4ed8ab60c98d9b188ce173aaf218f32e7737ba77deb2a684f9847 F src/func.c 108577cebe8a50c86d849a93b99493a54e348dd0b846f00d13b52ca973d5baf4 @@ -492,7 +492,7 @@ F src/hash.c 8d7dda241d0ebdafb6ffdeda3149a412d7df75102cecfc1021c98d6219823b19 F src/hash.h 9d56a9079d523b648774c1784b74b89bd93fac7b365210157482e4319a468f38 F src/hwtime.h cb1d7e3e1ed94b7aa6fde95ae2c2daccc3df826be26fc9ed7fd90d1750ae6144 F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71 -F src/insert.c 2fe4d7f67078a68650f16e4efe73207899e21702e6b9d2e8ad1894c76dcad352 +F src/insert.c 465ee38d9d0180cb2df79dfa4d14ebae44ee9c34b13a0bb208bf3629486e3d86 F src/legacy.c d7874bc885906868cd51e6c2156698f2754f02d9eee1bae2d687323c3ca8e5aa F src/loadext.c 8cd803f1747c03a50b32fe87ebfb5851998d0cdafefe02737daa95e0616b42bb F src/main.c aad9966a6fc1fdabfbe4750f725987dc346e086539036280ba1498757b4ece8b 
@@ -808,7 +808,7 @@ F test/dbfuzz2.c c2c9cb40082a77b7e95ffb8b2da1e93322efadfb1c8c1e0001c95a0af1e156c F test/dbpage.test 650234ba683b9d82b899c6c51439819787e7609f17a0cc40e0080a7b6443bc38 F test/dbstatus.test 4a4221a883025ffd39696b3d1b3910b928fb097d77e671351acb35f3aed42759 F test/dbstatus2.test f5fe0afed3fa45e57cfa70d1147606c20d2ba23feac78e9a172f2fe8ab5b78ef -F test/default.test 3e46c421eebefd2787c2f96673efabf792d360f3a1d5073918cbe450ce672a62 +F test/default.test 9687cfb16717e4b8238c191697c98be88c0b16e568dd5368cd9284154097ef50 F test/delete.test 31832b0c45ecb51a54348c68db173be462985901e6ed7f403d6d7a8f70ab4ef0 F test/delete2.test 3a03f2cca1f9a67ec469915cb8babd6485db43fa F test/delete3.test 555e84a00a99230b7d049d477a324a631126a6ab @@ -1857,8 +1857,10 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 6279f69f0fe3c7bb7b2eddd5ca51e28f003044ed0a3629260991a3aa8e521850 -Q +bfb09371d452d5d4dacab2ec476880bc729952f44ac0e5de90ea7ba203243c8c -R 4c16e2afa5ed9354b409edd21cbabacf +P 9c77bfe41e1b786dbe649bffddc2500202884de1a19bbbee63831ba583ce0878 +Q +03d201c041c17579e791c73fe6babd60b9f892a84ffd1470851f8eb2857d3990 +Q +a2d6f108c5d07559b125823a04c9cb072c80be80d7913097891a6192c7e1e225 +Q +f45f5de000834da5b23cdcf12c3f0e3073287756afe06bdb77b95fb65b250258 +R 1d618ce0babf0dcd8549b9e38ae82278 U drh -Z 4603522ee1417c48c6d3a1de5f55ba12 +Z c7e30f1a90f7884a4ee53b80c7e8481a diff --git a/manifest.uuid b/manifest.uuid index 2d50d0d4ae..9428d2765a 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -9c77bfe41e1b786dbe649bffddc2500202884de1a19bbbee63831ba583ce0878 \ No newline at end of file +2b750b0f74e5a11621997267d419c567cd860dd8bc7306d58fe037200c0d7679 \ No newline at end of file 
diff --git a/src/expr.c b/src/expr.c
index d82ef8b8c7..e4125a8937 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -2850,6 +2850,7 @@ void sqlite3CodeRhsOfIN(
     /* Begin coding the subroutine */
     ExprSetProperty(pExpr, EP_Subrtn);
+    assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
     pExpr->y.sub.regReturn = ++pParse->nMem;
     pExpr->y.sub.iAddr =
       sqlite3VdbeAddOp2(v, OP_Integer, 0, pExpr->y.sub.regReturn) + 1;
@@ -3496,7 +3497,7 @@ void sqlite3ExprCodeGeneratedColumn(
   }else{
     iAddr = 0;
   }
-  sqlite3ExprCode(pParse, pCol->pDflt, regOut);
+  sqlite3ExprCodeCopy(pParse, pCol->pDflt, regOut);
   if( pCol->affinity>=SQLITE_AFF_TEXT ){
     sqlite3VdbeAddOp4(v, OP_Affinity, regOut, 1, 0, &pCol->affinity, 1);
   }
@@ -4595,7 +4596,7 @@ void sqlite3ExprCodeFactorable(Parse *pParse, Expr *pExpr, int target){
   if( pParse->okConstFactor && sqlite3ExprIsConstantNotJoin(pExpr) ){
     sqlite3ExprCodeAtInit(pParse, pExpr, target);
   }else{
-    sqlite3ExprCode(pParse, pExpr, target);
+    sqlite3ExprCodeCopy(pParse, pExpr, target);
   }
 }
diff --git a/src/insert.c b/src/insert.c
index 93f22a8cbf..b98219434e 100644
--- a/src/insert.c
+++ b/src/insert.c
@@ -1606,7 +1606,7 @@ void sqlite3GenerateConstraintChecks(
       VdbeCoverage(v);
       assert( (pCol->colFlags & COLFLAG_GENERATED)==0 );
       nSeenReplace++;
-      sqlite3ExprCode(pParse, pCol->pDflt, iReg);
+      sqlite3ExprCodeCopy(pParse, pCol->pDflt, iReg);
       sqlite3VdbeJumpHere(v, addr1);
       break;
     }
@@ -1661,6 +1661,7 @@ void sqlite3GenerateConstraintChecks(
     onError = overrideError!=OE_Default ? overrideError : OE_Abort;
     for(i=0; inExpr; i++){
       int allOk;
+      Expr *pCopy;
       Expr *pExpr = pCheck->a[i].pExpr;
       if( aiChng
        && !sqlite3ExprReferencesUpdatedColumn(pExpr, aiChng, pkChng)
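Review bot: The new assert on EP_TokenOnly|EP_Reduced states the precondition for the y.sub writes that follow, but it sits after `ExprSetProperty(pExpr, EP_Subrtn)` has already modified the node, and nothing says why a reduced node is unacceptable here. Moving the assert above that call and adding `/* y.sub is only valid on a full-size Expr; reduced/token-only copies must never reach this point */` would make the invariant self-explanatory. Since the assert disappears in NDEBUG builds, release builds still depend on every caller honouring it; that appears to be what the sqlite3ExprCodeCopy substitutions in the later hunks are meant to guarantee. sqlite3CodeRhsOfIN begins and ends outside the hunk.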
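Review bot: The switch from sqlite3ExprCode to sqlite3ExprCodeCopy on pCol->pDflt carries no comment, so a later reader has no hint that this call site must not code the expression in place; the same applies to the identical substitutions in the sqlite3ExprCodeFactorable hunk at 4596 and the insert.c hunk at 1606. Suggest one line above each call: `/* pDflt is a read-only expression held in the schema; code a copy so codegen cannot rewrite it (e.g. EP_Subrtn set by sqlite3CodeRhsOfIN) */`. sqlite3ExprCodeCopy presumably duplicates and frees the tree on every call, which is a per-compile cost only — confirm that none of these three sites is reached per row. All three enclosing functions start outside their hunks.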
@@ -1671,7 +1672,11 @@ void sqlite3GenerateConstraintChecks(
       }
       allOk = sqlite3VdbeMakeLabel(pParse);
       sqlite3VdbeVerifyAbortable(v, onError);
-      sqlite3ExprIfTrue(pParse, pExpr, allOk, SQLITE_JUMPIFNULL);
+      pCopy = sqlite3ExprDup(db, pExpr, 0);
+      if( !db->mallocFailed ){
+        sqlite3ExprIfTrue(pParse, pCopy, allOk, SQLITE_JUMPIFNULL);
+      }
+      sqlite3ExprDelete(db, pCopy);
       if( onError==OE_Ignore ){
         sqlite3VdbeGoto(v, ignoreDest);
       }else{
diff --git a/test/default.test b/test/default.test
index d691303485..06a180c1de 100644
--- a/test/default.test
+++ b/test/default.test
@@ -128,4 +128,13 @@ do_catchsql_test default-4.4 {
   CREATE TABLE t2(a TEXT, b TEXT DEFAULT(98+coalesce(5,:xyz)));
 } {1 {default value of column [b] is not constant}}
+# 2020-03-09 out-of-bounds memory access discovered by "Eternal Sakura"
+# and reported to chromium.
+#
+reset_db
+do_catchsql_test default-5.1 {
+  CREATE TABLE t1 (a,b DEFAULT(random() NOTNULL IN (RAISE(IGNORE),2,3)));
+  INSERT INTO t1(a) VALUES(1);
+} {1 {RAISE() may only be used within a trigger-program}}
+
 finish_test
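Review bot: The new dup/code/delete sequence has no comment explaining why the CHECK expression is copied before sqlite3ExprIfTrue, and the guard is on `db->mallocFailed` rather than on `pCopy`, which a reader may mistake for a missed NULL check; it relies on sqlite3ExprDup leaving pCopy NULL only when it has also set mallocFailed, and on sqlite3ExprDelete accepting NULL. Suggest above the sqlite3ExprDup line: `/* pExpr is a read-only schema expression; sqlite3ExprIfTrue may rewrite its tree, so code a private copy and free it afterwards */`. The enclosing for-loop and sqlite3GenerateConstraintChecks continue outside the hunk.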
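Review bot: The new default-5.1 case exercises only the DEFAULT-expression path, so the CHECK-constraint change in insert.c (the pCopy hunk at 1672) has no regression test in this commit. A sibling case along the lines of (constructed) `CREATE TABLE t2(a, b CHECK(random() NOTNULL IN (RAISE(IGNORE),2,3)))` followed by an INSERT would cover that path; the expected result is presumably the same `RAISE() may only be used within a trigger-program` error, but confirm before pinning it. The comment above the test names the reporter and date; adding the FossilOrigin hash from this commit would make the case traceable from the test file alone.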