From d2a56238662a715ab2ceba808c2d4b5e61204e8f Mon Sep 17 00:00:00 2001 From: drh Date: Mon, 28 Jan 2013 19:00:20 +0000 Subject: [PATCH] Issue an error message and quit (rather than overflowing a reference counter) if the number of references to a table exceeds the maximum due to nested UNION views. Fix for ticket [d58ccbb3f1]. FossilOrigin-Name: c2462a95ed8e1e69886681400d673207d906bf1b --- manifest | 18 +++++++++--------- manifest.uuid | 2 +- src/select.c | 6 ++++++ src/vdbeInt.h | 4 ++-- src/vdbeaux.c | 2 +- test/view.test | 33 +++++++++++++++++++++++++++++++++ 6 files changed, 52 insertions(+), 13 deletions(-) diff --git a/manifest b/manifest index 9307d630d3..0fede016e2 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Cause\sthe\scommand-line\sshell\sto\sissue\san\serror\smessage\sif\syou\sgive\ssomething\nthat\sdoes\snot\slook\slike\sa\sboolean\svalue\sto\sa\sdot-command\sthat\swants\sa\sboolean\nargument. -D 2013-01-28T18:18:26.777 +C Issue\san\serror\smessage\sand\squit\s(rather\sthan\soverflowing\sa\sreference\scounter)\nif\sthe\snumber\sof\sreferences\sto\sa\stable\sexceeds\sthe\smaximum\sdue\sto\snested\nUNION\sviews.\s\sFix\sfor\sticket\s[d58ccbb3f1]. +D 2013-01-28T19:00:20.786 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.in a48faa9e7dd7d556d84f5456eabe5825dd8a6282 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 @@ -174,7 +174,7 @@ F src/printf.c 4a9f882f1c1787a8b494a2987765acf9d97ac21f F src/random.c cd4a67b3953b88019f8cd4ccd81394a8ddfaba50 F src/resolve.c 0bca3bf694f14f96a13873d87f62d6a6f38f913f F src/rowset.c 64655f1a627c9c212d9ab497899e7424a34222e0 -F src/select.c 395e458a6dc611cbe1179f424753f0c344957607 +F src/select.c d1e0c173ef9c8aeb7fdfd6bb3474404eaa3f29b5 F src/shell.c 266791241d7add796ccce2317977ae6c3c67d77f F src/sqlite.h.in 39cc33bb08897c748fe3383c29ccf56585704177 F src/sqlite3.rc fea433eb0a59f4c9393c8e6d76a6e2596b1fe0c0 
@@ -241,9 +241,9 @@ F src/util.c 0af2e515dc0dabacec931bca39525f6c3f1c5455 F src/vacuum.c 2727bdd08847fcb6b2d2da6d14f018910e8645d3 F src/vdbe.c f51eb3207594703d24e91335cb16906e894b48aa F src/vdbe.h b52887278cb173e66188da84dfab216bea61119d -F src/vdbeInt.h 79abf9b31be406d35ca77d6999cb2d42aaf91e78 +F src/vdbeInt.h c5b337e571752a52aa7157d2ad991b33603b91b9 F src/vdbeapi.c 4c2418161cf45392ba76a7ca92f9a5f06b96f89c -F src/vdbeaux.c 7c3231498470049b6f1ce05d3992c48f615d2b5d +F src/vdbeaux.c ec83f5db5b99db762eefefed1f5e19b513cca38a F src/vdbeblob.c 32f2a4899d67f69634ea4dd93e3f651936d732cb F src/vdbemem.c cb55e84b8e2c15704968ee05f0fae25883299b74 F src/vdbesort.c c61ca318681c0e7267da8be3abfca8469652a7e9 @@ -926,7 +926,7 @@ F test/vacuum3.test 77ecdd54592b45a0bcb133339f99f1ae0ae94d0d F test/vacuum4.test d3f8ecff345f166911568f397d2432c16d2867d9 F test/varint.test ab7b110089a08b9926ed7390e7e97bdefeb74102 F test/veryquick.test 7701bb609fe8bf6535514e8b849a309e8f00573b -F test/view.test b182a67ec43f490b156b5a710827a341be83dd17 +F test/view.test 977eb3fa17b44f73fc2b636172dc9136311024ce F test/vtab1.test 4403f987860ebddef1ce2de6db7216421035339d F test/vtab2.test 7bcffc050da5c68f4f312e49e443063e2d391c0d F test/vtab3.test baad99fd27217f5d6db10660522e0b7192446de1 @@ -1034,7 +1034,7 @@ F tool/vdbe-compress.tcl f12c884766bd14277f4fcedcae07078011717381 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4 F tool/warnings.sh fbc018d67fd7395f440c28f33ef0f94420226381 F tool/win/sqlite.vsix 97894c2790eda7b5bce3cc79cb2a8ec2fde9b3ac -P 955a9459dabad231aa8d6282676975ab7fba244e -R 66b9882bd300b48db89596b4965fc6ad +P b4d94947fc11bd63180cbc27554b3bbb60abe7ff +R 8be0f1d3c454c23195917422328f2d24 U drh -Z 250538fa0a3f3f5cd6c8e21a5b90ee24 +Z fc03c6951678032f2061e289aef39e13 diff --git a/manifest.uuid b/manifest.uuid index 166b114050..435ee4c448 100644 --- a/manifest.uuid +++ b/manifest.uuid 
@@ -1 +1 @@ -b4d94947fc11bd63180cbc27554b3bbb60abe7ff \ No newline at end of file +c2462a95ed8e1e69886681400d673207d906bf1b \ No newline at end of file
diff --git a/src/select.c b/src/select.c
index 3168894802..6d8d7856a5 100644
--- a/src/select.c
+++ b/src/select.c
@@ -3343,6 +3343,12 @@ static int selectExpander(Walker *pWalker, Select *p){
 assert( pFrom->pTab==0 );
 pFrom->pTab = pTab = sqlite3LocateTableItem(pParse, 0, pFrom);
 if( pTab==0 ) return WRC_Abort;
+ if( pTab->nRef==0xffff ){
+ sqlite3ErrorMsg(pParse, "too many references to \"%s\": max 65535",
+ pTab->zName);
+ pFrom->pTab = 0;
+ return WRC_Abort;
+ }
 pTab->nRef++;
 #if !defined(SQLITE_OMIT_VIEW) || !defined (SQLITE_OMIT_VIRTUALTABLE)
 if( pTab->pSelect || IsVirtual(pTab) ){
diff --git a/src/vdbeInt.h b/src/vdbeInt.h
index fac0b2f6ed..9599515882 100644
--- a/src/vdbeInt.h
+++ b/src/vdbeInt.h
@@ -123,7 +123,7 @@ struct VdbeFrame {
 VdbeCursor **apCsr; /* Array of Vdbe cursors for parent frame */
 void *token; /* Copy of SubProgram.token */
 i64 lastRowid; /* Last insert rowid (sqlite3.lastRowid) */
- u16 nCursor; /* Number of entries in apCsr */
+ u32 nCursor; /* Number of entries in apCsr */
 int pc; /* Program Counter in parent (calling) frame */
 int nOp; /* Size of aOp array */
 int nMem; /* Number of entries in aMem */
@@ -309,7 +309,7 @@ struct Vdbe {
 int nLabel; /* Number of labels used */
 int *aLabel; /* Space to hold the labels */
 u16 nResColumn; /* Number of columns in one row of the result set */
- u16 nCursor; /* Number of slots in apCsr[] */
+ u32 nCursor; /* Number of slots in apCsr[] */
 u32 magic; /* Magic number for sanity checking */
 char *zErrMsg; /* Error message written here */
 Vdbe *pPrev,*pNext; /* Linked list of VDBEs with the same Vdbe.db */
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index 9949895dc2..d8aebd5e8c 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
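Review bot: The new guard in selectExpander() protects only this one `pTab->nRef++`; any other site that takes a reference on a Table (none are visible in this diff) would need the same check, otherwise the counter could still wrap and the Table would presumably be released while references remain. The limit is also written as two separate literals, `0xffff` in the comparison and `65535` in the message, which will drift apart if the width of nRef ever changes; a single named constant would tie them together. A short comment above `pFrom->pTab = 0;` would help the next reader, for example `/* nRef would wrap: report it and clear pFrom->pTab so cleanup does not drop a reference that was never taken */` (the cleanup behaviour is inferred, please confirm). The body of selectExpander() starts and ends outside the hunk.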
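Review bot: Neither nCursor field records why 16 bits stopped being enough, and the commit message speaks only of the table reference counter, so the widening in struct VdbeFrame and struct Vdbe reads as unrelated. If the reason is that a deeply nested view such as the one in view-21.2 can open more than 65535 cursors, the field comment should say so, for example `u32 nCursor; /* Number of slots in apCsr[]; can exceed 0xffff with deeply nested views */`. In struct Vdbe the u32 now follows `u16 nResColumn`, which probably leaves two padding bytes; moving it next to `u32 magic` would keep the struct packed. Any code outside this diff that copies nCursor or a cursor index into a 16-bit variable would still truncate, so those uses deserve a check.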
@@ -1538,7 +1538,7 @@ void sqlite3VdbeMakeReady( zEnd = &zCsr[nByte]; }while( nByte && !db->mallocFailed ); - p->nCursor = (u16)nCursor; + p->nCursor = nCursor; p->nOnceFlag = nOnce; if( p->aVar ){ p->nVar = (ynVar)nVar; diff --git a/test/view.test b/test/view.test index b4440905f9..4abd3cf70b 100644 --- a/test/view.test +++ b/test/view.test @@ -576,4 +576,37 @@ do_test view-20.1 { } } {} +# Ticket [d58ccbb3f1b]: Prevent Table.nRef overflow. +db close +sqlite3 db :memory: +do_test view-21.1 { + catchsql { + CREATE TABLE t1(x); + INSERT INTO t1 VALUES(5); + CREATE VIEW v1 AS SELECT x*2 FROM t1; + CREATE VIEW v2 AS SELECT * FROM v1 UNION SELECT * FROM v1; + CREATE VIEW v4 AS SELECT * FROM v2 UNION SELECT * FROM v2; + CREATE VIEW v8 AS SELECT * FROM v4 UNION SELECT * FROM v4; + CREATE VIEW v16 AS SELECT * FROM v8 UNION SELECT * FROM v8; + CREATE VIEW v32 AS SELECT * FROM v16 UNION SELECT * FROM v16; + CREATE VIEW v64 AS SELECT * FROM v32 UNION SELECT * FROM v32; + CREATE VIEW v128 AS SELECT * FROM v64 UNION SELECT * FROM v64; + CREATE VIEW v256 AS SELECT * FROM v128 UNION SELECT * FROM v128; + CREATE VIEW v512 AS SELECT * FROM v256 UNION SELECT * FROM v256; + CREATE VIEW v1024 AS SELECT * FROM v512 UNION SELECT * FROM v512; + CREATE VIEW v2048 AS SELECT * FROM v1024 UNION SELECT * FROM v1024; + CREATE VIEW v4096 AS SELECT * FROM v2048 UNION SELECT * FROM v2048; + CREATE VIEW v8192 AS SELECT * FROM v4096 UNION SELECT * FROM v4096; + CREATE VIEW v16384 AS SELECT * FROM v8192 UNION SELECT * FROM v8192; + CREATE VIEW v32768 AS SELECT * FROM v16384 UNION SELECT * FROM v16384; + CREATE VIEW vx AS SELECT * FROM v32768 UNION SELECT * FROM v32768; + } +} {1 {too many references to "v1": max 65535}} +do_test view-21.2 { + db progress 1000 {expr 1} + catchsql { + SELECT * FROM v32768; + } +} {1 interrupted} + finish_test -- 2.47.2
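Review bot: The assignment `p->nCursor = nCursor;` now relies on an implicit conversion from a local whose declaration is outside the hunk, while the neighbouring `p->nVar = (ynVar)nVar;` keeps an explicit cast. If the local is a signed int, stating the expectation makes the widening safe to read and quiets conversion warnings: `assert( nCursor>=0 );` followed by `p->nCursor = (u32)nCursor;`. The body of sqlite3VdbeMakeReady() starts and ends outside the hunk.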
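Review bot: The two new tests show that the overflow is reported and that a large query can be interrupted, but neither checks that the connection is still usable after the aborted CREATE VIEW vx, which is where a reference taken and not released would show up. A small query between view-21.1 and view-21.2, before the progress handler is installed, would cover that: `do_test view-21.1b { execsql { SELECT * FROM v1 } } {10}`. view-21.2 also leaves its `db progress 1000 {expr 1}` handler installed on `db`; that is harmless only because finish_test follows immediately, so a later test added to this file should clear it first.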