From: drh
Date: Tue, 11 Jul 2006 13:15:08 +0000 (+0000)
Subject: Prevent memory leak and possible NULL pointer deference after malloc
X-Git-Tag: version-3.6.10~2838
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=206f3d96d140c9480f19bf92e8f7f35132048d4b;p=thirdparty%2Fsqlite.git

Prevent memory leak and possible NULL pointer deference after malloc
failure. Ticket #1886. (CVS 3329)

FossilOrigin-Name: b1f326e6959ef3be11f772e80f5ab6dd65b2d065
---
diff --git a/manifest b/manifest
index f4b0a99545..e9d8df1f36 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sNULL\spointer\sdeference\sfollowing\smalloc\sfailure.\s\sBug\sdiscovered\nby\sklocwork.\s(CVS\s3328)
-D 2006-07-11T12:40:25
+C Prevent\smemory\sleak\sand\spossible\sNULL\spointer\sdeference\safter\smalloc\nfailure.\s\sTicket\s#1886.\s(CVS\s3329)
+D 2006-07-11T13:15:08
 F Makefile.in 9c2a76055c305868cc5f5b73e29a252ff3632c0a
 F Makefile.linux-gcc 2d8574d1ba75f129aba2019f0b959db380a90935
 F README 9c4e2d6706bdcc3efdd773ce752a8cdab4f90028
@@ -42,7 +42,7 @@ F src/complete.c 7d1a44be8f37de125fcafd3d3a018690b3799675
 F src/date.c cd2bd5d1ebc6fa12d6312f69789ae5b0a2766f2e
 F src/delete.c 804384761144fe1a5035b99f4bd7d706976831bd
 F src/experimental.c 1b2d1a6cd62ecc39610e97670332ca073c50792b
-F src/expr.c f2c7af5591370191840b2a6334abf07c62f74a76
+F src/expr.c 715734d8681c5ad179a24156800b5c5646489e05
 F src/func.c f357a81bcdd83684cb198a8ad96be1c21e29f85c
 F src/hash.c 449f3d6620193aa557f5d86cbc5cc6b87702b185
 F src/hash.h 1b3f7e2609141fd571f62199fc38687d262e9564
@@ -69,12 +69,12 @@ F src/pragma.c 27d5e395c5d950931c7ac4fe610e7c2993e2fa55
 F src/prepare.c e477df44112e3ce167f048226432fca9d9cba6a0
 F src/printf.c b179b6ed12f793e028dd169e2e2e2b2a37eedc63
 F src/random.c d40f8d356cecbd351ccfab6eaedd7ec1b54f5261
-F src/select.c 380fa06c99ae01050c0054c4b1db91e9f1d8322d
+F src/select.c aeec8efbe83bc1e50e9b49ada19b34eda5de05bd
 F src/server.c 087b92a39d883e3fa113cae259d64e4c7438bc96
 F src/shell.c 359551ab5cdd8f8fe5f3fe170fd330b108b08d7d
 F src/sqlite.h.in 432848ac7f8d7e6fea727668acccec62bdd86cc4
 F src/sqlite3ext.h c611255287e9a11ce4f1fe6251c2a0b9d32a828b
-F src/sqliteInt.h 434b530013bd3093faa7c1c1a5817df81616f6ec
+F src/sqliteInt.h 5a485f340533da2baa56ff1ceb9c101726062150
 F src/table.c d8817f43a6c6bf139487db161760b9e1e02da3f1
 F src/tclsqlite.c 22ab598cfaa6fda50dec9035852687114286d06e
 F src/test1.c 535294d7f21a4127082c4f7a57f225482df9cc36
@@ -375,7 +375,7 @@ F www/tclsqlite.tcl bb0d1357328a42b1993d78573e587c6dcbc964b9
 F www/vdbe.tcl 87a31ace769f20d3627a64fa1fade7fed47b90d0
 F www/version3.tcl 890248cf7b70e60c383b0e84d77d5132b3ead42b
 F www/whentouse.tcl 97e2b5cd296f7d8057e11f44427dea8a4c2db513
-P 368bcf264456f5506260797497bc8d8dc4897e0f
-R 23b4814e29ce2ab5bcc6f845bb301aeb
+P eb91612f4646b15c2b8398c5225669419b03b531
+R ad854be3689dac4985748c7dc8520e06
 U drh
-Z 94facde76db6586626f382b43ed3c568
+Z f6315bc4dfdd75362a9c8ec6860ea002
diff --git a/manifest.uuid b/manifest.uuid
index c2e4cb1234..65580e4416 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-eb91612f4646b15c2b8398c5225669419b03b531
\ No newline at end of file
+b1f326e6959ef3be11f772e80f5ab6dd65b2d065
\ No newline at end of file
diff --git a/src/expr.c b/src/expr.c
index 5ba7cde7cc..4e8d322b92 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -12,7 +12,7 @@
 ** This file contains routines used for analyzing expressions and
 ** for generating VDBE code that evaluates expressions in SQLite.
 **
-** $Id: expr.c,v 1.265 2006/07/08 18:41:37 drh Exp $
+** $Id: expr.c,v 1.266 2006/07/11 13:15:08 drh Exp $
 */
 #include "sqliteInt.h"
 #include
@@ -211,6 +211,19 @@ Expr *sqlite3Expr(int op, Expr *pLeft, Expr *pRight, const Token *pToken){
   return pNew;
 }
 
+/*
+** Works like sqlite3Expr() but frees its pLeft and pRight arguments
+** if it fails due to a malloc problem.
+*/
+Expr *sqlite3ExprOrFree(int op, Expr *pLeft, Expr *pRight, const Token *pToken){
+  Expr *pNew = sqlite3Expr(op, pLeft, pRight, pToken);
+  if( pNew==0 ){
+    sqlite3ExprDelete(pLeft);
+    sqlite3ExprDelete(pRight);
+  }
+  return pNew;
+}
+
 /*
 ** When doing a nested parse, you can include terms in an expression
 ** that look like this: #0 #1 #2 ... These terms refer to elements
diff --git a/src/select.c b/src/select.c
index c909fc00f5..b6bb1f9083 100644
--- a/src/select.c
+++ b/src/select.c
@@ -12,7 +12,7 @@
 ** This file contains C code routines that are called by the parser
 ** to handle SELECT statements in SQLite.
 **
-** $Id: select.c,v 1.318 2006/06/21 07:02:33 danielk1977 Exp $
+** $Id: select.c,v 1.319 2006/07/11 13:15:08 drh Exp $
 */
 #include "sqliteInt.h"
 
@@ -221,12 +221,17 @@ static void addWhereTerm(
     zAlias2 = pTab2->zName;
   }
   pE2b = sqlite3CreateIdExpr(zAlias2);
-  pE1c = sqlite3Expr(TK_DOT, pE1b, pE1a, 0);
-  pE2c = sqlite3Expr(TK_DOT, pE2b, pE2a, 0);
-  pE = sqlite3Expr(TK_EQ, pE1c, pE2c, 0);
-  ExprSetProperty(pE, EP_FromJoin);
-  pE->iRightJoinTable = iRightJoinTable;
-  *ppExpr = sqlite3ExprAnd(*ppExpr, pE);
+  pE1c = sqlite3ExprOrFree(TK_DOT, pE1b, pE1a, 0);
+  pE2c = sqlite3ExprOrFree(TK_DOT, pE2b, pE2a, 0);
+  pE = sqlite3ExprOrFree(TK_EQ, pE1c, pE2c, 0);
+  if( pE ){
+    ExprSetProperty(pE, EP_FromJoin);
+    pE->iRightJoinTable = iRightJoinTable;
+  }
+  pE = sqlite3ExprAnd(*ppExpr, pE);
+  if( pE ){
+    *ppExpr = pE;
+  }
 }
 
 /*
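Review bot: The header comment on sqlite3ExprOrFree leaves its ownership contract implicit: the wrapper is only correct if sqlite3Expr() leaves pLeft and pRight untouched when it returns 0, and sqlite3Expr's body is outside this hunk, so that dependency should be written where a later change to sqlite3Expr will see it. The comment should also tell callers that both operands are consumed on failure, e.g. `** On failure 0 is returned and pLeft and pRight are deleted, so they must be heap expressions that sqlite3ExprDelete() can free. This relies on sqlite3Expr() not freeing them itself.` The deletes are also applied to operands that may already be NULL (addWhereTerm passes results of earlier failed calls straight through), which is fine only if sqlite3ExprDelete tolerates NULL — presumably it does, but the hunk does not show it.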
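Review bot: The new code in addWhereTerm checks only the final pE, never pE1c or pE2c: if a TK_DOT allocation fails but the TK_EQ allocation afterwards succeeds, pE is a TK_EQ node with a NULL child that is then spliced into *ppExpr. That is harmless only if one failed allocation guarantees every later one fails as well (SQLite's malloc-failed handling presumably does this, but nothing in the hunk shows it), so a guard before the TK_EQ call would make the function self-contained: `if( pE1c==0 || pE2c==0 ){ sqlite3ExprDelete(pE1c); sqlite3ExprDelete(pE2c); return; }`. Separately, if sqlite3ExprAnd returns 0 on allocation failure without freeing its arguments, the freshly built pE is still dropped in the `if( pE )` fallback, so the leak is narrowed rather than closed and a comment saying that is intended would help. addWhereTerm's signature and the declarations of pE1c/pE2c/pE are outside the hunk.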
@@ -2373,6 +2378,7 @@ static int simpleMinMaxQuery(Parse *pParse, Select *p, int eDest, int iParm){
     pIdx = 0;
   }else{
     CollSeq *pColl = sqlite3ExprCollSeq(pParse, pExpr);
+    if( pColl==0 ) return 0;
     for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){
       assert( pIdx->nColumn>=1 );
       if( pIdx->aiColumn[0]==iCol &&
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index ff5edb0ec4..360c69cdc4 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -11,7 +11,7 @@
 *************************************************************************
 ** Internal interface definitions for SQLite.
 **
-** @(#) $Id: sqliteInt.h,v 1.519 2006/07/08 18:35:00 drh Exp $
+** @(#) $Id: sqliteInt.h,v 1.520 2006/07/11 13:15:08 drh Exp $
 */
 #ifndef _SQLITEINT_H_
 #define _SQLITEINT_H_
@@ -1568,6 +1568,7 @@ int sqlite3KeywordCode(const unsigned char*, int);
 int sqlite3RunParser(Parse*, const char*, char **);
 void sqlite3FinishCoding(Parse*);
 Expr *sqlite3Expr(int, Expr*, Expr*, const Token*);
+Expr *sqlite3ExprOrFree(int, Expr*, Expr*, const Token*);
 Expr *sqlite3RegisterExpr(Parse*,Token*);
 Expr *sqlite3ExprAnd(Expr*, Expr*);
 void sqlite3ExprSpan(Expr*,Token*,Token*);
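Review bot: `if( pColl==0 ) return 0;` in simpleMinMaxQuery abandons the min/max optimisation without saying why, and a reader cannot tell from the hunk whether 0 from sqlite3ExprCollSeq means "no default collation" or an allocation failure; the two deserve different treatment if the general path later needs the same collation. A one-line comment would at least pin the intent: `/* No usable collation (or OOM): fall back to the general SELECT code path */`. If an allocation failure is the only way pColl can be 0 here, say that instead, since the fallback then merely defers the failure to the caller. simpleMinMaxQuery's body continues on both sides of the hunk.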