Fix a potential segfault following a malloc() failure during a call

to sqlite3_prepare() where the nBytes parameter is positive but less than
the length of the input SQL string. (CVS 3888)

FossilOrigin-Name: 27bf3fc3cf3c9c7acdbf9281a4669c9f642b0097

diff --git a/manifest b/manifest
index b54e84e36c93f1f8ef6abc08545ce1bbff0fb010..eed416503b3aa4f0692305f7b12a50616c66af04 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Lift\sdocListMerge()\scall\sout\sof\sloadSegmentLeavesInt()\sfor\sprefix\nsearch.\s\sDoclists\sfrom\smultiple\sprefix\smatches\swill\sneed\sa\sunion\smerge\nfunction,\swhich\swill\shave\sto\slogically\shappen\sacross\sa\ssegment\sbefore\ndoclists\sare\smerged\sbetween\ssegments.\s(CVS\s3887)
-D 2007-04-30T17:52:52
+C Fix\sa\spotential\ssegfault\sfollowing\sa\smalloc()\sfailure\sduring\sa\scall\nto\ssqlite3_prepare()\swhere\sthe\snBytes\sparameter\sis\spositive\sbut\sless\sthan\nthe\slength\sof\sthe\sinput\sSQL\sstring.\s(CVS\s3888)
+D 2007-04-30T21:39:16
 F Makefile.in 8cab54f7c9f5af8f22fd97ddf1ecfd1e1860de62
 F Makefile.linux-gcc 2d8574d1ba75f129aba2019f0b959db380a90935
 F README 9c4e2d6706bdcc3efdd773ce752a8cdab4f90028
@@ -91,7 +91,7 @@ F src/pager.c 48b1ebe8c9bcd8a9544ebef13c85547f28e8bb6b
 F src/pager.h d652ddf092d2318d00e41f8539760fe8e57c157c
 F src/parse.y a3940369e12c69c4968aa580cdc74cf73a664980
 F src/pragma.c 4fdefc03c3fd0ee87f8aad82bf80ba9bf1cdf416
-F src/prepare.c 4cb9c9eb926e8baf5652ca4b4f2416f53f5b5370
+F src/prepare.c 03277063bc4f5860efbf23548fa0123ac0f6eaec
 F src/printf.c 0c6f40648770831341ac45ab32423a80b4c87f05
 F src/random.c 6119474a6f6917f708c1dee25b9a8e519a620e88
 F src/select.c b914abca0ba28893e7fb7c7fb97a05e240e2ce8b
@@ -275,7 +275,8 @@ F test/malloc4.test 59cd02f71b363302a04c4e77b97c0a1572eaa210
 F test/malloc5.test f228cb7101ae403327824d327a1f5651d83ef0f2
 F test/malloc6.test 025ae0b78542e0ddd000d23f79d93e9be9ba0f15
 F test/malloc7.test 1cf52834509eac7ebeb92105dacd4669f9ca9869
-F test/malloc8.test ede3231e1d9359b3c618357e49cb1c62267382e7
+F test/malloc8.test c46bb15d03370a6740be49cb6cb5403ce711ff19
+F test/malloc9.test 8381041fd89c31fba60c8a1a1c776bb022108572
 F test/manydb.test 8de36b8d33aab5ef295b11d9e95310aeded31af8
 F test/memdb.test a67bda4ff90a38f2b19f6c7f95aa7289e051d893
 F test/memleak.test d2d2a1ff7105d32dc3fdf691458cf6cba58c7217
@@ -465,7 +466,7 @@ F www/tclsqlite.tcl bb0d1357328a42b1993d78573e587c6dcbc964b9
 F www/vdbe.tcl 87a31ace769f20d3627a64fa1fade7fed47b90d0
 F www/version3.tcl 890248cf7b70e60c383b0e84d77d5132b3ead42b
 F www/whentouse.tcl fc46eae081251c3c181bd79c5faef8195d7991a5
-P 8cccec68bd9073b2b19d3d31cf0b77b0ce76172e
-R 7069672da6b54cde9af80d1ef9e46049
-U shess
-Z 8a2908873a8cd6c0a742806cb3215c42
+P 7ddb82668906e33e2d6a796f2da1795032e036d5
+R 6c84bdbf40bcc10c544725efed0e51c5
+U drh
+Z dbcc6f5007a9724aa47f910a6b885e46

diff --git a/manifest.uuid b/manifest.uuid
index c9a7edcd4a767eeaba3b0662c3f7736e17fac8f1..294d6b5d679229bc0b8fe67867179527262642af 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-7ddb82668906e33e2d6a796f2da1795032e036d5
\ No newline at end of file
+27bf3fc3cf3c9c7acdbf9281a4669c9f642b0097
\ No newline at end of file

diff --git a/src/prepare.c b/src/prepare.c
index cc1055f1c4cbbb50ecf3e574193c2bbd3941d351..c711c2f7a54af3069947c0cd18e7d0438f5206dc 100644 (file)
--- a/src/prepare.c
+++ b/src/prepare.c
@@ -13,7 +13,7 @@
 ** interface, and routines that contribute to loading the database schema
 ** from disk.
 **
-** $Id: prepare.c,v 1.46 2007/04/19 11:09:01 danielk1977 Exp $
+** $Id: prepare.c,v 1.47 2007/04/30 21:39:16 drh Exp $
 */
 #include "sqliteInt.h"
 #include "os.h"
@@ -491,9 +491,11 @@ int sqlite3Prepare(
   sParse.db = db;
   if( nBytes>=0 && zSql[nBytes]!=0 ){
     char *zSqlCopy = sqlite3StrNDup(zSql, nBytes);
-    sqlite3RunParser(&sParse, zSqlCopy, &zErrMsg);
-    sParse.zTail += zSql - zSqlCopy;
-    sqliteFree(zSqlCopy);
+    if( zSqlCopy ){
+      sqlite3RunParser(&sParse, zSqlCopy, &zErrMsg);
+      sqliteFree(zSqlCopy);
+    }
+    sParse.zTail = &zSql[nBytes];
   }else{
     sqlite3RunParser(&sParse, zSql, &zErrMsg);
   }

diff --git a/test/malloc8.test b/test/malloc8.test
index e624ca094621c9d9fbef363e430caffda4147f03..071861942ce635d81f771bb945cb9258fabbb7b7 100644 (file)
--- a/test/malloc8.test
+++ b/test/malloc8.test
@@ -1,4 +1,4 @@
-# 2006 July 26
+# 2007 April 25
 #
 # The author disclaims copyright to this source code.  In place of
 # a legal notice, here is a blessing:
@@ -11,7 +11,7 @@
 # This file contains additional out-of-memory checks (see malloc.tcl)
 # added to expose a bug in out-of-memory handling for sqlite3_value_text()
 #
-# $Id: malloc8.test,v 1.1 2007/04/25 18:23:53 drh Exp $
+# $Id: malloc8.test,v 1.2 2007/04/30 21:39:16 drh Exp $
 
 set testdir [file dirname $argv0]
 source $testdir/tester.tcl

diff --git a/test/malloc9.test b/test/malloc9.test
new file mode 100644 (file)
index 0000000..5df82e4
--- /dev/null
+++ b/test/malloc9.test
@@ -0,0 +1,142 @@
+# 2007 April 30
+#
+# The author disclaims copyright to this source code.  In place of
+# a legal notice, here is a blessing:
+#
+#    May you do good and not evil.
+#    May you find forgiveness for yourself and forgive others.
+#    May you share freely, never taking more than you give.
+#
+#***********************************************************************
+# This file contains additional out-of-memory checks (see malloc.tcl)
+# added to expose a bug in out-of-memory handling for sqlite3_prepare().
+#
+# $Id: malloc9.test,v 1.1 2007/04/30 21:39:16 drh Exp $
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+
+# Only run these tests if memory debugging is turned on.
+#
+if {[info command sqlite_malloc_stat]==""} {
+   puts "Skipping malloc tests: not compiled with -DSQLITE_MEMDEBUG..."
+   finish_test
+   return
+}
+
+# Usage: do_malloc_test <test number> <options...>
+#
+# The first argument, <test number>, is an integer used to name the
+# tests executed by this proc. Options are as follows:
+#
+#     -tclprep          TCL script to run to prepare test.
+#     -sqlprep          SQL script to run to prepare test.
+#     -tclbody          TCL script to run with malloc failure simulation.
+#     -sqlbody          TCL script to run with malloc failure simulation.
+#     -cleanup          TCL script to run after the test.
+#
+# This command runs a series of tests to verify SQLite's ability
+# to handle an out-of-memory condition gracefully. It is assumed
+# that if this condition occurs a malloc() call will return a
+# NULL pointer. Linux, for example, doesn't do that by default. See
+# the "BUGS" section of malloc(3).
+#
+# Each iteration of a loop, the TCL commands in any argument passed
+# to the -tclbody switch, followed by the SQL commands in any argument
+# passed to the -sqlbody switch are executed. Each iteration the
+# Nth call to sqliteMalloc() is made to fail, where N is increased
+# each time the loop runs starting from 1. When all commands execute
+# successfully, the loop ends.
+#
+proc do_malloc_test {tn args} {
+  array unset ::mallocopts 
+  array set ::mallocopts $args
+
+  set ::go 1
+  for {set ::n 1} {$::go && $::n < 50000} {incr ::n} {
+    do_test malloc9-$tn.$::n {
+
+      sqlite_malloc_fail 0
+      catch {db close}
+      catch {file delete -force test.db}
+      catch {file delete -force test.db-journal}
+      sqlite3 db test.db
+      set ::DB [sqlite3_connection_pointer db]
+
+      # Execute any -tclprep and -sqlprep scripts.
+      #
+      if {[info exists ::mallocopts(-tclprep)]} {
+        eval $::mallocopts(-tclprep)
+      }
+      if {[info exists ::mallocopts(-sqlprep)]} {
+        execsql $::mallocopts(-sqlprep)
+      }
+
+      # Now set the ${::n}th malloc() to fail and execute the -tclbody and
+      # -sqlbody scripts.
+      #
+      sqlite_malloc_fail $::n
+      set ::mallocbody {}
+      if {[info exists ::mallocopts(-tclbody)]} {
+        append ::mallocbody "$::mallocopts(-tclbody)\n"
+      }
+      if {[info exists ::mallocopts(-sqlbody)]} {
+        append ::mallocbody "db eval {$::mallocopts(-sqlbody)}"
+      }
+      set v [catch $::mallocbody msg]
+
+      # If the test fails (if $v!=0) and the database connection actually
+      # exists, make sure the failure code is SQLITE_NOMEM.
+      if {$v && [info command db]=="db" && [info exists ::mallocopts(-sqlbody)]
+              && [db errorcode]!=7} {
+        set v 999
+      }
+
+      set leftover [lindex [sqlite_malloc_stat] 2]
+      if {$leftover>0} {
+        if {$leftover>1} {puts "\nLeftover: $leftover\nReturn=$v  Message=$msg"}
+        set ::go 0
+        if {$v} {
+          puts "\nError message returned: $msg"
+        } else {
+          set v {1 1}
+        }
+      } else {
+        set v2 [expr {$msg=="" || [regexp {out of memory} $msg]}]
+        if {!$v2} {puts "\nError message returned: $msg"}
+        lappend v $v2
+      }
+    } {1 1}
+
+    if {[info exists ::mallocopts(-cleanup)]} {
+      catch [list uplevel #0 $::mallocopts(-cleanup)] msg
+    }
+  }
+  unset ::mallocopts
+}
+
+
+do_malloc_test 1 -tclprep {
+  set sql {CREATE TABLE t1(x)}
+  set sqlbytes [string length $sql]
+  append sql {; INSERT INTO t1 VALUES(1)}
+} -tclbody {
+  if {[catch {sqlite3_prepare db $sql $sqlbytes TAIL} STMT]} {
+    set msg $STMT
+    set STMT {}
+    error $msg
+  }
+} -cleanup {
+  if {$STMT!=""} {
+    sqlite3_finalize $STMT
+  }
+}
+
+# Ensure that no file descriptors were leaked.
+do_test malloc-99.X {
+  catch {db close}
+  set sqlite_open_file_count
+} {0}
+
+sqlite_malloc_fail 0
+finish_test