From: drh Date: Tue, 15 May 2007 02:34:09 +0000 (+0000) Subject: Fix a bug in sqlite3_mprintf() which could have caused a buffer X-Git-Tag: version-3.4.0~87 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=eaad32b1df677f7f3f6fabb863a341c98383bc66;p=thirdparty%2Fsqlite.git Fix a bug in sqlite3_mprintf() which could have caused a buffer overrun if malloc() failed. (CVS 3998) FossilOrigin-Name: 5af49a57d4866be21c0206f34584bcc63adc1315
---
diff --git a/manifest b/manifest
index e4afb5261e..139255ea57 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C The\sbuilt-in\ssubstr()\sfunction\sapplied\sto\sa\sBLOB\scounts\sbytes,\snot\scharacters.\s(CVS\s3997)
-D 2007-05-15T01:13:47
+C Fix\sa\sbug\sin\ssqlite3_mprintf()\swhich\scould\shave\scaused\sa\sbuffer\noverrun\sif\smalloc()\sfailed.\s(CVS\s3998)
+D 2007-05-15T02:34:09
 F Makefile.in 87b200ad9970907f76df734d29dff3d294c10935
 F Makefile.linux-gcc 2d8574d1ba75f129aba2019f0b959db380a90935
 F README 9c4e2d6706bdcc3efdd773ce752a8cdab4f90028
@@ -97,7 +97,7 @@ F src/pager.h 94110a5570dca30d54a883e880a3633b2e4c05ae
 F src/parse.y 5d4d60e7e1beb1ad134835ee0624d35617f36c4e
 F src/pragma.c 6d5eb19feef9e84117b9b17a4c38b12b8c1c6897
 F src/prepare.c 87c23644986b5e41a58bc76f05abebd899e00089
-F src/printf.c 05b233c7a39aec4c54c79ef87af24f0a6591175d
+F src/printf.c cd91e057fa7e2661673eecd4eeecf4900b1e5cfe
 F src/random.c 6119474a6f6917f708c1dee25b9a8e519a620e88
 F src/select.c c10b98aeccc67a9724c37bbecd6553e5a8da5bf6
 F src/server.c 087b92a39d883e3fa113cae259d64e4c7438bc96
@@ -491,7 +491,7 @@ F www/tclsqlite.tcl bb0d1357328a42b1993d78573e587c6dcbc964b9
 F www/vdbe.tcl 87a31ace769f20d3627a64fa1fade7fed47b90d0
 F www/version3.tcl 890248cf7b70e60c383b0e84d77d5132b3ead42b
 F www/whentouse.tcl fc46eae081251c3c181bd79c5faef8195d7991a5
-P d07cdd3c096c120d104ae13f7932c0a955324517
-R 2be0a4c9f659ac8ba502f4d27f744853
+P 75d573080d03ee48fe88710f70c6875ff9cae19c
+R b07b9e5fab6d7eaa0b8188e0005d371e
 U drh
-Z 429140db9719a9a8e8c56d1f7aa1fad7
+Z afee1df567f28ceb1f5fd286b893c976
diff --git a/manifest.uuid b/manifest.uuid
index 56819ee5d6..4538bc8537 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-75d573080d03ee48fe88710f70c6875ff9cae19c
\ No newline at end of file
+5af49a57d4866be21c0206f34584bcc63adc1315
\ No newline at end of file
diff --git a/src/printf.c b/src/printf.c
index 31c929830f..92073991d8 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -729,19 +729,22 @@ static void mout(void *arg, const char *zNewText, int nNewChar){
 if( pM->xRealloc==0 ){
 nNewChar = pM->nAlloc - pM->nChar - 1;
 }else{
- pM->nAlloc = pM->nChar + nNewChar*2 + 1;
+ int nAlloc = pM->nChar + nNewChar*2 + 1;
 if( pM->zText==pM->zBase ){
- pM->zText = pM->xRealloc(0, pM->nAlloc);
+ pM->zText = pM->xRealloc(0, nAlloc);
 if( pM->zText && pM->nChar ){
 memcpy(pM->zText, pM->zBase, pM->nChar);
 }
 }else{
 char *zNew;
- zNew = pM->xRealloc(pM->zText, pM->nAlloc);
+ zNew = pM->xRealloc(pM->zText, nAlloc);
 if( zNew ){
 pM->zText = zNew;
+ }else{
+ return;
 }
 }
+ pM->nAlloc = nAlloc;
 }
 }
 if( pM->zText ){
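Review bot: The new `}else{ return; }` after a failed `xRealloc` in `mout()` drops the pending text but leaves the old buffer and `nChar` in place, so a later call whose text fits in the remaining space appears able to append after the gap, and the caller would get a string with a hole in it rather than a failed result. The `zBase` branch behaves differently: a failed allocation there leaves `pM->zText` NULL, and `pM->nAlloc` is still raised to `nAlloc` even though no buffer of that size exists. Strings formatted by this routine are often used as SQL text, so a silently shortened result is harder to detect than a NULL one; I would make the failure sticky (for instance a flag in the struct that later calls and the caller check; the struct is outside this hunk) and at minimum add `/* realloc failed: this chunk is dropped, earlier text is kept */` above the `return`. Separately, `int nAlloc = pM->nChar + nNewChar*2 + 1;` is unchecked signed arithmetic and can overflow for a very large `nNewChar`, so the sum should be range-checked before `xRealloc` is called. The function starts and ends outside the hunk, so the size test that guards this block and the copy that follows `if( pM->zText ){` are not visible here.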