Do not allow the number of terms in an ORDER BY or GROUP BY clause to

exceed the maximum number of columns in a table.

FossilOrigin-Name: 139e587c7b349e771d67a8b4ee02ab3ad5d5712d4ff4713dad63cb765bdee248

diff --git a/manifest b/manifest
index 9b2b42e5bc12c87b6b9ee7a92424053b61ff0b08..efb71e667991e527d65e7df72ac7fe9d65d20a00 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sWindows\smakefile\sbreakage\scaused\sby\s[ae9d7c9c922bb241].
-D 2025-08-06T19:05:39.163
+C Do\snot\sallow\sthe\snumber\sof\sterms\sin\san\sORDER\sBY\sor\sGROUP\sBY\sclause\sto\nexceed\sthe\smaximum\snumber\sof\scolumns\sin\sa\stable.
+D 2025-08-06T19:12:10.640
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -692,7 +692,7 @@ F src/date.c 9db4d604e699a73e10b8e85a44db074a1f04c0591a77e2abfd77703f50dce1e9
 F src/dbpage.c b3e218f8ed74fcbb7fa805df8ca669a3718d397617b3d8a8aac3307dc315c4d6
 F src/dbstat.c 73362c0df0f40ad5523a6f5501224959d0976757b511299bf892313e79d14f5c
 F src/delete.c 03a77ba20e54f0f42ebd8eddf15411ed6bdb06a2c472ac4b6b336521bf7cea42
-F src/expr.c 12aeb13773920b48831d7b53018d5cc79e47b3bd8ae7c0fdfd28e6aab977821a
+F src/expr.c 0cad74107489c688449d7fec47b605c61a75c6da707031dfc4c76d1ac75667b3
 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007
 F src/fkey.c 928ed2517e8732113d2b9821aa37af639688d752f4ea9ac6e0e393d713eeb76f
 F src/func.c de47a8295503aa130baae5e6d9868ecf4f7c4dbffa65d83ad1f70bdbac0ee2d6
@@ -741,7 +741,7 @@ F src/printf.c 5f0c957af9699e849d786e8fbaa3baab648ca5612230dc17916434c14bc8698f
 F src/random.c 606b00941a1d7dd09c381d3279a058d771f406c5213c9932bbd93d5587be4b9c
 F src/resolve.c f8d1d011aba0964ff1bdccd049d4d2c2fec217efd90d202a4bb775e926b2c25d
 F src/rowset.c 8432130e6c344b3401a8874c3cb49fefe6873fec593294de077afea2dce5ec97
-F src/select.c a6be657216e1fb72f85dad7df0dba0eb79fe76527c08caa65da8fe44f0e4db44
+F src/select.c 639bac342c1fdc6be97ee806f5e9e4b0ed325889a3f24a17e955a6e9be99f510
 F src/shell.c.in 7918c9355667b3b348e5850f0dad9095476ef942ee3b96ee9b8bc2710adda1da
 F src/sqlite.h.in b526a1eaa60096c9c043d7b128daf2764571e77413873888ee5582ca0141804c
 F src/sqlite3.rc 015537e6ac1eec6c7050e17b616c2ffe6f70fca241835a84a4f0d5937383c479
@@ -834,7 +834,7 @@ F test/affinity3.test 9b7d1133e11d5edd7805573c4ab6f3ba73b0b74a1f280d5b130d4bf350
 F test/aggerror.test a867e273ef9e3d7919f03ef4f0e8c0d2767944f2
 F test/aggfault.test 777f269d0da5b0c2524c7ff6d99ae9a93db4f1b1839a914dd2a12e3035c29829
 F test/aggnested.test 610b0ce2c3e8f3daee25f9752800ee8d785db10da4aa1fbeea0ea1aabaf1d704
-F test/aggorderby.test cc3abf5de64d46ff66395ca8c2346b66c2576d5aedb7bffc5b0742508856e3bf
+F test/aggorderby.test 7be65e743f82ee49ba62da1c799e59341d23884a99edfe093df0cdfaac94cbbb
 F test/alias.test 4529fbc152f190268a15f9384a5651bbbabc9d87
 F test/all.test cf929f721e20960ca9db89471fa44f9176322ba8f25e97193f91881c223643b3
 F test/alter.test 3c00eff1e2036b9f93e9cd0f3d3e63750ac87ecb5bc71b9d7bd07cbf2ac4c494
@@ -2169,8 +2169,8 @@ F tool/version-info.c 3b36468a90faf1bbd59c65fd0eb66522d9f941eedd364fabccd7227350
 F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee87c1b31a7
 F tool/warnings.sh 1ad0169b022b280bcaaf94a7fa231591be96b514230ab5c98fbf15cd7df842dd
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P da07e0c02fe7de7b67f2564c29f49f251ae2374c0e269d246bd13e68a9a73328
-R b5216907e49e2b01f564bdbfd4b1e713
+P c41324139d6a75b0d37aeec2b0572c63207dd0b06e6a99e4fb221be564e73024
+R ff8fc7a0636f2891dad81ba7e07039e4
 U drh
-Z dea4777b257de656f41a34569efd6ff5
+Z b671d1a9840887adc2a0dda22b668f5f
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 131ad1bc98fb57008a5b8d739a0ccb37537680da..f21269ec6dec96221a97bc32b9579897e88bcc21 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-c41324139d6a75b0d37aeec2b0572c63207dd0b06e6a99e4fb221be564e73024
+139e587c7b349e771d67a8b4ee02ab3ad5d5712d4ff4713dad63cb765bdee248

diff --git a/src/expr.c b/src/expr.c
index 67c97930da6ccf9738e13830e2e957ff0cc4b03d..f53e45cda7b9e8e378044d19ba3e8f4ce1734747 100644 (file)
--- a/src/expr.c
+++ b/src/expr.c
@@ -1239,6 +1239,11 @@ void sqlite3ExprAddFunctionOrderBy(
     sqlite3ExprListDelete(db, pOrderBy);
     return;
   }
+  if( pOrderBy->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){
+    sqlite3ErrorMsg(pParse, "too many terms in ORDER BY clause");
+    sqlite3ExprListDelete(db, pOrderBy);
+    return;
+  }
 
   pOB = sqlite3ExprAlloc(db, TK_ORDER, 0, 0);
   if( pOB==0 ){

diff --git a/src/select.c b/src/select.c
index db41cb493fdb7d8769d74b1c794c7d91330abe97..fb9425bf7613b64fa76ea631151a0002b541a5d5 100644 (file)
--- a/src/select.c
+++ b/src/select.c
@@ -1546,7 +1546,10 @@ static void selectInnerLoop(
 */
 KeyInfo *sqlite3KeyInfoAlloc(sqlite3 *db, int N, int X){
   int nExtra = (N+X)*(sizeof(CollSeq*)+1);
-  KeyInfo *p = sqlite3DbMallocRawNN(db, SZ_KEYINFO(0) + nExtra);
+  KeyInfo *p;
+  assert( X>=0 );
+  if( NEVER(N+X>0xffff) ) return (KeyInfo*)sqlite3OomFault(db);
+  p = sqlite3DbMallocRawNN(db, SZ_KEYINFO(0) + nExtra);
   if( p ){
     p->aSortFlags = (u8*)&p->aColl[N+X];
     p->nKeyField = (u16)N;

diff --git a/test/aggorderby.test b/test/aggorderby.test
index eed1f83a7e00474f92d6520973a77915531f583b..466074815a51dc52c01a8a1f10863c9304c77de9 100644 (file)
--- a/test/aggorderby.test
+++ b/test/aggorderby.test
@@ -158,5 +158,17 @@ do_execsql_test aggorderby-9.3 {
   SELECT json_group_array(DISTINCT json(x) ORDER BY json(x)) FROM c;
 } {{[[1,1],[4,4],{"a":3},{"x":2}]}}
 
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test aggorderby-10.0 {
+  CREATE TABLE t1(w, x);
+  INSERT INTO t1 VALUES(1, 2);
+}
+
+for {set i 0} {$i < 70000} {incr i} { lappend lExpr x }
+do_catchsql_test aggorderby-10.1 "
+  SELECT group_concat(w ORDER BY [join $lExpr ,]) FROM t1
+" {1 {too many terms in ORDER BY clause}}
+
 
 finish_test