Fix the format() SQL function so that it reports TOOBIG and NOMEM errors.
authordrh <>
Sun, 31 May 2026 09:18:31 +0000 (09:18 +0000)
committerdrh <>
Sun, 31 May 2026 09:18:31 +0000 (09:18 +0000)
Fix a possible integer overflow on %#Q formatting.
[bugs:/info/2026-05-31T02:00:07Z|Bug 2026-05-31T02:00:07Z].

FossilOrigin-Name: 3bfe0510aecccf113b9d008c308fca3096e9c45c59b919c0b91bb4703415988f

manifest
manifest.uuid
src/func.c
src/printf.c

index 07189ea88aaa39e5621f94bc35b800c16818b9a1..913e88768dfeb32a8bc83f7659bcc6a12ec68861 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\sa\stest\sto\sensure\san\sapplication\sdoes\snot\stry\sto\screate\sa\sgeopoly\nvirtual\stable\swith\stoo\smany\scolumns.\n[bugs:/info/2026-05-30T12:47:27Z|Bug\s2026-05-30T12:47:27Z].
-D 2026-05-30T13:23:25.636
+C Fix\sthe\sformat()\sSQL\sfunction\sso\sthat\sit\sreports\sTOOBIG\sand\sNOMEM\serrors.\nFix\sa\spossible\sinteger\soverflow\son\s%#Q\sformatting.\n[bugs:/info/2026-05-31T02:00:07Z|Bug\s2026-05-31T02:00:07Z].
+D 2026-05-31T09:18:31.445
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -691,7 +691,7 @@ F src/delete.c 59eeca3fb88c29329afc41bb803ee568b120d9dd7470b5f38ab55cc38390b451
 F src/expr.c d2188a699ded4522f15cf23d4c82da0ad73dcda09cd943982906824ef019947f
 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007
 F src/fkey.c 931f74cec1dc8038a0217ef340c91ce147dd1bbed08dc40c47ee0ec6edfffb08
-F src/func.c e8525e6c5493149680b0ebd3352e7f004ee7283181f24809b603329afe911443
+F src/func.c 5de08ba4c036c99d2699ea10486cbe3cb38a97e258084b8f9fd08893a79d7e74
 F src/global.c a19e4b1ca1335f560e9560e590fc13081e21f670643367f99cb9e8f9dc7d615b
 F src/hash.c 03c8c0f4be9e8bcb6de65aa26d34a61d48a9430747084a69f9469fbb00ea52ca
 F src/hash.h 46b92795a95bfefb210f52f0c316e9d7cdbcdd7e7fcfb0d8be796d3a5767cddf
@@ -733,7 +733,7 @@ F src/pcache.h 092b758d2c5e4dabb30eae46d8dfad77c0f70b16bf3ff1943f7a232b0fe0d4ba
 F src/pcache1.c 131ca0daf4e66b4608d2945ae76d6ed90de3f60539afbd5ef9ec65667a5f2fcd
 F src/pragma.c 789ef67117b74b5be0a2db6681f7f0c55e6913791b9da309aefd280de2c8a74d
 F src/prepare.c 084a037fd3810cb7ffbfc001cd58c0ffac68ba36598a5084b55ea2a090014ebd
-F src/printf.c 2bc09ee91d69c709528575bbbee2199e16d6a7e68e1508ac7cf998a7289170ca
+F src/printf.c 1b3d26ed8ea9a900317832625d5e83b833c7cf14640d7d98a2c235e172b6fefc
 F src/random.c 606b00941a1d7dd09c381d3279a058d771f406c5213c9932bbd93d5587be4b9c
 F src/resolve.c 7e936a09405cb59e2b3e51a3ad23753e4803afc5269c5171a54c9bdd70f4fc50
 F src/rowset.c 8432130e6c344b3401a8874c3cb49fefe6873fec593294de077afea2dce5ec97
@@ -2207,8 +2207,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 7487a1c59d3aaea9f8b2569dca76bbccf21948b1e7bd8a1d841e04382db696f4
-R ebb1f1b11844a09935dce12f33db6f4d
+P 2c605bfb1562d7a3609ad6ffd7446def12f1ac7084e41b9c6723e998c156501d
+R 63a7961695da01d8633721e28ccdef08
 U drh
-Z efd21511355ede67a795e7cec352e724
+Z 074783b25a8da3f2d8a55cfec0466688
 # Remove this line to create a well-formed Fossil manifest.
index 7cf91bc8055520eeb5930a5d0407dab370a6be31..be1ecf48ba027b1339b8acd373ae46f9173e63da 100644 (file)
@@ -1 +1 @@
-2c605bfb1562d7a3609ad6ffd7446def12f1ac7084e41b9c6723e998c156501d
+3bfe0510aecccf113b9d008c308fca3096e9c45c59b919c0b91bb4703415988f
index fa789292b5990ec41830e94f0d4535ab59dfe6f8..eaa4a1ef5b74dc1e8bdc21eb1d4aa0ada43cc04f 100644 (file)
@@ -330,9 +330,18 @@ static void printfFunc(
     sqlite3StrAccumInit(&str, db, 0, 0, db->aLimit[SQLITE_LIMIT_LENGTH]);
     str.printfFlags = SQLITE_PRINTF_SQLFUNC;
     sqlite3_str_appendf(&str, zFormat, &x);
-    n = str.nChar;
-    sqlite3_result_text(context, sqlite3StrAccumFinish(&str), n,
-                        SQLITE_DYNAMIC);
+    if( str.accError==SQLITE_OK ){
+      n = str.nChar;
+      sqlite3_result_text(context, sqlite3StrAccumFinish(&str), n,
+                          SQLITE_DYNAMIC);
+    }else{
+      if( str.accError==SQLITE_NOMEM ){
+        sqlite3_result_error_nomem(context);
+      }else{
+        sqlite3_result_error_toobig(context);
+      }
+      sqlite3_str_reset(&str);
+    }
   }
 }
 
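Review bot: The inner `else` of the new error branch reports SQLITE_TOOBIG for every `accError` value other than SQLITE_NOMEM, so any other error code the accumulator might carry would be misreported to the SQL caller as a size-limit failure. Pin the assumption with `assert( str.accError==SQLITE_TOOBIG );` immediately before `sqlite3_result_error_toobig(context);`. A short why-comment on the cleanup call would also help, for example `/* release the partial buffer; it is never handed to the result */` above `sqlite3_str_reset(&str);`. The commit's file list shows only manifest, manifest.uuid, src/func.c and src/printf.c, so a regression test for the previously truncated result is presumably kept elsewhere and is worth confirming. printfFunc begins above this hunk.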
index 82528765809296108264dde33bd241e7b102a5d7..401b1c4671b487c7dcf9169f5fc2ccd1a87aa13f 100644 (file)
@@ -991,8 +991,8 @@ void sqlite3_str_vappendf(
           ** all control characters, and for backslash itself.
           ** For %#Q, do the same but only if there is at least
           ** one control character. */
-          u32 nBack = 0;
-          u32 nCtrl = 0;
+          i64 nBack = 0;
+          i64 nCtrl = 0;
           for(k=0; k<i; k++){
             if( escarg[k]=='\\' ){
               nBack++;
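Review bot: Widening `nBack` and `nCtrl` to `i64` only removes the overflow if the arithmetic that later turns these counts into an output size is also done in 64 bits and checked against the length limit before any allocation. That code lies below the hunk and is not visible here, so it should be confirmed. The loop index `k` and bound `i` are also declared outside the hunk, and their width decides how large the counters can actually get. A why-comment on the declarations would keep the types from being narrowed again, for example `/* i64: these counts feed the escaped-length computation and must not wrap */`. The body of sqlite3_str_vappendf starts and ends outside this hunk.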