New compile-time option SQLITE_MAX_SCHEMA and runtime limit option
SQLITE_LIMIT_SCHEMA that put an upper bound on the number of objects
in a database schema. Current default is 10 million.
dan [Thu, 9 Jul 2026 20:56:29 +0000 (20:56 +0000)]
Ensure that the "leaf-size" field of an fts5 record is only read from records that are actually leaves and are large enough to contain it. Bug [bugs:/info/2026-07-09T20:15:55Z | 2026-07-09T20:15:55Z].
Make the (legacy, deprecated) ".header" command in the CLI responsive to
the "always" title mode. Clean up title mode and define its operation with
improved comments in the TCL interface and in the CLI. Add the
"-title auto" option to the CLI.
Change the CLI so that the default "--title" is "always" instead of "on"
for some display modes. This check-in also include a fix to "--title always"
for the "markdown" display mode.
Improved title separator in QRF when using "-title always" on an empty row.
Improved comments on the mode matrix in the CLI code. Additional test
cases.
Add new option "bRowCount" to QRF. Add QRF_Always as a possibility for
bTitles. Use these feature to enhance ".mode psql" to be a better
approximation of what psql actually does.
dan [Mon, 6 Jul 2026 15:13:52 +0000 (15:13 +0000)]
Fix a problem in the fossil-delta implementation within RBU causing it to reject some well-formed delta records. Bug [bugs:/info/2026-07-06T13:01:22Z | 2026-07-06T13:01:22Z].
dan [Mon, 6 Jul 2026 14:37:08 +0000 (14:37 +0000)]
Fix another buffer overread in RBU that could occur when processing an RBU database with corrupt rbu_control fields. Bug [bugs:/info/2026-07-06T13:01:41Z | 2026-07-06T13:01:41Z].
dan [Mon, 6 Jul 2026 08:36:48 +0000 (08:36 +0000)]
Avoid a buffer overread in the session module when an UPDATE change is rebased against a baseline that records fewer columns than the UPDATE. Bug [bugs:/info/2026-07-05T13:57:01Z | 2026-07-05T13:57:01Z].
Fix the parse_create_index() SQL function created by the incremental
integrity_check extension so that it works for widely correct CREATE INDEX
statements.
[bugs:/info/2026-07-05T12:00:57Z|Bug 2026-07-05T12:00:57Z].
Also fix the extension so that it removes the parse_create_index() function.
Add the sqlite3_intck_register() API function so that the
parse_create_index() function can be more easily tested.
The jsonSkipLabel() routine, part of json_each() and json_next(), should
never return an index outside of the range of bytes of the input JSONB.
[bugs:/info/2026-07-04T04:58:54Z|Bug 2026-07-04T04:58:54Z]
Avoid an integer overflow in the string allocator for the snippet()
function of FTS3/4, when SQLITE_MAX_LENGTH is unusually large.
[bugs:/info/2026-07-03T18:34:04Z|Bug 2026-07-03T18:34:04Z]
Enhance the "weekday N" modifier for date/time functions such that if
the argument is negative, it move the date backwards in time to the
matching weekday, rather than forwards.
drh [Sun, 28 Jun 2026 19:05:29 +0000 (19:05 +0000)]
Mark shadow tables when registering a new virtual table that already exists
after the schema has loaded. Test cases in TH3.
[bugs:/info/2026-06-26T12:45:51Z|Bug 2026-06-26T12:45:51Z].
drh [Sun, 28 Jun 2026 00:21:50 +0000 (00:21 +0000)]
Check for oversized iTermOff in fs5SegIterNextInit() and trigger a
corruption error if detected.
[bugs:/info/2026-06-27T18:46:54Z|Bug 2026-06-27T18:46:54Z]
drh [Sat, 27 Jun 2026 23:04:36 +0000 (23:04 +0000)]
Do not allow an integer overflow to bypass a leaf-term bound check
in the integrity-check function of FTS5.
[bugs:/info/2026-06-27T18:47:28Z|Bug 2026-06-27T18:47:28Z]
drh [Sat, 27 Jun 2026 20:30:17 +0000 (20:30 +0000)]
In the amatch.c and fuzzer.c extensions (both of which are experimental,
for testing purposes only, and are not part of any deliverable) treat
NULL inputs as empty strings.
[bugs:/info/2026-06-27T19:32:29Z|Bug 2026-06-27T19:32:29Z].
dan [Fri, 26 Jun 2026 19:31:46 +0000 (19:31 +0000)]
Fix a harmless "jump or move depends on uninitialised value" warning that could occur when using a virtual table as the RHS of an outer join within a trigger.
drh [Fri, 26 Jun 2026 15:27:30 +0000 (15:27 +0000)]
Enhance the documentation on sqlite3_set_authorizer() to make it clear
that the authorizer callback is not invoked for elements of an expression
in a generated column.
[bugs:/info/2026-06-26T12:42:48Z|Bugs 2026-06-26T12:42:48Z].
drh [Fri, 26 Jun 2026 13:00:38 +0000 (13:00 +0000)]
Fix the (non-deliverable, testing-use-only) closure extension so that it
parses quoted instantiation arguments correctly.
[bugs:/info/2026-06-26T10:06:27Z|Bug 2026-06-26T10:06:27Z]
dan [Fri, 26 Jun 2026 11:36:54 +0000 (11:36 +0000)]
Fix the size of an allocation in fts3 to take into account that when merging a phrase doclist, each entry may grow by up to 1 byte if the rhs position of the merged lists is stored. Bug [bugs:/info/2026-06-26T08:08:39Z | 2026-06-26T08:08:39Z].
drh [Fri, 26 Jun 2026 09:55:59 +0000 (09:55 +0000)]
Improved detection of corrupt freelist chains on btree pages.
Plus, add assert()s to verify that the min-heap does not overflow
inside of PRAGMA integrity_check.
dan [Thu, 25 Jun 2026 17:07:53 +0000 (17:07 +0000)]
Have API functions sqlite3_serialize, sqlite3_limit, sqlite3_busy_timeout, sqlite3_error_offset, sqlite3_db_name, sqlite3_get_autocommit, sqlite3_errcode, sqlite3_total_changes64, sqlite3_changes64, sqlite3_last_insert_rowid and sqlite3_expired take and hold the database mutex while running.
dan [Thu, 25 Jun 2026 16:24:06 +0000 (16:24 +0000)]
Also have functions sqlite3_db_name(), sqlite3_get_autocommit(), sqlite3_extended_errcode(), sqlite3_errcode(), sqlite3_total_changes64(), sqlite3_changese64(), sqlite3_last_insert_rowid() and sqlite3_expired() take the database mutex.
drh [Thu, 25 Jun 2026 15:17:15 +0000 (15:17 +0000)]
Change the undocumented and unsupported sqlite_log() SQL function so that
it is marked as unsafe and direct-only.
[bugs:/info/3311f8d5b8|Bug 2026-06-25T10:19:43Z].
drh [Thu, 25 Jun 2026 14:48:09 +0000 (14:48 +0000)]
Improve the sqlite3_str_vappendf() routine for additional robustness in the
face of over-sized inputs.
Probable fix for [bugs:/info/2026-06-25T11:29:23Z|Bug 2026-06-25T11:29:23Z].
dan [Wed, 24 Jun 2026 19:28:55 +0000 (19:28 +0000)]
When rolling back a journal that contains a super-journal pointer, only attempt to unlink the super-journal if (a) the filename looks like one that SQLite might have generated, and (b) the super-journal contains the name of the journal being rolled back. This is to limit the extent to which SQLite can be caused to delete arbitrary files by supplying it with a crafted hot-journal. Report [bugs:/info/2026-06-24T14:18:00Z | 2026-06-24T14:18:00Z].
drh [Wed, 24 Jun 2026 18:50:44 +0000 (18:50 +0000)]
Check for cells that extend of the end of a page when searching indexes.
This is a work-in-progress.
This check-in includes four NEVER() and ALWAYS() macros for which simple
test cases are needed.
dan [Wed, 24 Jun 2026 17:14:57 +0000 (17:14 +0000)]
When rolling back a journal that contains a super-journal pointer, only attempt to unlink the super-journal if the filename looks like one that SQLite might have generated. This is to limit the extent to which SQLite can be caused to delete arbitrary files by supplying it with a crafted hot-journal. Bug [bugs:/info/2026-06-24T14:18:00Z | 2026-06-24T14:18:00Z].
drh [Wed, 24 Jun 2026 13:46:37 +0000 (13:46 +0000)]
Fix a comment in os_kv.c so that it does not match "###" and thus does
not cause false-positives when searching the output of gcov. No
changes to code.
drh [Wed, 24 Jun 2026 13:45:04 +0000 (13:45 +0000)]
Fix the sqlite3ParseUri() for improved defenses against ridiculously long
URI inputs causing integer overflow problems.
[bugs:/info/2026-06-24T11:46:39Z|Bug 2026-06-24T11:46:39Z].
dan [Wed, 24 Jun 2026 13:42:39 +0000 (13:42 +0000)]
Revert the fixes to backup in [1f940357f7] and [e5db80350c] and instead fix the problem reported by forum post [forum:15d82885e2 | 15d82885e2] (that a call to sqlite3_deserialize() after sqlite3_backup_init() but before the first call to sqlite3_backup_step() on the destination db of a backup could cause a crash) by deferring caching the pointer to the destination Btree until after it is locked. This addresses bug [bugs:/info/2026-06-24T08:41:13Z | 2026-06-24T08:41:13Z].
drh [Wed, 24 Jun 2026 12:40:26 +0000 (12:40 +0000)]
Defend against integer overflow on oversized string inputs to
sqlite3_mprintf() and similar C-language interfaces when using
the "%!.*s" conversion. The problem is not reachable from SQL
due to string length restrictions in SQL. C-code is required.
[bugs:/info/2026-06-24T11:57:36Z|Bug 2026-06-24T11:57:36Z].
drh [Wed, 24 Jun 2026 12:22:22 +0000 (12:22 +0000)]
Update documentation to explain that a odd nByte parameter to
sqlite3_prepare16() is undefined behavior. In addition, always round
down the nByte parameter to an even number so that it in fact harmless
to give it an odd nByte value.
[bugs:/info/2026-06-24T11:25:24Z|Bug 2026-06-24T11:25:24Z].
dan [Wed, 24 Jun 2026 11:50:08 +0000 (11:50 +0000)]
Revert the fixes to backup in [1f940357f7] and [e5db80350c] and instead fix the problem reported by forum post [forum:15d82885e2 | 15d82885e2] (that a call to sqlite3_deserialize() after sqlite3_backup_init() but before the first call to sqlite3_backup_step() on the destination db of a backup could cause a crash) by deferring caching the pointer to the destination Btree until after it is locked. This addresses bug [bugs:/info/2026-06-24T08:41:13Z | 2026-06-24T08:41:13Z].
stephan [Wed, 24 Jun 2026 10:22:36 +0000 (10:22 +0000)]
Swap two lines to get the amalgamation building again with SQLITE_OMIT_FLOATING_POINT, noting that neither the shell nor the canonical library build with that flag. Reported in [forum:8c3df4da0d|forum post 2026-06-24T07:21:05Z].
stephan [Wed, 24 Jun 2026 09:09:02 +0000 (09:09 +0000)]
Teach the JS build to filter out various APIs/VFSes when passed omit-api='api names...'. Fully trimmed this saves just shy of 300kb from the JS. Make loud=1 mode distinctly louder when preprocessing.
stephan [Tue, 23 Jun 2026 20:42:48 +0000 (20:42 +0000)]
Add preprocessor guards to various JS files working towards the ability to build, e.g., with only one of various VFSes included. The makefile does not yet integrate these - this is an incremental step towards addressing the discussion in [https://github.com/sqlite/sqlite-wasm/pull/168|the downstream npm project's PR#168].
dan [Tue, 23 Jun 2026 20:12:17 +0000 (20:12 +0000)]
Merge the fixes for the use-after-free problem caused by executing an ATTACH when a backup operation was active, and for the OOB read in the unused spellfix1 extension.