Skip to content

Commit

Permalink
Prevent use-after-free of the u.vtab.idxStr string following an OOM
Browse files Browse the repository at this point in the history 
while generating the OP_VFilter opcode.

FossilOrigin-Name: 751fe4edb2d4602e652523c2759de3f4fffd29d5c66cae68caf45b30fd8b750a
  • Loading branch information
drh committed Sep 17, 2020
1 parent f1ea425 commit bc2e951
Show file tree
Hide file tree
Showing 3 changed files with 10 additions and 7 deletions.
12 changes: 6 additions & 6 deletions manifest
View file
@@ -1,5 +1,5 @@
C DISTINCT\smay\snot\sbe\signored\sinside\sa\sUNION\sALL\scommon\stable\sexpression.\nFix\sfor\sticket\s[c51489c3b8f919c5]
D 2020-09-17T00:46:09.055
C Prevent\suse-after-free\sof\sthe\su.vtab.idxStr\sstring\sfollowing\san\sOOM\nwhile\sgenerating\sthe\sOP_VFilter\sopcode.
D 2020-09-17T11:32:14.578
F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
Expand Down Expand Up @@ -624,7 +624,7 @@ F src/wal.h c3aa7825bfa2fe0d85bef2db94655f99870a285778baa36307c0a16da32b226a
F src/walker.c 3df26a33dc4f54e8771600fb7fdebe1ece0896c2ad68c30ab40b017aa4395049
F src/where.c 23f47e845e304a41d0b221bf67bd170014ae08b673076813fcd945dda1a3d4af
F src/whereInt.h eb8c2847fb464728533777efec1682b3c074224293b2da73513c61a609efbeab
F src/wherecode.c 8b1176a3b7d4d61f78b0516bb7f6bb3803c658a6565663b8414c3b5d37a02eaa
F src/wherecode.c 9afd600ca9fe831f342121cca48ad8839c8a18ca4e0372518a0a3c8123a8f022
F src/whereexpr.c 264d58971eaf8256eb5b0917bcd7fc7a1f1109fdda183a8382308a1b18a2dce7
F src/window.c edd6f5e25a1e8f2b6f5305b7f5f7da7bb35f07f0d432b255b1d4c2fcab4205aa
F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
Expand Down Expand Up @@ -1880,7 +1880,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
P 9ea3039b538ffd0f348c8fbc9452af1fbf899a1f668af9a2404bdd0f8dd21351
R 5bf1eaed1b0f62e19f1e327d7467bbe1
P 7d2b590d3abd66a7e6ae9046198eb669e0fd2f223f7691281e9ad795a12b8903
R 64b915f5a215a95424570ee566dcd81b
U drh
Z 6e1d5387493b3a726ae70a6af2467d64
Z ee1bdda50dc146e98a6a3caca7097de2
2 changes: 1 addition & 1 deletion manifest.uuid
View file
@@ -1 +1 @@
7d2b590d3abd66a7e6ae9046198eb669e0fd2f223f7691281e9ad795a12b8903
751fe4edb2d4602e652523c2759de3f4fffd29d5c66cae68caf45b30fd8b750a
3 changes: 3 additions & 0 deletions src/wherecode.c
View file
Expand Up @@ -1397,6 +1397,9 @@ Bitmask sqlite3WhereCodeOneLoopStart(
pLoop->u.vtab.needFree ? P4_DYNAMIC : P4_STATIC);
VdbeCoverage(v);
pLoop->u.vtab.needFree = 0;
/* An OOM inside of AddOp4(OP_VFilter) instruction above might have freed
** the u.vtab.idxStr. NULL it out to prevent a use-after-free */
if( db->mallocFailed ) pLoop->u.vtab.idxStr = 0;
pLevel->p1 = iCur;
pLevel->op = pWInfo->eOnePass ? OP_Noop : OP_VNext;
pLevel->p2 = sqlite3VdbeCurrentAddr(v);
Expand Down

0 comments on commit bc2e951

Please sign in to comment.