diff --git a/manifest b/manifest
index 278b587ac8..739315cf00 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C DISTINCT\smay\snot\sbe\signored\sinside\sa\sUNION\sALL\scommon\stable\sexpression.\nFix\sfor\sticket\s[c51489c3b8f919c5]
-D 2020-09-17T00:46:09.055
+C Prevent\suse-after-free\sof\sthe\su.vtab.idxStr\sstring\sfollowing\san\sOOM\nwhile\sgenerating\sthe\sOP_VFilter\sopcode.
+D 2020-09-17T11:32:14.578
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -624,7 +624,7 @@ F src/wal.h c3aa7825bfa2fe0d85bef2db94655f99870a285778baa36307c0a16da32b226a
 F src/walker.c 3df26a33dc4f54e8771600fb7fdebe1ece0896c2ad68c30ab40b017aa4395049
 F src/where.c 23f47e845e304a41d0b221bf67bd170014ae08b673076813fcd945dda1a3d4af
 F src/whereInt.h eb8c2847fb464728533777efec1682b3c074224293b2da73513c61a609efbeab
-F src/wherecode.c 8b1176a3b7d4d61f78b0516bb7f6bb3803c658a6565663b8414c3b5d37a02eaa
+F src/wherecode.c 9afd600ca9fe831f342121cca48ad8839c8a18ca4e0372518a0a3c8123a8f022
 F src/whereexpr.c 264d58971eaf8256eb5b0917bcd7fc7a1f1109fdda183a8382308a1b18a2dce7
 F src/window.c edd6f5e25a1e8f2b6f5305b7f5f7da7bb35f07f0d432b255b1d4c2fcab4205aa
 F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
@@ -1880,7 +1880,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 9ea3039b538ffd0f348c8fbc9452af1fbf899a1f668af9a2404bdd0f8dd21351
-R 5bf1eaed1b0f62e19f1e327d7467bbe1
+P 7d2b590d3abd66a7e6ae9046198eb669e0fd2f223f7691281e9ad795a12b8903
+R 64b915f5a215a95424570ee566dcd81b
 U drh
-Z 6e1d5387493b3a726ae70a6af2467d64
+Z ee1bdda50dc146e98a6a3caca7097de2
diff --git a/manifest.uuid b/manifest.uuid
index 22a693b7d8..67e30802d8 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-7d2b590d3abd66a7e6ae9046198eb669e0fd2f223f7691281e9ad795a12b8903
\ No newline at end of file
+751fe4edb2d4602e652523c2759de3f4fffd29d5c66cae68caf45b30fd8b750a
\ No newline at end of file
diff --git a/src/wherecode.c b/src/wherecode.c
index 591f267e82..ae3a197570 100644
--- a/src/wherecode.c
+++ b/src/wherecode.c
@@ -1397,6 +1397,9 @@ Bitmask sqlite3WhereCodeOneLoopStart(
 pLoop->u.vtab.needFree ? P4_DYNAMIC : P4_STATIC);
 VdbeCoverage(v);
 pLoop->u.vtab.needFree = 0;
+ /* An OOM inside of AddOp4(OP_VFilter) instruction above might have freed
+ ** the u.vtab.idxStr. NULL it out to prevent a use-after-free */
+ if( db->mallocFailed ) pLoop->u.vtab.idxStr = 0;
 pLevel->p1 = iCur;
 pLevel->op = pWInfo->eOnePass ? OP_Noop : OP_VNext;
 pLevel->p2 = sqlite3VdbeCurrentAddr(v);
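Review bot: The new guard in sqlite3WhereCodeOneLoopStart clears `pLoop->u.vtab.idxStr` only when `db->mallocFailed` is set, but in the `P4_DYNAMIC` case the string appears to be handed to the OP_VFilter operand on every path, so the pointer left in `pLoop` is a non-owning alias from that line on. Because `needFree` is zeroed on the line just before, nothing later can tell from `pLoop` whether the string was transferred, and the added comment does not say so; I would extend it to something like `/* If needFree was set, idxStr now belongs to the OP_VFilter P4 operand; pLoop keeps only a borrowed alias, which an OOM inside AddOp4 may already have freed. */`. As far as this page shows, `src/wherecode.c` is the only source file changed, so no fault-injection test accompanies the fix; an OOM test that reaches this OP_VFilter path would keep the dangling read from coming back. The function body starts and ends outside the hunk, so the later readers of `idxStr` could not be checked here.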