Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Fix an OOB read in the INSTR() function introduced yesterday by check-in [3fb40f518086c1e8] and detected by OSSFuzz. The test case is in TH3. |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
d49047c1b59bbfd05204af9973cdb0fa |
User & Date: | drh 2019-09-18 11:16:46 |
Context
2019-09-18
| ||
11:46 | Fix a "jump depends on unititialized value" valgrind error in fts5 triggered by corrupt database records. check-in: 6b6751cd90 user: dan tags: trunk | |
11:16 | Fix an OOB read in the INSTR() function introduced yesterday by check-in [3fb40f518086c1e8] and detected by OSSFuzz. The test case is in TH3. check-in: d49047c1b5 user: drh tags: trunk | |
2019-09-17
| ||
21:28 | Do not change the OP_String8 opcode into OP_String until *after* any necessary encoding conversions are accomplished. Otherwise, a rerun of the prepared statement after an OOM can result in errors. Test case in TH3. check-in: 8efd62594e user: drh tags: trunk | |
Changes
Changes to src/func.c.
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
...
244
245
246
247
248
249
250
251
252
253
254
255
256
257
|
}else if( typeHaystack!=SQLITE_BLOB && typeNeedle!=SQLITE_BLOB ){ zHaystack = sqlite3_value_text(argv[0]); zNeedle = sqlite3_value_text(argv[1]); isText = 1; }else{ pC1 = sqlite3_value_dup(argv[0]); zHaystack = sqlite3_value_text(pC1); pC2 = sqlite3_value_dup(argv[1]); zNeedle = sqlite3_value_text(pC2); isText = 1; } if( zNeedle==0 || (nHaystack && zHaystack==0) ){ sqlite3_result_error_nomem(context); goto endInstr; } firstChar = zNeedle[0]; while( nNeedle<=nHaystack && (zHaystack[0]!=firstChar || memcmp(zHaystack, zNeedle, nNeedle)!=0) ){ N++; do{ nHaystack--; ................................................................................ } if( nNeedle>nHaystack ) N = 0; } sqlite3_result_int(context, N); endInstr: sqlite3_value_free(pC1); sqlite3_value_free(pC2); } /* ** Implementation of the printf() function. */ static void printfFunc( sqlite3_context *context, |
>
>
>
>
|
<
<
<
>
>
>
>
|
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
...
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
|
}else if( typeHaystack!=SQLITE_BLOB && typeNeedle!=SQLITE_BLOB ){ zHaystack = sqlite3_value_text(argv[0]); zNeedle = sqlite3_value_text(argv[1]); isText = 1; }else{ pC1 = sqlite3_value_dup(argv[0]); zHaystack = sqlite3_value_text(pC1); if( zHaystack==0 ) goto endInstrOOM; nHaystack = sqlite3_value_bytes(pC1); pC2 = sqlite3_value_dup(argv[1]); zNeedle = sqlite3_value_text(pC2); if( zNeedle==0 ) goto endInstrOOM; nNeedle = sqlite3_value_bytes(pC2); isText = 1; } if( zNeedle==0 || (nHaystack && zHaystack==0) ) goto endInstrOOM; firstChar = zNeedle[0]; while( nNeedle<=nHaystack && (zHaystack[0]!=firstChar || memcmp(zHaystack, zNeedle, nNeedle)!=0) ){ N++; do{ nHaystack--; ................................................................................ } if( nNeedle>nHaystack ) N = 0; } sqlite3_result_int(context, N); endInstr: sqlite3_value_free(pC1); sqlite3_value_free(pC2); return; endInstrOOM: sqlite3_result_error_nomem(context); goto endInstr; } /* ** Implementation of the printf() function. */ static void printfFunc( sqlite3_context *context, |