SQLite

Changes On Branch original-uaf-fix
Login
Hide Diff Patch Unified Diff

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Changes In Branch original-uaf-fix Excluding Merge-Ins

This is equivalent to a diff from 230fedd9 to 193b14a5

2021-06-12
18:12
The sqlite3WithPush() routine might destroy its second argument if there was a prior OOM. Do not use the second argument of sqlite3WithPush() if this happens. (check-in: baa3f962 user: drh tags: trunk)
17:45
An alternative approach to the use-after-free problem. (Closed-Leaf check-in: 6796b7a2 user: drh tags: alternative-oom-fix)
16:17
Fix a use-after-free that could follow an OOM in ALTER TABLE. (Edit:) Still contains problems. (Closed-Leaf check-in: 193b14a5 user: dan tags: original-uaf-fix)
2021-06-11
13:18
Reapply two recent ALTER TABLE error checks that turned out to be necessary after all. dbsqlfuzz fc5a9deefda00dda914748985155a6d4c44174e5. (check-in: 230fedd9 user: drh tags: trunk)
12:41
Avoid bugs in some implementations of dlopen() by avoiding calls to dlopen() with a filename argument that exceeds FILENAME_MAX bytes. Forum post 08a0d6d9bf. (check-in: 01f3877c user: drh tags: trunk)
12:14
Fix a crash in new ALTER TABLE code that could follow an OOM. (check-in: 6f1f2a0a user: dan tags: trunk)
12:02
Remove an unreachable branch added by the previous commit. (check-in: 852ee0e9 user: dan tags: trunk)

Changes to src/alter.c. 

809
810
811
812
813
814
815


816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832

      ** here as the original will be expanded and resolved (flags SF_Expanded
      ** and SF_Resolved) below. And the parser code that uses the with-stack
      ** fails if the Select objects on it have already been expanded and
      ** resolved.  */
      pCopy = sqlite3WithDup(pParse->db, pWith);
      sqlite3WithPush(pParse, pCopy, 1);
    }


    for(i=0; i<pWith->nCte; i++){
      Select *p = pWith->a[i].pSelect;
      NameContext sNC;
      memset(&sNC, 0, sizeof(sNC));
      sNC.pParse = pParse;
      if( pCopy ) sqlite3SelectPrep(sNC.pParse, p, &sNC);
      sqlite3WalkSelect(pWalker, p);
      sqlite3RenameExprlistUnmap(pParse, pWith->a[i].pCols);
    }
    if( pCopy && pParse->pWith==pCopy ){
      pParse->pWith = pCopy->pOuter;
    }
  }
}

/*
** Unmap all tokens in the IdList object passed as the second argument.








>
>
|
|
|
|
|
|
|
|
|
<








809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826

827
828
829
830
831
832
833

      ** here as the original will be expanded and resolved (flags SF_Expanded
      ** and SF_Resolved) below. And the parser code that uses the with-stack
      ** fails if the Select objects on it have already been expanded and
      ** resolved.  */
      pCopy = sqlite3WithDup(pParse->db, pWith);
      sqlite3WithPush(pParse, pCopy, 1);
    }
    if( pParse->db->mallocFailed==0 ){
      assert( pCopy );
      for(i=0; i<pWith->nCte; i++){
        Select *p = pWith->a[i].pSelect;
        NameContext sNC;
        memset(&sNC, 0, sizeof(sNC));
        sNC.pParse = pParse;
        sqlite3SelectPrep(sNC.pParse, p, &sNC);
        sqlite3WalkSelect(pWalker, p);
        sqlite3RenameExprlistUnmap(pParse, pWith->a[i].pCols);
      }

      pParse->pWith = pCopy->pOuter;
    }
  }
}

/*
** Unmap all tokens in the IdList object passed as the second argument.