SQLite

Check-in [003e4eee6b]

Overview
Comment: For an IN operator used with a RIGHT JOIN, use the number of terms in the vector, not the number of equality terms, to size the column map. dbsqlfuzz 14cfdad6ca45e607163f54049ddf5065183dc657.
SHA3-256: 003e4eee6b53a4dee3b8593dc052661d56bd426c8fc184b8a6b5e760a7f9e003
User & Date: drh 2022-08-03 16:04:12.587
Context
2022-08-03
17:27
Improvement on the previous check-in. (check-in: 0d0c31117a user: drh tags: branch-3.39)
16:04
For an IN operator used with a RIGHT JOIN, use the number of terms in the vector, not the number of equality terms, to size the column map. dbsqlfuzz 14cfdad6ca45e607163f54049ddf5065183dc657. (check-in: 003e4eee6b user: drh tags: branch-3.39)
15:58
For an IN operator used with a RIGHT JOIN, use the number of terms in the vector, not the number of equality terms, to size the column map. dbsqlfuzz 14cfdad6ca45e607163f54049ddf5065183dc657, CVE-2022-3195. This problem was injected by [a193749730d6cfba] which was part of the RIGHT JOIN enhancement for version 3.39.0. (check-in: b184c8d922 user: drh tags: trunk)
2022-08-01
13:17
Bump the version number up to 3.39.3. (check-in: d0f7f22a8f user: drh tags: branch-3.39)
Changes
Changes to src/wherecode.c.
        if( !db->mallocFailed ){
          aiMap = (int*)sqlite3DbMallocZero(pParse->db, sizeof(int)*nEq);
          eType = sqlite3FindInIndex(pParse, pX, IN_INDEX_LOOP, 0, aiMap,&iTab);
          pExpr->iTable = iTab;
        }
        sqlite3ExprDelete(db, pX);
      }else{
        aiMap = (int*)sqlite3DbMallocZero(pParse->db, sizeof(int)*nEq);

        eType = sqlite3FindInIndex(pParse, pX, IN_INDEX_LOOP, 0, aiMap, &iTab);
      }
      pX = pExpr;
    }

    if( eType==IN_INDEX_INDEX_DESC ){
      testcase( bRev );







        if( !db->mallocFailed ){
          aiMap = (int*)sqlite3DbMallocZero(pParse->db, sizeof(int)*nEq);
          eType = sqlite3FindInIndex(pParse, pX, IN_INDEX_LOOP, 0, aiMap,&iTab);
          pExpr->iTable = iTab;
        }
        sqlite3ExprDelete(db, pX);
      }else{
        aiMap = (int*)sqlite3DbMallocZero(pParse->db,
                             sizeof(int)*sqlite3ExprVectorSize(pX->pLeft));
        eType = sqlite3FindInIndex(pParse, pX, IN_INDEX_LOOP, 0, aiMap, &iTab);
      }
      pX = pExpr;
    }

    if( eType==IN_INDEX_INDEX_DESC ){
      testcase( bRev );
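
Review bot: the two aiMap allocations in this hunk now use different counts with no comment explaining why. In the post-change text the else branch sizes the map with sizeof(int)*sqlite3ExprVectorSize(pX->pLeft), while the `if( !db->mallocFailed )` branch just above still uses sizeof(int)*nEq ahead of the same sqlite3FindInIndex(..., aiMap, &iTab) call. Since an undersized column map here was reported by a fuzzer, put a short comment on each allocation stating which count the map must cover (terms in the IN vector versus equality terms) and why nEq remains correct in the first branch, or derive both sizes from the vector so they cannot drift apart. Separately, the else branch passes the result of sqlite3DbMallocZero straight to sqlite3FindInIndex without a visible NULL check; confirm that the callee tolerates a NULL aiMap on allocation failure.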