SQLite

Check-in [01868ebc]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Ensure that the replace() SQL function always returns a TEXT value even when its first argument is numeric and its second argument is an empty string. Fix for the issue reported by forum post 3776b48e71.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 01868ebcd25fadb2034da234c0636e82d07c5abc902ef66493cadfc988e74d7b
User & Date: drh 2024-01-20 13:18:22
Context
2024-03-06
20:52
Ensure that the replace() SQL function always returns a TEXT value even when its first argument is numeric and its second argument is an empty string. Fix for the issue reported by forum post 3776b48e71. (check-in: a7c98c8f user: mistachkin tags: branch-3.45)
2024-01-20
15:13
When doing a text-affinity comparison between two values where one or both have both a text and a numeric type, make sure the numeric type does not confuse the answer. This is a deeper fix to the problem observed by forum pose 3776b48e71. The problem bisects to [25f2246be404f38b] on 2014-08-24, prior to version 3.8.7. (check-in: 709841f8 user: drh tags: trunk)
13:18
Ensure that the replace() SQL function always returns a TEXT value even when its first argument is numeric and its second argument is an empty string. Fix for the issue reported by forum post 3776b48e71. (check-in: 01868ebc user: drh tags: trunk)
12:13
When backing out a character in a constructed string in JSON, first make sure the string has not been reset by on OOM. dbsqlfuzz 2fffbea91a5376526ea118d4fe4188c8dd35e317. (check-in: 666690eb user: drh tags: trunk)
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/func.c.
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
  if( zPattern==0 ){
    assert( sqlite3_value_type(argv[1])==SQLITE_NULL
            || sqlite3_context_db_handle(context)->mallocFailed );
    return;
  }
  if( zPattern[0]==0 ){
    assert( sqlite3_value_type(argv[1])!=SQLITE_NULL );
    sqlite3_result_value(context, argv[0]);
    return;
  }
  nPattern = sqlite3_value_bytes(argv[1]);
  assert( zPattern==sqlite3_value_text(argv[1]) );  /* No encoding change */
  zRep = sqlite3_value_text(argv[2]);
  if( zRep==0 ) return;
  nRep = sqlite3_value_bytes(argv[2]);







|







1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
  if( zPattern==0 ){
    assert( sqlite3_value_type(argv[1])==SQLITE_NULL
            || sqlite3_context_db_handle(context)->mallocFailed );
    return;
  }
  if( zPattern[0]==0 ){
    assert( sqlite3_value_type(argv[1])!=SQLITE_NULL );
    sqlite3_result_text(context, (const char*)zStr, nStr, SQLITE_TRANSIENT);
    return;
  }
  nPattern = sqlite3_value_bytes(argv[1]);
  assert( zPattern==sqlite3_value_text(argv[1]) );  /* No encoding change */
  zRep = sqlite3_value_text(argv[2]);
  if( zRep==0 ) return;
  nRep = sqlite3_value_bytes(argv[2]);
Changes to test/func.test.
1038
1039
1040
1041
1042
1043
1044



1045
1046
1047
1048
1049
1050
1051
  }
} {{This is the larger-main test string}}
do_test func-21.8 {
  execsql {
    SELECT replace('aaaaaaa', 'a', '0123456789');
  }
} {0123456789012345678901234567890123456789012345678901234567890123456789}




ifcapable tclvar {
  do_test func-21.9 {
    # Attempt to exploit a buffer-overflow that at one time existed 
    # in the REPLACE function. 
    set ::str "[string repeat A 29998]CC[string repeat A 35537]"
    set ::rep [string repeat B 65536]







>
>
>







1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
  }
} {{This is the larger-main test string}}
do_test func-21.8 {
  execsql {
    SELECT replace('aaaaaaa', 'a', '0123456789');
  }
} {0123456789012345678901234567890123456789012345678901234567890123456789}
do_execsql_test func-21.9 {
  SELECT typeof(replace(1,'',0));
} {text}

ifcapable tclvar {
  do_test func-21.9 {
    # Attempt to exploit a buffer-overflow that at one time existed 
    # in the REPLACE function. 
    set ::str "[string repeat A 29998]CC[string repeat A 35537]"
    set ::rep [string repeat B 65536]