SQLite
Check-in [6ee8cb6a]
Not logged in
Overview
SHA3-256:6ee8cb6ae5fd076ec226bb184b5690ba29f9df8cfaef47aaf13336873b4c1f6c
Date: 2017-10-21 14:17:31
User: drh
Comment:Catch and avoid a 16-bit integer overflow on the number of columns in a common table expression. This fixes a problem found by OSS-Fuzz. The test case is in TH3.
Tags And Properties
Context
2017-10-22
07:57
[7bd20a20] Avoid running tests that use sqlite_dbpage with SQLITE_OMIT_VIRTUAL_TABLE builds. (user: dan, tags: trunk)
2017-10-21
17:17
[fb3ee1b7] Merge all the enhancements and bug fixes from trunk, since none are destablizing. Call this the second beta. (user: drh, tags: branch-3.21)
14:17
[6ee8cb6a] Catch and avoid a 16-bit integer overflow on the number of columns in a common table expression. This fixes a problem found by OSS-Fuzz. The test case is in TH3. (user: drh, tags: trunk)
13:29
[6ec82acd] Remove unnecessary "#if SQLITE_MAX_COLUMN". SQLITE_MAX_COLUMN is always defined. (user: drh, tags: trunk)
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/select.c.

1685
1686
1687
1688
1689
1690
1691

1692
1693
1694
1695
1696
1697
1698
  Hash ht;                    /* Hash table of column names */

  sqlite3HashInit(&ht);
  if( pEList ){
    nCol = pEList->nExpr;
    aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*nCol);
    testcase( aCol==0 );

  }else{
    nCol = 0;
    aCol = 0;
  }
  assert( nCol==(i16)nCol );
  *pnCol = nCol;
  *paCol = aCol;







>







1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
  Hash ht;                    /* Hash table of column names */

  sqlite3HashInit(&ht);
  if( pEList ){
    nCol = pEList->nExpr;
    aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*nCol);
    testcase( aCol==0 );
    if( nCol>32767 ) nCol = 32767;
  }else{
    nCol = 0;
    aCol = 0;
  }
  assert( nCol==(i16)nCol );
  *pnCol = nCol;
  *paCol = aCol;