Comment: | Remove two incorrect assert() statements from the logic used to derive column names and types from subqueries. This allows the SQL associated with CVE-2020-13871 (ticket [c8d3b9f0a750a529]) to be tested. |
SHA3-256: |
d2e672203704aa18fdc652e9567eb29b |
User & Date: | dan 2021-07-13 15:30:48 |
Context
2022-08-10
17:03 | Merge the branch-3.28a fixes into branch-3.28. (check-in: ba6bf331 user: drh tags: branch-3.28) | |
2021-07-13
15:30 | Remove two incorrect assert() statements from the logic used to derive column names and types from subqueries. This allows the SQL associated with CVE-2020-13871 (ticket [c8d3b9f0a750a529]) to be tested. (Closed-Leaf check-in: d2e67220 user: dan tags: branch-3.28a) | |
2021-07-12
14:38 | Fix a defect in the query-flattener optimization identified by ticket [8f157e8010b22af0]. This fix is associated with CVE-2020-15358. (check-in: 9e001b63 user: dan tags: branch-3.28a) | |
2019-08-10
14:16 | Remove two incorrect assert() statements from the logic used to derive column names and types from subqueries. (check-in: 712e4771 user: drh tags: trunk) | |
Changes
Changes to src/select.c.
︙ | ︙ | |||
1639 1640 1641 1642 1643 1644 1645 | char const *zOrigDb = 0; char const *zOrigTab = 0; char const *zOrigCol = 0; #endif assert( pExpr!=0 ); assert( pNC->pSrcList!=0 ); | < < | 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 | char const *zOrigDb = 0; char const *zOrigTab = 0; char const *zOrigCol = 0; #endif assert( pExpr!=0 ); assert( pNC->pSrcList!=0 ); switch( pExpr->op ){ case TK_COLUMN: { /* The expression is a column. Locate the table the column is being ** extracted from in NameContext.pSrcList. This table may be real ** database table or a subquery. */ Table *pTab = 0; /* Table structure column is extracted from */ |
︙ | ︙ | |||
1962 1963 1964 1965 1966 1967 1968 | /* If the column contains an "AS <name>" phrase, use <name> as the name */ }else{ Expr *pColExpr = sqlite3ExprSkipCollate(pEList->a[i].pExpr); while( pColExpr->op==TK_DOT ){ pColExpr = pColExpr->pRight; assert( pColExpr!=0 ); } | < | 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 | /* If the column contains an "AS <name>" phrase, use <name> as the name */ }else{ Expr *pColExpr = sqlite3ExprSkipCollate(pEList->a[i].pExpr); while( pColExpr->op==TK_DOT ){ pColExpr = pColExpr->pRight; assert( pColExpr!=0 ); } if( pColExpr->op==TK_COLUMN ){ /* For columns use the column name name */ int iCol = pColExpr->iColumn; Table *pTab = pColExpr->y.pTab; assert( pTab!=0 ); if( iCol<0 ) iCol = pTab->iPKey; zName = iCol>=0 ? pTab->aCol[iCol].zName : "rowid"; |
︙ | ︙ |
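Review bot: The new side of the first hunk now goes straight from `assert( pNC->pSrcList!=0 );` into `switch( pExpr->op ){` with nothing recording why the two lines that stood there (their text is not rendered on this page) were wrong, and the second hunk has the same gap before `if( pColExpr->op==TK_COLUMN ){`. Because the commit message calls the removed asserts incorrect, a one-line comment at each spot would keep a later maintainer from reinstating them, e.g. `/* No assert on the expression op here: column names/types are also derived for subquery result columns whose op is not TK_COLUMN -- see colname-9.330 and window1 test 30.1 */`. In the second hunk `Table *pTab = pColExpr->y.pTab; assert( pTab!=0 );` is followed by an unconditional `pTab->iPKey` read, so if the removed check had excluded expression shapes for which y.pTab is unset, an NDEBUG build would now dereference NULL there; it is worth confirming that y.pTab is always populated for TK_COLUMN at this point. The enclosing function of each hunk starts and ends outside the hunk.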
Changes to test/colname.test.
︙ | ︙ | |||
395 396 397 398 399 400 401 402 403 404 405 406 407 408 | } {Bbb 123} ifcapable vtab { do_execsql_test colname-9.320 { CREATE TABLE t2 AS SELECT BBb FROM (SELECT aaa AS Bbb FROM t1); SELECT name FROM pragma_table_info('t2'); } {Bbb} } # Issue detected by OSSFuzz on 2017-12-24 (Christmas Eve) # caused by check-in https://sqlite.org/src/info/6b2ff26c25 # # Prior to being fixed, the following CREATE TABLE was dereferencing # a NULL pointer and segfaulting. # | > > > > > > | 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 | } {Bbb 123} ifcapable vtab { do_execsql_test colname-9.320 { CREATE TABLE t2 AS SELECT BBb FROM (SELECT aaa AS Bbb FROM t1); SELECT name FROM pragma_table_info('t2'); } {Bbb} } do_execsql_test colname-9.330 { -- added 2019-08-10 to invalidate DROP TABLE IF EXISTS t1; -- a couple assert()s that were CREATE TABLE t1(a); -- added by ticket 3b44500725 INSERT INTO t1 VALUES(17),(2),(99),(-3),(7); SELECT (SELECT avg(a) UNION SELECT min(a) OVER()) FROM t1; } {17} # Issue detected by OSSFuzz on 2017-12-24 (Christmas Eve) # caused by check-in https://sqlite.org/src/info/6b2ff26c25 # # Prior to being fixed, the following CREATE TABLE was dereferencing # a NULL pointer and segfaulting. # |
︙ | ︙ |
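Review bot: The new test colname-9.330 explains itself only through `--` fragments inside the SQL (`added 2019-08-10 to invalidate`, `a couple assert()s that were`, `added by ticket 3b44500725`), which read as one sentence split across three lines and cite a different ticket from the one this commit is about, so a reader tracing CVE-2020-13871 to its regression tests will not recognise this case. Moving that text into a Tcl comment above the test and adding the cross-reference would fix both, e.g. `# Added 2019-08-10 to invalidate a couple of assert()s added by ticket 3b44500725.` followed by `# Also relevant to CVE-2020-13871 (ticket [c8d3b9f0a750a529]); see window1.test 30.1.` The expected result `{17}` is asserted without explanation; a short note on why the UNION of avg(a) and min(a) OVER() collapses to that single value would make a future failure easier to diagnose.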
Changes to test/window1.test.
︙ | ︙ | |||
1163 1164 1165 1166 1167 1168 1169 | 13 M cc NULL JM | 3 C cc 1 {} | 4 D cc 8.25 {} | 12 L cc 'xyZ' L | 11 K cc 'xyz' K | } | | > > > | > > > | > > > > > > > | 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 | 13 M cc NULL JM | 3 C cc 1 {} | 4 D cc 8.25 {} | 12 L cc 'xyZ' L | 11 K cc 'xyz' K | } #------------------------------------------------------------------------- # Test that the SQL in ticket [c8d3b9f0a75] - CVE-2020-13871 - does not # cause a problem for this version. # reset_db do_execsql_test 30.0 { CREATE TABLE a(b); } do_execsql_test 30.1 { SELECT(SELECT b FROM a GROUP BY b HAVING(NULL AND b IN((SELECT COUNT() OVER(ORDER BY b) = lead(b) OVER(ORDER BY 3.100000 * SUM(DISTINCT CASE WHEN b LIKE 'SM PACK' THEN b * b ELSE 0 END) / b))))) FROM a EXCEPT SELECT b FROM a ORDER BY b, b, b; } finish_test |