Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | In extensions rtree, fts3 and fts5, ensure that when dynamic buffers are bound to persistent SQL statements using SQLITE_STATIC, the binding is replaced with an SQL NULL before the buffer is freed. Otherwise, a user may obtain a pointer to the persistent statement using sqlite3_next_stmt() and attempt to access the freed buffer using sqlite3_expanded_sql() or similar. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
2a5f813bc61f9e780f2ccbda425611f6 |
| User & Date: | dan 2018-02-07 18:02:50.375 |
Context
|
2018-02-07
| ||
| 18:45 | Fix typo in comment. Skip tests added by check-in [4761db83b6] when running on Windows. (check-in: 468a389cdc user: mistachkin tags: trunk) | |
| 18:02 | In extensions rtree, fts3 and fts5, ensure that when dynamic buffers are bound to persistent SQL statements using SQLITE_STATIC, the binding is replaced with an SQL NULL before the buffer is freed. Otherwise, a user may obtain a pointer to the persistent statement using sqlite3_next_stmt() and attempt to access the freed buffer using sqlite3_expanded_sql() or similar. (check-in: 2a5f813bc6 user: dan tags: trunk) | |
| 16:14 | When the final connection disconnects from a wal mode database, check that the database file has not been moved or unlinked before deleting the wal and shm files. (check-in: 4761db83b6 user: dan tags: trunk) | |
Changes
Changes to ext/fts3/fts3_write.c.
| ︙ | |||
1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 | 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 | + |
sqlite3_stmt *pStmt;
int rc = fts3SqlStmt(p, SQL_INSERT_SEGMENTS, &pStmt, 0);
if( rc==SQLITE_OK ){
sqlite3_bind_int64(pStmt, 1, iBlock);
sqlite3_bind_blob(pStmt, 2, z, n, SQLITE_STATIC);
sqlite3_step(pStmt);
rc = sqlite3_reset(pStmt);
sqlite3_bind_null(pStmt, 2);
}
return rc;
}
/*
** Find the largest relative level number in the table. If successful, set
** *pnMax to this value and return SQLITE_OK. Otherwise, if an error occurs,
|
| ︙ | |||
1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 | 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 | + |
char *zEnd = sqlite3_mprintf("%lld %lld", iEndBlock, nLeafData);
if( !zEnd ) return SQLITE_NOMEM;
sqlite3_bind_text(pStmt, 5, zEnd, -1, sqlite3_free);
}
sqlite3_bind_blob(pStmt, 6, zRoot, nRoot, SQLITE_STATIC);
sqlite3_step(pStmt);
rc = sqlite3_reset(pStmt);
sqlite3_bind_null(pStmt, 6);
}
return rc;
}
/*
** Return the size of the common prefix (if any) shared by zPrev and
** zNext, in bytes. For example,
|
| ︙ | |||
3439 3440 3441 3442 3443 3444 3445 3446 3447 3448 3449 3450 3451 3452 | 3441 3442 3443 3444 3445 3446 3447 3448 3449 3450 3451 3452 3453 3454 3455 | + |
*pRC = rc;
return;
}
sqlite3_bind_int(pStmt, 1, FTS_STAT_DOCTOTAL);
sqlite3_bind_blob(pStmt, 2, pBlob, nBlob, SQLITE_STATIC);
sqlite3_step(pStmt);
*pRC = sqlite3_reset(pStmt);
sqlite3_bind_null(pStmt, 2);
sqlite3_free(a);
}
/*
** Merge the entire database so that there is one segment for each
** iIndex/iLangid combination.
*/
|
| ︙ | |||
4627 4628 4629 4630 4631 4632 4633 4634 4635 4636 4637 4638 4639 4640 | 4630 4631 4632 4633 4634 4635 4636 4637 4638 4639 4640 4641 4642 4643 4644 | + |
if( rc==SQLITE_OK ){
sqlite3_bind_int64(pChomp, 1, iNewStart);
sqlite3_bind_blob(pChomp, 2, root.a, root.n, SQLITE_STATIC);
sqlite3_bind_int64(pChomp, 3, iAbsLevel);
sqlite3_bind_int(pChomp, 4, iIdx);
sqlite3_step(pChomp);
rc = sqlite3_reset(pChomp);
sqlite3_bind_null(pChomp, 2);
}
}
sqlite3_free(root.a);
sqlite3_free(block.a);
return rc;
}
|
| ︙ | |||
4706 4707 4708 4709 4710 4711 4712 4713 4714 4715 4716 4717 4718 4719 | 4710 4711 4712 4713 4714 4715 4716 4717 4718 4719 4720 4721 4722 4723 4724 | + |
rc = fts3SqlStmt(p, SQL_REPLACE_STAT, &pReplace, 0);
if( rc==SQLITE_OK ){
sqlite3_bind_int(pReplace, 1, FTS_STAT_INCRMERGEHINT);
sqlite3_bind_blob(pReplace, 2, pHint->a, pHint->n, SQLITE_STATIC);
sqlite3_step(pReplace);
rc = sqlite3_reset(pReplace);
sqlite3_bind_null(pReplace, 2);
}
return rc;
}
/*
** Load an incr-merge hint from the database. The incr-merge hint, if one
|
| ︙ |
Changes to ext/fts5/fts5_index.c.
| ︙ | |||
754 755 756 757 758 759 760 761 762 763 764 765 766 767 | 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 | + |
if( p->rc ) return;
}
sqlite3_bind_int64(p->pWriter, 1, iRowid);
sqlite3_bind_blob(p->pWriter, 2, pData, nData, SQLITE_STATIC);
sqlite3_step(p->pWriter);
p->rc = sqlite3_reset(p->pWriter);
sqlite3_bind_null(p->pWriter, 2);
}
/*
** Execute the following SQL:
**
** DELETE FROM %_data WHERE id BETWEEN $iFirst AND $iLast
*/
|
| ︙ | |||
2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 | 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 2396 2397 | + |
sqlite3_bind_blob(pIdxSelect, 2, pTerm, nTerm, SQLITE_STATIC);
if( SQLITE_ROW==sqlite3_step(pIdxSelect) ){
i64 val = sqlite3_column_int(pIdxSelect, 0);
iPg = (int)(val>>1);
bDlidx = (val & 0x0001);
}
p->rc = sqlite3_reset(pIdxSelect);
sqlite3_bind_null(pIdxSelect, 2);
if( iPg<pSeg->pgnoFirst ){
iPg = pSeg->pgnoFirst;
bDlidx = 0;
}
pIter->iLeafPgno = iPg - 1;
|
| ︙ | |||
3594 3595 3596 3597 3598 3599 3600 3601 3602 3603 3604 3605 3606 3607 | 3596 3597 3598 3599 3600 3601 3602 3603 3604 3605 3606 3607 3608 3609 3610 | + |
sqlite3_stmt *pIdxSelect = fts5IdxSelectStmt(p);
if( p->rc==SQLITE_OK ){
u8 aBlob[2] = {0xff, 0xff};
sqlite3_bind_int(pIdxSelect, 1, iSegid);
sqlite3_bind_blob(pIdxSelect, 2, aBlob, 2, SQLITE_STATIC);
assert( sqlite3_step(pIdxSelect)!=SQLITE_ROW );
p->rc = sqlite3_reset(pIdxSelect);
sqlite3_bind_null(pIdxSelect, 2);
}
}
#endif
}
}
return iSegid;
|
| ︙ | |||
3720 3721 3722 3723 3724 3725 3726 3727 3728 3729 3730 3731 3732 3733 | 3723 3724 3725 3726 3727 3728 3729 3730 3731 3732 3733 3734 3735 3736 3737 | + |
const char *z = (pWriter->btterm.n>0?(const char*)pWriter->btterm.p:"");
/* The following was already done in fts5WriteInit(): */
/* sqlite3_bind_int(p->pIdxWriter, 1, pWriter->iSegid); */
sqlite3_bind_blob(p->pIdxWriter, 2, z, pWriter->btterm.n, SQLITE_STATIC);
sqlite3_bind_int64(p->pIdxWriter, 3, bFlag + ((i64)pWriter->iBtPage<<1));
sqlite3_step(p->pIdxWriter);
p->rc = sqlite3_reset(p->pIdxWriter);
sqlite3_bind_null(p->pIdxWriter, 2);
}
pWriter->iBtPage = 0;
}
/*
** This is called once for each leaf page except the first that contains
** at least one term. Argument (nTerm/pTerm) is the split-key - a term that
|
| ︙ |
Changes to ext/fts5/fts5_storage.c.
| ︙ | |||
454 455 456 457 458 459 460 461 462 463 464 465 466 467 | 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 | + |
sqlite3_stmt *pReplace = 0;
rc = fts5StorageGetStmt(p, FTS5_STMT_REPLACE_DOCSIZE, &pReplace, 0);
if( rc==SQLITE_OK ){
sqlite3_bind_int64(pReplace, 1, iRowid);
sqlite3_bind_blob(pReplace, 2, pBuf->p, pBuf->n, SQLITE_STATIC);
sqlite3_step(pReplace);
rc = sqlite3_reset(pReplace);
sqlite3_bind_null(pReplace, 2);
}
}
return rc;
}
/*
** Load the contents of the "averages" record from disk into the
|
| ︙ | |||
1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 | 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 | + |
if( pVal ){
sqlite3_bind_value(pReplace, 2, pVal);
}else{
sqlite3_bind_int(pReplace, 2, iVal);
}
sqlite3_step(pReplace);
rc = sqlite3_reset(pReplace);
sqlite3_bind_null(pReplace, 1);
}
if( rc==SQLITE_OK && pVal ){
int iNew = p->pConfig->iCookie + 1;
rc = sqlite3Fts5IndexSetCookie(p->pIndex, iNew);
if( rc==SQLITE_OK ){
p->pConfig->iCookie = iNew;
}
}
return rc;
}
|
Changes to ext/fts5/test/fts5aa.test.
| ︙ | |||
589 590 591 592 593 594 595 | 589 590 591 592 593 594 595 596 597 | - + |
do_execsql_test 22.1 {
SELECT rowid FROM t9('a*')
} {1}
}
|
Changes to ext/rtree/rtree.c.
| ︙ | |||
781 782 783 784 785 786 787 788 789 790 791 792 793 794 | 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 | + |
}else{
sqlite3_bind_null(p, 1);
}
sqlite3_bind_blob(p, 2, pNode->zData, pRtree->iNodeSize, SQLITE_STATIC);
sqlite3_step(p);
pNode->isDirty = 0;
rc = sqlite3_reset(p);
sqlite3_bind_null(p, 2);
if( pNode->iNode==0 && rc==SQLITE_OK ){
pNode->iNode = sqlite3_last_insert_rowid(pRtree->db);
nodeHashInsert(pRtree, pNode);
}
}
return rc;
}
|
| ︙ |
Changes to ext/rtree/rtree1.test.
| ︙ | |||
605 606 607 608 609 610 611 612 | 605 606 607 608 609 610 611 612 613 | + |
INSERT INTO rt VALUES(1,2,3,4,5);
}
do_execsql_test 15.2 {
DROP TABLE t13;
COMMIT;
}
expand_all_sql db
finish_test
|
Changes to ext/rtree/rtree4.test.
| ︙ | |||
246 247 248 249 250 251 252 253 | 246 247 248 249 250 251 252 253 254 | + |
list $where [db eval "SELECT id FROM rx $where ORDER BY id"]
} [list $where [db eval "SELECT id FROM bx $where ORDER BY id"]]
}
do_rtree_integrity_test rtree4-$nDim.3 rx
}
expand_all_sql db
finish_test
|
Changes to ext/rtree/rtree5.test.
| ︙ | |||
75 76 77 78 79 80 81 82 | 75 76 77 78 79 80 81 82 83 | + |
SELECT * FROM t1 WHERE
x1=2147483643 AND x2=2147483647 AND
y1=-2147483648 AND y2=-2147483643
}
} {2 2147483643 2147483647 -2147483648 -2147483643}
do_rtree_integrity_test rtree5-1.14 t1
expand_all_sql db
finish_test
|
Changes to ext/rtree/rtree6.test.
| ︙ | |||
154 155 156 157 158 159 160 | 154 155 156 157 158 159 160 161 162 | - + |
x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND
x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND
x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND
x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND
x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>0.5 AND x1>1.1
} {}
|
Changes to ext/rtree/rtreeG.test.
| ︙ | |||
55 56 57 58 59 60 61 62 63 64 65 66 67 68 | 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 | + |
do_execsql_test rtreeG-1.4 {
DROP TABLE t1;
} {}
do_test rtreeG-1.4log {
set ::log
} {}
expand_all_sql db
db close
sqlite3_shutdown
test_sqlite3_log
sqlite3_initialize
sqlite3 db test.db
finish_test
|
Changes to test/fts3aa.test.
| ︙ | |||
246 247 248 249 250 251 252 253 | 246 247 248 249 250 251 252 253 254 | + |
do_execsql_test 9.1 {
CREATE VIRTUAL TABLE t9 USING fts4(a, "", '---');
}
do_execsql_test 9.2 {
CREATE VIRTUAL TABLE t10 USING fts3(<, b, c);
}
expand_all_sql db
finish_test
|
Changes to test/tester.tcl.
| ︙ | |||
2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 | 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 | + + + + + + + + + + |
# [finish_test ; return] in the callers context.
#
proc test_find_sqldiff {} {
set prog [test_find_binary sqldiff]
if {$prog==""} { return -code return }
return $prog
}
# Call sqlite3_expanded_sql() on all statements associated with database
# connection $db. This sometimes finds use-after-free bugs if run with
# valgrind or address-sanitizer.
proc expand_all_sql {db} {
set stmt ""
while {[set stmt [sqlite3_next_stmt $db $stmt]]!=""} {
sqlite3_expanded_sql $stmt
}
}
# If the library is compiled with the SQLITE_DEFAULT_AUTOVACUUM macro set
# to non-zero, then set the global variable $AUTOVACUUM to 1.
set AUTOVACUUM $sqlite_options(default_autovacuum)
# Make sure the FTS enhanced query syntax is disabled.
|
| ︙ |