Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Ensure that UTF16 strings are properly zero-terminated before returning them in an sqlite3_value_text16() request, even if the string is invalid UTF16 because it was formed from an arbitrary and/or odd-length BLOB. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
3a16ddf91f0c9c516a7fc2a9d4a4f69a |
| User & Date: | drh 2019-05-03 19:34:41 |
References
|
2019-05-16
| ||
| 01:22 | Make sure the OP_Concat opcode always correctly zero-terminates a UTF16 string, even if the input strings are ill-formed. This is a followup to check-in [3a16ddf91f0c9c516a7] that fixes a case the previous check-in missed. Also add assert()s to prove correct zero termination. (check-in: d612fb78 user: drh tags: trunk) | |
Context
|
2019-05-04
| ||
| 01:41 | In the sqlite3_value or Mem object, make the MEM_IntReal type completely independent from MEM_Int and MEM_Real. This helps avoid problems when inserting non-float values into a "REAL" column. (check-in: 5a8a23ee user: drh tags: trunk) | |
|
2019-05-03
| ||
| 19:34 | Ensure that UTF16 strings are properly zero-terminated before returning them in an sqlite3_value_text16() request, even if the string is invalid UTF16 because it was formed from an arbitrary and/or odd-length BLOB. (check-in: 3a16ddf9 user: drh tags: trunk) | |
| 18:50 | Fix a memory-leak/segfault caused by using OP_OpenDup and OP_OpenEphemeral on the same VM cursor. (check-in: a9b90aa1 user: dan tags: trunk) | |
Changes
Changes to src/vdbemem.c.
266 266 pMem->flags &= (MEM_Null|MEM_Int|MEM_Real|MEM_IntReal); 267 267 return SQLITE_OK; 268 268 } 269 269 270 270 /* 271 271 ** It is already known that pMem contains an unterminated string. 272 272 ** Add the zero terminator. 273 +** 274 +** Three bytes of zero are added. In this way, there is guaranteed 275 +** to be a double-zero byte at an even byte boundary in order to 276 +** terminate a UTF16 string, even if the initial size of the buffer 277 +** is an odd number of bytes. 273 278 */ 274 279 static SQLITE_NOINLINE int vdbeMemAddTerminator(Mem *pMem){ 275 - if( sqlite3VdbeMemGrow(pMem, pMem->n+2, 1) ){ 280 + if( sqlite3VdbeMemGrow(pMem, pMem->n+3, 1) ){ 276 281 return SQLITE_NOMEM_BKPT; 277 282 } 278 283 pMem->z[pMem->n] = 0; 279 284 pMem->z[pMem->n+1] = 0; 285 + pMem->z[pMem->n+2] = 0; 280 286 pMem->flags |= MEM_Term; 281 287 return SQLITE_OK; 282 288 } 283 289 284 290 /* 285 291 ** Change pMem so that its MEM_Str or MEM_Blob value is stored in 286 292 ** MEM.zMalloc, where it can be safely written. ................................................................................ 346 352 return SQLITE_OK; /* Nothing to do */ 347 353 }else{ 348 354 return vdbeMemAddTerminator(pMem); 349 355 } 350 356 } 351 357 352 358 /* 353 -** Add MEM_Str to the set of representations for the given Mem. Numbers 354 -** are converted using sqlite3_snprintf(). Converting a BLOB to a string 355 -** is a no-op. 359 +** Add MEM_Str to the set of representations for the given Mem. This 360 +** routine is only called if pMem is a number of some kind, not a NULL 361 +** or a BLOB. 356 362 ** 357 363 ** Existing representations MEM_Int and MEM_Real are invalidated if 358 364 ** bForce is true but are retained if bForce is false. 359 365 ** 360 366 ** A MEM_Null value will never be passed to this function. This function is 361 367 ** used for converting values to text for returning to the user (i.e. via 362 368 ** sqlite3_value_text()), or for ensuring that values to be used as btree