/ Check-in [7cac614d]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Limit the size of SrcList objects to 200 entries (compile-time configurable using -DSQLITE_MAX_SRCLIST=n). The maximum number of tables in a join has always been 64, so this is not a real constraint on capability. Limiting the size of a SrcList prevents DOS attacks (discovered by OSSFuzz) using crazy nexted CTE joins.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 7cac614d5df55eb092b863163483b6782b942b21bd15fd787576fef5619fa849
User & Date: drh 2019-01-17 14:34:46
Context
2019-01-17
15:40
Revamp the SrcList allocator routines to be methods of Parse instead of being methods of the "sqlite3" object, so that they can leave better error messages when the SrcList object grows too large. check-in: df08d472 user: drh tags: trunk
14:34
Limit the size of SrcList objects to 200 entries (compile-time configurable using -DSQLITE_MAX_SRCLIST=n). The maximum number of tables in a join has always been 64, so this is not a real constraint on capability. Limiting the size of a SrcList prevents DOS attacks (discovered by OSSFuzz) using crazy nexted CTE joins. check-in: 7cac614d user: drh tags: trunk
04:40
Fix a corner-case for the logic that cause an insert of a NULL into an INTEGER PRIMARY KEY column to be converted into a valid integer key, when the NULL results from a CASE expression that lacks an ELSE clause. check-in: 9a425051 user: drh tags: trunk
Changes
Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Changes to src/build.c.

  3819   3819     if( pList==0 ) return -1;
  3820   3820     for(i=0; i<pList->nId; i++){
  3821   3821       if( sqlite3StrICmp(pList->a[i].zName, zName)==0 ) return i;
  3822   3822     }
  3823   3823     return -1;
  3824   3824   }
  3825   3825   
         3826  +/*
         3827  +** Maximum size of a SrcList object.
         3828  +** The SrcList object is used to represent the FROM clause of a
         3829  +** SELECT statement, and the query planner cannot deal with more
         3830  +** than 64 tables in a join.  So any value larger than 64 here
         3831  +** is sufficient for most uses.  Smaller values, like say 10, are
         3832  +** appropriate for small and memory-limited applications.
         3833  +*/
         3834  +#ifndef SQLITE_MAX_SRCLIST
         3835  +# define SQLITE_MAX_SRCLIST 200
         3836  +#endif
         3837  +
  3826   3838   /*
  3827   3839   ** Expand the space allocated for the given SrcList object by
  3828   3840   ** creating nExtra new slots beginning at iStart.  iStart is zero based.
  3829   3841   ** New slots are zeroed.
  3830   3842   **
  3831   3843   ** For example, suppose a SrcList initially contains two entries: A,B.
  3832   3844   ** To append 3 new entries onto the end, do this:
................................................................................
  3857   3869     assert( iStart<=pSrc->nSrc );
  3858   3870   
  3859   3871     /* Allocate additional space if needed */
  3860   3872     if( (u32)pSrc->nSrc+nExtra>pSrc->nAlloc ){
  3861   3873       SrcList *pNew;
  3862   3874       int nAlloc = pSrc->nSrc*2+nExtra;
  3863   3875       int nGot;
         3876  +
         3877  +    if( pSrc->nSrc+nExtra>=SQLITE_MAX_SRCLIST ){
         3878  +      /* FIXME: Return a better error than SQLITE_NOMEM when the size
         3879  +      ** of a SrcList object gets to be too big.  To fix this will require
         3880  +      ** replumbing to pass Parse* instead of sqlite3* as the first parameter
         3881  +      ** to the SrcList allocators.  As this never comes up in real-world
         3882  +      ** usage, the fix is a low priority. */
         3883  +      sqlite3OomFault(db);
         3884  +      return pSrc;
         3885  +    }
         3886  +    if( nAlloc>SQLITE_MAX_SRCLIST ) nAlloc = SQLITE_MAX_SRCLIST;
  3864   3887       pNew = sqlite3DbRealloc(db, pSrc,
  3865   3888                  sizeof(*pSrc) + (nAlloc-1)*sizeof(pSrc->a[0]) );
  3866   3889       if( pNew==0 ){
  3867   3890         assert( db->mallocFailed );
  3868   3891         return pSrc;
  3869   3892       }
  3870   3893       pSrc = pNew;

Changes to test/join.test.

   667    667   jointest join-12.2 30 {0 1}
   668    668   jointest join-12.3 63 {0 1}
   669    669   jointest join-12.4 64 {0 1}
   670    670   jointest join-12.5 65 {1 {at most 64 tables in a join}}
   671    671   jointest join-12.6 66 {1 {at most 64 tables in a join}}
   672    672   jointest join-12.7 127 {1 {at most 64 tables in a join}}
   673    673   jointest join-12.8 128 {1 {at most 64 tables in a join}}
   674         -jointest join-12.9 1000 {1 {at most 64 tables in a join}}
   675    674   
   676         -# If SQLite is built with SQLITE_MEMDEBUG, then the huge number of realloc()
   677         -# calls made by the following test cases are too time consuming to run.
   678         -# Without SQLITE_MEMDEBUG, realloc() is fast enough that these are not
   679         -# a problem.
   680         -ifcapable pragma&&compileoption_diags {
   681         -  if {[lsearch [db eval {PRAGMA compile_options}] MEMDEBUG]<0} {
   682         -    jointest join-12.10 65534 {1 {at most 64 tables in a join}}
   683         -    jointest join-12.11 65535 {1 {too many references to "t14": max 65535}}
   684         -    jointest join-12.12 65536 {1 {too many references to "t14": max 65535}}
   685         -    jointest join-12.13 65537 {1 {too many references to "t14": max 65535}}
   686         -  }
   687         -}
          675  +# As of 2019-01-17, the number of elements in a SrcList is limited
          676  +# to 200.  The following tests still run, but the answer is now
          677  +# an SQLITE_NOMEM error.
          678  +#
          679  +# jointest join-12.9 1000 {1 {at most 64 tables in a join}}
          680  +#
          681  +#  If SQLite is built with SQLITE_MEMDEBUG, then the huge number of realloc()
          682  +#  calls made by the following test cases are too time consuming to run.
          683  +#  Without SQLITE_MEMDEBUG, realloc() is fast enough that these are not
          684  +#  a problem.
          685  +#
          686  +# ifcapable pragma&&compileoption_diags {
          687  +#    if {[lsearch [db eval {PRAGMA compile_options}] MEMDEBUG]<0} {
          688  +#     jointest join-12.10 65534 {1 {at most 64 tables in a join}}
          689  +#     jointest join-12.11 65535 {1 {too many references to "t14": max 65535}}
          690  +#     jointest join-12.12 65536 {1 {too many references to "t14": max 65535}}
          691  +#     jointest join-12.13 65537 {1 {too many references to "t14": max 65535}}
          692  +#   }
          693  +# }
   688    694   
   689    695   
   690    696   #-------------------------------------------------------------------------
   691    697   # Test a problem with reordering tables following a LEFT JOIN.
   692    698   #
   693    699   do_execsql_test join-13.0 {
   694    700     CREATE TABLE aa(a);

Changes to test/with1.test.

  1067   1067   do_execsql_test 21.2 {
  1068   1068     SELECT printf('',
  1069   1069        EXISTS (WITH RECURSIVE Table0 AS (WITH Table0 AS (SELECT DISTINCT 1)
  1070   1070                                          SELECT *, * FROM Table0 ORDER BY 1 DESC)
  1071   1071                SELECT * FROM Table0  NATURAL JOIN  Table0));
  1072   1072   } {{}}
  1073   1073   
         1074  +# 2019-01-17
         1075  +# Make sure crazy nexted CTE joins terminate with an error quickly.
         1076  +#
         1077  +do_catchsql_test 22.1 {
         1078  +  WITH RECURSIVE c AS (
         1079  +     WITH RECURSIVE c AS (
         1080  +        WITH RECURSIVE c AS (
         1081  +           WITH RECURSIVE c AS (
         1082  +               WITH  c AS (VALUES(0))
         1083  +               SELECT 1 FROM c LEFT JOIN c ON ltrim(1)
         1084  +           )
         1085  +           SELECT 1 FROM c,c,c,c,c,c,c,c,c
         1086  +        )
         1087  +        SELECT  2 FROM c,c,c,c,c,c,c,c,c
         1088  +     )
         1089  +     SELECT 3 FROM c,c,c,c,c,c,c,c,c
         1090  +  )
         1091  +  SELECT 4 FROM c,c,c,c,c,c,c,c,c;
         1092  +} {1 {out of memory}}
         1093  +
  1074   1094   finish_test