/ Check-in [8efd6259]


Overview
Comment:Do not change the OP_String8 opcode into OP_String until *after* any necessary encoding conversions are accomplished. Otherwise, a rerun of the prepared statement after an OOM can result in errors. Test case in TH3.
SHA3-256: 8efd62594eae725decb719aa7777c020f982b7cdc2c92bab3b91bf349a5bc298
User & Date: drh 2019-09-17 21:28:54
Context
2019-09-18
11:16
Fix an OOB read in the INSTR() function introduced yesterday by check-in [3fb40f518086c1e8] and detected by OSSFuzz. The test case is in TH3. check-in: d49047c1 user: drh tags: trunk
2019-09-17
21:28
Do not change the OP_String8 opcode into OP_String until *after* any necessary encoding conversions are accomplished. Otherwise, a rerun of the prepared statement after an OOM can result in errors. Test case in TH3. check-in: 8efd6259 user: drh tags: trunk
13:30
Test cases for ticket [587791f92620090e] check-in: ca0e3a83 user: drh tags: trunk
Changes

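--- a/src/vdbe.c
+++ b/src/vdbe.c
@@ -1139,14 +1139,13 @@
 ** into a String opcode before it is executed for the first time.  During
 ** this transformation, the length of string P4 is computed and stored
 ** as the P1 parameter.
 */
 case OP_String8: {         /* same as TK_STRING, out2 */
   assert( pOp->p4.z!=0 );
   pOut = out2Prerelease(p, pOp);
-  pOp->opcode = OP_String;
   pOp->p1 = sqlite3Strlen30(pOp->p4.z);
 
 #ifndef SQLITE_OMIT_UTF16
   if( encoding!=SQLITE_UTF8 ){
     rc = sqlite3VdbeMemSetStr(pOut, pOp->p4.z, -1, SQLITE_UTF8, SQLITE_STATIC);
     assert( rc==SQLITE_OK || rc==SQLITE_TOOBIG );
     if( rc ) goto too_big;
@@ -1163,14 +1162,15 @@
     pOp->p4.z = pOut->z;
     pOp->p1 = pOut->n;
   }
 #endif
   if( pOp->p1>db->aLimit[SQLITE_LIMIT_LENGTH] ){
     goto too_big;
   }
+  pOp->opcode = OP_String;
   assert( rc==SQLITE_OK );
   /* Fall through to the next case, OP_String */
 }
 
 /* Opcode: String P1 P2 P3 P4 P5
 ** Synopsis: r[P2]='P4' (len=P1)
 **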
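Review bot: The length-limit check at new line 1166 still runs after `pOp->p4.z = pOut->z;` and `pOp->p1 = pOut->n;` (new 1162-1163) have replaced the original literal, so a `goto too_big` taken there leaves the opcode as OP_String8 while p4.z already points at the re-encoded text, if the omitted lines 1153-1161 convert it as the `encoding!=SQLITE_UTF8` guard suggests. A rerun would then re-enter this case and call sqlite3Strlen30 on that converted buffer (presumably a strlen-style scan that stops at the first zero byte, which UTF-16 text contains), so the second execution may not reproduce the intended error; this is inferred, since the conversion itself is not visible in the hunk. If that re-entry is tolerated, a one-line comment at the moved assignment would spare the next reader the question, e.g. `/* p4.z/p1 are now final and within limits; only now is re-executing this op safe */`; otherwise the limit could be tested against pOut->n before p4.z is swapped. The enclosing switch and function start and end outside the hunk.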