Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
| Comment: | Avoid doing comparisons with pointers that might have been previously been passed to realloc() and/or free(). |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA1: |
f20396adb2cff12a17a3fc90b36241ae |
| User & Date: | drh 2015-12-08 16:08:10 |
|
2015-12-08
| ||
| 16:58 | Changes to avoid undefined behavior in memset() and memcpy() and in the comparisons of pointers from different allocations. All problems are found by analysis tools - none have been seen in the wild. (check-in: 901d0b8f user: drh tags: trunk) | |
| 16:08 | Avoid doing comparisons with pointers that might have been previously been passed to realloc() and/or free(). (check-in: f20396ad user: drh tags: trunk) | |
| 04:18 | Add a test case of the form "WHERE a<2 OR a<3" using PRAGMA count_changes. This test case was failing before the 3.9.0 release. (check-in: 177862c1 user: drh tags: trunk) | |
Changes to src/printf.c.
762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 ... 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 ... 804 805 806 807 808 809 810 811 812 813 814 815 816 817 ... 821 822 823 824 825 826 827 828 829 830 831 832 833 834 ... 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 ... 900 901 902 903 904 905 906 907 908 909 910 911 912 913 |
return 0;
}
if( p->mxAlloc==0 ){
N = p->nAlloc - p->nChar - 1;
setStrAccumError(p, STRACCUM_TOOBIG);
return N;
}else{
char *zOld = (p->zText==p->zBase ? 0 : p->zText);
i64 szNew = p->nChar;
szNew += N + 1;
if( szNew+p->nChar<=p->mxAlloc ){
/* Force exponential buffer size growth as long as it does not overflow,
** to avoid having to call this routine too often */
szNew += p->nChar;
}
if( szNew > p->mxAlloc ){
................................................................................
if( p->db ){
zNew = sqlite3DbRealloc(p->db, zOld, p->nAlloc);
}else{
zNew = sqlite3_realloc64(zOld, p->nAlloc);
}
if( zNew ){
assert( p->zText!=0 || p->nChar==0 );
if( p->zText==p->zBase && p->nChar>0 ) memcpy(zNew, p->zText, p->nChar);
p->zText = zNew;
p->nAlloc = sqlite3DbMallocSize(p->db, zNew);
}else{
sqlite3StrAccumReset(p);
setStrAccumError(p, STRACCUM_NOMEM);
return 0;
}
}
return N;
................................................................................
** Append N copies of character c to the given string buffer.
*/
void sqlite3AppendChar(StrAccum *p, int N, char c){
testcase( p->nChar + (i64)N > 0x7fffffff );
if( p->nChar+(i64)N >= p->nAlloc && (N = sqlite3StrAccumEnlarge(p, N))<=0 ){
return;
}
while( (N--)>0 ) p->zText[p->nChar++] = c;
}
/*
** The StrAccum "p" is not large enough to accept N new bytes of z[].
** So enlarge if first, then do the append.
**
................................................................................
*/
static void SQLITE_NOINLINE enlargeAndAppend(StrAccum *p, const char *z, int N){
N = sqlite3StrAccumEnlarge(p, N);
if( N>0 ){
memcpy(&p->zText[p->nChar], z, N);
p->nChar += N;
}
}
/*
** Append N bytes of text from z to the StrAccum object. Increase the
** size of the memory allocation for StrAccum if necessary.
*/
void sqlite3StrAccumAppend(StrAccum *p, const char *z, int N){
................................................................................
/*
** Finish off a string by making sure it is zero-terminated.
** Return a pointer to the resulting string. Return a NULL
** pointer if any kind of error was encountered.
*/
char *sqlite3StrAccumFinish(StrAccum *p){
if( p->zText ){
p->zText[p->nChar] = 0;
if( p->mxAlloc>0 && p->zText==p->zBase ){
p->zText = sqlite3DbMallocRaw(p->db, p->nChar+1 );
if( p->zText ){
memcpy(p->zText, p->zBase, p->nChar+1);
}else{
setStrAccumError(p, STRACCUM_NOMEM);
}
}
}
return p->zText;
}
/*
** Reset an StrAccum string. Reclaim all malloced memory.
*/
void sqlite3StrAccumReset(StrAccum *p){
if( p->zText!=p->zBase ){
sqlite3DbFree(p->db, p->zText);
}
p->zText = 0;
}
/*
** Initialize a string accumulator.
**
................................................................................
void sqlite3StrAccumInit(StrAccum *p, sqlite3 *db, char *zBase, int n, int mx){
p->zText = p->zBase = zBase;
p->db = db;
p->nChar = 0;
p->nAlloc = n;
p->mxAlloc = mx;
p->accError = 0;
}
/*
** Print into memory obtained from sqliteMalloc(). Use the internal
** %-conversion extensions.
*/
char *sqlite3VMPrintf(sqlite3 *db, const char *zFormat, va_list ap){
|
| > | > > > > | > | > > > |
762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 ... 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 ... 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 ... 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 ... 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 ... 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 |
return 0;
}
if( p->mxAlloc==0 ){
N = p->nAlloc - p->nChar - 1;
setStrAccumError(p, STRACCUM_TOOBIG);
return N;
}else{
char *zOld = p->bMalloced ? p->zText : 0;
i64 szNew = p->nChar;
assert( (p->zText==0 || p->zText==p->zBase)==(p->bMalloced==0) );
szNew += N + 1;
if( szNew+p->nChar<=p->mxAlloc ){
/* Force exponential buffer size growth as long as it does not overflow,
** to avoid having to call this routine too often */
szNew += p->nChar;
}
if( szNew > p->mxAlloc ){
................................................................................
if( p->db ){
zNew = sqlite3DbRealloc(p->db, zOld, p->nAlloc);
}else{
zNew = sqlite3_realloc64(zOld, p->nAlloc);
}
if( zNew ){
assert( p->zText!=0 || p->nChar==0 );
if( !p->bMalloced && p->nChar>0 ) memcpy(zNew, p->zText, p->nChar);
p->zText = zNew;
p->nAlloc = sqlite3DbMallocSize(p->db, zNew);
p->bMalloced = 1;
}else{
sqlite3StrAccumReset(p);
setStrAccumError(p, STRACCUM_NOMEM);
return 0;
}
}
return N;
................................................................................
** Append N copies of character c to the given string buffer.
*/
void sqlite3AppendChar(StrAccum *p, int N, char c){
testcase( p->nChar + (i64)N > 0x7fffffff );
if( p->nChar+(i64)N >= p->nAlloc && (N = sqlite3StrAccumEnlarge(p, N))<=0 ){
return;
}
assert( (p->zText==p->zBase)==(p->bMalloced==0) );
while( (N--)>0 ) p->zText[p->nChar++] = c;
}
/*
** The StrAccum "p" is not large enough to accept N new bytes of z[].
** So enlarge if first, then do the append.
**
................................................................................
*/
static void SQLITE_NOINLINE enlargeAndAppend(StrAccum *p, const char *z, int N){
N = sqlite3StrAccumEnlarge(p, N);
if( N>0 ){
memcpy(&p->zText[p->nChar], z, N);
p->nChar += N;
}
assert( (p->zText==0 || p->zText==p->zBase)==(p->bMalloced==0) );
}
/*
** Append N bytes of text from z to the StrAccum object. Increase the
** size of the memory allocation for StrAccum if necessary.
*/
void sqlite3StrAccumAppend(StrAccum *p, const char *z, int N){
................................................................................
/*
** Finish off a string by making sure it is zero-terminated.
** Return a pointer to the resulting string. Return a NULL
** pointer if any kind of error was encountered.
*/
char *sqlite3StrAccumFinish(StrAccum *p){
if( p->zText ){
assert( (p->zText==p->zBase)==(p->bMalloced==0) );
p->zText[p->nChar] = 0;
if( p->mxAlloc>0 && p->bMalloced==0 ){
p->zText = sqlite3DbMallocRaw(p->db, p->nChar+1 );
if( p->zText ){
memcpy(p->zText, p->zBase, p->nChar+1);
p->bMalloced = 1;
}else{
setStrAccumError(p, STRACCUM_NOMEM);
}
}
}
return p->zText;
}
/*
** Reset an StrAccum string. Reclaim all malloced memory.
*/
void sqlite3StrAccumReset(StrAccum *p){
assert( (p->zText==0 || p->zText==p->zBase)==(p->bMalloced==0) );
if( p->bMalloced ){
sqlite3DbFree(p->db, p->zText);
p->bMalloced = 0;
}
p->zText = 0;
}
/*
** Initialize a string accumulator.
**
................................................................................
void sqlite3StrAccumInit(StrAccum *p, sqlite3 *db, char *zBase, int n, int mx){
p->zText = p->zBase = zBase;
p->db = db;
p->nChar = 0;
p->nAlloc = n;
p->mxAlloc = mx;
p->accError = 0;
p->bMalloced = 0;
}
/*
** Print into memory obtained from sqliteMalloc(). Use the internal
** %-conversion extensions.
*/
char *sqlite3VMPrintf(sqlite3 *db, const char *zFormat, va_list ap){
|
Changes to src/sqliteInt.h.
2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 |
sqlite3 *db; /* Optional database for lookaside. Can be NULL */ char *zBase; /* A base allocation. Not from malloc. */ char *zText; /* The string collected so far */ int nChar; /* Length of the string so far */ int nAlloc; /* Amount of space allocated in zText */ int mxAlloc; /* Maximum allowed allocation. 0 for no malloc usage */ u8 accError; /* STRACCUM_NOMEM or STRACCUM_TOOBIG */ }; #define STRACCUM_NOMEM 1 #define STRACCUM_TOOBIG 2 /* ** A pointer to this structure is used to communicate information ** from sqlite3Init and OP_ParseSchema into the sqlite3InitCallback. |
> |
2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 |
sqlite3 *db; /* Optional database for lookaside. Can be NULL */
char *zBase; /* A base allocation. Not from malloc. */
char *zText; /* The string collected so far */
int nChar; /* Length of the string so far */
int nAlloc; /* Amount of space allocated in zText */
int mxAlloc; /* Maximum allowed allocation. 0 for no malloc usage */
u8 accError; /* STRACCUM_NOMEM or STRACCUM_TOOBIG */
u8 bMalloced; /* zText points to allocated space */
};
#define STRACCUM_NOMEM 1
#define STRACCUM_TOOBIG 2
/*
** A pointer to this structure is used to communicate information
** from sqlite3Init and OP_ParseSchema into the sqlite3InitCallback.
|