Be careful not to use the result of sqlite3_value_blob() after changing

the representation of an object.  Ticket #2290. (CVS 3834)

FossilOrigin-Name: e14374e4e6f14a90ecb53c2e7c86908a220c6d68

manifest

@@ -1,5 +1,5 @@
-C Fix\scrash\sin\sdelete\swhen\sexisting\srow\shas\snull\sfields.\s\sPrevious\scode\nassumed\sthat\sthe\srow\shad\svalues\sin\sall\scolumns,\ssigh.\s\sFixes\sbug\nhttp://www.sqlite.org/cvstrac/tktview?tn=2289\s.\s(CVS\s3833)
-D 2007-04-09T20:45:41
+C Be\scareful\snot\sto\suse\sthe\sresult\sof\ssqlite3_value_blob()\safter\schanging\nthe\srepresentation\sof\san\sobject.\s\sTicket\s#2290.\s(CVS\s3834)
+D 2007-04-10T13:51:18
 F Makefile.in 8cab54f7c9f5af8f22fd97ddf1ecfd1e1860de62
 F Makefile.linux-gcc 2d8574d1ba75f129aba2019f0b959db380a90935
 F README 9c4e2d6706bdcc3efdd773ce752a8cdab4f90028
@@ -67,7 +67,7 @@ F src/date.c 74b76691bddf58b634f6bf4a77c8c58234268c6e
 F src/delete.c 151d08386bf9c9e7f92f6b9106c71efec2def184
 F src/experimental.c 1b2d1a6cd62ecc39610e97670332ca073c50792b
 F src/expr.c a8740c24af3f39f2d502be1a1c640c96435eaac0
-F src/func.c 94372fe3cf26b81d4dcdc15f98ff240c37c8c708
+F src/func.c 007d957c057bb42b0d37aa6ad4be0e1c67a8871b
 F src/hash.c 67b23e14f0257b69a3e8aa663e4eeadc1a2b6fd5
 F src/hash.h 1b3f7e2609141fd571f62199fc38687d262e9564
 F src/insert.c 967be8c143d64c904ba4e6f66760824898a75e3c
@@ -234,7 +234,7 @@ F test/fts2j.test f68d7611f76309bc8b94170f3740d9fbbc061d9b
 F test/fts2k.test 222d0b3bc8667753f18406aaea9906a6098ea016
 F test/fts2l.test 4c53c89ce3919003765ff4fd8d98ecf724d97dd3
 F test/fts2m.test 4b30142ead6f3ed076e880a2a464064c5ad58c51
-F test/func.test 019d706b2458dfdf239c74cc31143446de1ee44a
+F test/func.test 865febfd5b968f62b85c841c6a305b20346f7f44
 F test/hook.test 7e7645fd9a033f79cce8fdff151e32715e7ec50a
 F test/in.test 369cb2aa1eab02296b4ec470732fe8c131260b1d
 F test/index.test e65df12bed94b2903ee89987115e1578687e9266
@@ -413,7 +413,7 @@ F www/audit.tcl 90e09d580f79c7efec0c7d6f447b7ec5c2dce5c0
 F www/autoinc.tcl b357f5ba954b046ee35392ce0f884a2fcfcdea06
 F www/c_interface.tcl b51b08591554c16a0c3ef718364a508ac25abc7e
 F www/capi3.tcl 7a7cc225fe02eb7ab861a6019b08baa0014409e1
-F www/capi3ref.tcl 24fc13e145bdc07a77051d944534a97a957267ab
+F www/capi3ref.tcl 89dd0e0dd41729b8180d38cc28c722b3e4ed8bd6
 F www/changes.tcl 91b7c26fa6872ccc85fb60d7a8554c06f5439246
 F www/common.tcl 2b793e5c31486c8a01dd27dc0a631ad93704438e
 F www/compile.tcl 276546d7eb445add5a867193bbd80f6919a6b084
@@ -457,7 +457,7 @@ F www/tclsqlite.tcl bb0d1357328a42b1993d78573e587c6dcbc964b9
 F www/vdbe.tcl 87a31ace769f20d3627a64fa1fade7fed47b90d0
 F www/version3.tcl 890248cf7b70e60c383b0e84d77d5132b3ead42b
 F www/whentouse.tcl 97e2b5cd296f7d8057e11f44427dea8a4c2db513
-P cad9faf3ad99b68be4618dff4b3497b15b9e6d9d
-R 66cd54d39dd95145a99973d21d5eff33
-U shess
-Z 50d829f2eb908722f9e9fda676f48500
+P 81be7290a4db7b74a533aaf95c7389eb4bde6a88
+R 2b4707c8870f2a324132e4edcdf8905d
+U drh
+Z 24df7c4f8c69db5a5c90263a033c10d0

manifest.uuid

@@ -1 +1 @@
-81be7290a4db7b74a533aaf95c7389eb4bde6a88
+e14374e4e6f14a90ecb53c2e7c86908a220c6d68

src/func.c

@@ -16,7 +16,7 @@
 ** sqliteRegisterBuildinFunctions() found at the bottom of the file.
 ** All other code has file scope.
 **
-** $Id: func.c,v 1.138 2007/03/17 17:52:42 drh Exp $
+** $Id: func.c,v 1.139 2007/04/10 13:51:18 drh Exp $
 */
 #include "sqliteInt.h"
 #include <ctype.h>
@@ -656,8 +656,8 @@ static void hexFunc(
   const unsigned char *pBlob;
   char *zHex, *z;
   assert( argc==1 );
-  pBlob = sqlite3_value_blob(argv[0]);
   n = sqlite3_value_bytes(argv[0]);
+  pBlob = sqlite3_value_blob(argv[0]);
   z = zHex = sqlite3_malloc(n*2 + 1);
   if( zHex==0 ) return;
   for(i=0; i<n; i++, pBlob++){

test/func.test

@@ -11,7 +11,7 @@
 # This file implements regression tests for SQLite library.  The
 # focus of this file is testing built-in functions.
 #
-# $Id: func.test,v 1.59 2007/03/17 17:52:42 drh Exp $
+# $Id: func.test,v 1.60 2007/04/10 13:51:19 drh Exp $
 
 set testdir [file dirname $argv0]
 source $testdir/tester.tcl
@@ -325,6 +325,9 @@ do_test func-9.5 {
 do_test func-9.10 {
   execsql {SELECT hex(x'00112233445566778899aAbBcCdDeEfF')}
 } {00112233445566778899AABBCCDDEEFF}
+do_test func-9.11 {
+  execsql {SELECT hex(replace('abcdefg','ef','12'))}
+} {61626364313267}
 
 # Use the "sqlite_register_test_function" TCL command which is part of
 # the text fixture in order to verify correct operation of some of

www/capi3ref.tcl

@@ -1,4 +1,4 @@
-set rcsid {$Id: capi3ref.tcl,v 1.53 2007/03/17 10:26:59 danielk1977 Exp $}
+set rcsid {$Id: capi3ref.tcl,v 1.54 2007/04/10 13:51:19 drh Exp $}
 source common.tcl
 header {C/C++ Interface For SQLite Version 3}
 puts {
@@ -429,6 +429,18 @@ int sqlite3_column_type(sqlite3_stmt*, int iCol);
 <tr><td> BLOB </td><td>    TEXT </td><td>  Add a \\000 terminator if needed</td></tr>
 </table>
 </blockquote>
+
+  Note that when type conversions occur, pointers returned by prior
+  calls to sqlite3_column_blob(), sqlite3_column_text(), and/or
+  sqlite3_column_text16() may be invalidated.  So, for example, if
+  you initially call sqlite3_column_text() and get back a pointer to
+  a UTF-8 string, then you call sqlite3_column_text16(), after the
+  call to sqlite3_column_text16() the pointer returned by the prior
+  call to sqlite3_column_text() will likely point to deallocated memory.
+  Attempting to use the original pointer might lead to heap corruption
+  or a segfault.  Note also that calls  to sqlite3_column_bytes()
+  and sqlite3_column_bytes16() can also cause type conversion that
+  and deallocate prior buffers.  Use these routines carefully.
 }
 
 api {} {