From ad9f515f52f5a73130fefd056fe2a43daa42ef4b Mon Sep 17 00:00:00 2001
From: drh
Date: Thu, 9 Aug 2018 21:45:45 +0000
Subject: [PATCH] Fix the isLikeOrGlob() routine in the WHERE clause processing logic so that it avoids signed/unsigned character comparisons, as that can lead to an incorrect answer if the ESCAPE clause is an invalid UTF8 string. Problem found by OSSFuzz.
FossilOrigin-Name: 4195a3f8b5d2c2ec63771890c5aa7b5e2de60b9fa2273652730239b8577ae418
---
 manifest | 14 +++++++-------
 manifest.uuid | 2 +-
 src/whereexpr.c | 8 ++++----
 test/fuzzdata5.db | Bin 7196672 -> 7196672 bytes
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/manifest b/manifest
index 2ebf291cb5..778efc0056 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C When\sa\scolumn\smust\sbe\sa\sconstant\sdue\sto\sWHERE\sclause\sand\sthe\svalue\sof\sthat\ncolumn\sis\sbeing\scoded\sas\sa\sconstant,\smake\ssure\sthe\saffinity\sis\scorrect.
-D 2018-08-09T18:36:54.837
+C Fix\sthe\sisLikeOrGlob()\sroutine\sin\sthe\sWHERE\sclause\sprocessing\slogic\sso\sthat\nit\savoids\ssigned/unsigned\scharacter\scomparisons,\sas\sthat\scan\slead\sto\san\nincorrect\sanswer\sif\sthe\sESCAPE\sclause\sis\san\sinvalid\sUTF8\sstring.\s\sProblem\nfound\sby\sOSSFuzz.
+D 2018-08-09T21:45:45.368
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in 0a3a6c81e6fcb969ff9106e882f0a08547014ba463cb6beca4c4efaecc924ee6
@@ -586,7 +586,7 @@ F src/walker.c ba7225773931760cf60bf22f34d0cce2588df7ce5ce0f215a52eb88234b55ac4
 F src/where.c 155809967fbab889374dedf970ea6561b8fb519fcb165d6ba00776552ecc5cde
 F src/whereInt.h b90ef9b9707ef750eab2a7a080c48fb4900315033274689def32d0cf5a81ebe4
 F src/wherecode.c 2b6cd1b27736cc803060289e04ecf9849976106f4077aa67d1a2c0e3ec420159
-F src/whereexpr.c dc34f0df69418dedb4619f7ad61b7d31f447971223540b957a1b836a62c0ce7b
+F src/whereexpr.c 5a57a974aeadef4443b39bd44594fdf0c884b62a4c72286de880999018df8317
 F src/window.c 4b503da928dace3e845b891381a4d98eeb8c5744313ae3643df8d8d21fdcca65
 F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
 F test/affinity2.test a6d901b436328bd67a79b41bb0ac2663918fe3bd
@@ -955,7 +955,7 @@ F test/fuzzdata1.db 7ee3227bad0e7ccdeb08a9e6822916777073c664
 F test/fuzzdata2.db 128b3feeb78918d075c9b14b48610145a0dd4c8d6f1ca7c2870c7e425f5bf31f
 F test/fuzzdata3.db c6586d3e3cef0fbc18108f9bb649aa77bfc38aba
 F test/fuzzdata4.db b502c7d5498261715812dd8b3c2005bad08b3a26e6489414bd13926cd3e42ed2
-F test/fuzzdata5.db 5e8394be0245224340c26fc592746dd560479b0dcb12d4b43edf2c612848e748
+F test/fuzzdata5.db 3e7a403c9daea38f104410842b3b0761ad3706056df066e71c96399c17adf0a6
 F test/fuzzdata6.db 92a80e4afc172c24f662a10a612d188fb272de4a9bd19e017927c95f737de6d7
 F test/fuzzer1.test 3d4c4b7e547aba5e5511a2991e3e3d07166cfbb8
 F test/fuzzer2.test a85ef814ce071293bce1ad8dffa217cbbaad4c14
@@ -1754,7 +1754,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 60bbca2b9a591800cd8e7b374e62d75b1df0e8fd2d2f71f9b4d5fd044da78be0
-R ef663a1df8c5f6cbefbb7dcd86b83b66
+P 7404ea83168e6c739ebe8fc5d65bbf0265432ccb35b3418bb0381d74362f7527
+R ead5801a282cafcaccf5c2894c10f6f8
 U drh
-Z 68dbd529c4e95246b96ffd22fa0b508e
+Z 01aec118d9103a512fac51295e82f6a7
diff --git a/manifest.uuid b/manifest.uuid
index e0abbb9304..90e55c90a4 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-7404ea83168e6c739ebe8fc5d65bbf0265432ccb35b3418bb0381d74362f7527
\ No newline at end of file
+4195a3f8b5d2c2ec63771890c5aa7b5e2de60b9fa2273652730239b8577ae418
\ No newline at end of file
diff --git a/src/whereexpr.c b/src/whereexpr.c
index 752a0842c0..a72c94f2db 100644
--- a/src/whereexpr.c
+++ b/src/whereexpr.c
@@ -194,18 +194,18 @@ static int isLikeOrGlob(
 int *pisComplete, /* True if the only wildcard is % in the last character */
 int *pnoCase /* True if uppercase is equivalent to lowercase */
 ){
- const u8 *z = 0; /* String on RHS of LIKE operator */
+ const u8 *z = 0; /* String on RHS of LIKE operator */
 Expr *pRight, *pLeft; /* Right and left size of LIKE operator */
 ExprList *pList; /* List of operands to the LIKE operator */
- int c; /* One character in z[] */
+ u8 c; /* One character in z[] */
 int cnt; /* Number of non-wildcard prefix characters */
- char wc[4]; /* Wildcard characters */
+ u8 wc[4]; /* Wildcard characters */
 sqlite3 *db = pParse->db; /* Database connection */
 sqlite3_value *pVal = 0;
 int op; /* Opcode of pRight */
 int rc; /* Result code to return */
 
- if( !sqlite3IsLikeFunction(db, pExpr, pnoCase, wc) ){
+ if( !sqlite3IsLikeFunction(db, pExpr, pnoCase, (char*)wc) ){
 return 0;
 }
 #ifdef SQLITE_EBCDIC
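Review bot: The `(char*)wc` cast at the `sqlite3IsLikeFunction()` call leaves the callee's parameter as `char*` while the local becomes `u8 wc[4]`, so the signedness fix exists only in this caller; any other caller that still declares a plain `char` wildcard array and compares it against `u8` string bytes would presumably keep the same mismatch for bytes >= 0x80 (not visible here, worth a grep). Narrowing `c` from `int` to `u8` is safe only if every assignment to `c` in the rest of `isLikeOrGlob()`, whose body continues past this hunk, is a single byte taken from `z[]`. I would record the reason on the declaration so the type is not changed back later, for example `u8 wc[4]; /* Wildcard characters; u8 so bytes >=0x80 compare equal to z[] */`. The only regression input in the commit is the binary `test/fuzzdata5.db`, so a readable test case with an invalid-UTF8 ESCAPE argument would document the condition being guarded.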
diff --git a/test/fuzzdata5.db b/test/fuzzdata5.db index f111a43b95a6a2f9ca7abee1f5c2148f868d2e48..021bed7166148b708a7262cda877832d24ec1e6a 100644 GIT binary patch delta 6271 zcmb_gd017~wLkmba~Opy0$v7@%LQb(7q}Ok7zD0zl|g2l2R7ow=4=JU0Td8*$FxZ_ zn#7ex;t-RXq-`{&^}MDg(R)tP^oyqEYnt@+B~6;X4&Q59lfDk|JsaLSU_jgV{(I+x z-#z=c*4}5YwTHF#-gjEF?!*6w6Jv8EDX~YIc&6a13}?biT}K;ak~2gFC4yQ6wF)W= zst6h+Xt1Cmf`$qjCTO^zlLUO!S|aE?K}!WK6SQ1VpP=&vT_9+MpngFY3c5(pNAUt`T&tpsj+U zf7%3HCuqB%>jm8)=te;|eUEMyQ`*|lw_!R(4ANI1D*94HS#LqK>P?6iy&jS1wTO~l zBS{G(dNtyg`U1pTdO6}3dMV;(`aHz%>$4I6MW2cIlI}jVFnTlocW4Wv*{hY_DN?>< zU1|Bk@|dN?l4D7-gp*&BE95+Rfb@`cq>)ULekkolrO{_mAPrWoW>q8=o?gwWi4$(F zW)<+q)vN?g|7c_IyvTsVDy2627yB2qINIFnMr?s(tCT)LWRJuIrdy@FJIt!KHBG*z z6(dc)lt2=^w1%b5oHo%wOQtu=8A!BBHFwk(SJn74ooAfxIc~%(r*m1Qzsc`(YQJ8? z{>@6VwX1Dx79m+s(#~=qt)1CPrukk$GGM5kC6E~~+|H(vbkmA-_-Ic-5KMb(=JA8x87!HRY^8AiHTs+O^XT_lQEmJT+WBD?mNovemr z6p#DI>1cD#@I(cQtWwq;g9nNliha~KH&6(hcC%tK7tZcx2gw}B>}6Fkv&XACdOY|y zv?DMJL@)arnF;-UtezBT*ZbK0gw#TAKbs0S4zMXOuooS$7*6bEinH8`1vplj0{@%~hm4#R*^!Na>^9ES9?6*owuoMgX z23V9_VU_$?iV4rkDt3D_-QJAA0{HF#%OdmP7XvIq_F1Jl@JrN?y-9&`NEu|wqzrt6 zEIqAseBd*RGm49CfqCQRIbEh_b_Pn|>x1l?z11q^j5#P1CqP}H+neQ$4Xg#ekJ;l&Mwf zhLm0LvD&W=vF($TPFXs<3{IY5?a=iU+opLQW3MZUigP!9oIM7f6D;cZF#9{<+Ly!Z zgiN-=6KB{KWs58w+CHkMVeOY9;|ogQJ+yQHuHcW-k4{Z8WeJdaiFqRS zVp$n;RZb=x4VoGQJ(rj>d(U`haxy*c7qemled8OF$#}C0-8gyI1bX4hCDuxIgF|Dp zf_GV^dTb3wF0tteF@c>EbsTN$w&PBPbt(fp;8BfLNB2y8!{P95$hQTyYoBW@MJ5WA zy@AW>(;u=hD8I}m5!tjX0X{myC&Bj1ERk5XBbV7(i(-+b1Ic&Udj2&Q46mUEnvR=S z!)v$!-FTU0X&=4DD&?vv6Q3+|dvnTcdeptlY@0s$ZpM@2vFWx6rT}ZrZqOs4%V13; zVys)OmvPIuX|Naw7`UZ+US}~R-1K(>w7$+ufCvHEk?X zLQqyaCcE+m?t(A8!L}>G6Xe1lvi&4z+#eehw=4lJu@BLv!8h3(WY9I8iXV}~Mj=lJ?6E6g_ANtsZYX{y+C42gFlU|B)IsLn)8EGx(#WiTdwrQrkCN=Fc-<(dze(u(1(5c97Q_tgI&#j zQ!jI=Z?X2w<<67IN~tV;IZu1%lg?BETYsA$1Sfxx-wes?3g&A;zvyhUDCM&BwMC}F zB%O-RtmI>We_R)mcpzLc^_2zv9Q;x)aEI_Rqodhf+HI4^y9ohr`uaXbw|* z;jvKlIhY)whQez>YASSE@a_3<^%bQBLqM|m;az6Ul@J-N>c=D1xk@t%qQ?bWz!jlR 
zfk>Mg41Ww!=V;q(>M5cuMSE&YrDedQ)VGu+_f%S`VQaY-vI6GCsyt@-g!77>&K$?V z`T8>L)mZgnB%xY&nu`8!g}fQ69ZH&;LgAII6~WN8MokD_sIMIj-evtAvB$sF7zz6V zSu&Kk)M)tdg_01fPhVr!TL8H;R7{}|5;4zk-5IE2a|CgUqWf2ly8p%W_^H}&XQ)?G zg4z^m=)n$+u2F|AaAU370sGu)m3F&EZH*%9wAE|W6(LHyEPW#sQ0HBE_(a7b@N80B z;6l4vd;EMwIe0EsEYxmqQai}tE<7G|8#@rYjAe)&Mg!tz!;iShC`R016d|rRW+Ap4 zxrplw7h;={jYy3w#8x8{akVi6ag~vZxYBSUE;mvTmm1R%ml%nNEk*)jvk{NjXxInw zr@@$tSZ~B4)*3O0)kZYpA_Gs1iGCvrae*-z(P!8Yi;YM`uMv)zX9OYU8VaJ@kP%&m z6*1eeAZ8eN97&v^n_o%S2N2Wry@;v$9z>_!Ck;x8DS9s!9J=X=WPK;%bbSkAlHP%s zptmE&>FW@q_5b%{*Wf>%yYTdNQAfKIF6d}e!V5Y<{7zsS;&Xwmh|dN%;<JcqY(_cshXRy@XQ%9Jqv&0X&W+JQ?sH4hL}H5>5o%h))D?_!7Pmz~M`G5E5 ziZ#N8>t&N+^7#dkaQe}TPVJ}L)RV-%Wn$^f_b;ldtJFEJh*&t&qvn94huf|5brs&} zQ7hm^k6Hrzw)lfXM4HZI>Fc$SvZE;;=vIHe_N^W2HH*9x>%!ID>gMv>W52@dhl>u`#Ye<9; zxOuiE1O^ZDAkqKO+;){}e=`w3}1-0Y#Z2ODAonL|C=kiTqrMcGkmJTeXo4{&a{E zBTL^&H>E8oE#Tf@5(~M-{Lji%Svpc?3N~BeNE!c$Vn;JaiTPITxdr^7OyW)V5eqoB z#?`|>H9x4t-Q}7Z-lrsB9lP1cEu!_*@s}+m(X8_c(W07p8d0Xp(oy@E<4?D6SxNe8 zfRhQlxr9e6)9{R6YmVGwMBA~9uTn?~ytA4cio?`2z4jk)a4oM?lE11sooF{(`6II8 zl%nAP(&YzEug!AF0N#K}7 zqP1I{oDgLOc6)SQZw$eWZSDP2jdb9gZ&A|B?*2oQQ2xGskH)rgR~X5}s{)=xpy56H zJ9#;h?k8(Sd7qkS+L#0Lz@ca2y;{HEdNY`2)KwoIrj`27G9~@JY zf)!&X`qBp8_w0{==P>Ug1#sptuZGiyc`A6`#AuC4j?G$Wcwx>FUX97*{v*5?uVr36 z!mksh2se>saP`yDY4Gi%yhg@MuYbH43XWqu78eAz7!6g&_#C`u89K&mFw?w#jIUIb zVp%$s4!%=79-e=kr)eFJ^S7*{X;unc9p*dW#xO2Z1Sed1l1GFL1sN51+KDoS`>ox^ z0=V%c->%HZUId$**HjCF!IM11ycg*;n~sIkCwVF9jwau?}@U01npEndW=uJ`x&7F6aq{ga$F!@P%?ASOA3 zjm=gmc6HdQun1!ldTVuRg-@K zqy#vHu1hK5FcjeSAiSWdT~+)@cYEAmQGMUCmK(uFJGQ>cQIry5ti$nHzVmcpScuVP zzGk#k`hyL;t%+Tp;m@!ecoQ~jc}89~-2FI4vcinD=p$2tg-`?U#NwA{WcbrlgAKd~ z!^)1**#_pN+ee4v#SNK%aCiLyX6ZbOtb|sbuf#n0WgYjy<=RI&KPLz6!iCoufU9qE zA2d7@gXfwzd7cSb;QA34WT*Dxk9fWuKY%Vp>qCrw?CxKGHuAHP0%NaL;x}Q-+k7fa ud7CGaJ&^l0pNnyJ)7!i{s23eWMqAE?_8;>?Ncb_255o9-AZdbq@_zuO-8TdP delta 6218 zcmb_gdstQ1l|TF5b9f0{5%BU5xxD0YFL1B;f{R`*f+ENp#5Wt!5H@EkC_X?DPg*V<>TwI6HkJ#=2P4&mR!iLp77l-Mgx|3u-V3>RiBbDpS^NzO18ln81O)GDYf 
zs3K^PpuvKM2pTGAn4mKR4Hq;*&`3dTg3c5)O3+z?MhhAvXsn>K1+@zrCuqE&34$gH zI!DkXLFWpZET}`!6hTu3O%pU-&2Z z@o5uui=gd-ZWVN!p!W&d@jSg>%xa?;+c3QqF-TvFsOZgzvfhYj)$0*0dJQ7cS0hS# zr6eVc>#Gny(@POQ)qRMc=t~hl)Qb^+pf5!HzFvU%UEO(fMfCmn*Qu?DW-nIEi;`L- z>w3#4mPaj3mRw7cWd`{@xk)aQuacu=5AjGJNEf6QhzcjU)|G)Y_(40%fb|<$I!T4W zjjR$PH?iWd0*@p6Qud0{fCFrsSeZB3Dy21+uP$HSB4<1%kYtte zKW8?yZEEm0tQ&9erv&D}@l7nvmN?x(QNFIJMRU2kIx33%IC9;CN3JIRFN zc2-8_!EifEAQ>>)&gPJG)5`Zrj&@-yyCf5*R^Q2NR+6i=scfA^amkXf!G}HUU*YK; z?39u(OAoZdoBb>r-tT6|pkyx#)qdN}LI}yzKImb8uqYl`IyS=;NrH9lY$l9%votMp zH@iX(DQJvRM{YwH%pkp8NlErXw zA3H)8K~^7I6|-_3l1JY zm#g5+0k%@9l%?TVICp^gaCp=KmIbu~EDbbM_}Bo;CoAFm0~oIr@b>|hp_HR|=;?#l zxbz^)k;|-7Grq;b&_Na@FSknN_!cuGJKO8>WVt+24_|hP|5xv6d_cAV9VBI}THk!W{em;ce zx4_?rST0!u&S92CnxSc!Eg((s;4n_=MtF7@+Zy2QVdf(B5PAs7I>GTvk7uW*#-^Dnc&QBhnALx*!?{!YP z2c9o82T-FUT5}5)Ovrt(%pc`dUOqmjG z|7G?SqU^X!=?dFy0o(J;1LNOgHcMa-W`CALInX{^!xp0l0?$ zlmi&jB(p66(ylUh#D08NCIgk51t)@L$3X8@mYUN)WlC+%{MYnK5Z#>lj+OVWz&oQIA> zb`QM!GTTf-OdpFN zV=|aCWsvVHE??m>o1T3S<3h)>rkRziYfF*IoMu)u)K+KN^m+F(4x64a&G>7|iXOA+ z>Gv?X$fOP4Lpd=*snbkh4jL4xr%Wv`TPB8gq`pqlMap$-r^q8rS=ehGR6w%X4Zs!u` z5}Q6t`{<{vaOUEIsg{H056aG;X3#lvI(qJAaPk%EZfJWO(^)<|@ir?YdGOZTtT-lj zN(?hR{ywovcWIgLum`PVq4wOnEXzU`Xuo`qt^Vgh%nxa6{L7o0tBb}z^F9-&doj68 z5{~Y+j%}^GI{UXxG==JzVB;s7B6UoyY0Y(I{-*NDLPK9N@l6$7_ud=5X#0NC)kMfL?X~y1-isoo+U37=Tg|?$g8YU zAAGcJnJ2{QMWajg3V8ODuCnNrXw{?>UdMq0j`9k91t_0(Rg!Y3`?RZEDZ}l#3&<_| zN8tX`GCS10Wlx?Nc;>~iZ+`QNai~CF{y*C@Pv7ZkFiU{rSj~i~kHFa(YOwa_J6&Be zS*>j*Y8xR{+BJ(h+d^vKwJ`N2P`erh+@e+mH#amK-lkwI#P1rr~N?}tkv>L1`n znEDJnJVT9z#xS*y)M}{tI8hpLi%&Mcv)2?`50TNTemYWJqBLMb^i;!ka7L)JAkwA= z!@q~9i?y9L^&C-}(fle?s0DbG`ctLp9;Njf_LgTMYhh`u%41rlW93av&2=0p)z@e* z#;R8$NvqbAu41@1L;gI~4#kZPq41*}Wx>$BNlge|p>LW<&c1=p*wf#tkA$H>whYBi zH5%S|wm1a3=c(yXH&0C^8%+Hacm$slv6OIrJ~Uo)%y3d-z}HO#{JD(y+1mT_)axlh zRFQ@s>eT2ab<_fHY*ssA$fd5*?o_F*QKU`VxJg|XqHK|+uZ9B3+=PeEl&u7JhuQ>} z+tupRm&!`OeWh%LcBez_B!hdfn(s02RF&9mtU>HFY7y@@$`Ct@BE)S*A>vkJ0b;w6 
zi@3!wPhxFGHX=2$5L=B*#EnJ<;szrXalMg(xYlqWt}&7jn~em-CLj8%N zWS|rALSQrE`2Zfz63zv1;1bRTJcv&O@)1V^IB*GP0#3xo12}vMUk%{!C0HK|q-k5b z)DlI;La`4X8sX`1qg#z39q^lO)r<9DQjb~#mwQwOVdkafk#PQzvM%kPcB*HIolmcw((;w7YASRUmqaXF=v8yU(aY`DQoRe_>{ZJM zGyi#EXnT2Zh)CBvW$8=Rkg~fW9_Wtp`P#R3t2Zq2Zq$bB`_x6D%e)T9#PWcWKD8Na zed+?T3trrZmOR?07RWnI$*4nW9E5&7J`PGo?6E;bI#!SSVOXen;Zyovy&LNL)um(y zjP$FOWV`mueszU~?9oyN)DL8`4U_GSVvd;zgAvFZ52Gj-GlEdo9g!I9+ zui^U3>sRd>?TtH0H2+c6L6m;n3;m|bceVHj)e5WDc1#Vnfa8`uO6xnWR#}w+b5(07 z5klbh#ikG#JkFCt4#_%}phqH}#s+fr5jBsHgBpG!ifARL)p$#gK8QWnntJ&}>+X%~ zC7R`o`lC=nOtG65MUtfp!O+9`eK7vCT7s2e$v4!+vTQ{?GbqX0P;cCPi+1B#by0{S z%hIVGrk#IO1+5-Mds;WGXL+fYC~rz|-UV}wpT;@R;)K)t9eKqlB^ zE}Avksa&(Wo7x>+eJY(qOe!ryk?@Jf(Bg+8jTty~Qna>T_#-Xaoj$b%Xl=c5 zbC9s|U`4UX(iv`w`~{gA{LevTrgnQ4KddNGvUJvFwg{_sCy_rLqRf(|?_`)v6Ec~| zXcyD@Myobn!1IDh4CHzFUzAu`8u6Jz_gi7a$A7NOMpq|@QmgjNa(+Z6ab^e!j?#{} zS~ytAk0|!L!c)cjm3Y*#o1J`0wB8#2f`ufQI`0uJs*$G?B}tY}*e8R3zKP4qoG%7B znZT>fJX%S_<9xL_dXExqcMIR35C^=uksC^~DQQOT-{8n*UZKqWLUS(BZnyGNvXUZ8 zUl}wdRCsqZelFnP3v&kik!Zsm+(ML86d3ql1z`Kdco(jvxCpp(DLxV|%~+NMj&KsK zecHtdQ8Li%i3xsR2ySwlkIgpHfpflHNi)s;hc2PyE&G0r?cmNZ?M6SJOQ7zSeP)=? z%vRn*1;#wQDd3S-C2PXfH~V?~ghY}ydyvOjNH$==QsMH5-EJ5CY)%cIrIX%}_DM(=(bdshB1>wq;KUfO!AkPoF&ykVt^P+m#Y%c% z*EODnd1CY$U!1kmDkUDg<0ZF0^adH28KMtJQl!z1HGSWB_4wyMImQn7uWQ_uz8(2} znKl0OY)3;@?!F)cb6fPD@#-K$H6NuU@ylJS@i8hPMJ6zOZ3cO=DBJzbtz= z#Mp|nA$CJU`Ep1Ja0=a5Q)a+$fZK!ca;AEN_f$`N++a~{e@oLF!NwNseS@PYCB$gM z@mag)d|_CKLCwd^ri$`l18-_#*JhSy+6}x0TevneKL_sqag1k&8JjRhW(&TA8h9TT zzcw?oJR>dGz&kKhb}Un5{J_r-{;iPHy GiT?&dGbXhF