From ba28b5ab0a73e80522d279eb651ac92f4c861bfe Mon Sep 17 00:00:00 2001
From: drh
Date: Sun, 12 Mar 2017 20:28:44 +0000
Subject: [PATCH] Fix a possible NULL pointer dereference in following an OOM error in sqlite3ExprIsInteger(). Problem found by OSS-Fuzz.

FossilOrigin-Name: 5ec655e8e817c1ed3bfb2e576745a7cef441494ad7baf1bf9f8895e98ac19c5a
---
 manifest | 12 ++++++------
 manifest.uuid | 2 +-
 src/expr.c | 1 +
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/manifest b/manifest
index 29e9c47ab1..fe7c037a95 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Remove\san\sobsolete\sassert()\sin\sthe\sIN\soperator\scode\sgeneration.
-D 2017-03-12T19:39:00.634
+C Fix\sa\spossible\sNULL\spointer\sdereference\sin\sfollowing\san\sOOM\serror\nin\ssqlite3ExprIsInteger().\sProblem\sfound\sby\sOSS-Fuzz.
+D 2017-03-12T20:28:44.701
 F Makefile.in 2dae2a56457c2885425a480e1053de8096aff924
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc 9020fa41eb91f657ae0cc44145d0a2f3af520860
@@ -351,7 +351,7 @@ F src/ctime.c a9984df73898c042a5cfc8f9d8e7723d02bc35c9
 F src/date.c ee676e7694dfadbdd2fde1a258a71be8360ba5ae
 F src/dbstat.c 19ee7a4e89979d4df8e44cfac7a8f905ec89b77d
 F src/delete.c 0d9d5549d42e79ce4d82ff1db1e6c81e36d2f67c
-F src/expr.c 7eac40b592672a1f3e0565ac1e66fbb87218436c134d8b2460f989b550e2eb73
+F src/expr.c f12a581f342a6fd85d14c31e4fb84f16b3dd107f54d7728dddb62cebc79d7ce1
 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007
 F src/fkey.c 2e9aabe1aee76273aff8a84ee92c464e095400ae
 F src/func.c c67273e1ec08abbdcc14c189892a3ff6eeece86b
@@ -1562,7 +1562,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 3299a26160c239255608d1e2b15a221e28b18a3d
-R 0614fda50e45b1c812e74d7f5befdd87
+P 18bf6aca2ac86478fd12d5020f3a41cfd2bd2dc3defe2298411f79ad308a6f73
+R ca6b9859462ac91c5f6d6ceb39023c31
 U drh
-Z 926534de7c008338fc48290e21b48744
+Z af1824315a47164e92b4aa40f4d2923c
diff --git a/manifest.uuid b/manifest.uuid
index 64bc83d667..d832e1d80a 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-18bf6aca2ac86478fd12d5020f3a41cfd2bd2dc3defe2298411f79ad308a6f73
\ No newline at end of file
+5ec655e8e817c1ed3bfb2e576745a7cef441494ad7baf1bf9f8895e98ac19c5a
\ No newline at end of file
diff --git a/src/expr.c b/src/expr.c
index e074f2f443..ce948be69e 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -1860,6 +1860,7 @@ int sqlite3ExprContainsSubquery(Expr *p){
 */
 int sqlite3ExprIsInteger(Expr *p, int *pValue){
   int rc = 0;
+  if( p==0 ) return 0; /* Can only happen following on OOM */
 
   /* If an expression is an integer literal that fits in a signed 32-bit
   ** integer, then the EP_IntValue flag will have already been set */
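Review bot: The added guard in sqlite3ExprIsInteger returns 0 without writing *pValue, so a caller that reads *pValue without first testing the return value now gets whatever the variable held before instead of a crash; the function's header comment (above the hunk) should state explicitly that *pValue is written only when the function returns 1, which is the contract this early return relies on. The OOM assumption in the comment is not verified by anything in the hunk, and the function has no db handle in its signature to check a malloc-failed flag against, so the comment should at least read cleanly: `if( p==0 ) return 0;  /* Can only happen following an OOM */`. The body of sqlite3ExprIsInteger continues past the end of the hunk, so the remaining p-> dereferences it protects are not visible here. The manifest and manifest.uuid hunks are generated Fossil metadata and need no review.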