Fix a theoretical OOB memory access in sqlite3_stmt_scanstatus_v2().

FossilOrigin-Name: 87be9580747b405c2c534beadb0f95cee0d4f34e0245f90e157a6b7ada38e092
This commit is contained in:
dan 2024-03-25 18:30:15 +00:00
parent 791b6f36cc
commit eb5bd4db91
4 changed files with 22 additions and 10 deletions

View File

@ -1,5 +1,5 @@
C Revert\sthe\sprevious\schange.\s\sInstead,\sdo\sa\spre-check\sof\sthe\sCREATE\sTABLE\nstatement\sthat\sis\sthe\ssecond\sargument\sto\ssqlite3_declare_vtab()\sand\sif\nthe\sfirst\stwo\skeywords\sare\snot\s"CREATE"\sand\s"TABLE",\sthen\sraise\san\nSQLITE_MISUSE\serror.
D 2024-03-25T18:24:28.496
C Fix\sa\stheoretical\sOOB\smemory\saccess\sin\ssqlite3_stmt_scanstatus_v2().
D 2024-03-25T18:30:15.250
F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@ -823,7 +823,7 @@ F src/vacuum.c 604fcdaebe76f3497c855afcbf91b8fa5046b32de3045bab89cc008d68e40104
F src/vdbe.c 651aa0f31027d5d0a133eb7b41d11c41dc3b88ecb760b770430da0e477ae3b6c
F src/vdbe.h c2d78d15112c3fc5ab87f5e8e0b75d2db1c624409de2e858c3d1aafb1650bb4f
F src/vdbeInt.h 949669dfd8a41550d27dcb905b494f2ccde9a2e6c1b0b04daa1227e2e74c2b2c
F src/vdbeapi.c 8f57d60c89da0b60e6d4e272358c511f6bae4e24330bdb11f8b42f986d1bf21b
F src/vdbeapi.c 80235ac380e9467fec1cb0883354d841f2a771976e766995f7e0c77f845406df
F src/vdbeaux.c 6385727adf51a649e4993098870a62c3945fe21dbc0e0fd9013772aff930b8fb
F src/vdbeblob.c 13f9287b55b6356b4b1845410382d6bede203ceb29ef69388a4a3d007ffacbe5
F src/vdbemem.c 213bf303826c0ef702e3a2a69dab2309d84b8381b822c6787885859fd7cd4c4e
@ -1560,7 +1560,7 @@ F test/savepoint6.test f41279c5e137139fa5c21485773332c7adb98cd7
F test/savepoint7.test cde525ea3075283eb950cdcdefe23ead4f700daa
F test/savepointfault.test f044eac64b59f09746c7020ee261734de82bf9b2
F test/scanstatus.test b249328caf4d317e71058006872b8012598a5fa045b30bf24a81eeff650ab49e
F test/scanstatus2.test 317670daf7f3eef48a9598cb7800ba8eccab51949cf52bca3f7da3b83a0c1c8c
F test/scanstatus2.test 688adc0c3ab1ffadead218cbce6446b10aa892004a8ea5e3640d59257fb836f2
F test/schema.test 5dd11c96ba64744de955315d2e4f8992e447533690153b93377dffb2a5ef5431
F test/schema2.test 906408621ea881fdb496d878b1822572a34e32c5
F test/schema3.test 8ed4ae66e082cdd8b1b1f22d8549e1e7a0db4527a8e6ee8b6193053ee1e5c9ce
@ -2182,8 +2182,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
P 715fcf033a6c0c64fa3076d58be8c39246aebef922c1a44a31831b40e165015e
R 56888bcd4145065d254cef5a88e451fc
U drh
Z d2c55463ac4c41ce779d550b765c534c
P 6a2ff8351244da2336055454dfad2dd40534b7cfb51e840f7f8cf2ddacf8649e
R 1054addf5a80b70d64920561ede27990
U dan
Z b1b40567e29d2af418e3b643400eabb8
# Remove this line to create a well-formed Fossil manifest.

View File

@ -1 +1 @@
6a2ff8351244da2336055454dfad2dd40534b7cfb51e840f7f8cf2ddacf8649e
87be9580747b405c2c534beadb0f95cee0d4f34e0245f90e157a6b7ada38e092

View File

@ -2404,7 +2404,6 @@ int sqlite3_stmt_scanstatus_v2(
}
if( flags & SQLITE_SCANSTAT_COMPLEX ){
idx = iScan;
pScan = &p->aScan[idx];
}else{
/* If the COMPLEX flag is clear, then this function must ignore any
** ScanStatus structures with ScanStatus.addrLoop set to 0. */
@ -2417,6 +2416,8 @@ int sqlite3_stmt_scanstatus_v2(
}
}
if( idx>=p->nScan ) return 1;
assert( pScan==0 || pScan==&p->aScan[idx] );
pScan = &p->aScan[idx];
switch( iScanStatusOp ){
case SQLITE_SCANSTAT_NLOOP: {

View File

@ -328,6 +328,17 @@ QUERY (nCycle=nnn)
--SCAN xy2 (nCycle=nnn)
}
#-------------------------------------------------------------------------
reset_db
# Check that an OOB parameter (45) does not cause asan or valgrind errors.
#
do_test 7.0 {
db eval {SELECT * FROM sqlite_schema}
set stmt [db version -last-stmt-ptr]
sqlite3_stmt_scanstatus -flags complex $stmt 1000000
} {}
#explain_i { SELECT (a % 2), group_concat(b) FROM t1 GROUP BY 1 }
#puts_debug_info { SELECT (a % 2), group_concat(b) FROM t1 GROUP BY 1 }