From 7887d7f24d176b75a77dd8a86abcdbb70a83b957 Mon Sep 17 00:00:00 2001
From: dan
Date: Wed, 24 Aug 2016 12:22:17 +0000
Subject: [PATCH] Fix a buffer overrun in the code for handling IN(...) operators when the LHS of the operator contains indexed columns or expressions.
FossilOrigin-Name: f41a0391b732a8c4ad188163f34a0f4a22237bb5
---
 manifest | 16 ++++++++--------
 manifest.uuid | 2 +-
 src/wherecode.c | 3 ++-
 test/rowvalue.test | 9 +++++++++
 4 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/manifest b/manifest
index c7b9d98ca9..b6792e8020 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C The\sprevious\sOOM\sfix\swas\sbad.\s\sBack\sit\sout\sand\sreplace\sit\swith\sa\sbetter\sone.
-D 2016-08-24T00:51:48.043
+C Fix\sa\sbuffer\soverrun\sin\sthe\scode\sfor\shandling\sIN(...)\soperators\swhen\sthe\sLHS\sof\sthe\soperator\scontains\sindexed\scolumns\sor\sexpressions.
+D 2016-08-24T12:22:17.962
 F Makefile.in cfd8fb987cd7a6af046daa87daa146d5aad0e088
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc d66d0395c38571aab3804f8db0fa20707ae4609a
@@ -466,7 +466,7 @@ F src/wal.h 6dd221ed384afdc204bc61e25c23ef7fd5a511f2
 F src/walker.c 2d2cc7fb0f320f7f415215d7247f3c584141ac09
 F src/where.c c7cdfd54f383090bb801cdd50d36de1a24684bb2
 F src/whereInt.h 14dd243e13b81cbb0a66063d38b70f93a7d6e613
-F src/wherecode.c 0c99e2e97c23ec0b0d64071b3590d3a5e6091a96
+F src/wherecode.c 5a5528c39be09593cada6ae465d7a0f48db0077f
 F src/whereexpr.c aa54bf11adf6bc7e52f56281f436ab5fd421ce16
 F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
 F test/affinity2.test a6d901b436328bd67a79b41bb0ac2663918fe3bd
@@ -1019,7 +1019,7 @@ F test/rollbackfault.test 0e646aeab8840c399cfbfa43daab46fd609cf04a
 F test/rowallock.test 3f88ec6819489d0b2341c7a7528ae17c053ab7cc
 F test/rowhash.test 0bc1d31415e4575d10cacf31e1a66b5cc0f8be81
 F test/rowid.test 5b7509f384f4f6fae1af3c8c104c8ca299fea18d
-F test/rowvalue.test c2b4d043f4253711c8a2c6aa126a3f6d71182969
+F test/rowvalue.test 7d8482dde9023973615eaaca65647f33d70c1f01
 F test/rowvalue2.test 875068299fd4dd50ef0a47786462c8e1f4065f9a
 F test/rowvalue3.test 01399b7bf150b0d41abce76c18072da777c2500c
 F test/rowvalue4.test 9b40c9be9bdde30fc66cddbfdf6a5af37de4ccac
@@ -1520,7 +1520,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 25f6ed8de4df9c9890d4a352a6d11084433e82ea
-R 19a9e7a69bf070f3aad327c389d879a1
-U drh
-Z c33731cf7b01c5dd25f3f1c4114950f7
+P 1e3bc3698a4b779e6af8e3c727929c4dbddf3edb
+R 66ed27e8c4688d763f7b5bcfa14b1684
+U dan
+Z b0da933895eae6df1437a965446c74bb
diff --git a/manifest.uuid b/manifest.uuid
index 6e72ba55fc..14c9bf29a3 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-1e3bc3698a4b779e6af8e3c727929c4dbddf3edb
\ No newline at end of file
+f41a0391b732a8c4ad188163f34a0f4a22237bb5
\ No newline at end of file
diff --git a/src/wherecode.c b/src/wherecode.c
index fbf6ad1946..65079872e1 100644
--- a/src/wherecode.c
+++ b/src/wherecode.c
@@ -471,7 +471,7 @@ static int codeEqualityTerm(
 if( pIn ){
 int iMap = 0; /* Index in aiMap[] */
 pIn += i;
- for(i=iEq;inLTerm; i++, pIn++){
+ for(i=iEq;inLTerm; i++){
 int iOut = iReg;
 if( pLoop->aLTerm[i]->pExpr==pX ){
 if( eType==IN_INDEX_ROWID ){
@@ -489,6 +489,7 @@ static int codeEqualityTerm(
 }else{
 pIn->eEndLoopOp = OP_Noop;
 }
+ pIn++;
 }
 }
 }else{
diff --git a/test/rowvalue.test b/test/rowvalue.test
index 642a7843aa..f716c26c8b 100644
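Review bot: The new `pIn++` in the -489 hunk carries the entire fix yet has no comment saying why it must stay inside the `pLoop->aLTerm[i]->pExpr==pX` branch rather than in the `for` increment where the -471 hunk removed it; a line such as `/* Only terms of this IN operator own a slot in the array pIn walks */` would stop a later cleanup from merging it back into the loop header and reintroducing the overrun. Its position inside that branch is inferred from the brace structure (two closing braces between `pIn++` and the `}else{`), since indentation did not survive here; `codeEqualityTerm`'s body, including the allocation that bounds `pIn`, begins and ends outside both hunks. If that allocation's element count is reachable at this point, an `assert()` that `pIn` has not passed the end of the array after the increment would document the invariant the old increment violated. The loop condition printed as `i=iEq;inLTerm` looks like extraction damage (a `<…>` comparison swallowed as markup) rather than code in the commit.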
--- a/test/rowvalue.test
+++ b/test/rowvalue.test
@@ -219,5 +219,14 @@ foreach {tn q res} {
 do_execsql_test 9.$tn "SELECT c FROM t2 WHERE $q" $res
 }
+do_execsql_test 10.0 {
+ CREATE TABLE dual(dummy); INSERT INTO dual(dummy) VALUES('X');
+ CREATE TABLE t3(a TEXT,b TEXT,c TEXT,d TEXT,e TEXT,f TEXT);
+ CREATE INDEX t3x ON t3(b,c,d,e,f);
+
+ SELECT a FROM t3
+ WHERE (c,d) IN (SELECT 'c','d' FROM dual)
+ AND (a,b,e) IN (SELECT 'a','b','d' FROM dual);
+}
 finish_test
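Review bot: Test 10.0 only checks that the statement runs to completion on an empty `t3` and returns nothing, so without a memory checker it passes on the unfixed code too and never drives a matched row through the `(c,d) IN` and `(a,b,e) IN` terms. Adding one matching and one non-matching row before the SELECT, e.g. `INSERT INTO t3 VALUES('a','b','c','d','d','f');` and `INSERT INTO t3 VALUES('x','b','c','d','d','f');`, and pinning the expected result as `{a}` would also verify the column mapping the fix touches. The query appears to be shaped so that row-value IN terms interleave with other index columns of `t3x`, which is what the commit message describes; a short comment above the test saying so would explain the otherwise odd `dual` construction.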