diff options
| author | drh <drh@noemail.net> | 2016-11-23 20:44:04 +0000 |
|---|---|---|
| committer | drh <drh@noemail.net> | 2016-11-23 20:44:04 +0000 |
| commit | 02e84703e8ba376aa2693c8473c20743c49291e7 (patch) | |
| tree | 0dda2b01a037b5f36d9781194e4a5d1716d0e124 | |
| parent | 5bb897448e086db37b7901b0c2d4745cf11a886d (diff) | |
| download | sqlite-02e84703e8ba376aa2693c8473c20743c49291e7.tar.gz sqlite-02e84703e8ba376aa2693c8473c20743c49291e7.zip | |
Fix a potential use-after-free error during parsing of malformed
CREATE TABLE statement.
FossilOrigin-Name: 0f956597995ca0007c51a32c71cf5fb723ed4134
| -rw-r--r-- | manifest | 14 | ||||
| -rw-r--r-- | manifest.uuid | 2 | ||||
| -rw-r--r-- | src/sqliteInt.h | 8 |
3 files changed, 12 insertions, 12 deletions
@@ -1,5 +1,5 @@ -C Fix\san\sfts5\sproblem\scausing\sa\scrash\sin\sphrase\squeries\swhere\sthe\sfirst\stoken\sof\nthe\sphrase\smatches\sone\sor\smore\srows\sbut\ssome\sother\stoken\swithin\sthe\sphrase\nmatches\szero. -D 2016-11-23T20:37:36.717 +C Fix\sa\spotential\suse-after-free\serror\sduring\sparsing\sof\smalformed\nCREATE\sTABLE\sstatement. +D 2016-11-23T20:44:04.507 F Makefile.in 6fd48ffcf7c2deea7499062d1f3747f986c19678 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434 F Makefile.msc 5151cc64c4c05f3455f4f692ad11410a810d937f @@ -392,7 +392,7 @@ F src/shell.c b80396d2fadce4681397707e30078bf416e1dec2 F src/sqlite.h.in 1011de924a6a7340c74e5442cb76f7b49c134512 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8 F src/sqlite3ext.h 8648034aa702469afb553231677306cc6492a1ae -F src/sqliteInt.h 8d241c2c0a1a7b6611d3e9398f41d69426da850d +F src/sqliteInt.h 9fbddc799b0ea6ca61fce4a0ef8ed2a11358d515 F src/sqliteLimit.h c0373387c287c8d0932510b5547ecde31b5da247 F src/status.c a9e66593dfb28a9e746cba7153f84d49c1ddc4b1 F src/table.c 5226df15ab9179b9ed558d89575ea0ce37b03fc9 @@ -1527,8 +1527,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 6492e57e65118bc6366bd92c553f4494a99f97e6 -Q +e78f6f3bbf4781850960fe6741f7cba480f2c27d -R 2ecb5339659ddc5da65f20f10c176e3c +P 4efd331e9c680e1eb9c2bf58c5f45c03c0a31772 +Q +c5dbc599b910c02a961675b12b273b8df6d29450 +R 468674797cdbc2f53ac3e01c305314f2 U drh -Z b30462f897983c9e3ad5fac73caa69b5 +Z 35e7fa15558d3919e253f6fa44eb958f diff --git a/manifest.uuid b/manifest.uuid index 4daf9f646..385d74c95 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -4efd331e9c680e1eb9c2bf58c5f45c03c0a31772
\ No newline at end of file +0f956597995ca0007c51a32c71cf5fb723ed4134
\ No newline at end of file diff --git a/src/sqliteInt.h b/src/sqliteInt.h index 2d13f2635..98cfcb4e7 100644 --- a/src/sqliteInt.h +++ b/src/sqliteInt.h @@ -2946,15 +2946,15 @@ struct Parse { } aColCache[SQLITE_N_COLCACHE]; /* One for each column cache entry */ int aTempReg[8]; /* Holding area for temporary registers */ Token sNameToken; /* Token with unqualified schema object name */ - Token sLastToken; /* The last token parsed */ /************************************************************************ ** Above is constant between recursions. Below is reset before and after ** each recursion. The boundary between these two regions is determined - ** using offsetof(Parse,nVar) so the nVar field must be the first field - ** in the recursive region. + ** using offsetof(Parse,sLastToken) so the sLastToken field must be the + ** first field in the recursive region. ************************************************************************/ + Token sLastToken; /* The last token parsed */ ynVar nVar; /* Number of '?' variables seen in the SQL so far */ int nzVar; /* Number of available slots in azVar[] */ u8 iPkSortOrder; /* ASC or DESC for INTEGER PRIMARY KEY */ @@ -2988,7 +2988,7 @@ struct Parse { ** Sizes and pointers of various parts of the Parse object. */ #define PARSE_HDR_SZ offsetof(Parse,aColCache) /* Recursive part w/o aColCache*/ -#define PARSE_RECURSE_SZ offsetof(Parse,nVar) /* Recursive part */ +#define PARSE_RECURSE_SZ offsetof(Parse,sLastToken) /* Recursive part */ #define PARSE_TAIL_SZ (sizeof(Parse)-PARSE_RECURSE_SZ) /* Non-recursive part */ #define PARSE_TAIL(X) (((char*)(X))+PARSE_RECURSE_SZ) /* Pointer to tail */ |