authordan <dan@noemail.net>2015-05-26 18:58:57 +0000
committerdan <dan@noemail.net>2015-05-26 18:58:57 +0000
commit584390e8dd368d6ce28d82c270036e15c0562b7b (patch)
tree7441a917b9348642e47a10183696431ea1da9284
parentea93c7005db216a2372d213ca3a17cf4668036c3 (diff)
downloadsqlite-584390e8dd368d6ce28d82c270036e15c0562b7b.tar.gz
sqlite-584390e8dd368d6ce28d82c270036e15c0562b7b.zip
Fix a one-byte buffer overread that may follow a syntax error while preparing an SQL statement.
FossilOrigin-Name: 075003930da98419f671b7833a5850693529fb62
-rw-r--r--manifest19
-rw-r--r--manifest.uuid2
-rw-r--r--src/tokenize.c2
-rw-r--r--test/misc1.test8
4 files changed, 18 insertions, 13 deletions
diff --git a/manifest b/manifest
index 46ac05701..be7faba13 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C The\s"make\sfuzztest"\starget\snow\suses\sfuzzcheck\sinstead\sof\sfuzzershell.
-D 2015-05-26T18:15:08.927
+C Fix\sa\sone-byte\sbuffer\soverread\sthat\smay\sfollow\sa\ssyntax\serror\swhile\spreparing\san\sSQL\sstatement.
+D 2015-05-26T18:58:57.869
F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
F Makefile.in 3feb7cbdad8898fe7a8a24355b4a753029c3ec3b
F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -306,7 +306,7 @@ F src/test_vfs.c 3b65d42e18b262805716bd96178c81da8f2d9283
F src/test_vfstrace.c bab9594adc976cbe696ff3970728830b4c5ed698
F src/test_wsd.c 41cadfd9d97fe8e3e4e44f61a4a8ccd6f7ca8fe9
F src/threads.c 6bbcc9fe50c917864d48287b4792d46d6e873481
-F src/tokenize.c af8cbbca6db6b664ffecafa236b06629ef6d35c4
+F src/tokenize.c 27d60b6bf4a92d17c329a11ff9fe94081b2a8510
F src/trigger.c 322f23aad694e8f31d384dcfa386d52a48d3c52f
F src/update.c 487747b328b7216bb7f6af0695d6937d5c9e605f
F src/utf.c fc6b889ba0779b7722634cdeaa25f1930d93820c
@@ -768,7 +768,7 @@ F test/minmax.test 42fbad0e81afaa6e0de41c960329f2b2c3526efd
F test/minmax2.test b44bae787fc7b227597b01b0ca5575c7cb54d3bc
F test/minmax3.test cc1e8b010136db0d01a6f2a29ba5a9f321034354
F test/minmax4.test 936941484ebdceb8adec7c86b6cd9b6e5e897c1f
-F test/misc1.test 2bb46a3656e97f80c82880a94ea10d76a3b60cb0
+F test/misc1.test 3f1c479c5a093a6280f378c0fbff1c2701486660
F test/misc2.test 00d7de54eda90e237fc9a38b9e5ccc769ebf6d4d
F test/misc3.test cf3dda47d5dda3e53fc5804a100d3c82be736c9d
F test/misc4.test 0d8be3466adf123a7791a66ba2bc8e8d229e87f3
@@ -1279,10 +1279,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 193364c81c301a41c16835108d23ad2ab84d9dd7
-R 72bebf492c55de7ece7f6fdbb9a7dd3f
-T *branch * test-using-fuzzcheck
-T *sym-test-using-fuzzcheck *
-T -sym-trunk *
-U drh
-Z 66f2916d8728b836edfc9ebde30c4bfc
+P 4a5f6f1f0128657fd8d4d99d0682edd5bac2a19e
+R 065e508f512bb407d5d12027502751ea
+U dan
+Z 196ef8f8d5bf66f74ab95e80a414f84a
diff --git a/manifest.uuid b/manifest.uuid
index 0f9ca58d3..2f41346a6 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-4a5f6f1f0128657fd8d4d99d0682edd5bac2a19e \ No newline at end of file
+075003930da98419f671b7833a5850693529fb62 \ No newline at end of file
diff --git a/src/tokenize.c b/src/tokenize.c
index 702cae03a..ae23bf0e7 100644
--- a/src/tokenize.c
+++ b/src/tokenize.c
@@ -450,7 +450,7 @@ int sqlite3RunParser(Parse *pParse, const char *zSql, char **pzErrMsg){
}
abort_parse:
assert( nErr==0 );
- if( zSql[i]==0 && pParse->rc==SQLITE_OK && db->mallocFailed==0 ){
+ if( pParse->rc==SQLITE_OK && db->mallocFailed==0 && zSql[i]==0 ){
if( lastTokenParsed!=TK_SEMI ){
sqlite3Parser(pEngine, TK_SEMI, pParse->sLastToken, pParse);
pParse->zTail = &zSql[i];
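Review bot: The reordered condition `if( pParse->rc==SQLITE_OK && db->mallocFailed==0 && zSql[i]==0 ){` has no comment saying that the operand order is what prevents the overread, so a later tidy-up could move `zSql[i]==0` back to the front. I would add above it `/* Test zSql[i] last: after a syntax error i may index past the end of zSql. */`. The reorder skips the read but, as far as the hunk shows, leaves `i` unchanged. Any other use of `zSql[i]` or `&zSql[i]` reachable after `abort_parse` on the error path is therefore worth checking. That code is outside the hunk, as are the start and end of sqlite3RunParser.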
diff --git a/test/misc1.test b/test/misc1.test
index 93f417721..25e9bd813 100644
--- a/test/misc1.test
+++ b/test/misc1.test
@@ -693,4 +693,12 @@ do_catchsql_test misc1-23.3 {
DROP TABLE IF EXISTS t;
} {0 {}}
+
+# At one point, running this would read one byte passed the end of a
+# buffer, upsetting valgrind.
+#
+do_test misc1-24.0 {
+ list [catch { sqlite3_prepare_v2 db ! -1 dummy } msg] $msg
+} {1 {(1) unrecognized token: "!}}
+
finish_test
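Review bot: The new case misc1-24.0 asserts only the returned error text, which is presumably the same with and without the tokenize.c change, so a plain run of the suite would not catch a regression. Going by the test's own comment, the overread shows up only under valgrind. The comment should state that dependency explicitly, for example `# Only detectable when the suite runs under valgrind or another memory checker.`. In the same comment, "passed the end" should read "past the end".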