Fix a reference to freed memory that can occur following an OOM error in

where.c.

FossilOrigin-Name: 929b6047391411c6f539e47afe6b63d16e352ccb

3 files changed, 13 insertions, 15 deletions

diff --git a/manifest b/manifest
index e4b28f7c9..ea8a92ea2 100644
--- a/manifest
+++ b/manifest
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-C Back\sout\spart\sof\sthe\schange\sin\s[23ea2b700fd6d28d]\ssince\sTH3\sreveals\ssome\nproblems\sin\sOOM\ssituations.
-D 2009-11-16T21:28:45
+C Fix\sa\sreference\sto\sfreed\smemory\sthat\scan\soccur\sfollowing\san\sOOM\serror\sin\nwhere.c.
+D 2009-11-16T22:54:51
 F Makefile.arm-wince-mingw32ce-gcc fcd5e9cd67fe88836360bb4f9ef4cb7f8e2fb5a0
 F Makefile.in 53f3dfa49f28ab5b80cb083fb7c9051e596bcfa1
 F Makefile.linux-gcc d53183f4aa6a9192d249731c90dbdffbd2c68654
@@ -219,7 +219,7 @@ F src/vdbeblob.c 84f924700a7a889152aeebef77ca5f4e3875ffb4
 F src/vdbemem.c 1e16e3a16e55f4c3452834f0e041726021aa66e0
 F src/vtab.c 456fc226614569f0e46f216e33265bea268bd917
 F src/walker.c 3112bb3afe1d85dc52317cb1d752055e9a781f8f
-F src/where.c d5c9692fc228bdc4826f50971b3801068cd4513b
+F src/where.c 5a8ed38834465e47c9e28ea5462f3ad8b90000c7
 F test/aggerror.test a867e273ef9e3d7919f03ef4f0e8c0d2767944f2
 F test/alias.test 4529fbc152f190268a15f9384a5651bbbabc9d87
 F test/all.test 14165b3e32715b700b5f0cbf8f6e3833dda0be45
@@ -771,14 +771,14 @@ F tool/speedtest2.tcl ee2149167303ba8e95af97873c575c3e0fab58ff
 F tool/speedtest8.c 2902c46588c40b55661e471d7a86e4dd71a18224
 F tool/speedtest8inst1.c 293327bc76823f473684d589a8160bde1f52c14e
 F tool/vdbe-compress.tcl d70ea6d8a19e3571d7ab8c9b75cba86d1173ff0f
-P 1c9243b0760741f48b15efb0da661255177aed8b
-R 2a3aeb21f4a3bbfe7cfca935b177d6e0
+P 15d215d62df72c1bf1e605629692ee40d96546a6
+R d253a6762b5dd3d0bde3393a87de556c
 U drh
-Z 9c2b416f8f787b6f334bf09d3499d0a9
+Z 12a310b917e34b7cdac3faa62159e6fc
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.6 (GNU/Linux)
 
-iD8DBQFLAcQQoxKgR168RlERAs/sAJ9LLCrNdB5gT6NALFZz9zKR408UXQCfQ3la
-6skLmIYJc1m0uPoQURk432Y=
-=7uKK
+iD8DBQFLAdg+oxKgR168RlERAgPrAJ9mhwpaoSYOxmJuy6MMcqfG8OzxTQCfVnkP
+04+k4Lpu0ZIEUGV/hFCqsz8=
+=itlO
 -----END PGP SIGNATURE-----
diff --git a/manifest.uuid b/manifest.uuid
index 8baca8ef5..a8f7033d3 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-15d215d62df72c1bf1e605629692ee40d96546a6
\ No newline at end of file
+929b6047391411c6f539e47afe6b63d16e352ccb
\ No newline at end of file
diff --git a/src/where.c b/src/where.c
index 90df4c495..84cbd4636 100644
--- a/src/where.c
+++ b/src/where.c
@@ -2594,15 +2594,13 @@ static void disableTerm(WhereLevel *pLevel, WhereTerm *pTerm){
 ** Code an OP_Affinity opcode to apply the column affinity string zAff
 ** to the n registers starting at base. 
 **
-** Buffer zAff was allocated using sqlite3DbMalloc(). It is the 
-** responsibility of this function to arrange for it to be eventually
-** freed using sqlite3DbFree().
+** This routine assumes that zAff is dynamic and makes its own copy.
 */
 static void codeApplyAffinity(Parse *pParse, int base, int n, char *zAff){
   Vdbe *v = pParse->pVdbe;
   assert( v!=0 );
   sqlite3VdbeAddOp2(v, OP_Affinity, base, n);
-  sqlite3VdbeChangeP4(v, -1, zAff, P4_DYNAMIC);
+  sqlite3VdbeChangeP4(v, -1, zAff, 0);
   sqlite3ExprCacheAffinityChange(pParse, base, n);
 }
 
@@ -3130,7 +3128,6 @@ static Bitmask codeOneLoopStart(
       sqlite3ExprCacheRemove(pParse, regBase+nEq);
       sqlite3ExprCode(pParse, pRight, regBase+nEq);
       sqlite3VdbeAddOp2(v, OP_IsNull, regBase+nEq, addrNxt);
-      zAff = sqlite3DbStrDup(pParse->db, zAff);
       if( zAff 
        && sqlite3CompareAffinity(pRight, zAff[nConstraint])==SQLITE_AFF_NONE
       ){
@@ -3142,6 +3139,7 @@ static Bitmask codeOneLoopStart(
       codeApplyAffinity(pParse, regBase, nEq+1, zAff);
       nConstraint++;
     }
+    sqlite3DbFree(pParse->db, zAff);
 
     /* Top of the loop body */
     pLevel->p2 = sqlite3VdbeCurrentAddr(v);