authordrh <drh@noemail.net>2019-09-18 11:16:46 +0000
committerdrh <drh@noemail.net>2019-09-18 11:16:46 +0000
commit9d70284022fbc4d7fecb4c4b60f98589e6897a9f (patch)
tree6990ba64620756b093c3c71465c10757e089c654 /src/func.c
parentec722c1088769846a58cc3c2b277222249e92c08 (diff)
Fix an OOB read in the INSTR() function introduced yesterday by check-in
[3fb40f518086c1e8] and detected by OSSFuzz. The test case is in TH3. FossilOrigin-Name: d49047c1b59bbfd05204af9973cdb0fab51b4d2661b550aec10d917fff94dc9b
Diffstat (limited to 'src/func.c')
-rw-r--r--src/func.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/func.c b/src/func.c
index cb5085d3a..3201b6df8 100644
--- a/src/func.c
+++ b/src/func.c
@@ -224,14 +224,15 @@ static void instrFunc(
}else{
pC1 = sqlite3_value_dup(argv[0]);
zHaystack = sqlite3_value_text(pC1);
+ if( zHaystack==0 ) goto endInstrOOM;
+ nHaystack = sqlite3_value_bytes(pC1);
pC2 = sqlite3_value_dup(argv[1]);
zNeedle = sqlite3_value_text(pC2);
+ if( zNeedle==0 ) goto endInstrOOM;
+ nNeedle = sqlite3_value_bytes(pC2);
isText = 1;
}
- if( zNeedle==0 || (nHaystack && zHaystack==0) ){
- sqlite3_result_error_nomem(context);
- goto endInstr;
- }
+ if( zNeedle==0 || (nHaystack && zHaystack==0) ) goto endInstrOOM;
firstChar = zNeedle[0];
while( nNeedle<=nHaystack
&& (zHaystack[0]!=firstChar || memcmp(zHaystack, zNeedle, nNeedle)!=0)
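Review bot: The new `nHaystack = sqlite3_value_bytes(pC1);` and `nNeedle = sqlite3_value_bytes(pC2);` lines carry no explanation of why the byte counts are now read from the duplicated values after `sqlite3_value_text()`, which presumably is the fix itself: the text conversion can change the value's byte length, so a count taken earlier no longer bounds the `memcmp` below. A comment above the first added check would keep a later edit from hoisting them back, e.g. `/* Byte counts must come from the dup'd value AFTER sqlite3_value_text(): the conversion may change the length, and nHaystack/nNeedle bound the scan below. */`. The first `goto endInstrOOM` runs before `pC2` is assigned, so the frees at endInstr rely on `pC2` starting at 0 in its declaration, which is outside the hunk and worth confirming. The retained `zNeedle==0 || (nHaystack && zHaystack==0)` test is now redundant for this branch and only serves the other branch above the hunk; a short comment saying so would avoid it being removed as dead code. instrFunc starts and ends outside this hunk.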
@@ -248,6 +249,10 @@ static void instrFunc(
endInstr:
sqlite3_value_free(pC1);
sqlite3_value_free(pC2);
+ return;
+endInstrOOM:
+ sqlite3_result_error_nomem(context);
+ goto endInstr;
}
/*