New assert() statements to verify that Expr.iColumn is never used as an

array index when its value is negative. FossilOrigin-Name: 6084c5fb6d3fcedf35cd6c597a44ec7bf8b4a2576c7b277e5342d2a7905318e7
author: drh <> 2023-05-17 15:46:46 +0000
committer: drh <> 2023-05-17 15:46:46 +0000
commit: 60fd5c34abec24a39fdb9e467174944f8d245544 (patch)
tree: 61f9ec236d9c4b1fdd0dd010b5927aff73e69e14 /src
parent: 9c9b33cbaf65be1604bd419af0e3d00c52523fd8 (diff)
download: sqlite-60fd5c34abec24a39fdb9e467174944f8d245544.tar.gz
sqlite-60fd5c34abec24a39fdb9e467174944f8d245544.zip
3 files changed, 10 insertions, 3 deletions
diff --git a/src/build.c b/src/build.c
index 9be444c3c..d6d90ea5f 100644
--- a/src/build.c
+++ b/src/build.c
@@ -2234,7 +2234,7 @@ static void estimateIndexWidth(Index *pIdx){
   for(i=0; i<pIdx->nColumn; i++){
     i16 x = pIdx->aiColumn[i];
     assert( x<pIdx->pTable->nCol );
-    wIndex += x<0 ? 1 : aCol[pIdx->aiColumn[i]].szEst;
+    wIndex += x<0 ? 1 : aCol[x].szEst;
   }
   pIdx->szIdxRow = sqlite3LogEst(wIndex*4);
 }
diff --git a/src/delete.c b/src/delete.c
index f54bfdcc7..0c9e764e2 100644
--- a/src/delete.c
+++ b/src/delete.c
@@ -226,14 +226,20 @@ Expr *sqlite3LimitWhere(
     );
   }else{
     Index *pPk = sqlite3PrimaryKeyIndex(pTab);
+    assert( pPk!=0 );
+    assert( pPk->nKeyCol>=1 );
     if( pPk->nKeyCol==1 ){
-      const char *zName = pTab->aCol[pPk->aiColumn[0]].zCnName;
+      const char *zName;
+      assert( pPk->aiColumn[0]>=0 && pPk->aiColumn[0]<pTab->nCol );
+      zName = pTab->aCol[pPk->aiColumn[0]].zCnName;
       pLhs = sqlite3Expr(db, TK_ID, zName);
       pEList = sqlite3ExprListAppend(pParse, 0, sqlite3Expr(db, TK_ID, zName));
     }else{
       int i;
       for(i=0; i<pPk->nKeyCol; i++){
-        Expr *p = sqlite3Expr(db, TK_ID, pTab->aCol[pPk->aiColumn[i]].zCnName);
+        Expr *p;
+        assert( pPk->aiColumn[i]>=0 && pPk->aiColumn[i]<pTab->nCol );
+        p = sqlite3Expr(db, TK_ID, pTab->aCol[pPk->aiColumn[i]].zCnName);
         pEList = sqlite3ExprListAppend(pParse, pEList, p);
       }
       pLhs = sqlite3PExpr(pParse, TK_VECTOR, 0, 0);
diff --git a/src/expr.c b/src/expr.c
index c6bc847ab..f920b4015 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -67,6 +67,7 @@ char sqlite3ExprAffinity(const Expr *pExpr){
     if( op==TK_SELECT_COLUMN ){
       assert( pExpr->pLeft!=0 && ExprUseXSelect(pExpr->pLeft) );
       assert( pExpr->iColumn < pExpr->iTable );
+      assert( pExpr->iColumn >= 0 );
       assert( pExpr->iTable==pExpr->pLeft->x.pSelect->pEList->nExpr );
       return sqlite3ExprAffinity(
           pExpr->pLeft->x.pSelect->pEList->a[pExpr->iColumn].pExpr
author	drh <>	2023-05-17 15:46:46 +0000
committer	drh <>	2023-05-17 15:46:46 +0000
commit	60fd5c34abec24a39fdb9e467174944f8d245544 (patch)
tree	61f9ec236d9c4b1fdd0dd010b5927aff73e69e14 /src
parent	9c9b33cbaf65be1604bd419af0e3d00c52523fd8 (diff)
download	sqlite-60fd5c34abec24a39fdb9e467174944f8d245544.tar.gz sqlite-60fd5c34abec24a39fdb9e467174944f8d245544.zip