authordrh <drh@noemail.net>2015-12-08 16:08:10 +0000
committerdrh <drh@noemail.net>2015-12-08 16:08:10 +0000
commitea06a271a4cfd530325c35a5a9ba00e185059bd2 (patch)
tree24705f193f62afdd946c808ce7a6ece811e5f54d /src
parent92a82771498c19c39abaa3754ff0d307ad7da9dd (diff)
downloadsqlite-ea06a271a4cfd530325c35a5a9ba00e185059bd2.tar.gz
sqlite-ea06a271a4cfd530325c35a5a9ba00e185059bd2.zip
Avoid doing comparisons with pointers that might have previously been
passed to realloc() and/or free(). FossilOrigin-Name: f20396adb2cff12a17a3fc90b36241ae3fdfd62a
Diffstat (limited to 'src')
-rw-r--r--src/printf.c17
-rw-r--r--src/sqliteInt.h1
2 files changed, 14 insertions, 4 deletions
diff --git a/src/printf.c b/src/printf.c
index e34ddd3bd..969950c15 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -766,8 +766,9 @@ static int sqlite3StrAccumEnlarge(StrAccum *p, int N){
setStrAccumError(p, STRACCUM_TOOBIG);
return N;
}else{
- char *zOld = (p->zText==p->zBase ? 0 : p->zText);
+ char *zOld = p->bMalloced ? p->zText : 0;
i64 szNew = p->nChar;
+ assert( (p->zText==0 || p->zText==p->zBase)==(p->bMalloced==0) );
szNew += N + 1;
if( szNew+p->nChar<=p->mxAlloc ){
/* Force exponential buffer size growth as long as it does not overflow,
@@ -788,9 +789,10 @@ static int sqlite3StrAccumEnlarge(StrAccum *p, int N){
}
if( zNew ){
assert( p->zText!=0 || p->nChar==0 );
- if( p->zText==p->zBase && p->nChar>0 ) memcpy(zNew, p->zText, p->nChar);
+ if( !p->bMalloced && p->nChar>0 ) memcpy(zNew, p->zText, p->nChar);
p->zText = zNew;
p->nAlloc = sqlite3DbMallocSize(p->db, zNew);
+ p->bMalloced = 1;
}else{
sqlite3StrAccumReset(p);
setStrAccumError(p, STRACCUM_NOMEM);
@@ -808,6 +810,7 @@ void sqlite3AppendChar(StrAccum *p, int N, char c){
if( p->nChar+(i64)N >= p->nAlloc && (N = sqlite3StrAccumEnlarge(p, N))<=0 ){
return;
}
+ assert( (p->zText==p->zBase)==(p->bMalloced==0) );
while( (N--)>0 ) p->zText[p->nChar++] = c;
}
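Review bot: The assert added before the write loop in sqlite3AppendChar uses the short form `(p->zText==p->zBase)==(p->bMalloced==0)`, while the asserts added in sqlite3StrAccumEnlarge, enlargeAndAppend and sqlite3StrAccumReset also accept `p->zText==0`. After sqlite3StrAccumReset an accumulator has zText==0 and bMalloced==0, so the short form holds only if such an accumulator always takes the early return above, which depends on code outside this hunk. If the stricter form is intentional because the loop stores through zText, a comment such as `/* zText is expected to be usable here: the loop below stores through it */` would make that explicit; otherwise use the same form as the other sites.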
@@ -825,6 +828,7 @@ static void SQLITE_NOINLINE enlargeAndAppend(StrAccum *p, const char *z, int N){
memcpy(&p->zText[p->nChar], z, N);
p->nChar += N;
}
+ assert( (p->zText==0 || p->zText==p->zBase)==(p->bMalloced==0) );
}
/*
@@ -860,11 +864,13 @@ void sqlite3StrAccumAppendAll(StrAccum *p, const char *z){
*/
char *sqlite3StrAccumFinish(StrAccum *p){
if( p->zText ){
+ assert( (p->zText==p->zBase)==(p->bMalloced==0) );
p->zText[p->nChar] = 0;
- if( p->mxAlloc>0 && p->zText==p->zBase ){
+ if( p->mxAlloc>0 && p->bMalloced==0 ){
p->zText = sqlite3DbMallocRaw(p->db, p->nChar+1 );
if( p->zText ){
memcpy(p->zText, p->zBase, p->nChar+1);
+ p->bMalloced = 1;
}else{
setStrAccumError(p, STRACCUM_NOMEM);
}
@@ -877,8 +883,10 @@ char *sqlite3StrAccumFinish(StrAccum *p){
** Reset an StrAccum string. Reclaim all malloced memory.
*/
void sqlite3StrAccumReset(StrAccum *p){
- if( p->zText!=p->zBase ){
+ assert( (p->zText==0 || p->zText==p->zBase)==(p->bMalloced==0) );
+ if( p->bMalloced ){
sqlite3DbFree(p->db, p->zText);
+ p->bMalloced = 0;
}
p->zText = 0;
}
@@ -904,6 +912,7 @@ void sqlite3StrAccumInit(StrAccum *p, sqlite3 *db, char *zBase, int n, int mx){
p->nAlloc = n;
p->mxAlloc = mx;
p->accError = 0;
+ p->bMalloced = 0;
}
/*
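Review bot: sqlite3StrAccumReset now decides whether to call sqlite3DbFree from bMalloced alone, so this assignment in sqlite3StrAccumInit is what keeps a caller-supplied zBase buffer from being handed to the allocator. A StrAccum that is filled in field by field rather than through sqlite3StrAccumInit would reach Reset with an indeterminate flag; the diffstat shown covers only printf.c and sqliteInt.h under src, so it is worth confirming that no such initializer exists elsewhere. A comment on the assignment, for example `/* must start at 0: sqlite3StrAccumReset frees zText when set */`, would record the dependency. The function body starts outside the hunk.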
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 338a57325..0d477dc06 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -2952,6 +2952,7 @@ struct StrAccum {
int nAlloc; /* Amount of space allocated in zText */
int mxAlloc; /* Maximum allowed allocation. 0 for no malloc usage */
u8 accError; /* STRACCUM_NOMEM or STRACCUM_TOOBIG */
+ u8 bMalloced; /* zText points to allocated space */
};
#define STRACCUM_NOMEM 1
#define STRACCUM_TOOBIG 2
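Review bot: The comment on the new `bMalloced` field states neither the invariant that the asserts added in printf.c check nor why the flag exists. Suggest `u8 bMalloced;  /* True iff zText is non-NULL and is not zBase (heap memory) */`. The struct's header comment should also say that the flag is tested instead of comparing zText with zBase, because zText may already have been passed to realloc() or free(). The struct definition starts outside the hunk.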