|
 |
ec7966 |
Subject: [PATCH] Fix a null pointer deference that can occur on a strange
|
|
|
ec7966 |
matchinfo() query.
|
|
|
ec7966 |
|
|
|
ec7966 |
---
|
|
|
ec7966 |
ext/fts3/fts3_snippet.c | 2 +-
|
|
|
ec7966 |
test/fts3matchinfo2.test | 35 +++++++++++++++++++++++++++++++++++
|
|
|
ec7966 |
2 files changed, 36 insertions(+), 1 deletion(-)
|
|
|
ec7966 |
create mode 100644 test/fts3matchinfo2.test
|
|
|
ec7966 |
|
|
|
ec7966 |
diff --git a/ext/fts3/fts3_snippet.c b/ext/fts3/fts3_snippet.c
|
|
|
ec7966 |
index a0771c0..5778620 100644
|
|
|
ec7966 |
--- a/ext/fts3/fts3_snippet.c
|
|
|
ec7966 |
+++ b/ext/fts3/fts3_snippet.c
|
|
|
ec7966 |
@@ -869,7 +869,7 @@ static void fts3ExprLHits(
|
|
|
ec7966 |
iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
|
|
|
ec7966 |
}
|
|
|
ec7966 |
|
|
|
ec7966 |
- while( 1 ){
|
|
|
ec7966 |
+ if( pIter ) while( 1 ){
|
|
|
ec7966 |
int nHit = fts3ColumnlistCount(&pIter);
|
|
|
ec7966 |
if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
|
|
|
ec7966 |
if( p->flag==FTS3_MATCHINFO_LHITS ){
|
|
|
ec7966 |
diff --git a/test/fts3matchinfo2.test b/test/fts3matchinfo2.test
|
|
|
ec7966 |
new file mode 100644
|
|
|
ec7966 |
index 0000000..d6b3ad0
|
|
|
ec7966 |
--- /dev/null
|
|
|
ec7966 |
+++ b/test/fts3matchinfo2.test
|
|
|
ec7966 |
@@ -0,0 +1,35 @@
|
|
|
ec7966 |
+# 2020-05-14
|
|
|
ec7966 |
+#
|
|
|
ec7966 |
+# The author disclaims copyright to this source code. In place of
|
|
|
ec7966 |
+# a legal notice, here is a blessing:
|
|
|
ec7966 |
+#
|
|
|
ec7966 |
+# May you do good and not evil.
|
|
|
ec7966 |
+# May you find forgiveness for yourself and forgive others.
|
|
|
ec7966 |
+# May you share freely, never taking more than you give.
|
|
|
ec7966 |
+#
|
|
|
ec7966 |
+#***********************************************************************
|
|
|
ec7966 |
+# This file implements regression tests for the FTS3 module. The focus
|
|
|
ec7966 |
+# of this file is tables created with the "matchinfo=fts3" option.
|
|
|
ec7966 |
+#
|
|
|
ec7966 |
+
|
|
|
ec7966 |
+set testdir [file dirname $argv0]
|
|
|
ec7966 |
+source $testdir/tester.tcl
|
|
|
ec7966 |
+
|
|
|
ec7966 |
+# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
|
|
|
ec7966 |
+ifcapable !fts3 { finish_test ; return }
|
|
|
ec7966 |
+
|
|
|
ec7966 |
+set sqlite_fts3_enable_parentheses 1
|
|
|
ec7966 |
+
|
|
|
ec7966 |
+# Crash case found by cyg0810 at gmail.com 2020-05-14. Reported to
|
|
|
ec7966 |
+# chromium (which is not vulnerable) who kindly referred it to us.
|
|
|
ec7966 |
+#
|
|
|
ec7966 |
+do_execsql_test 1.0 {
|
|
|
ec7966 |
+ CREATE TABLE t_content(col0 INTEGER);
|
|
|
ec7966 |
+ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
|
|
|
ec7966 |
+ INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
|
|
|
ec7966 |
+ SELECT hex(matchinfo(t0,'yxy')) FROM t0 WHERE t0 MATCH x'2b0a312b0a312a312a2a0b5d0a0b0b0a312a0a0b0b0a312a0b310a392a0b0a27312a2a0b5d0a312a0b310a31315d0b310a312a316d2a0b313b15bceaa50a312a0b0a27312a2a0b5d0a312a0b310a312b0b2a310a312a0b2a0b2a0b2e5d0a0bff313336e34a2a312a0b0a3c310b0a0b4b4b0b4b2a4bec40322b2a0b310a0a312a0a0a0a0a0a0a0a0a0b310a312a2a2a0b5d0a0b0b0a312a0b310a312a0b0a4e4541530b310a5df5ced70a0a0a0a0a4f520a0a0a0a0a0a0a312a0b0a4e4541520b310a5d616161610a0a0a0a4f520a0a0a0a0a0a312b0a312a312a0a0a0a0a0a0a004a0b0a310b220a0b0a310a4a22310a0b0a7e6fe0e0e030e0e0e0e0e01176e02000e0e0e0e0e01131320226310a0b0a310a4a22310a0b0a310a766f8b8b4ee0e0300ae0090909090909090909090909090909090909090909090909090909090909090947aaaa540b09090909090909090909090909090909090909090909090909090909090909fae0e0f2f22164e0e0f273e07fefefef7d6dfafafafa6d6d6d6d';
|
|
|
ec7966 |
+} {/000000.*0000000/}
|
|
|
ec7966 |
+
|
|
|
ec7966 |
+
|
|
|
ec7966 |
+set sqlite_fts3_enable_parentheses 0
|
|
|
ec7966 |
+finish_test
|
|
|
ec7966 |
\ No newline at end of file
|
|
|
ec7966 |
--
|
|
|
ec7966 |
2.24.1
|
|
|
ec7966 |
|