On Apr 2, 2010, at 8:34 AM, Daniel Lin wrote: > Let me describe the situation which I found: > > line 741 calculated as 17 bytes. > line 746 memcpy the zP4's original allocated size is 16 bytes only. > > So, on line 746, it will copy one byte unknown data on last byte to > the new buffer.
http://www.sqlite.org/src/ci/937b931a7c > > Or, this problem is occurs by the line 741, it calculate the wrong > number? > > On Fri, Apr 2, 2010 at 19:52, D. Richard Hipp <d...@hwaci.com> wrote: > > On Apr 2, 2010, at 6:15 AM, Daniel Lin wrote: > > I've read the test page which you provide. > But, I still think I'm right. Because Borland C++ Builder's Code > Guard detect by following method: > > 1. Make special tag on 'malloc' memory boundry. > 2. Check the memcpy is overrun the previous malloc boundry. > > I've traced back the callee & caller's code, I'm 80% sure your code > seems wrong on that line. > > That's why I still think your code has problem on that line. > And I still don't know why my modification will cause malfunction. > Is there any sample could show the malfunction? > > Maybe dmalloc could also help the checking issue. (But, I'm not sure > it could help on this overrun problem.) > > 0708 void sqlite3VdbeChangeP4(Vdbe *p, int addr, const char *zP4, > int n){ > ... > 0736 }else if( n==P4_KEYINFO ){ > 0737 KeyInfo *pKeyInfo; > 0738 int nField, nByte; > 0739 > 0740 nField = ((KeyInfo*)zP4)->nField; > 0741 nByte = sizeof(*pKeyInfo) + (nField-1)*sizeof(pKeyInfo- > >aColl[0]) + nField; > 0742 pKeyInfo = sqlite3Malloc( nByte ); > 0743 pOp->p4.pKeyInfo = pKeyInfo; > 0744 if( pKeyInfo ){ > 0745 u8 *aSortOrder; > 0746 memcpy((char*)pKeyInfo, zP4, nByte); > 0747 aSortOrder = pKeyInfo->aSortOrder; > 0748 if( aSortOrder ){ > 0749 pKeyInfo->aSortOrder = (unsigned char*)&pKeyInfo- > >aColl[nField]; > 0750 memcpy(pKeyInfo->aSortOrder, aSortOrder, nField); > 0751 } > 0752 pOp->p4type = P4_KEYINFO; > 0753 }else{ > 0754 p->db->mallocFailed = 1; > 0755 pOp->p4type = P4_NOTUSED; > 0756 } > > A pointer to the object to be copied is passed in as parameter zP4. > The size of the object is computed on line 741. Sufficient space to > copy the object is allocated on line 742. The copy occurs on line > 746. Lines 747 through 751 copy over some auxiliary information > into the tail the same memory allocation as is used by the original > object. The code is correct is stands. > > To see why your change will cause a malfunction, all you have to do > is run the test suite. > > Further discussion to sqlite-users@sqlite.org, please. > > > > > > On Fri, Apr 2, 2010 at 11:34, D. Richard Hipp <d...@hwaci.com> wrote: > > On Apr 1, 2010, at 9:34 PM, Daniel Lin wrote: > > Hi, Richard, > > Still not got your reply. > I've changed the line, and it works well. > So, I don't know when will the malfunction will occur. > > Have you ever used the codeguard like utility to check the sqlite at > runtime? > > > http://valgrind.org/ > http://www.sqlite.org/testing.html > > > > On Thu, Mar 25, 2010 at 08:47, Daniel Lin <dlin...@gmail.com> wrote: > Why, I found the nByte which calculated is 17 bytes. > But the data structure which come from is only 16 bytes. > > That let the code guard noticed me it maybe wrong. > > > On Wed, Mar 24, 2010 at 19:57, D. Richard Hipp <d...@hwaci.com> wrote: > > On Mar 24, 2010, at 7:11 AM, Daniel Lin wrote: > > About this bug, I found change the code to following will let it > workable. > But, I require your confirm. > > memcpy(pKeyInfo, zP4, sizeof(*pKeyInfo)); > > The SQLite code is correct as written. Your change will cause > SQLite to malfunction. > > Check-in http://www.sqlite.org/src/ci/be27897991 is an attempt to > suppress the warning from code guard. But as I have no way of > testing to see if the change obtained that goal. > > > > > On Wed, Mar 24, 2010 at 19:04, Daniel Lin <dlin...@gmail.com> wrote: > Dear Dr., > > I use Borland C++ Builder with code guard checking function enabled > mode . (on 32 bits Windows XP) > > I found in an amalgamation sqlite.c may cause memory overrun. > > SQLITE_PRIVATE void sqlite3VdbeChangeP4(Vdbe *p, int addr, const > char *zP4, int n){ > ... > pOp->p4.pKeyInfo = pKeyInfo; > if (pKeyInfo ){ > u8 *aSortOrder; > memcpy(pKeyInfo, zP4, nByte); /* this line force copy 17 bytes > from 16 bytes structure */ > aSortOrder = pKeyInfo->aSortOrder; > if( aSortOrder ){ > pKeyInfo->aSortOrder = (unsigned char*)&pKeyInfo->aColl[nField]; > memcpy(pKeyInfo->aSortOrder, aSortOrder, nField); > } > pOp->p4type = P4_KEYINFO; > > > D. Richard Hipp > d...@hwaci.com > > > > > > > D. Richard Hipp > d...@hwaci.com > > > > > > D. Richard Hipp > d...@hwaci.com > > > > D. Richard Hipp d...@hwaci.com _______________________________________________ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
