Fix a buffer overrun in the previous commit.
FossilOrigin-Name: 43c59c85436dc8001c81f4aac7f5231b13d741cb
diff --git a/manifest b/manifest
index fe79529..3634881 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Because\sSQLite\sinternally\scalculates\squery\splan\scosts\susing\sa\slogarithmic\sscale,\svery\slarge\sestimated\ssorting\scosts\scan\scause\sall\sother\sestimated\scosts\sto\sbe\srounded\sdown\sto\szero.\sIn\sthese\scases\sbreak\sties\sbetween\splans\swith\sthe\ssame\stotal\scost\sby\scomparing\sthe\scosts\swith\ssorting\sexcluded.\sThis\sis\san\salternative\sfix\sfor\sthe\ssame\sproblem\sas\saddressed\sby\s[2af630c572].
-D 2014-08-08T16:52:28.259
+C Fix\sa\sbuffer\soverrun\sin\sthe\sprevious\scommit.
+D 2014-08-08T17:25:33.967
F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
F Makefile.in 5eb79e334a5de69c87740edd56af6527dd219308
F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -296,7 +296,7 @@
F src/wal.c 264df50a1b33124130b23180ded2e2c5663c652a
F src/wal.h df01efe09c5cb8c8e391ff1715cca294f89668a4
F src/walker.c 11edb74d587bc87b33ca96a5173e3ec1b8389e45
-F src/where.c 012ef65af2ae3e1061aa42bbe4eb549b409ee7e7
+F src/where.c ab20f9c24a422ee8900831b343c3d1e5e7aca87b
F src/whereInt.h 923820bee9726033a501a08d2fc69b9c1ee4feb3
F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
F test/aggerror.test a867e273ef9e3d7919f03ef4f0e8c0d2767944f2
@@ -1185,10 +1185,7 @@
F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 36b7c5cefcad6bad044806092593c84876fee8bc
-R 97e5eb0484c42f8168a99aaa07e49072
-T *branch * query-planner-fix
-T *sym-query-planner-fix *
-T -sym-trunk *
+P 299b9570279ded7158d22349ef93384286a5c755
+R 1f8265817308d29fd5a420f3d8d1525f
U dan
-Z 10210eb3192fa621adfca2044e28b578
+Z 2535cee87377895ac3ecbfed51081b0b
diff --git a/manifest.uuid b/manifest.uuid
index 2b491ab..b3ea543 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-299b9570279ded7158d22349ef93384286a5c755
\ No newline at end of file
+43c59c85436dc8001c81f4aac7f5231b13d741cb
\ No newline at end of file
diff --git a/src/where.c b/src/where.c
index ece3154..9c30136 100644
--- a/src/where.c
+++ b/src/where.c
@@ -5471,6 +5471,7 @@
WhereLoop **pX; /* Used to divy up the pSpace memory */
LogEst *aSortCost = 0; /* Sorting and partial sorting costs */
char *pSpace; /* Temporary memory used by this routine */
+ int nSpace; /* Bytes of space allocated at pSpace */
pParse = pWInfo->pParse;
db = pParse->db;
@@ -5494,9 +5495,9 @@
}
/* Allocate and initialize space for aTo, aFrom and aSortCost[] */
- ii = (sizeof(WherePath)+sizeof(WhereLoop*)*nLoop)*mxChoice*2;
- ii += sizeof(LogEst) * nOrderBy;
- pSpace = sqlite3DbMallocRaw(db, ii);
+ nSpace = (sizeof(WherePath)+sizeof(WhereLoop*)*nLoop)*mxChoice*2;
+ nSpace += sizeof(LogEst) * nOrderBy;
+ pSpace = sqlite3DbMallocRaw(db, nSpace);
if( pSpace==0 ) return SQLITE_NOMEM;
aTo = (WherePath*)pSpace;
aFrom = aTo+mxChoice;
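Review bot: `nSpace` is an `int` (declared in the previous hunk), but the expression assigned to it on the `nSpace = (sizeof(WherePath)+...)` line is `size_t` arithmetic, so the byte count is silently narrowed before it reaches `sqlite3DbMallocRaw`. The limits on `nLoop`, `mxChoice` and `nOrderBy` are set outside this hunk, so this is probably safe in practice, but the hunk gives no evidence of it. Stating the bound next to the computation would make it checkable, for example `/* nLoop, mxChoice and nOrderBy are small, so nSpace cannot overflow an int */`, or an `assert( nSpace>0 );` before the allocation. The enclosing function begins and ends outside this hunk.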
@@ -5513,8 +5514,10 @@
** the ORDER BY clause are already in order, where X is the array
** index. */
aSortCost = (LogEst*)pX;
- memset(aSortCost, 0, sizeof(LogEst) * (nOrderBy+1));
+ memset(aSortCost, 0, sizeof(LogEst) * nOrderBy);
}
+ assert( aSortCost==0 || &pSpace[nSpace]==(char*)&aSortCost[nOrderBy] );
+ assert( aSortCost!=0 || &pSpace[nSpace]==(char*)pX );
/* Seed the search with a single WherePath containing zero WhereLoops.
**
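Review bot: The overrun is fixed by shrinking the `memset` to `nOrderBy` entries instead of enlarging the allocation, so the fix is only complete if no code outside this hunk reads or writes `aSortCost[nOrderBy]`. The comment above says X is "the array index" without giving its upper bound, and the old `nOrderBy+1` length suggests someone once expected that slot to exist, so the indexing sites deserve a check. The two new asserts tie the carve-up of `pSpace` to `nSpace`, but they presumably compile out of non-debug builds and do not cover later indexing. I would record the contract at the assignment, e.g. `/* aSortCost[] has exactly nOrderBy entries; valid indexes are 0..nOrderBy-1 */`, and add a matching bound assert where the array is indexed. The enclosing function continues past the end of this hunk.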