Fix additional cases of possible signed integer overflow, especially with
regard to negation.
FossilOrigin-Name: 2d5800bd8cfc7d7f5578a71b1aeaa74b2ec4b372
diff --git a/src/expr.c b/src/expr.c
index b938d96..f80ae2b 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -389,6 +389,7 @@
if( op!=TK_INTEGER || pToken->z==0
|| sqlite3GetInt32(pToken->z, &iValue)==0 ){
nExtra = pToken->n+1;
+ assert( iValue>=0 );
}
}
pNew = sqlite3DbMallocZero(db, sizeof(Expr)+nExtra);
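Review bot: The new `assert( iValue>=0 );` sits inside the branch taken when `op!=TK_INTEGER`, `pToken->z==0`, or `sqlite3GetInt32()` returned 0, i.e. the path on which no integer was successfully parsed, so unless sqlite3GetInt32() writes `*pValue` on failure the assertion only re-checks the initializer of `iValue` and never sees a parsed literal. The successful-parse path, which presumably copies `iValue` into the new Expr and is where a negative literal would become a problem for later negation, is outside this hunk. Moving the assertion out one level, after the closing `}` of the inner `if`, so it reads `assert( iValue>=0 );` immediately before `pNew = sqlite3DbMallocZero(...)`, would cover both paths at no extra cost. sqlite3ExprAlloc begins before and ends after this hunk.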
@@ -614,6 +615,8 @@
*/
void sqlite3ExprDelete(sqlite3 *db, Expr *p){
if( p==0 ) return;
+ /* Sanity check: Assert that the IntValue is non-negative if it exists */
+ assert( !ExprHasProperty(p, EP_IntValue) || p->u.iValue>=0 );
if( !ExprHasAnyProperty(p, EP_TokenOnly) ){
sqlite3ExprDelete(db, p->pLeft);
sqlite3ExprDelete(db, p->pRight);
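Review bot: The comment on the new assertion says what it checks but not why a non-negative u.iValue matters, which is the whole point of this commit; a reader hitting the failure at free time has no pointer to the invariant it guards. Suggested wording: `/* Invariant: an Expr carrying EP_IntValue never holds a negative u.iValue; code that negates the value relies on this to avoid signed overflow (INT_MIN). */`. Note that this check only fires at deletion and only in debug builds, so it is a late diagnostic rather than a guard; the sites that store u.iValue are outside this hunk. The body of sqlite3ExprDelete continues past the hunk.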
@@ -1223,13 +1226,6 @@
}
default: break;
}
- if( rc ){
- assert( ExprHasAnyProperty(p, EP_Reduced|EP_TokenOnly)
- || (p->flags2 & EP2_MallocedToken)==0 );
- p->op = TK_INTEGER;
- p->flags |= EP_IntValue;
- p->u.iValue = *pValue;
- }
return rc;
}
@@ -1954,6 +1950,7 @@
Vdbe *v = pParse->pVdbe;
if( pExpr->flags & EP_IntValue ){
int i = pExpr->u.iValue;
+ assert( i>=0 );
if( negFlag ) i = -i;
sqlite3VdbeAddOp2(v, OP_Integer, i, iMem);
}else{
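Review bot: `if( negFlag ) i = -i;` is only overflow-free because `i` is never INT_MIN, and the new `assert( i>=0 );` that documents this is compiled out under NDEBUG, so in release builds the safety of the negation rests entirely on callers never storing a negative u.iValue. That dependency deserves a comment next to the negation, e.g. `/* u.iValue is never negative (see sqlite3ExprDelete assert), so -i cannot overflow */`, so that anyone reintroducing a negative iValue store (as the code removed from sqlite3ExprIsInteger could) sees the consequence here. The enclosing function starts before this hunk and its else-branch continues past it.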