Hi all,
There seems to be a bug in dbd_st_split_statement, around line 1374
of dbdimp.c in revision 14828 (at the end of the statement parsing loop):
    /* If this segment also, ended the string, set ch
       so we bail out early */
    if ('\0' == *statement)
        break;
This code is (also) reached when ch (the current character) is 0, but
statement points to the *next* character. In some rare cases, that
means statement may point to unallocated memory, with the usual
consequences. It is quite difficult to trigger, but it does actually happen :-/
I'm not quite sure what the point of the test is. I guess the goal
would be to check ch rather than *statement, but this is redundant
with the test at the beginning of the while(1) loop (which could BTW
be rewritten as while (ch) or while (ch > 0) to keep the exact same
semantics). Or the test at the start could be removed and a test on
ch instead of *statement kept at the end, though I haven't checked whether the
test at the beginning might not catch a few other cases.
Let me know if I missed something...
Jacques.
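To make the one-byte overread concrete, here is an added example in C. It is not code from dbdimp.c or from the DBD::ODBC project: it is a hypothetical scanner with the same shape as the loop described above (ch = *statement++ at the top, an inner loop that swallows a quoted literal, and a bottom-of-loop test), using an index in place of the statement pointer and an instrumented peek() so that any read beyond the terminating NUL is counted instead of silently touching whatever memory follows the buffer. The quoted-literal handling and the two sample inputs are constructed for the example; the only thing taken from the mail is the "test *statement at the end" versus "test ch at the end" distinction.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the loop in the mail, not DBD::ODBC's own code.
 * pos plays the role of the statement pointer; every read goes through
 * peek() so that a read past the NUL is recorded rather than performed. */

struct scan {
    const char *buf;
    size_t len;         /* strlen(buf); buf[len] is the terminating NUL */
    size_t oob_reads;   /* reads at offsets > len, i.e. beyond the NUL */
    size_t separators;  /* ';' characters seen outside quoted literals */
};

/* Read buf[off], counting any offset beyond the NUL as out of bounds.
 * A real pointer dereference would return whatever byte lives there,
 * or fault if the buffer ends at a page boundary. */
static char peek(struct scan *s, size_t off)
{
    if (off > s->len) {
        s->oob_reads++;
        return '\0';
    }
    return s->buf[off];
}

/* Run the scanner over sql.  check_ch selects the end-of-loop test:
 * false tests the NEXT character (*statement, the pattern reported
 * in the mail), true tests the character just consumed (ch). */
static struct scan scan_statement(const char *sql, bool check_ch)
{
    struct scan s = { sql, strlen(sql), 0, 0 };
    size_t pos = 0;
    char ch;

    while (1) {
        ch = peek(&s, pos++);            /* ch = *statement++ */
        if (ch == '\0')                  /* test at the top of the loop */
            break;

        if (ch == '\'') {
            /* Swallow a quoted literal.  On an unterminated quote this
             * inner loop consumes the NUL as well, leaving pos == len + 1. */
            while ((ch = peek(&s, pos++)) != '\0' && ch != '\'')
                ;
        } else if (ch == ';') {
            s.separators++;
        }

        /* End-of-loop test.  With check_ch == false this reads buf[pos]
         * even when ch was already the NUL, i.e. one byte past it. */
        if (check_ch) {
            if (ch == '\0')
                break;
        } else {
            if (peek(&s, pos) == '\0')
                break;
        }
    }
    return s;
}

int main(void)
{
    /* Constructed inputs: a well-formed pair of statements, and one whose
     * final quoted literal is unterminated so the scan ends inside it. */
    const char *inputs[] = { "select 'a;b'; select 1", "select 'abc" };
    for (size_t i = 0; i < 2; i++) {
        struct scan buggy = scan_statement(inputs[i], false);
        struct scan fixed = scan_statement(inputs[i], true);
        printf("%-24s  *statement test: %zu OOB read(s)   ch test: %zu OOB read(s)\n",
               inputs[i], buggy.oob_reads, fixed.oob_reads);
    }
    return 0;
}
```

On the well-formed input both variants stay inside the buffer, which is why the problem is hard to trigger; only an input whose last segment runs into the NUL (here an unterminated quote) makes the *statement test read buf[len + 1]. Replacing the bottom test with a test on ch, or dropping it and relying on the top-of-loop test, removes the overread without changing how the separators are counted.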