New submission from Erlend E. Aasland <erlend.aasl...@innova.no>:

In Modules/_sqlite/statement.c pysqlite_statement_create() and 
Modules/_sqlite/cursor.c pysqlite_cursor_executescript_impl(), we incorrectly 
use SQLITE_LIMIT_LENGTH to check statement length. However, the correct limit 
is *SQLITE_LIMIT_SQL_LENGTH*.

### Alternative 1:
A quick fix is to check against SQLITE_LIMIT_SQL_LENGTH instead of 
SQLITE_LIMIT_LENGTH.

### Alternative 2:
Let SQLite do the check for us, and instead add an integer overflow check, since 
Py_ssize_t may be larger than int (sqlite3_prepare_v2() uses an int as the max 
statement length parameter).

### Alternative 3:
As alternative 2, but alter the sqlite3_prepare_v2() call to accept _any_ 
length (max statement length = -1).


See also:
- https://sqlite.org/limits.html
- https://sqlite.org/c3ref/c_limit_attached.html
- https://sqlite.org/c3ref/prepare.html

----------
messages: 405975
nosy: erlendaasland, serhiy.storchaka
priority: normal
severity: normal
status: open
title: [sqlite3] SQLITE_LIMIT_LENGTH is incorrectly used to check statement 
length

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue45754>
_______________________________________
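
The overflow concern behind Alternative 2, as an added example that is not part of the original report and is not CPython's code: a 64-bit length must be validated in its wide type before it is narrowed to the int that sqlite3_prepare_v2() takes. The names `wide_len`, `narrow_first` and `checked_len` are hypothetical, and the limit value is constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Py_ssize_t on a 64-bit build (assumption of this example). */
typedef int64_t wide_len;

/* Careless pattern: narrow to int first, so only the low 32 bits survive
 * and any later limit comparison sees the wrong number. */
static int narrow_first(wide_len len)
{
    return (int)(uint32_t)len;
}

/* Hypothetical helper: validate in the wide type, then narrow.
 * sql_limit < 0 means "leave the statement-length limit to SQLite"
 * (Alternative 2); otherwise it is the value the caller read for
 * SQLITE_LIMIT_SQL_LENGTH (Alternative 1). Returns 0 and sets *nbyte
 * on success, -1 if the length must be rejected. */
static int checked_len(wide_len len, int sql_limit, int *nbyte)
{
    if (len < 0 || len > INT_MAX)
        return -1;                 /* would not fit the int parameter */
    if (sql_limit >= 0 && len > sql_limit)
        return -1;                 /* over the SQL statement limit */
    *nbyte = (int)len;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not SQLite's real defaults. */
    const int sql_limit = 1000;
    const wide_len samples[] = { 10, 1001, INT_MAX, ((wide_len)1 << 32) + 10 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int nbyte = -1;
        int rc = checked_len(samples[i], sql_limit, &nbyte);
        printf("len=%lld narrow_first=%d checked=%s\n",
               (long long)samples[i], narrow_first(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

A length of 2^32 + 10 narrows to 10 and would slip under any limit compared afterwards, while the wide comparison rejects it.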