On Thu, Jun 24, 2010 at 6:45 AM, D. Richard Hipp wrote:
> -- Forwarded message --
> From: jur...@ramzes.net
> To: sqlite-users@sqlite.org
> Date: Thu, 24 Jun 2010 11:15:20 +0200
> Subject: CRITICAL bug in sqlite3VdbeExec() code
> Dear friends,
>
> This is my bug report.
>
> sqlite version: 3.6.23.1, Check-in [2e6a462ceb]
> file: vdbe.c
> line: 971
> function: sqlite3VdbeExec()
>
> description:
>
> Local variable "pOut" is not properly initialized in some cases.
> For example:
>
>
Do you have an actual test case where pOut is uninitialized? Or are you
basing your claim on the output of a static analysis tool?
>
> ...
> /* Opcode: Variable P1 P2 * P4 *
> **
> ** Transfer the values of bound parameter P1 into register P2
> **
> ** If the parameter is named, then its name appears in P4 and P3==1.
> ** The P4 value is used by sqlite3_bind_parameter_name().
> */
> case OP_Variable: {           /* out2-prerelease */
>   Mem *pVar;                  /* Value being transferred */
>
>   assert( pOp->p1>0 && pOp->p1<=p->nVar );
>   pVar = &p->aVar[pOp->p1 - 1];
>   if( sqlite3VdbeMemTooBig(pVar) ){
>     goto too_big;
>   }
>   sqlite3VdbeMemShallowCopy(pOut, pVar, MEM_Static);   <<<--- *** HERE ***
>   UPDATE_MAX_BLOBSIZE(pOut);
>   break;
> }
> ...
>
> Function sqlite3VdbeMemShallowCopy() is called with pOut == NULL, which of
> course causes an access violation (in the Windows version).
> I have checked "case OP_Variable" under the M$ debugger (not coverable
> errors in my PHP/PDO-Sqlite script with parameter binding), but other
> cases in the massive switch statement are possible, I think ...
>
> greetings from Poland,
>
> JureKL.
> --- End forwarded message ---
>
> D. Richard Hipp
> d...@hwaci.com
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>
--
D. Richard Hipp
d...@sqlite.org
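The conditionally-initialised pOut pattern the report describes, as a constructed C model added here (not SQLite's code; the opcode names, the opflags table and REQUIRE_OUT are assumptions): pOut is pointed at register P2 before the switch only for opcodes flagged out2-prerelease, and the checked access turns a case that lacks the flag into a reported error instead of an access violation.

```c
#include <stddef.h>
/* Constructed model (not SQLite's code) of the "out2-prerelease" convention:
 * pOut is pointed at register P2 before the switch, but only for opcodes
 * flagged OUT2_PRERELEASE, so a case that writes pOut without the flag
 * dereferences NULL. REQUIRE_OUT turns that into a reported error. */
enum { OP_VARIABLE, OP_UNFLAGGED, OP_HALT };
enum { OUT2_PRERELEASE = 1, VM_OK = 0, VM_ERR_NULL_OUT = 1 };
typedef struct { int opcode, p1, p2; } Op;    /* one VM instruction */
typedef struct { long val; int isNull; } Mem; /* register or bound value */
/* Opcode property table (assumed); OP_UNFLAGGED deliberately lacks the flag. */
static const unsigned char opflags[] = {
  [OP_VARIABLE] = OUT2_PRERELEASE, [OP_UNFLAGGED] = 0, [OP_HALT] = 0,
};
#define REQUIRE_OUT(p) do { if((p)==NULL) return VM_ERR_NULL_OUT; } while(0)
int vm_exec(const Op *aOp, int nOp, const Mem *aVar, Mem *aMem){
  for(int pc=0; pc<nOp; pc++){
    const Op *pOp = &aOp[pc];
    Mem *pOut = NULL;                         /* conditionally initialised */
    if( opflags[pOp->opcode] & OUT2_PRERELEASE ){
      pOut = &aMem[pOp->p2];
    }
    switch( pOp->opcode ){
      case OP_VARIABLE:      /* transfer bound parameter P1 into register P2 */
        REQUIRE_OUT(pOut);
        *pOut = aVar[pOp->p1 - 1];
        break;
      case OP_UNFLAGGED:     /* writes pOut but is not flagged: the bug */
        REQUIRE_OUT(pOut);
        pOut->val = pOp->p1; pOut->isNull = 0;
        break;
      case OP_HALT:
        return VM_OK;
    }
  }
  return VM_OK;
}
/* Bind 42 as parameter 1, run "Variable 1 2", return register 2 (42). */
long demo_variable(void){
  Mem aVar[1] = {{42, 0}}, aMem[4] = {{0, 0}};
  Op prog[] = {{OP_VARIABLE, 1, 2}, {OP_HALT, 0, 0}};
  if( vm_exec(prog, 2, aVar, aMem)!=VM_OK || aMem[2].isNull ) return -1;
  return aMem[2].val;
}
/* The unflagged case is caught by REQUIRE_OUT (VM_ERR_NULL_OUT), no fault. */
int demo_unflagged(void){
  Mem aVar[1] = {{0, 0}}, aMem[4] = {{0, 0}};
  Op prog[] = {{OP_UNFLAGGED, 7, 1}, {OP_HALT, 0, 0}};
  return vm_exec(prog, 2, aVar, aMem);
}
```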