Re: [sqlite] Fwd: CRITICAL bug in sqlite3VdbeExec() code

2010-06-24 Thread Richard Hipp
On Thu, Jun 24, 2010 at 6:45 AM, D. Richard Hipp  wrote:

> -- Forwarded message --
> From: jur...@ramzes.net
> To: sqlite-users@sqlite.org
> Date: Thu, 24 Jun 2010 11:15:20 +0200
> Subject: CRITICAL bug in sqlite3VdbeExec() code
> Dear friends,
>
> This is my bug report.
>
> sqlite version: 3.6.23.1, Check-in [2e6a462ceb]
> file: vdbe.c
> line: 971
> function: sqlite3VdbeExec()
>
> description:
>
> Local variable "pOut" is not properly initialized in some cases.
> For example:
>
>
Do you have an actual test case where pOut is uninitialized?  Or are you
basing your claim on the output of a static analysis tool?


>
> ...
> /* Opcode: Variable P1 P2 * P4 *
> **
> ** Transfer the values of bound parameter P1 into register P2
> **
> ** If the parameter is named, then its name appears in P4 and P3==1.
> ** The P4 value is used by sqlite3_bind_parameter_name().
> */
> case OP_Variable: {             /* out2-prerelease */
>   Mem *pVar;       /* Value being transferred */
>
>   assert( pOp->p1>0 && pOp->p1<=p->nVar );
>   pVar = &p->aVar[pOp->p1 - 1];
>   if( sqlite3VdbeMemTooBig(pVar) ){
>     goto too_big;
>   }
>   sqlite3VdbeMemShallowCopy(pOut, pVar, MEM_Static);  <<<--- *** HERE ***
>   UPDATE_MAX_BLOBSIZE(pOut);
>   break;
> }
> ...
>
> Function sqlite3VdbeMemShallowCopy() is called with pOut == NULL, which of
> course causes an access violation (in the Windows version).
> I have checked "case OP_Variable" under the M$ debugger (unrecoverable
> errors in my PHP/PDO-SQLite script with parameter binding), but other
> cases in the massive switch statement are possible, I think ...
>
> greetings from Poland,
>
> JureKL.
> --- End forwarded message ---
>
> D. Richard Hipp
> d...@hwaci.com
>
>
>
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>



-- 
-
D. Richard Hipp
d...@sqlite.org
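One way to produce the "actual test case" the reply asks for, as an added example that is not part of this thread: Python's stdlib sqlite3 module links the same VDBE, and every `?` or `:name` placeholder in a prepared statement compiles to an OP_Variable opcode, so driving each binding form through it is the quickest check that the path runs rather than crashing. The function name, table and sample values below are my own.

```python
"""Added triage check (not from the thread): run bound parameters through
the VDBE via Python's stdlib sqlite3 module.  Every '?' or ':name' in a
prepared statement compiles to an OP_Variable opcode, so if pOut were
really NULL there, these statements would crash rather than return rows."""
import sqlite3


def exercise_op_variable(blob_size=1 << 16):
    """Bind parameters in the forms the report mentions (positional and
    named, including a NULL and a sizeable blob) and return what the VDBE
    hands back.  Table, names and sample values are constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t(id INTEGER PRIMARY KEY, name TEXT, data BLOB)")

    # Constructed sample rows; each '?' is one OP_Variable per insert.
    rows = [(1, "alice", b"\x00" * blob_size), (2, "bob", None)]
    con.executemany("INSERT INTO t(id, name, data) VALUES (?, ?, ?)", rows)

    # Named parameter: the case whose name lands in P4 per the opcode comment.
    by_name = con.execute(
        "SELECT id, name, length(data) FROM t WHERE name = :who",
        {"who": "alice"},
    ).fetchone()

    # Two positional parameters in one statement.
    by_pos = con.execute(
        "SELECT id, name FROM t WHERE id BETWEEN ? AND ? ORDER BY id",
        (1, 2),
    ).fetchall()

    # A bound NULL must survive the shallow copy into the output register.
    (null_round_trip,) = con.execute("SELECT ? IS NULL", (None,)).fetchone()

    con.close()
    return {
        "sqlite_version": sqlite3.sqlite_version,
        "by_name": by_name,
        "by_pos": by_pos,
        "null_round_trip": null_round_trip,
    }


if __name__ == "__main__":
    result = exercise_op_variable()
    print("SQLite", result["sqlite_version"], "bound-parameter round trips OK")
    for key in ("by_name", "by_pos", "null_round_trip"):
        print(key, "->", result[key])
```

A crash here, or a wrong value coming back, is a reproducible report; a clean run means the finding needs a concrete path before it counts as more than a static-analysis warning.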


[sqlite] Fwd: CRITICAL bug in sqlite3VdbeExec() code

2010-06-24 Thread D. Richard Hipp
-- Forwarded message --
From: jur...@ramzes.net
To: sqlite-users@sqlite.org
Date: Thu, 24 Jun 2010 11:15:20 +0200
Subject: CRITICAL bug in sqlite3VdbeExec() code
Dear friends,

This is my bug report.

sqlite version: 3.6.23.1, Check-in [2e6a462ceb]
file: vdbe.c
line: 971
function: sqlite3VdbeExec()

description:

Local variable "pOut" is not properly initialized in some cases.
For example:


...
/* Opcode: Variable P1 P2 * P4 *
**
** Transfer the values of bound parameter P1 into register P2
**
** If the parameter is named, then its name appears in P4 and P3==1.
** The P4 value is used by sqlite3_bind_parameter_name().
*/
case OP_Variable: {             /* out2-prerelease */
  Mem *pVar;       /* Value being transferred */

  assert( pOp->p1>0 && pOp->p1<=p->nVar );
  pVar = &p->aVar[pOp->p1 - 1];
  if( sqlite3VdbeMemTooBig(pVar) ){
    goto too_big;
  }
  sqlite3VdbeMemShallowCopy(pOut, pVar, MEM_Static);  <<<--- *** HERE ***
  UPDATE_MAX_BLOBSIZE(pOut);
  break;
}
...

Function sqlite3VdbeMemShallowCopy() is called with pOut == NULL, which of
course causes an access violation (in the Windows version).
I have checked "case OP_Variable" under the M$ debugger (unrecoverable
errors in my PHP/PDO-SQLite script with parameter binding), but other
cases in the massive switch statement are possible, I think ...

greetings from Poland,

JureKL.
--- End forwarded message ---

D. Richard Hipp
d...@hwaci.com


