On Thu, Jun 24, 2010 at 6:45 AM, D. Richard Hipp <d...@hwaci.com> wrote:
> ---------- Forwarded message ----------
> From: jur...@ramzes.net
> To: sqlite-users@sqlite.org
> Date: Thu, 24 Jun 2010 11:15:20 +0200
> Subject: CRITICAL bug in sqlite3VdbeExec() code
>
> Dear friends,
>
> This is my bug report.
>
> sqlite version: 3.6.23.1, Check-in [2e6a462ceb]
> file: vdbe.c
> line: 971
> function: sqlite3VdbeExec()
>
> description:
>
> Local variable "pOut" is not properly initialized in some cases.
> For example:
>

Do you have an actual test case where pOut is uninitialized? Or are you basing your claim on the output of a static analysis tool?

>
> ...
> /* Opcode: Variable P1 P2 * P4 *
> **
> ** Transfer the values of bound parameter P1 into register P2
> **
> ** If the parameter is named, then its name appears in P4 and P3==1.
> ** The P4 value is used by sqlite3_bind_parameter_name().
> */
> case OP_Variable: {           /* out2-prerelease */
>   Mem *pVar;       /* Value being transferred */
>
>   assert( pOp->p1>0 && pOp->p1<=p->nVar );
>   pVar = &p->aVar[pOp->p1 - 1];
>   if( sqlite3VdbeMemTooBig(pVar) ){
>     goto too_big;
>   }
>   sqlite3VdbeMemShallowCopy(pOut, pVar, MEM_Static);   <<<--- !!!!*** HERE***!!!!
>   UPDATE_MAX_BLOBSIZE(pOut);
>   break;
> }
> ...
>
> Function sqlite3VdbeMemShallowCopy() is called with pOut == NULL, of
> course with access violation (in Windows version).
> "case OP_Variable" I have checked under M$ debugger (not coverable
> errors in my PHP/PDO-Sqlite script with parameters binding), but
> possible other cases in massive switch statement, I think ...
>
> greetings from Poland,
>
> JureKL.
> ----------- End forwarded message ---------
>
> D. Richard Hipp
> d...@hwaci.com
>
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>

--
---------------------
D. Richard Hipp
d...@sqlite.org
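
Added example (not part of the original thread, and not SQLite code): a constructed miniature of the pattern the report points at, where an output pointer like `pOut` is assigned before a large `switch` only for opcodes carrying a flag, and the handler returns an error instead of dereferencing NULL when the flag is missing. It assumes that is what the `/* out2-prerelease */` tag means; `vm_exec`, `FLAG_OUT2_PRERELEASE` and every other name here are hypothetical.

```c
#include <stdio.h>
/* Constructed miniature of a register VM. Hypothetical names; not SQLite code. */
enum { OP_VARIABLE, OP_HALT };
enum { VM_OK = 0, VM_INTERNAL = 1, VM_RANGE = 2 };
#define FLAG_OUT2_PRERELEASE 0x01u  /* assumed: "set up the P2 register first" */
typedef struct { int opcode, p1, p2; unsigned flags; } Op;
typedef struct { int value; int is_null; } Mem;

/* Run prog[0..nop-1]; p1 is a 1-based parameter number, p2 a 1-based register. */
int vm_exec(const Op *prog, int nop, const Mem *vars, int nvar, Mem *mem, int nmem) {
    for (int pc = 0; pc < nop; pc++) {
        const Op *op = &prog[pc];
        Mem *out = NULL;              /* reset per opcode: never stale or garbage */
        if (op->flags & FLAG_OUT2_PRERELEASE) {
            if (op->p2 < 1 || op->p2 > nmem) return VM_RANGE;
            out = &mem[op->p2 - 1];
            out->is_null = 1;
        }
        switch (op->opcode) {
        case OP_VARIABLE:
            /* Runtime checks: assert() is compiled out when NDEBUG is defined. */
            if (op->p1 < 1 || op->p1 > nvar) return VM_RANGE;
            if (out == NULL) return VM_INTERNAL;  /* flag lost: fail, no deref */
            *out = vars[op->p1 - 1];
            break;
        case OP_HALT:
            return VM_OK;
        default:
            return VM_INTERNAL;
        }
    }
    return VM_OK;
}

int demo(unsigned flags, int *reg1) {   /* constructed two-opcode program */
    Op prog[] = { { OP_VARIABLE, 1, 1, flags }, { OP_HALT, 0, 0, 0 } };
    Mem vars[] = { { 42, 0 } };
    Mem mem[2] = { { 0, 1 }, { 0, 1 } };
    int rc = vm_exec(prog, 2, vars, 1, mem, 2);
    *reg1 = mem[0].value;
    return rc;
}

int main(void) {
    int r, ok = demo(FLAG_OUT2_PRERELEASE, &r), bad = demo(0, &r);
    printf("flag set: rc=%d, flag missing: rc=%d\n", ok, bad);
    return 0;
}
```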