Hello everyone, in Ubuntu (or when compiling your own sqlite with CFLAGS="-fstack-protector", which is the default in Ubuntu), the following program triggers a stack overflow.
#include <sqlite3.h>
#include <stdio.h>

/* Largest finite double (DBL_MAX): 309 integer digits when printed with %f */
double d = 0x1.fffffffffffffp+1023;

int main(int argc, char* argv[]) {
  // Let's assume this one is fine :)
  fprintf(stdout, "%.53f\n", d);

  // Same conversion through sqlite's printf: 363 characters requested
  char * c = sqlite3_mprintf(" %.53f ", d);

  // Should this one look like the above one?
  fprintf(stderr, "%s\n", c);
  sqlite3_free(c);
  return 0;
}
During the conversion of floats there is a point where the variable bufpt (which originally points to the format string buffer) is set to point to 'buf'.

// In function sqlite3VXPrintf
...
char buf[etBUFSIZE]; /* Conversion buffer */
...
case etFLOAT:
case etEXP:
case etGENERIC:
  realvalue = va_arg(ap,double);
  (... lots of code here ...)
  bufpt = buf;
  /*
  ** If the field type is etGENERIC, then convert to either etEXP
  ** or etFLOAT, as appropriate.
  */
...

etBUFSIZE is by default 350 (or 50 #ifdef SQLITE_PRINT_BUF_SIZE). Without fully understanding the code, I think it (erroneously?) assumes that buf has enough room for a float conversion. But it happens that in this conversion we need 363 bytes and 350 falls short, thus later on

  *(bufpt++) = et_getdigit(&realvalue,&nsd);

goes beyond the allocated buffer of 'buf'.

In Ubuntu this issue is detected immediately thanks to stack protection enabled by default, but it goes unnoticed in other environments (though it can be reproduced in Debian too using -fstack-protector, as said above).

Is this a known limitation with this routine, a bug or simply my fault? :)

Kind regards,

P.S.: The obvious workaround is using snprintf or similar, but sqlite3_mprintf is so handy!

-- 
Roger Ferrer Ibáñez - roger.fer...@bsc.es
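The arithmetic behind the report, as an added example that is not part of the original post or of SQLite's own code: it measures how many characters libc needs for a "%.<prec>f" conversion with snprintf(NULL, 0, ...), compares that against the 350-byte conversion buffer size the post quotes (the ET_BUFSIZE_DEFAULT constant below is this example's own name for it), and shows the workaround the post mentions, formatting the double with snprintf into a correctly sized buffer that can then be handed to sqlite3_mprintf through a "%s" conversion. The function names are this example's, and it does not link against sqlite.

```c
#include <float.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Default size of the conversion buffer in sqlite3VXPrintf as reported in
 * the post (etBUFSIZE == 350 unless SQLITE_PRINT_BUF_SIZE is defined).
 * The constant name is this example's own. */
#define ET_BUFSIZE_DEFAULT 350

/* Number of characters libc emits for "%.<prec>f" of value, measured with
 * snprintf(NULL, 0, ...) so nothing is written anywhere. */
size_t float_conv_len(double value, int prec) {
    int n = snprintf(NULL, 0, "%.*f", prec, value);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the "%.<prec>f" conversion of value, plus its terminating NUL,
 * fits in a conversion buffer of bufsize bytes; 0 otherwise. */
int fits_in_conv_buf(double value, int prec, size_t bufsize) {
    return float_conv_len(value, prec) + 1 <= bufsize;
}

/* The workaround from the post: format the double with snprintf into a
 * heap buffer sized from the measured length. The result can then be
 * passed to sqlite3_mprintf via "%s". Returns NULL on allocation failure;
 * the caller frees the returned string. */
char *format_double_for_mprintf(double value, int prec) {
    size_t need = float_conv_len(value, prec) + 1;
    char *out = malloc(need);
    if (!out) return NULL;
    snprintf(out, need, "%.*f", prec, value);
    return out;
}

int main(void) {
    double d = DBL_MAX; /* same value as 0x1.fffffffffffffp+1023 in the post */
    size_t n = float_conv_len(d, 53);
    printf("\"%%.53f\" of DBL_MAX needs %zu characters; fits in a %d-byte buffer: %s\n",
           n, ET_BUFSIZE_DEFAULT,
           fits_in_conv_buf(d, 53, ET_BUFSIZE_DEFAULT) ? "yes" : "no");
    char *s = format_double_for_mprintf(d, 53);
    if (s) {
        printf("%s\n", s);
        free(s);
    }
    return 0;
}
```

DBL_MAX has 309 integer digits, so with a decimal point and 53 fractional digits the conversion is 363 characters, 13 more than the 350-byte buffer holds; the same measurement shows that ordinary values (a handful of digits) are far below the limit, which is why the overrun only surfaces with extreme magnitudes or precisions.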