On 28/06/12 09:20, Stephan Beal wrote:
> size_t does not have a specified size and causes all sorts of grief in
> porting i/o-based APIs between 32/64 bits,

I have been one of the people complaining loudest about not using types like size_t. However the complaints are not directed to the internals of SQLite where it is absolutely appropriate to use an explicitly sized type for cases where a particular size is needed.

The area where it does matter is in various APIs such as sqlite3_bind_text which takes an int for the length of the string. This should be size_t/ssize_t not int.

In all the open source code I looked at at the time, they were all written as though size_t was used so there was arbitrary truncation going on. Various attacks were even possible due to the discrepancy in how sizes were measured between the rest of the program and SQLite. They have been somewhat mitigated since then, but I'm still sure that a dedicated cracker could figure out ways of exploiting this.

Roger
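The size discrepancy described in the message above, as an added example that is not part of the original e-mail or of SQLite's code: `int_len_api` is a hypothetical stand-in for any API whose length parameter is an `int`, and the lengths are constructed values.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an API whose length parameter is an int,
 * as the message says of sqlite3_bind_text. It reports the byte count
 * it believes it was given. */
static int int_len_api(const char *data, int n_bytes) {
    (void)data;
    return n_bytes;
}

/* Caller that measures with size_t and passes it straight through.
 * Converting an out-of-range value to int is implementation-defined;
 * mainstream compilers keep the low bits. */
int seen_len_unchecked(const char *data, size_t n) {
    return int_len_api(data, (int)n);
}

/* Caller that refuses lengths the int parameter cannot represent.
 * Returns 0 and stores the length the API saw, or -1 without calling it. */
int seen_len_checked(const char *data, size_t n, int *seen) {
    if (n > (size_t)INT_MAX)
        return -1;
    *seen = int_len_api(data, (int)n);
    return 0;
}

int main(void) {
    /* Constructed lengths; no buffer of this size is allocated. */
    size_t wraps_small = (size_t)UINT_MAX + 6;  /* 4 GiB + 5 where size_t is 64-bit */
    size_t goes_negative = (size_t)INT_MAX + 1;
    int seen = 0;
    int rc;

    printf("caller %zu -> API %d\n", wraps_small,
           seen_len_unchecked("", wraps_small));
    printf("caller %zu -> API %d\n", goes_negative,
           seen_len_unchecked("", goes_negative));
    rc = seen_len_checked("", goes_negative, &seen);
    printf("checked, too large: rc=%d\n", rc);
    rc = seen_len_checked("", 5, &seen);
    printf("checked, fits: rc=%d, API saw %d\n", rc, seen);
    return 0;
}
```

The negative case matters for `sqlite3_bind_text` in particular, because its documentation defines a negative length as "read up to the first zero terminator". SQLite also provides `sqlite3_bind_text64`, which takes a 64-bit length.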