One of the parameters to read is the amount of data to read. Since SQLite avoids standard types like size_t, a signed int is used instead. I observed a difference in behaviour between the Unix VFS and the Windows VFS: the former returns an error while the latter doesn't.

Looking through the code for both VFSs, I don't see any attempt to check that the amount parameter is positive, and in both cases it silently gets passed to a routine expecting unsigned (size_t or DWORD). Obviously under normal circumstances a negative number would not be passed in, but I don't think we can be certain that there are absolutely no bugs that could lead to it happening. The consequences could be very serious, ranging from a simple buffer overflow to an exploit.

Roger