On 30/09/12 19:16, Roger Binns wrote:
> Looking through the code for both VFS I don't see any attempt to check
> the amount parameter is positive, and in both cases it silently gets
> passed to a routine expecting unsigned (size_t or DWORD).

http://www.sqlite.org/src/info/daebe3bd2d9bd7b6f876a8110cf5045eb3fee078

Can I suggest just returning IOError if the value is outside of reasonable bounds? Silently truncating it as that patch does still leaves the possibility of buffer overflow - for example a 1kb buffer could be passed in with a negative 1kb length and would result in a buffer overflow.

As to how a negative number could end up being passed in, someone could have their own VFS that calls through to the underlying SQLite provided ones. (That is considerably less work than doing your own entire VFS.) Or some combination of values could unintentionally cause it, such as code trying to return a negative number as an error code but it being taken as is (an example is sectorsize where again signed and unsigned are mixed).

Roger
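The signed-to-unsigned problem raised above, as an added illustration that is not the SQLite patch or code from the thread: a negative `int` amount converted to `size_t` (or truncated to a 32-bit unsigned) is still a huge length, so the safe fix is to reject out-of-range amounts with an I/O error before any copy. The return codes, the transfer limit and the `bufsz` parameter are assumptions for this example, not SQLite's VFS interface.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Return codes for the example; values are assumed, not SQLite's. */
#define VFS_OK               0
#define VFS_IOERR           10
#define VFS_IOERR_SHORT_READ 522

/* Largest transfer a caller may legitimately request (assumed bound). */
#define MAX_XFER_AMT (1 << 24)

/* Constructed sample file contents (17 bytes, excluding the NUL). */
static const unsigned char g_file[] = "hello, sqlite vfs";
#define FILE_LEN (sizeof g_file - 1)

/* The unchecked pattern: an int amount handed to a size_t parameter.
   -1024 becomes SIZE_MAX - 1023, not a small number. */
size_t naive_copy_len(int amt) {
    return (size_t)amt;
}

/* "Truncating" to 32-bit unsigned does not help: -1024 -> 4294966272. */
unsigned int truncated_len(int amt) {
    return (unsigned int)amt;
}

/* Hardened read: validate amount and offset first, then copy only what
   exists. bufsz is passed explicitly here so the check is testable. */
int checked_read(unsigned char *buf, size_t bufsz, int amt, int64_t ofst) {
    if (amt < 0 || amt > MAX_XFER_AMT || (size_t)amt > bufsz)
        return VFS_IOERR;            /* refuse rather than truncate */
    if (ofst < 0 || (uint64_t)ofst > FILE_LEN)
        return VFS_IOERR;
    size_t avail = FILE_LEN - (size_t)ofst;
    size_t n = (size_t)amt < avail ? (size_t)amt : avail;
    memcpy(buf, g_file + ofst, n);
    if (n < (size_t)amt) {
        /* Short read: zero-fill the remainder and report it. */
        memset(buf + n, 0, (size_t)amt - n);
        return VFS_IOERR_SHORT_READ;
    }
    return VFS_OK;
}
```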