On 07/09/14 10:02, skywind mailing lists wrote:
> I have seen that SQLite normally uses parameters of type "int" to pass the
> size of a variable

Correct.  It should be using size_t or ssize_t, but the SQLite developers
chose not to do that, especially as at the time of the decision those
weren't always available types.

I have whined about this over the years, including showing that all open
source callers treated the parameter as though it was (s)size_t and would
have >2GB values truncated.  Code was added to the SQLite routines to
mitigate those scenarios, essentially potentially resulting in data
truncation.  However you'll notice that various SQLite limits are set to 1GB
or similar so they wouldn't have gone in in the first place.  I believe but
cannot prove that there are potential exploits in this.

> Is it possible to change the fourth parameter in sqlite3_bind_XXX

No.  It would change the size of the parameter which would break the ABI.
You couldn't take something that compiled/linked against current SQLite and
then swap out the shared library for a new one changed like you request.
The only solution would be to add new entry points with different names that
do take (s)size_t.  This could be handled like how the UNIX world introduced
64 bit file sizes and offsets, using the preprocessor to point at the
appropriately sized routines for aware code.

Roger

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
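
Added example, not part of the original message and not SQLite code: a C sketch of the truncation discussed above, showing what an `int` length parameter receives when a caller passes a 64-bit size unchecked, next to a caller-side guard. The function names `length_as_int_param` and `checked_length` are hypothetical, the sample sizes are constructed, and the model assumes the usual ABI with a 32-bit two's-complement `int`.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a callee declared with an `int` length receives when the caller
 * passes a 64-bit size without checking. Models the usual ABI
 * (32-bit two's-complement int): only the low 32 bits survive. */
static int length_as_int_param(uint64_t n)
{
    uint32_t low = (uint32_t)n;   /* well-defined: reduced modulo 2^32 */
    int32_t seen;
    memcpy(&seen, &low, sizeof seen);
    return (int)seen;
}

/* Hypothetical caller-side guard: refuse lengths that do not fit in int
 * instead of letting the conversion happen silently.
 * Returns 0 and stores the length on success, -1 if it is too large. */
static int checked_length(uint64_t n, int *out)
{
    if (n > (uint64_t)INT_MAX)
        return -1;
    *out = (int)n;
    return 0;
}

int main(void)
{
    /* Constructed sample sizes: small, largest valid, just over 2GB, just over 4GB. */
    const uint64_t sizes[] = { 1024, (uint64_t)INT_MAX,
                               0x80000005ULL, 0x100000010ULL };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int len = 0;
        int rc = checked_length(sizes[i], &len);
        printf("%llu bytes: unchecked int sees %d, guard %s\n",
               (unsigned long long)sizes[i],
               length_as_int_param(sizes[i]),
               rc == 0 ? "accepts" : "rejects");
    }
    return 0;
}
```

A size just over 2GB arrives as a negative length and a size just over 4GB arrives as a small positive one, so the callee cannot detect the second case; the check has to happen in the caller before the conversion.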
