Hi All,

We use SQLite in our application. Ours is a Windows Store application that internally uses SQLite to store data (embedded). I use the SQLitePCL library, which is a C# .NET based library.
I was asked to perform Fortify scans on the SQLite code of 3.8.8.3. I used the amalgamation code. Since it is a native component and written in C, I found a lot of Buffer Overflow and memory leak errors. Also, after college I have not touched C code, so my understanding of C code has reduced :) Just wanted to confirm my understanding and would like to solicit opinion from the community on whether the issues are a real threat.

For e.g., in the code sqlite3.c line 16458, the error reported here is: The function sqlite3OsOpenMalloc() in sqlite3.c allocates memory on line 16467 and fails to free it.

    SQLITE_PRIVATE int sqlite3OsOpenMalloc(
      sqlite3_vfs *pVfs,
      const char *zFile,
      sqlite3_file **ppFile,
      int flags,
      int *pOutFlags
    ){
      int rc = SQLITE_NOMEM;
      sqlite3_file *pFile;
      pFile = (sqlite3_file *)sqlite3MallocZero(pVfs->szOsFile);
      if( pFile ){
        rc = sqlite3OsOpen(pVfs, zFile, pFile, flags, pOutFlags);
        if( rc!=SQLITE_OK ){
          sqlite3_free(pFile);
        }else{
          *ppFile = pFile;
        }
      }
      return rc;
    }

For memory leak: SQLitePCL and our application use the disposable pattern to dispose the prepared statement after its use, and the connection we also close once done. I am not sure if closing the DB connection and prepared statement is enough to counter this problem.

In shell.c:

          abYield = (int*)sqlite3_realloc(abYield, nAlloc*sizeof(int));
        }
        abYield[iOp] = str_in_array(zOp, azYield);
        p->aiIndent[iOp] = 0;
        p->nIndent = iOp+1;
        if( str_in_array(zOp, azNext) ){
          for(i=p2op; i<iOp; i++) p->aiIndent[i] += 2;
        }
        if( str_in_array(zOp, azGoto) && p2op<p->nIndent
         && (abYield[p2op] || sqlite3_column_int(pSql, 2))
        ){
          for(i=p2op+1; i<iOp; i++) p->aiIndent[i] += 2;
        }
      }
      p->iIndent = 0;
      sqlite3_free(abYield);
      sqlite3_reset(pSql);

It's saying abYield has been allocated memory and has not been freed. But I can see the sqlite3_free() function at the bottom which frees up the memory. Also I assume libraries like SQLitePCL won't use shell.c.
Some Buffer Overflow errors, like in line 53855 of sqlite3.c:

        assert( cbrk+size<=usableSize && cbrk>=iCellFirst );
        testcase( cbrk+size==usableSize );
        testcase( pc+size==usableSize );
        put2byte(pAddr, cbrk);
        if( temp==0 ){
          int x;
          if( cbrk==pc ) continue;
          temp = sqlite3PagerTempSpace(pPage->pBt->pPager);
          x = get2byte(&data[hdr+5]);
          memcpy(&temp[x], &data[x], (cbrk+size) - x);
          src = temp;
        }
        memcpy(&data[cbrk], &src[pc], size);
      }
      assert( cbrk>=iCellFirst );
      put2byte(&data[hdr+5], cbrk);
      data[hdr+1] = 0;

Usage of memcpy is discouraged in favor of memcpy_s(). Similarly the tool is detecting a lot of buffer overflow errors because of usage of gets(), strcpy() etc. Since my application uses the embedded database, there is no way the input to these methods is being given from my application. I assume I am safe? Has anyone come across any security vulnerability with SQLite? Any help/input here will be hugely appreciated.

Thanks and Best Regards,
Saurav
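As an added illustration (not SQLite's own code and not part of the post above), the following constructed C model reproduces the control flow of sqlite3OsOpenMalloc() with hypothetical names, plus the caller-side release that in SQLite is done by sqlite3OsCloseFree(). A live-block counter shows that both the failure path (freed inside the function) and the success path (ownership handed to the caller through *ppFile and released later) end with nothing outstanding, which is the ownership transfer a static analyzer reports as "allocates and fails to free".

```c
#include <stdlib.h>

/* Constructed model of the sqlite3OsOpenMalloc() ownership pattern
 * (hypothetical names; not SQLite code). live_blocks counts heap blocks
 * still allocated so both exit paths can be checked. */
#define OK       0
#define NOMEM    7
#define CANTOPEN 14

static int live_blocks = 0;

typedef struct { int fd; } file_t;   /* stands in for sqlite3_file */

static void *malloc_zero(size_t n) { void *p = calloc(1, n); if (p) live_blocks++; return p; }
static void free_block(void *p) { if (p) { live_blocks--; free(p); } }

/* Stand-in for sqlite3OsOpen(): the caller-provided flag forces a failure. */
static int os_open(file_t *pFile, int fail) {
    if (fail) return CANTOPEN;
    pFile->fd = 3;
    return OK;
}

/* Same control flow as sqlite3OsOpenMalloc(): allocate, try to open, then
 * either free on failure or hand the block to the caller via *ppFile. */
static int os_open_malloc(file_t **ppFile, int fail) {
    int rc = NOMEM;
    file_t *pFile = malloc_zero(sizeof(*pFile));
    if (pFile) {
        rc = os_open(pFile, fail);
        if (rc != OK) {
            free_block(pFile);      /* failure path: released here */
        } else {
            *ppFile = pFile;        /* success path: ownership moves to the caller */
        }
    }
    return rc;
}

/* Counterpart of sqlite3OsCloseFree(): the caller releases what it was handed. */
static void os_close_free(file_t *pFile) { free_block(pFile); }

/* Runs one open/close cycle and returns how many blocks are still live;
 * 0 on both paths means nothing leaked, whatever the scanner reported. */
int live_after_cycle(int fail_open) {
    file_t *pFile = NULL;
    live_blocks = 0;
    if (os_open_malloc(&pFile, fail_open) == OK) os_close_free(pFile);
    return live_blocks;
}
```

The leak would only be real if a caller of the success path never called the close-and-free counterpart, so that is the call site to review rather than the allocating function itself.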