Hi All,

We use SQLite in our application. Ours is a Windows Store application that
internally uses SQLite to store data (embedded). I use the SQLitePCL library,
which is a C# .NET based library.

I was asked to perform Fortify scans on the SQLite 3.8.8.3 code.

I used the amalgamation code.

Since it is a native component written in C, I found a lot of Buffer
Overflow and memory leak errors. Also, I have not touched C code since
college, so my understanding of C code has reduced :)

Just wanted to confirm my understanding and would like to solicit opinions
from the community on whether the issues are a real threat.

For example, in sqlite3.c, line 16458:

The error reported here is: The function sqlite3OsOpenMalloc() in sqlite3.c
allocates memory on line 16467 and fails to free it.

SQLITE_PRIVATE int sqlite3OsOpenMalloc(
  sqlite3_vfs *pVfs,
  const char *zFile,
  sqlite3_file **ppFile,
  int flags,
  int *pOutFlags
){
  int rc = SQLITE_NOMEM;
  sqlite3_file *pFile;
  pFile = (sqlite3_file *)sqlite3MallocZero(pVfs->szOsFile);
  if( pFile ){
    rc = sqlite3OsOpen(pVfs, zFile, pFile, flags, pOutFlags);
    if( rc!=SQLITE_OK ){
      sqlite3_free(pFile);
    }else{
      *ppFile = pFile;
    }
  }
  return rc;
}


For memory leaks: SQLitePCL and our application use the disposable pattern
to dispose the prepared statement after its use, and we also close the
connection once done.

I am not sure if closing the DB connection and prepared statement is enough to
counter this problem.

In shell.c:

      abYield = (int*)sqlite3_realloc(abYield, nAlloc*sizeof(int));
    }
    abYield[iOp] = str_in_array(zOp, azYield);
    p->aiIndent[iOp] = 0;
    p->nIndent = iOp+1;

    if( str_in_array(zOp, azNext) ){
      for(i=p2op; i<iOp; i++) p->aiIndent[i] += 2;
    }
    if( str_in_array(zOp, azGoto) && p2op<p->nIndent
     && (abYield[p2op] || sqlite3_column_int(pSql, 2))
    ){
      for(i=p2op+1; i<iOp; i++) p->aiIndent[i] += 2;
    }
  }

  p->iIndent = 0;
  sqlite3_free(abYield);
  sqlite3_reset(pSql);

It's saying abYield has been allocated memory and has not been freed.
But I can see the sqlite3_free() function at the bottom which frees up the
memory.

Also, I assume libraries like SQLitePCL won't use shell.c.

Some Buffer Overflow errors, like:

In line 53855 of sqlite3.c:

    assert( cbrk+size<=usableSize && cbrk>=iCellFirst );
    testcase( cbrk+size==usableSize );
    testcase( pc+size==usableSize );
    put2byte(pAddr, cbrk);
    if( temp==0 ){
      int x;
      if( cbrk==pc ) continue;
      temp = sqlite3PagerTempSpace(pPage->pBt->pPager);
      x = get2byte(&data[hdr+5]);
      memcpy(&temp[x], &data[x], (cbrk+size) - x);
      src = temp;
    }
    memcpy(&data[cbrk], &src[pc], size);
  }
  assert( cbrk>=iCellFirst );
  put2byte(&data[hdr+5], cbrk);
  data[hdr+1] = 0;

Usage of memcpy() is discouraged in favor of memcpy_s().
Similarly, the tool is detecting a lot of buffer overflow errors because of
the usage of gets(), strcpy(), etc.

Since my application uses the embedded database, there is no way the input
to these methods is being given from my application. I assume I am safe?

Has anyone come across any security vulnerability with SQLite?

Any help/input here will be hugely appreciated.

Thanks and Best Regards,
Saurav
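An added example, not code from SQLite or from the poster, that models the allocate-and-hand-off shape of the sqlite3OsOpenMalloc() snippet above with a counting allocator (os_file, os_open, open_malloc, close_free and the live_allocs counter are assumed names). It shows what the analyzer sees: the block is freed on the failure path, and on the success path it escapes through the out parameter, so the allocation balance ends at zero only if the caller pairs the open with a close.

```c
/* Added example (not SQLite's or the poster's code): models the allocate-then-
 * hand-off shape of sqlite3OsOpenMalloc() with a counting allocator. */
#include <stdlib.h>
typedef struct { int fd; } os_file;     /* assumed stand-in for sqlite3_file */
static int live_allocs = 0;             /* blocks outstanding, for leak checks */
static void *counted_zalloc(size_t n) {
    void *p = calloc(1, n);
    if (p) live_allocs++;
    return p;
}
static void counted_free(void *p) {
    if (p) { live_allocs--; free(p); }
}
/* Assumed "open": fails for an empty name so the failure path is exercised. */
static int os_open(const char *name, os_file *f) {
    if (name == NULL || *name == '\0') return -1;
    f->fd = 3;
    return 0;
}
/* Same shape as sqlite3OsOpenMalloc(): allocate, try to open, free on
 * failure, otherwise hand the block to the caller through *out. */
static int open_malloc(const char *name, os_file **out) {
    int rc = -2;                                /* "no memory" */
    os_file *f = counted_zalloc(sizeof *f);
    if (f) {
        rc = os_open(name, f);
        if (rc != 0) {
            counted_free(f);                    /* failure: nothing escapes */
        } else {
            *out = f;                           /* success: caller now owns f */
        }
    }
    return rc;
}
/* The caller's side of the contract: release what open_malloc() handed out. */
static void close_free(os_file *f) { counted_free(f); }
/* Blocks still live after open + close: 0 whether the open succeeds or fails. */
int live_after_open_close(const char *name) {
    os_file *f = NULL;
    live_allocs = 0;
    if (open_malloc(name, &f) == 0) close_free(f);
    return live_allocs;
}
/* Same, but the caller never closes: the block it was handed stays live. */
int live_when_caller_forgets(const char *name) {
    os_file *f = NULL;
    live_allocs = 0;
    open_malloc(name, &f);
    return live_allocs;
}
```

The same counting-allocator trick can be wrapped around an application's real open/close calls to confirm that every successful open is matched by a close before the process exits.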