Segmentation fault can result from setting error message parameter to NULL when calling sqlite3session_diff


Micah Moore
Hello,

We have found a minor bug in the session extension. The problem can occur
in sqlite3session_diff, when there is a table schema mismatch, if no error
pointer is provided.

According to the documentation of sqlite3session_diff:

> ** If the operation successful, SQLITE_OK is returned. Otherwise, an SQLite
> ** error code. In this case, if argument pzErrMsg is not NULL, *pzErrMsg
> ** may be set to point to a buffer containing an English language error
> ** message...

If an application calls sqlite3session_diff and encounters a schema
mismatch error, while having provided NULL for the pzErrMsg parameter, a
segmentation fault occurs.

We believe this is caused here, in sqlite3session.c: L#1627

      if( bMismatch ){
        *pzErrMsg = sqlite3_mprintf("table schemas do not match");
        rc = SQLITE_SCHEMA;
      }

There is no check that pzErrMsg is not NULL here prior to assignment.

There's an easy work-around: providing a pzErrMsg out parameter when
calling sqlite3session_diff resolves the crash.

Cheers,
Micah
_______________________________________________
sqlite-users mailing list
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
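The defect pattern in the report is an optional out-parameter that is dereferenced unconditionally. The following is an added example, not SQLite's code: a stand-alone model of the `bMismatch` branch with the unchecked write (`sessionDiffBefore`), the one-line defensive fix (`sessionDiffAfter`), and the caller-side workaround from the post (always pass a pointer and free the result). The `TableSchema` struct, the `SESS_*` codes and the function names are hypothetical stand-ins; real code would use `sqlite3_mprintf`/`sqlite3_free` and `SQLITE_SCHEMA`.

```c
/* Added example (not SQLite's code): models the sqlite3session_diff
 * out-parameter bug reported above and the defensive fix. Schemas are
 * stand-ins represented as a comma-separated column list; all names here
 * are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SESS_OK     0
#define SESS_SCHEMA 17   /* stands in for SQLITE_SCHEMA, which is also 17 */

/* Hypothetical stand-in for a table schema. */
typedef struct {
  const char *zName;   /* table name */
  const char *zCols;   /* column list, e.g. "a,b,c" */
} TableSchema;

/* Stand-in for sqlite3_mprintf("..."): heap-allocates a copy of the message. */
static char *dupMessage(const char *z){
  size_t n = strlen(z) + 1;
  char *p = malloc(n);
  if( p ) memcpy(p, z, n);
  return p;
}

/* BEFORE: mirrors the reported pattern. pzErrMsg is documented as optional
 * but is written unconditionally, so a NULL pzErrMsg plus a schema mismatch
 * is a NULL-pointer write (the segmentation fault in the report). */
int sessionDiffBefore(const TableSchema *pFrom, const TableSchema *pTo,
                      char **pzErrMsg){
  int bMismatch = strcmp(pFrom->zCols, pTo->zCols)!=0;
  if( bMismatch ){
    *pzErrMsg = dupMessage("table schemas do not match"); /* crashes if NULL */
    return SESS_SCHEMA;
  }
  return SESS_OK;
}

/* AFTER: honour the contract "if argument pzErrMsg is not NULL". The error
 * code is still returned either way, so callers that ignore the message
 * lose nothing. */
int sessionDiffAfter(const TableSchema *pFrom, const TableSchema *pTo,
                     char **pzErrMsg){
  int bMismatch = strcmp(pFrom->zCols, pTo->zCols)!=0;
  if( bMismatch ){
    if( pzErrMsg ) *pzErrMsg = dupMessage("table schemas do not match");
    return SESS_SCHEMA;
  }
  return SESS_OK;
}

/* Caller-side workaround from the post: always supply the out pointer and
 * release whatever comes back (sqlite3_free in the real API). Reports via
 * *pGotMsg whether a message was produced, so the result can be checked. */
int callWithWorkaround(const TableSchema *pFrom, const TableSchema *pTo,
                       int *pGotMsg){
  char *zErr = 0;
  int rc = sessionDiffBefore(pFrom, pTo, &zErr);
  *pGotMsg = (zErr!=0);
  free(zErr);
  return rc;
}

int main(void){
  /* Constructed sample schemas: same table, different column sets. */
  const TableSchema from = { "t1", "a,b,c" };
  const TableSchema to   = { "t1", "a,b"   };
  int gotMsg = 0;

  /* Fixed version tolerates a NULL out-parameter on mismatch. */
  printf("fixed, NULL pzErrMsg: rc=%d\n", sessionDiffAfter(&from, &to, NULL));

  /* Workaround for the unfixed version: pass a real pointer. */
  int rc = callWithWorkaround(&from, &to, &gotMsg);
  printf("before + workaround: rc=%d, message produced=%d\n", rc, gotMsg);
  return 0;
}
```

Calling `sessionDiffBefore(&from, &to, NULL)` is deliberately not exercised: it is the crash the report describes. The fix is a single pointer check at the write site; the workaround only moves the burden to every caller, which is why the library-side check is the right place for it.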