[self-reply] Is this also potentially an SQLITE3 bug? Why didn't any of these functions check db for NULL before passing it on down? Finally, functionSearch gets pHash which is wrong (0x140 is not accessible in my debugger):
(gdb) list
90056	    h = (sqlite3UpperToLower[(u8)zName[0]] + nName) % ArraySize(db->aFunc.a);
90057	
90058	    /* First search for a match amongst the application-defined functions.
90059	    */
90060	    p = functionSearch(&db->aFunc, h, zName, nName);
90061	    while( p ){
90062	      int score = matchQuality(p, nArg, enc);
90063	      if( score>bestScore ){
90064	        pBest = p;
90065	        bestScore = score;
(gdb) print db
$1 = (sqlite3 *) 0x0
(gdb) print db->aFunc
Cannot access memory at address 0x140

> #0  functionSearch (pHash=0x140, h=1, zFunc=0x3c019f39 "constant_time_cmp",
>     nFunc=17) at ./src/sqlite3.c:89989
> #1  0x1c0933ef in sqlite3FindFunction (db=0x0,
>     zName=0x3c019f39 "constant_time_cmp", nName=17, nArg=2, enc=1 '\001',
>     createFlag=0 '\0') at ./src/sqlite3.c:90060
> #2  0x1c0a828a in sqlite3CreateFunc (db=0x0,
>     zFunctionName=0x3c019f39 "constant_time_cmp", nArg=2, enc=1,
>     pUserData=0x0, xFunc=0x1c03d680 <constant_time_cmp_function>, xStep=0,
>     xFinal=0, pDestructor=0x0) at ./src/sqlite3.c:122759
> #3  0x1c0a8a87 in sqlite3_create_function_v2 (db=0x0,
>     zFunc=0x3c019f39 "constant_time_cmp", nArg=2, enc=1, p=0x0,
>     xFunc=0x1c03d680 <constant_time_cmp_function>, xStep=0, xFinal=0,
>     xDestroy=0) at ./src/sqlite3.c:122835
> #4  0x1c0a8afa in sqlite3_create_function (db=0x0,
>     zFunc=0x3c019f39 "constant_time_cmp", nArg=2, enc=1, p=0x0,
>     xFunc=0x1c03d680 <constant_time_cmp_function>, xStep=0, xFinal=0)
>     at ./src/sqlite3.c:122808

Also, it looks like /info is a different case:

Program received signal SIGSEGV, Segmentation fault.
strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:43
43		for (s = str; *s; ++s)
(gdb) bt
#0  strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:43
#1  0x1c010a76 in cgi_redirect (zURL=0x82c012d0 "/index") at cgi.c:405
#2  0x1c010ae3 in cgi_redirectf (zFormat=Could not find the frame base for "cgi_redirectf".
) at cgi.c:423
#3  0x1c03f8f3 in fossil_redirect_home () at main.c:1270
#4  0x1c03abb5 in info_page () at info.c:1925
#5  0x1c041e24 in main (argc=2, argv=0xcfbd5ed0) at main.c:725

Andy
--
TAI64 timestamp: 4000000053c5f36d
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
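The first backtrace shows why the pHash=0x140 value is not the "wrong pointer" it looks like: sqlite3FindFunction was handed db=0x0 and passed &db->aFunc onward, and NULL plus the byte offset of aFunc inside the connection struct is a small non-NULL address, so a NULL check inside functionSearch would never have fired; the check has to sit at the API boundary, before any member address is formed. The C program below illustrates that mechanism with a constructed connection struct. It is an added example, not code from the post, from SQLite or from Fossil: the Connection/FuncDefHash/FuncDef types, the 0x140 bytes of padding (chosen only to reproduce the number in the backtrace, not SQLite's real layout), the slot-per-name hash table with no chaining, and the function names are all assumptions. The strlen(str=0x0) crash in the second backtrace is the same class of defect (a NULL reaching a libc routine that cannot check for it), and the same boundary check applies there.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the part of a connection object that the
 * backtrace touches: a hash table of application-defined functions that
 * sits 0x140 bytes into the struct. Hypothetical layout, not sqlite3's. */
#define FUNC_SLOTS 23

typedef struct FuncDef {
    const char *zName;
    int nArg;
} FuncDef;

typedef struct FuncDefHash {
    FuncDef *a[FUNC_SLOTS];   /* one entry per slot, no chaining (simplified) */
} FuncDefHash;

typedef struct Connection {
    char other_state[0x140];  /* hypothetical fields preceding aFunc */
    FuncDefHash aFunc;
} Connection;

enum { OK = 0, ERR_NOTFOUND = 1, ERR_MISUSE = 21 };

static unsigned hash_name(const char *zName) {
    unsigned h = 0;
    for (const char *s = zName; *s; ++s) h = h * 31u + (unsigned char)*s;
    return h % FUNC_SLOTS;
}

/* Inner lookup shaped like functionSearch(): it receives the address of the
 * hash table, not the connection. A NULL check here would be useless, since
 * &db->aFunc with db == NULL is NULL plus the member offset, i.e. a small
 * non-NULL address such as 0x140 that faults on the first dereference. */
static FuncDef *function_search(FuncDefHash *pHash, unsigned h, const char *zName) {
    FuncDef *p = pHash->a[h];
    return (p && strcmp(p->zName, zName) == 0) ? p : NULL;
}

/* The address the inner lookup would receive for a NULL connection, computed
 * with offsetof() rather than by forming &((Connection *)0)->aFunc, which is
 * undefined behaviour in C. */
size_t afunc_offset(void) {
    return offsetof(Connection, aFunc);
}

/* Public entry points with the boundary check the post asks about: reject a
 * NULL connection (or definition) before any member address is formed, and
 * report it as a misuse error instead of faulting several frames deeper. */
int create_function(Connection *db, FuncDef *def) {
    if (db == NULL || def == NULL || def->zName == NULL) return ERR_MISUSE;
    db->aFunc.a[hash_name(def->zName)] = def;
    return OK;
}

int find_function(Connection *db, const char *zName, FuncDef **out) {
    if (db == NULL || zName == NULL || out == NULL) return ERR_MISUSE;
    *out = function_search(&db->aFunc, hash_name(zName), zName);
    return *out ? OK : ERR_NOTFOUND;
}

/* Register and look up a function on a valid connection; returns 1 on success. */
int demo_roundtrip(void) {
    static Connection db;                          /* zero-initialised */
    static FuncDef cmp = { "constant_time_cmp", 2 };
    FuncDef *found = NULL;
    if (create_function(&db, &cmp) != OK) return 0;
    if (find_function(&db, "constant_time_cmp", &found) != OK || found != &cmp) return 0;
    if (find_function(&db, "no_such_function", &found) != ERR_NOTFOUND) return 0;
    return 1;
}

int main(void) {
    FuncDef *out = NULL;
    printf("&db->aFunc for db == NULL would be %#zx, not NULL\n", afunc_offset());
    printf("create_function(NULL, ...) -> %d\n", create_function(NULL, NULL));
    printf("find_function(NULL, ...)   -> %d\n",
           find_function(NULL, "constant_time_cmp", &out));
    printf("round trip on a valid connection: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

With the padding chosen here, afunc_offset() prints 0x140, matching the pHash value in the backtrace; the guarded entry points return ERR_MISUSE for a NULL connection instead of reaching the hash table at all. In a real build the number is whatever offsetof(sqlite3, aFunc) happens to be, and a small non-NULL pointer of that kind in a crash dump is a strong hint that a NULL base pointer was dereferenced one frame up.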