Re: [sqlite] custom rank function with FTS3/FTS4: potential crash.

2017-10-06 Thread Jens Alfke
> On Oct 6, 2017, at 1:32 PM, Kent Williams wrote: > > Instead of > > aMatchinfo = (unsigned int *)sqlite3_value_blob(apVal[0]); > > Something like: > > if((aMatchinfo = (unsigned int *)sqlite3_value_blob(apVal[0])) == 0) { > sqlite3_result_error(pCtx, > "invalid matchinf

Re: [sqlite] custom rank function with FTS3/FTS4: potential crash.

2017-10-06 Thread Kent Williams
I like that it checks aMatchinfo for internal consistency. The one thing that isn't in the new rankfunk. Instead of aMatchinfo = (unsigned int *)sqlite3_value_blob(apVal[0]); Something like: if((aMatchinfo = (unsigned int *)sqlite3_value_blob(apVal[0])) == 0) { sqlite3_result_error(pC

Re: [sqlite] custom rank function with FTS3/FTS4: potential crash.

2017-10-06 Thread Dan Kennedy
A few corrections on this page about FTS (hopefully not too nit-picky): 1) === BEGIN QUOTE === -- ("driver" may also appear in the title, but this alone will not satisfy the. -- query criteria). === END QUOTE === There should not be a dot in "the." 2) === BEGIN QUOTE === putting the keyword

Re: [sqlite] custom rank function with FTS3/FTS4: potential crash.

2017-10-06 Thread Dominique Pellé
Dan Kennedy wrote: On 10/06/2017 11:58 PM, Richard Hipp wrote: > >> On 10/6/17, Jens Alfke wrote: >> >>> Thanks for posting this — my adaptation of that sample code in my project >>> had the same bug. >>> >>> I’m not sure how the SQL in your application gets generated, but if you >>> allow untru

Re: [sqlite] custom rank function with FTS3/FTS4: potential crash.

2017-10-06 Thread Dan Kennedy
On 10/06/2017 11:58 PM, Richard Hipp wrote: On 10/6/17, Jens Alfke wrote: Thanks for posting this — my adaptation of that sample code in my project had the same bug. I’m not sure how the SQL in your application gets generated, but if you allow untrusted SQL, it’s still possible to create a que

Re: [sqlite] custom rank function with FTS3/FTS4: potential crash.

2017-10-06 Thread Richard Hipp
On 10/6/17, Kent Williams wrote: > > As for 'untrusted SQL' -- if you open your databases (or our clients' > databases) to unrestricted queries, you wouldn't need a malicious use of > full-text search to ruin everybody's day ;-) > That was my thinking too, for a long time. I figured that any exp

Re: [sqlite] custom rank function with FTS3/FTS4: potential crash.

2017-10-06 Thread Kent Williams
Luckily, any SQL we generate is done by our own developers, and runs through QA.  Not only that, we've got a guy who likes to find exploits for our backend software. As for 'untrusted SQL' -- if you open your databases (or our clients' databases) to unrestricted queries, you wouldn't need a ma

Re: [sqlite] custom rank function with FTS3/FTS4: potential crash.

2017-10-06 Thread Richard Hipp
On 10/6/17, Jens Alfke wrote: > Thanks for posting this — my adaptation of that sample code in my project > had the same bug. > > I’m not sure how the SQL in your application gets generated, but if you > allow untrusted SQL, it’s still possible to create a query that can cause > the rank function

Re: [sqlite] custom rank function with FTS3/FTS4: potential crash.

2017-10-06 Thread Jens Alfke
Thanks for posting this — my adaptation of that sample code in my project had the same bug. I’m not sure how the SQL in your application gets generated, but if you allow untrusted SQL, it’s still possible to create a query that can cause the rank function to crash. For example (assuming I have