Hi, I found a null pointer access problem in the *sqlite3Init* function in version 3.26.0.

The poc is simple:

> .open .
> .selftest

The GDB debug traces are:

> #0  0x000055d76316ae12 in sqlite3Init (db=0x55d76509de18, pzErrMsg=0x7fffa3d64ac0) at sqlite3.c:123082
> #1  0x000055d7631a22d7 in sqlite3_table_column_metadata (db=0x55d76509de18, zDbName=0x55d7631fa22e "main", zTableName=0x55d763200574 "selftest", zColumnName=0x0, pzDataType=0x0, pzCollSeq=0x0, pNotNull=0x0, pPrimaryKey=0x0, pAutoinc=0x0) at sqlite3.c:156312
> #2  0x000055d7630e73f3 in do_meta_command (zLine=0x55d765090970 ".selftest", p=0x7fffa3d68090) at shell.c:14816
> #3  0x000055d7630ea430 in process_input (p=0x7fffa3d68090, in=0x55d76506f6d0) at shell.c:15712
> #4  0x000055d7630e669c in do_meta_command (zLine=0x55d7650909f0 ".read", p=0x7fffa3d68090) at shell.c:14369
> #5  0x000055d7630ea430 in process_input (p=0x7fffa3d68090, in=0x0) at shell.c:15712
> #6  0x000055d7630ec173 in main (argc=1, argv=0x7fffa3d69668) at shell.c:16479

When we invoke "*.open .*", sqlite3 will fail to open the "." database. However, sqlite3 will still create the db ("struct sqlite3") object without full initialization and not destroy it in "*shell.c:11306*". Then when we invoke "*.selftest*", when the routine goes to the *sqlite3Init* function, it will call "*ENC(db) = SCHEMA_ENC(db);*", which is a macro: "*#define SCHEMA_ENC(db) ((db)->aDb[0].pSchema->enc)*". "SCHEMA_ENC(db)" will access the "pSchema" field, which has not been initialized yet because creating the "." database failed.

Attached is the poc sql file. I used the following command:

./sqlite3
sqlite >.read crash.sql

--
Best regards,
Xingwei Lin
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
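The report above describes a general bug class: an object that is allocated before its initialisation can fail, kept around after the failure, and then dereferenced by a later operation that assumes it is complete. The following C program is an added illustration of that pattern and its two fixes; it is not SQLite code and not part of the report. The `Db`, `Schema` and `Shell` types, `db_open`, the `open_cmd_*` and `selftest_cmd` functions, and the rule that the path "." fails to open are all hypothetical stand-ins constructed for the example. The buggy open keeps the half-built handle (the shell behaviour the report describes), the fixed open tears it down, and the consumer additionally refuses to dereference an absent schema, so the reported sequence returns an error code in both variants instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for sqlite's per-database schema object. */
typedef struct Schema { int enc; } Schema;

/* Hypothetical stand-in for "struct sqlite3": a handle that may be only partly built. */
typedef struct Db {
    char path[64];
    Schema *schema;   /* NULL until initialisation completes */
    int open_ok;
} Db;

/* Model of a failing open: the handle is allocated first, the schema only if the
   path is acceptable. The path "." is a constructed rule standing in for the
   failing open in the report. */
static Db *db_open(const char *path) {
    Db *db = calloc(1, sizeof *db);
    if (!db) return NULL;
    snprintf(db->path, sizeof db->path, "%s", path);
    if (strcmp(path, ".") == 0) {
        return db;            /* open failed: schema stays NULL, open_ok stays 0 */
    }
    db->schema = calloc(1, sizeof *db->schema);
    if (!db->schema) { free(db); return NULL; }
    db->schema->enc = 1;
    db->open_ok = 1;
    return db;
}

static void db_close(Db *db) {
    if (!db) return;
    free(db->schema);
    free(db);
}

/* Return codes for the shell-like commands below. */
enum { CMD_OK = 0, CMD_ERR_OPEN = 1, CMD_ERR_NO_DB = 2, CMD_ERR_NO_SCHEMA = 3 };

/* Shell state: the handle that the ".open" command leaves behind. */
typedef struct Shell { Db *db; } Shell;

/* Buggy variant (the behaviour the report describes): on failure the
   half-initialised handle is kept in the shell state for later commands. */
static int open_cmd_buggy(Shell *sh, const char *path) {
    sh->db = db_open(path);
    return (sh->db && sh->db->open_ok) ? CMD_OK : CMD_ERR_OPEN;
}

/* Fixed variant: release the handle on failure so no later command sees it. */
static int open_cmd_fixed(Shell *sh, const char *path) {
    Db *db = db_open(path);
    if (!db || !db->open_ok) {
        db_close(db);
        sh->db = NULL;
        return CMD_ERR_OPEN;
    }
    sh->db = db;
    return CMD_OK;
}

/* Consumer that reads the schema encoding, as SCHEMA_ENC(db) does; here it
   checks for a missing handle and a missing schema instead of dereferencing them. */
static int selftest_cmd(const Shell *sh, int *enc_out) {
    if (!sh->db) return CMD_ERR_NO_DB;
    if (!sh->db->schema) return CMD_ERR_NO_SCHEMA;   /* the guard the macro lacks */
    *enc_out = sh->db->schema->enc;
    return CMD_OK;
}

/* Runs ".open <path>" followed by ".selftest" with one open variant and
   returns the selftest result code. */
static int run_sequence(int (*open_cmd)(Shell *, const char *), const char *path) {
    Shell sh = { NULL };
    int enc = -1;
    int rc;
    open_cmd(&sh, path);
    rc = selftest_cmd(&sh, &enc);
    db_close(sh.db);
    return rc;
}

int main(void) {
    printf("buggy open of '.'  -> selftest rc %d\n", run_sequence(open_cmd_buggy, "."));
    printf("fixed open of '.'  -> selftest rc %d\n", run_sequence(open_cmd_fixed, "."));
    printf("fixed open of good -> selftest rc %d\n", run_sequence(open_cmd_fixed, "good.db"));
    return 0;
}
```

The two fixes are independent: tearing the handle down at the point of failure removes the dangerous state entirely, while the NULL check in the consumer protects every other caller that might reach the handle before the teardown is applied. Either alone turns the crash into an error return; together they also make the failure visible as a distinct code.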