Hi guys,
I found this crash in SQLite. Tested with latest amalgamation
(sqlite-autoconf-307160). Please assist.
Thanks,
Jerome
--------------------------------
#include <stdlib.h>
#include <stdio.h>
#include <sqlite3.h>

int main()
{
    sqlite3_stmt * stmt = NULL;
    sqlite3 * db = NULL;
    sqlite3_open_v2("test.sqlite", &db, SQLITE_OPEN_READWRITE, NULL);
    if(db)
    {
        printf("Database opened\n");
        /* Preparing the statement is enough to trigger the read; it is never stepped. */
        sqlite3_prepare_v2(db, "UPDATE `Contacts` SET ROWID = ? WHERE ROWID = ?",
                           -1, &stmt, NULL);
        /* Finalize before close so the handle is not left busy (no-op if stmt is NULL). */
        sqlite3_finalize(stmt);
        sqlite3_close(db);
    }
    return 0;
}
----------------------------------
Simply put, create test.sqlite with:
CREATE TABLE `Contacts`(
    `Id` INTEGER PRIMARY KEY,
    `Name` TEXT COLLATE NOCASE,
    `OfficePhoneNumber` TEXT COLLATE NOCASE,
    `CellPhoneNumber` TEXT COLLATE NOCASE,
    `SecondCellPhoneNumber` TEXT COLLATE NOCASE,
    `PagerNumber` TEXT COLLATE NOCASE,
    `Email` TEXT COLLATE NOCASE,
    `Active` INTEGER
);
You'll get this Valgrind output:
==26691== Memcheck, a memory error detector
==26691== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==26691== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==26691== Command: ./a.out
==26691==
Database opened
==26691== Invalid read of size 8
==26691== at 0x4EB1896: sqlite3Update (sqlite3.c:101044)
==26691== by 0x4EC1816: yy_reduce (sqlite3.c:111245)
==26691== by 0x4EC3F63: sqlite3Parser (sqlite3.c:112035)
==26691== by 0x4EC4DAD: sqlite3RunParser (sqlite3.c:112872)
==26691== by 0x4EA4B43: sqlite3Prepare (sqlite3.c:94461)
==26691== by 0x4EA4E7F: sqlite3LockAndPrepare (sqlite3.c:94553)
==26691== by 0x4EA5036: sqlite3_prepare_v2 (sqlite3.c:94629)
==26691== by 0x4007E4: main (in /home/jerome/sqlite-autoconf-3071602/a.out)
==26691== Address 0x5906f58 is 0 bytes after a block of size 392 alloc'd
==26691== at 0x4C2C73C: malloc (vg_replace_malloc.c:270)
==26691== by 0x4E4219A: sqlite3MemMalloc (sqlite3.c:15581)
==26691== by 0x4E42BD5: mallocWithAlarm (sqlite3.c:18879)
==26691== by 0x4E42C70: sqlite3Malloc (sqlite3.c:18912)
==26691== by 0x4E4346C: sqlite3DbMallocRaw (sqlite3.c:19248)
==26691== by 0x4E434CF: sqlite3DbRealloc (sqlite3.c:19267)
==26691== by 0x4E8E14E: sqlite3AddColumn (sqlite3.c:81948)
==26691== by 0x4EC04A4: yy_reduce (sqlite3.c:110843)
==26691== by 0x4EC3F63: sqlite3Parser (sqlite3.c:112035)
==26691== by 0x4EC4D17: sqlite3RunParser (sqlite3.c:112860)
==26691== by 0x4EA4B43: sqlite3Prepare (sqlite3.c:94461)
==26691== by 0x4EA4E7F: sqlite3LockAndPrepare (sqlite3.c:94553)
The problematic line is:
rc = sqlite3AuthCheck(pParse, SQLITE_UPDATE, pTab->zName,
                      pTab->aCol[j].zName, db->aDb[iDb].zName);
It looks like an invalid pointer read (4 bytes on 32-bit, 8 bytes on
64-bit) on pTab->aCol[j].zName.
_______________________________________________
sqlite-users mailing list
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
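As an added illustration (not part of Jerome's report and not SQLite's own code), the constructed C model below shows the index pattern the Valgrind trace points at: a SET target of ROWID resolves to an index one past the last entry of the column array, so an unchecked aCol[j].zName reads just beyond the allocation, while a bounds-checked lookup maps that sentinel to a fixed name. The struct names, column list and helper functions are assumptions for the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not SQLite's code) of the layout the report describes:
 * a table with nCol named columns in aCol; the rowid is not stored in aCol. */
typedef struct { const char *zName; } Column;
typedef struct {
    const char *zName;
    const Column *aCol;   /* exactly nCol entries; aCol[nCol] is out of bounds */
    int nCol;
} Table;

/* Sample table built from a subset of the report's schema (constructed). */
const Column kCols[] = { {"Id"}, {"Name"}, {"Email"}, {"Active"} };
const Table kContacts = { "Contacts", kCols, 4 };

/* Resolve the target of "SET <name> = ?". A real column yields its index;
 * the rowid yields the sentinel nCol (one past the last column); an unknown
 * name yields -1. The sentinel is the index that reaches the faulting line. */
int resolve_set_target(const Table *pTab, const char *zTarget) {
    int j;
    for (j = 0; j < pTab->nCol; j++) {
        if (strcmp(pTab->aCol[j].zName, zTarget) == 0) return j;
    }
    return strcmp(zTarget, "ROWID") == 0 ? pTab->nCol : -1;
}

/* Before: trusts j and indexes aCol directly. For j == nCol this is the
 * read "0 bytes after a block" that Valgrind flags in the report. */
const char *column_name_unchecked(const Table *pTab, int j) {
    return pTab->aCol[j].zName;
}

/* After: bounds-check j before touching aCol and give the rowid sentinel a
 * fixed name, so the authorizer callback always receives a valid string. */
const char *column_name_checked(const Table *pTab, int j) {
    if (j < 0) return NULL;
    if (j >= pTab->nCol) return "ROWID";
    return pTab->aCol[j].zName;
}

int main(void) {
    int j = resolve_set_target(&kContacts, "ROWID");   /* j == 4 == nCol */
    printf("SET ROWID resolves to index %d of %d columns\n", j, kContacts.nCol);
    printf("checked lookup: %s\n", column_name_checked(&kContacts, j));
    /* column_name_unchecked(&kContacts, j) would read past kCols[]; not called. */
    return 0;
}
```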