On 10/28/15, SQLite mailing list <sqlite-users at mailinglists.sqlite.org> wrote:
> Hi, everyone.
>
> I've been auditing the OpenBSD codebase for calls to ctype functions
> with potentially signed chars. This is undefined on some platforms. I
> found a number of instances in Sqlite, so I cloned your repo and ran my
> script on it.

Thank you for the audit.

Please note that all instances you found are either in obscure or deprecated extensions or in test code or in build infrastructure. None of the identified problems are in the SQLite core - the part that actually gets used. I don't know if this makes any difference to you or not.

Some of the places you identified as problems really are not problems. Example:

> static int safe_isspace(char c){ > - return (c&0x80)==0 ? isspace(c) : 0; > + return (c&0x80)==0 ? isspace((unsigned char)c) : 0; > }

The original (c&0x80)==0 test makes isspace(c) safe. Indeed, that is the whole point of the safe_isspace() routine. For this example, note also that FTS1 is deprecated code that is kept for historical reference only, and not actually used for anything.

I will go through and make lots of little changes to the code to pacify your analysis script. Let's hope that I don't break anything in the process!

--
D. Richard Hipp
drh at sqlite.org
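
Review bot: the (unsigned char) cast added on the + line of safe_isspace() is redundant, because the (c&0x80)==0 test on that same line already restricts the value reaching isspace() to 0..127, which is in range whether or not char is signed. If the cast is kept only to quiet the audit script, add a short comment on safe_isspace() saying that the guard is what makes the call safe, so a later reader does not treat the guard as dead code and remove it.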