SQLite

Ticket Hash: f7b4edece25c994857dc139207f55a53c8319fae
Title: sqlite3_update_hook gives incorrect table name with shared cache
Status: Fixed
Type: Code_Defect
Severity: Critical
Priority: Immediate
Subsystem: Unknown
Resolution: Fixed
Last Modified: 2011-03-19 02:04:24
Version Found In: 3.7.5
Description:
The fourth argument to the sqlite3_update_hook() callback is supposed to be
the name of the table that is being updated.  However, this string pointer
might point to deallocated memory if shared cache mode is in use.  Here
is the scenario:

  1.  Two connections to the same database (call them A and B) in shared
      cache mode.
  2.  Connection A prepares a statement that will invoke the update hook.
  3.  Connection B makes a schema change but rolls back before committing.
  4.  Connection A evaluates the prepared statement.

The prepared statement in step (2) contains a pointer to the table name
string in the parsed schema.  Step (3) causes the schema to be reparsed,
which invalidates that string.  But the rollback of step (3) means that
the schema cookie is unchanged and so the prepared statement is not
invalidated.  Step (4) then runs the prepared statement and passes the
invalid string to the update hook callback.

This problem was found by internal code review and has never been observed
in the wild.
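
The four-step scenario above, as an added toy model in C (not SQLite source code and not the fix that was applied). It shows why a cookie-only validity check lets a borrowed name pointer outlive the string it points at, next to a statement-owned copy that stays valid. All type and function names, the cookie value 7 and the table name "t1" are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the ticket's scenario. Every name here is hypothetical;
   none of this is SQLite source code or its actual fix. */
typedef struct { int cookie; unsigned parse_gen; char *table_name; } Schema;
typedef struct {
    int cookie;            /* schema cookie seen at prepare time */
    unsigned parse_gen;    /* which parse produced the borrowed string */
    const char *borrowed;  /* points into the shared parsed schema */
    char *owned;           /* private copy: the safe alternative */
} Stmt;

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    return p;
}
/* Every (re)parse frees the old name string and allocates a new one. */
void schema_parse(Schema *s) {
    free(s->table_name);
    s->table_name = dup_str("t1");   /* constructed sample table name */
    s->parse_gen++;
}
/* Step 2: connection A prepares a statement. */
Stmt stmt_prepare(const Schema *s) {
    Stmt st = { s->cookie, s->parse_gen, s->table_name, dup_str(s->table_name) };
    return st;
}
/* Step 3: B's change is rolled back: a reparse happens, the cookie stays. */
void schema_change_rolled_back(Schema *s) { schema_parse(s); }
/* Contrast: a committed change moves the cookie as well. */
void schema_change_committed(Schema *s) { s->cookie++; schema_parse(s); }
/* Step 4 gate: the statement counts as valid while the cookie is unchanged. */
int cookie_check_passes(const Stmt *st, const Schema *s) { return st->cookie == s->cookie; }
/* Ground truth the cookie cannot see (no stale pointer is dereferenced). */
int borrowed_is_dangling(const Stmt *st, const Schema *s) { return st->parse_gen != s->parse_gen; }

int main(void) {
    Schema s = { 7, 0, NULL };       /* constructed starting cookie */
    schema_parse(&s);
    Stmt st = stmt_prepare(&s);
    schema_change_rolled_back(&s);
    printf("cookie ok=%d dangling=%d owned name=%s\n",
           cookie_check_passes(&st, &s), borrowed_is_dangling(&st, &s), st.owned);
    free(st.owned); free(s.table_name);
    return 0;
}
```

After the rolled-back change the cookie check still passes while the borrowed pointer is stale, which is the state in which step (4) hands the name to the update hook.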