SQLite

View Ticket
Ticket Hash: f7b4edece25c994857dc139207f55a53c8319fae
Title: sqlite3_update_hook gives incorrect table name with shared cache
Status: Fixed
Type: Code_Defect
Severity: Critical
Priority: Immediate
Subsystem: Unknown
Resolution: Fixed
Last Modified: 2011-03-19 02:04:24
Version Found In: 3.7.5
Description:
The fourth argument to the sqlite3_update_hook() callback is supposed to be the name of the table that is being updated. However, this string pointer might point to deallocated memory if shared cache mode is in use. Here is the scenario:
  1. Two connections to the same database (call them A and B) in shared cache mode.
  2. Connection A prepares a statement that will invoke the update hook.
  3. Connection B makes a schema change but rolls back before committing.
  4. Connection A evaluates the prepared statement.

The prepared statement in step (2) contains a pointer to the table name string in the parsed schema. Step (3) causes the schema to be reparsed, which invalidates that string. But the rollback of step (3) means that the schema cookie is unchanged and so the prepared statement is not invalidated. Step (4) then runs the prepared statement and passes the invalid string to the update hook callback.

This problem was found by internal code review and has never been observed in the wild.
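
The lifetime problem in steps 1 to 4, as an added example: this is a simplified C model, not SQLite source code and not part of the ticket. The Schema and Stmt types, the parse_gen counter and the owned_name copy are assumptions made for illustration; the owned copy shows one way a name can survive a reparse and is not a statement of how SQLite fixed the defect.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the lifetime bug; NOT SQLite source. Names are hypothetical. */
typedef struct {
    char *table_name;    /* heap string owned by the parsed schema */
    int cookie;          /* changes only when a schema change commits */
    unsigned parse_gen;  /* model-only bookkeeping: counts schema (re)parses */
} Schema;

typedef struct {
    const char *borrowed_name; /* as in the ticket: pointer into the parsed schema */
    char owned_name[32];       /* alternative: private copy taken at prepare time */
    int cookie_seen;           /* schema cookie observed at prepare time */
    unsigned gen_seen;         /* parse generation observed at prepare time */
} Stmt;

/* (Re)parse the schema: the old name string is freed and a new one allocated. */
static void schema_parse(Schema *s) {
    free(s->table_name);
    s->table_name = malloc(3);
    if (s->table_name) memcpy(s->table_name, "t1", 3); /* constructed table name */
    s->parse_gen++;
}

/* Step 2: connection A prepares a statement that will invoke the update hook. */
static void stmt_prepare(Stmt *st, const Schema *s) {
    st->borrowed_name = s->table_name;
    strncpy(st->owned_name, s->table_name ? s->table_name : "", sizeof st->owned_name - 1);
    st->owned_name[sizeof st->owned_name - 1] = '\0';
    st->cookie_seen = s->cookie;
    st->gen_seen = s->parse_gen;
}

/* Cookie-only staleness test: the check that lets step 4 run the statement. */
static int passes_cookie_check(const Stmt *st, const Schema *s) { return st->cookie_seen == s->cookie; }
/* Lifetime test: no reparse since prepare. Never dereferences the stale pointer. */
static int borrowed_name_is_live(const Stmt *st, const Schema *s) { return st->gen_seen == s->parse_gen; }

/* Steps 1-4: returns 1 when the statement passes the cookie check
   although the table name it borrowed has been freed by a reparse. */
static int scenario_hits_stale_name(Stmt *st) {
    Schema s = {0};
    schema_parse(&s);       /* step 1: shared schema loaded for A and B */
    stmt_prepare(st, &s);   /* step 2 */
    schema_parse(&s);       /* step 3: B's change is rolled back: reparse, cookie unchanged */
    int hit = passes_cookie_check(st, &s) && !borrowed_name_is_live(st, &s); /* step 4 */
    free(s.table_name);
    return hit;
}
```

The model tracks a parse generation instead of comparing pointers because the allocator may hand the freed address back to the reparse, which would make a pointer comparison look valid.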