SQLite Forum

A Null-pointer-crash found in sqlite3_unlock_notify

(1) By PromptFuzz on 2023-10-10 03:04:47

Hi, I built sqlite3 with -DSQLITE_ENABLE_API_ARMOR and -DSQLITE_ENABLE_UNLOCK_NOTIFY enabled, but a null-pointer-dereference bug still happened when I called sqlite3_unlock_notify().

For example, if I pass a NULL database connection to a sequence of sqlite3 APIs, sqlite3_unlock_notify() crashes directly, whereas the other APIs can detect such an error via the -DSQLITE_ENABLE_API_ARMOR flag.

It seems that the API sqlite3_unlock_notify() misses checking the passed db as the other APIs do when the -DSQLITE_ENABLE_API_ARMOR flag is enabled.

    #include <sqlite3.h>

    int main(void) {
        // Deliberately invalid connection: every call below receives NULL
        sqlite3 *db = NULL;

        // Set the sqlite3 busy handler (armored: returns SQLITE_MISUSE)
        sqlite3_busy_handler(db, NULL, NULL);

        // Set sqlite3 limit (armored)
        sqlite3_limit(db, SQLITE_LIMIT_LENGTH, 1000);

        // Prepare a statement (rejects a NULL db)
        sqlite3_stmt *stmt = NULL;
        const char *sql = "SELECT * FROM table WHERE id = ?";
        sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);

        // Recover a database snapshot
        sqlite3_snapshot_recover(db, "main");

        // Register an unlock notify callback: dereferences db and crashes
        sqlite3_unlock_notify(db, NULL, NULL);
        return 0;
    }