SQLite

Artifact [580eefd3]
Artifact 580eefd3a106fa0817ae2c2b25797a9841fc8b8938e6df86f44b4b878334c885:

Ticket change [580eefd3] - New ticket [be436a7f] Use-after-free on schema change where RTREE is used inside of a trigger. by drh 2017-08-17 02:25:13.
D 2017-08-17T02:25:13.239
J icomment If\sa\svirtual\stable\sinvokes\ssqlite3_step()\sas\spart\sof\sits\sxConnect\smethod\r\n(as\sRTREE\sdoes)\sand\sif\sthat\svirtual\stable\sis\sused\sinside\sof\sa\strigger\sand\r\nif\san\sexternal\sschema\schange\soccurs\son\sthe\sfirst\suse\sof\sthat\strigger,\sthen\r\nthe\sxConnect\smethod\swill\sprovoke\sa\sschema\sreset\sthat\swill\sdelete\sa\spointer\r\nto\sthe\strigger\sout\sfrom\sunder\sthe\squery\splanner,\sresulting\sin\sa\suse-after-free\r\nand\sa\sprobable\ssegfault.\s\sThe\sfollowing\sC\scode\sdemonstrates\sthe\sproblems:\r\n\r\n<blockquote><verbatim>\r\n#include\s<stdio.h>\r\n#include\s<unistd.h>\r\n#include\s"sqlite3.h"\r\n\r\nint\smain(int\sargc,\schar\s*argv){\r\n\s\ssqlite3\s*db1,\s*db2;\r\n\s\sunlink("test.db");\r\n\s\sprintf("VERSION:\s%s\\n",\ssqlite3_libversion());\r\n\s\ssqlite3_open("test.db",\s&db1);\r\n\s\ssqlite3_exec(db1,\s\r\n\s\s\s"CREATE\sVIRTUAL\sTABLE\sr1\sUSING\srtree(id,\sx1,\sx2,\sy1,\sy2);\\n"\r\n\s\s\s"CREATE\sTABLE\st1(id,\sx1,\sx2,\sy1,\sy2);\\n"\r\n\s\s\s"CREATE\sTABLE\slog(l);\\n"\r\n\s\s\s"CREATE\sTRIGGER\str1\sAFTER\sINSERT\sON\st1\sBEGIN\\n"\r\n\s\s\s"\s\sINSERT\sINTO\sr1\sVALUES(new.id,\snew.x1,\snew.x2,\snew.y1,\snew.y2);\\n"\r\n\s\s\s"\s\sINSERT\sINTO\slog\sVALUES('r1:\s'\s||\snew.id);\\n"\r\n\s\s\s"END;",\s0,\s0,\s0);\r\n\s\ssqlite3_close(db1);\r\n\s\ssqlite3_open("test.db",\s&db1);\r\n\s\ssqlite3_open("test.db",\s&db2);\r\n\s\ssqlite3_exec(db1,\s"INSERT\sINTO\slog\sVALUES('startup');",\s0,\s0,\s0);\r\n\s\ssqlite3_exec(db2,\s"CREATE\sTABLE\snewtab(a,b);",\s0,\s0,\s0);\r\n\s\ssqlite3_exec(db1,\s"INSERT\sINTO\st1\sVALUES(1,2,3,4,5);",\s0,\s0,\s0);\r\n\s\ssqlite3_close(db1);\r\n\s\ssqlite3_close(db2);\r\n\s\sreturn\s0;\r\n}\r\n</verbatim></blockquote>\r\n\r\nThis\sproblem\sappears\sto\shave\sexisted\sin\sthe\svirtual\stable\simplementation\r\nforever.\s\sThe\stest\sprogram\sabove\sfirst\sbegan\sto\sfail\swith\r\ncheck-in\s[ebc9433f]\son\s2010-02-16\s(SQLite\sversion\s3.6.23)\sbecause\sthat\r\ncheck-in\swas\sthe\sfirst\sto\scause\sRTREE\sto\sinvoke\ssqlite3_step()\sfrom\swithin\r\nits\sxConnect\smethod.
J login drh
J mimetype text/x-fossil-wiki
J severity Severe
J status Open
J title Use-after-free\son\sschema\schange\swhere\sRTREE\sis\sused\sinside\sof\sa\strigger
J type Code_Defect
K be436a7f4587ce517ddc36f3670073563ecc6622
U drh
Z 738e3217450821192b62d7feeaf900f8