View Ticket
13:45 Ticket [0eb70d77] Invalid pointer passed to the authorizer callback status still Fixed with 3 other changes (artifact: ee1c6f48 user: drh)
13:23 Fixed ticket [0eb70d77]. (artifact: 7fe0235d user: drh)
Make sure the authorizer callback gets a valid pointer to "ROWID" for the column-name parameter when doing an UPDATE that changes the rowid. Fix for ticket [0eb70d77cb05bb2272]. (check-in: 26a59bb8 user: drh tags: trunk)
13:03 New ticket [0eb70d77] Invalid pointer passed to the authorizer callback. (artifact: 6ec5e901 user: drh)

Ticket Hash: 0eb70d77cb05bb227203136b38199c957bb32e63
Title: Invalid pointer passed to the authorizer callback
Status: Fixed Type: Code_Defect
Severity: Important Priority: Immediate
Subsystem: Unknown Resolution: Fixed
Last Modified: 2013-05-06 13:45:39
Version Found In:
User Comments:
drh added on 2013-05-06 13:03:05:

The UPDATE statement in the following code reads past the end of an array and passes an invalid pointer to the authorizer callback:

CREATE TABLE t1(a,b,c,d,e,f,g,h);
UPDATE t1 SET rowid=rowid+100;

The problem can be seen by running the script above in the sqlite3 command-line shell using valgrind. This problem has been in the code since version 2.7.6 circa 2003-01-25 and appears to have been added by check-in [45de93f913a18026a]. The problem has not been noticed before now because it is obscure and mostly harmless - unless the authorizer is used on an UPDATE statement that changes the ROWID the worst that can happen is a single read past the end of an array.

drh added on 2013-05-06 13:45:39:

An additional requirement for hitting this bug is that the number of columns in the table being updated must be a multiple of 8.