/ Check-in [f91471e7]

Overview
Comment:Fix some segfaults that could occur in obscure circumstances where error messages contained characters that could be mistaken for printf format specifiers.
SHA1: f91471e7234db490f97298b1ccb8d6c7fc45b089
User & Date: dan 2010-10-21 15:12:44
Context
2010-10-21
22:58
Make sure the estimated row count for ephemeral tables is initialized so that automatic indices can be used on those tables. check-in: d30f7b2d user: drh tags: trunk
15:49
Merge trunk changes into experimental branch. check-in: fd1e5cad user: dan tags: experimental
15:12
Fix some segfaults that could occur in obscure circumstances where error messages contained characters that could be mistaken for printf format specifiers. check-in: f91471e7 user: dan tags: trunk
12:34
Fix a typo-bug that prevented --disable-amalgamation from working in Makefile.in. Also fix an overly long line in Makfile.in. check-in: 2c3c4ba0 user: drh tags: trunk
Changes

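--- a/src/vdbeblob.c
+++ b/src/vdbeblob.c
@@ -227,15 +227,15 @@
 
     sqlite3_bind_int64((sqlite3_stmt *)v, 1, iRow);
     rc = sqlite3_step((sqlite3_stmt *)v);
     if( rc!=SQLITE_ROW ){
       nAttempt++;
       rc = sqlite3_finalize((sqlite3_stmt *)v);
       sqlite3DbFree(db, zErr);
-      zErr = sqlite3MPrintf(db, sqlite3_errmsg(db));
+      zErr = sqlite3MPrintf(db, "%s", sqlite3_errmsg(db));
       v = 0;
     }
   } while( nAttempt<5 && rc==SQLITE_SCHEMA );
 
   if( rc==SQLITE_ROW ){
     /* The row-record has been opened successfully. Check that the
     ** column in question contains text or a blob. If it contains
@@ -274,15 +274,15 @@
     rc = SQLITE_ERROR;
   }
 
 blob_open_out:
   if( v && (rc!=SQLITE_OK || db->mallocFailed) ){
     sqlite3VdbeFinalize(v);
   }
-  sqlite3Error(db, rc, zErr);
+  sqlite3Error(db, rc, (zErr ? "%s" : 0), zErr);
   sqlite3DbFree(db, zErr);
   sqlite3StackFree(db, pParse);
   rc = sqlite3ApiExit(db, rc);
   sqlite3_mutex_leave(db->mutex);
   return rc;
 }
 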
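Review bot: The `(zErr ? "%s" : 0), zErr` form at `blob_open_out:` is not self-explanatory and should carry a comment, e.g. `/* zErr may contain '%' (it can include a caller-supplied column name); pass it as data, never as the format */`. The new incrblob-9.1 test shows that the string reaching this call includes a column name chosen by the caller, so this is a format-string issue on input the library does not control rather than only an obscure crash, and that reason is worth recording next to the code. The same comment applies to the identical call in the `else` branch changed in src/vtab.c. Since the pattern now appears twice, it would also be worth checking (outside these hunks) for other `sqlite3Error`/`sqlite3MPrintf` call sites whose format argument is not a string literal. The enclosing function starts above the first hunk.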

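--- a/src/vtab.c
+++ b/src/vtab.c
@@ -668,15 +668,15 @@
         pTab->aCol = pParse->pNewTable->aCol;
         pTab->nCol = pParse->pNewTable->nCol;
         pParse->pNewTable->nCol = 0;
         pParse->pNewTable->aCol = 0;
       }
       db->pVTab = 0;
     }else{
-      sqlite3Error(db, SQLITE_ERROR, zErr);
+      sqlite3Error(db, SQLITE_ERROR, (zErr ? "%s" : 0), zErr);
       sqlite3DbFree(db, zErr);
       rc = SQLITE_ERROR;
     }
     pParse->declareVtab = 0;
   
     if( pParse->pVdbe ){
       sqlite3VdbeFinalize(pParse->pVdbe);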

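--- a/test/incrblob.test
+++ b/test/incrblob.test
@@ -672,10 +672,19 @@
 do_test incrblob-8.6 {
   set rc [catch {sqlite3_blob_write $::b 0 etilqs 6} msg]
   lappend rc $msg
 } {0 {}}
 do_test incrblob-8.7 {
   execsql {SELECT b FROM t1 WHERE a = 314159}
 } {etilqs}
+
+# The following test case exposes an instance in the blob code where
+# an error message was set using a call similar to sqlite3_mprintf(zErr),
+# where zErr is an arbitrary string. This is no good if the string contains
+# characters that can be mistaken for printf() formatting directives.
+#
+do_test incrblob-9.1 {
+  list [catch { db incrblob t1 "A tricky column name %s%s" 1 } msg] $msg
+} {1 {no such column: "A tricky column name %s%s"}}
 
 
 finish_test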

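--- a/test/vtab1.test
+++ b/test/vtab1.test
@@ -1158,10 +1158,25 @@
   do_test vtab1-16.$tn {
     set echo_module_fail(xRename,t2) "the xRename method has failed"
     catchsql { ALTER TABLE echo_t2 RENAME TO another_name }
   } "1 {echo-vtab-error: the xRename method has failed}"
   unset echo_module_fail(xRename,t2)
   incr tn
 }
+
+# The following test case exposes an instance in sqlite3_declare_vtab()
+# an error message was set using a call similar to sqlite3_mprintf(zErr),
+# where zErr is an arbitrary string. This is no good if the string contains
+# characters that can be mistaken for printf() formatting directives.
+#
+do_test vtab1-17.1 {
+  execsql { 
+    PRAGMA writable_schema = 1;
+    INSERT INTO sqlite_master VALUES(
+      'table', 't3', 't3', 0, 'INSERT INTO "%s%s" VALUES(1)'
+    );
+  }
+  catchsql { CREATE VIRTUAL TABLE t4 USING echo(t3); }
+} {1 {vtable constructor failed: t4}}
 
 unset -nocomplain echo_module_begin_fail
 finish_test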
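Review bot: The comment above vtab1-17.1 is missing a word: `exposes an instance in sqlite3_declare_vtab() an error message was set` should read `exposes an instance in sqlite3_declare_vtab() where an error message was set`. The test also leaves `PRAGMA writable_schema = 1` enabled and the hand-inserted `t3` row in `sqlite_master`. No test case follows it in this file today, but a closing `execsql { PRAGMA writable_schema = 0 }` would keep later additions from inheriting that state. The expected result names only `t4`, so the test guards against the crash but does not show the `%s%s` text surviving verbatim; a one-line comment saying so would help the next reader.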