Control: reassign -1 libsqliteodbc 0.9999-1
Control: retitle -1 libsqliteodbc: regression: crashes (SIGSEGV) with line comments
Control: affects -1 + libdbd-odbc-perl
Control: tags -1 + patch
Control: forwarded -1 Christian Werner <c...@ch-werner.de>
On Wed, 20 Sep 2023 17:00:50 +0200 gregor herrmann wrote:

> As noticed by ci.debian.org, t/rt_57957.t started to fail at some
> point between 2023-09-02 and 2023-09-18.

The two tests that fail are the line comment ones:

  4 - Prepare with line comment named placeholder
  6 - Prepare with line comment and ? placeholder

They both fail by causing a SIGSEGV in Perl itself.

Executing the same SQL within sqlite3 does not cause a SIGSEGV:

  $ sqlite3
  SQLite version 3.43.1 2023-09-11 12:01:27
  Enter ".help" for usage hints.
  Connected to a transient in-memory database.
  Use ".open FILENAME" to reopen on a persistent database.
  sqlite> select -- placeholder ? in a comment
  1;
  1

When I modify the SQL a bit so that gdb can actually load the core dump
from inside pbuilder, I get a backtrace inside sqliteodbc.

When I downgrade libsqliteodbc from 0.9999-1 to 0.9998-3+b1 then the
crash no longer happens, so this is a bug in sqliteodbc.

When I modify the pyodbc tests to include a test with a line comment,
then I get a Python crash and the crash is fixed with 0.9998-3+b1.

Looking at the diff from 0.9998-3 to 0.9999-1, I see that this version
added support for line comments by adding this case to the code:

  case '-':
      *p++ = *q;
      if (!inq && q[1] == '-') {
          ++q;
          while (*q) {
              *p++ = *q;
              if (*q == '\n') {
                  break;
              }
          }
      }
      break;

So this is crashing because the q pointer isn't getting incremented so
it never reaches the \n character nor the end of the SQL string, but
the p pointer is getting incremented within the infinite loop, so it
gets incremented past the end of its allocated memory.

The fix is to increment both pointers at once.

  *p++ = *q++;

This fixes the libdbd-odbc-perl test failures too.

I have sent the attached patch to upstream.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
From 0bc7d682561c1a3e4cec4627e45c8cefa91f14a9 Mon Sep 17 00:00:00 2001 From: Paul Wise <pa...@bonedaddy.net> Date: Tue, 10 Oct 2023 12:45:17 +0800 Subject: [PATCH] Fix crash with line comments in SQL fixup The handling of line comments is crashing because the q pointer isn't getting incremented so it never reaches the \n character nor the end of the SQL string, but the p pointer is getting incremented within the infinite loop, so it gets incremented past the end of its allocated memory. This crash was introduced in version 0.9999. --- sqlite3odbc.c | 2 +- sqlite4odbc.c | 2 +- sqliteodbc.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sqlite3odbc.c b/sqlite3odbc.c index 94b407e..27f394f 100644 --- a/sqlite3odbc.c +++ b/sqlite3odbc.c @@ -2581,7 +2581,7 @@ errout: if (!inq && q[1] == '-') { ++q; while (*q) { - *p++ = *q; + *p++ = *q++; if (*q == '\n') { break; } diff --git a/sqlite4odbc.c b/sqlite4odbc.c index 78f2b1e..031cd1f 100644 --- a/sqlite4odbc.c +++ b/sqlite4odbc.c @@ -2561,7 +2561,7 @@ errout: if (!inq && q[1] == '-') { ++q; while (*q) { - *p++ = *q; + *p++ = *q++; if (*q == '\n') { break; } diff --git a/sqliteodbc.c b/sqliteodbc.c index c9c7a29..bad61ab 100644 --- a/sqliteodbc.c +++ b/sqliteodbc.c @@ -1730,7 +1730,7 @@ errout: if (!inq && q[1] == '-') { ++q; while (*q) { - *p++ = *q; + *p++ = *q++; if (*q == '\n') { break; } -- 2.42.0
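Review bot: In the sqlite3odbc.c hunk, `while (*q)` now exits in one of two states: q pointing at the '\n' that ended the comment, or q pointing at the terminating NUL when the comment runs to the end of the statement. The increment the surrounding loop applies after the `break` is outside this hunk, so please confirm it does not advance q past the NUL in the end-of-string case (check `*q` before stepping). A regression test with a trailing `-- comment` and no newline would cover that path, alongside the `?`-in-comment cases from t/rt_57957.t.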
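Review bot: The sqlite4odbc.c hunk is the second of three verbatim copies of the same comment-copying loop (sqlite3odbc.c and sqliteodbc.c carry the others), and this regression shipped precisely because a one-character defect in duplicated code is easy to miss. Consider moving the fixup loop into one shared helper, or at minimum add the same line-comment regression test for each driver variant so that a fix applied to one file cannot silently miss another.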
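Review bot: The sqliteodbc.c hunk stops the runaway write but leaves p unchecked against the destination's capacity, so any future cursor mistake in this loop becomes a heap overrun again rather than an error; the fix is correct as far as it goes, but a bound on p (capacity passed in, or computed from the allocation) would turn that class of bug into a clean failure. Also note in the commit message that `if (*q == '\n')` now tests the byte after the one just copied, so the newline itself is intentionally left for the outer loop to copy.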
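To make the failure mode concrete, here is an added example (not sqliteodbc's own code) of a stand-alone copy loop that reproduces the corrected line-comment handling from the patch. It copies a SQL string, keeps single-quoted literals intact, copies a `--` comment through to the end of its line, and counts `?` placeholders that sit outside quotes and comments (so the `?` in the report's comment is not counted). The outer loop, the explicit capacity check that returns an error instead of writing past the buffer, and the placeholder count are assumptions of this example; only the inner `*p++ = *q++;` loop mirrors the hunks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy src into dst (capacity cap), handling '--' line comments the way the
 * patched loop does, and count '?' placeholders outside quotes and comments.
 * Returns the number of bytes written (excluding the NUL) or -1 if dst is
 * too small. The capacity check and the placeholder count are this example's
 * additions; the driver's real fixup loop is not shown on the page beyond
 * the comment-handling case.
 */
long copy_sql_with_comments(const char *src, char *dst, size_t cap, int *nparams)
{
    const char *q = src;    /* read cursor */
    char *p = dst;          /* write cursor */
    char *end = dst + cap;  /* one past the last byte of dst */
    int inq = 0;            /* inside a single-quoted string literal? */
    int count = 0;

    if (cap == 0) {
        return -1;          /* not even room for the NUL */
    }
    while (*q) {
        if ((size_t)(end - p) < 2) {   /* need room for this byte and the NUL */
            return -1;
        }
        switch (*q) {
        case '\'':
            inq = !inq;
            *p++ = *q++;
            break;
        case '?':
            if (!inq) {
                ++count;    /* a real placeholder, not text in a literal */
            }
            *p++ = *q++;
            break;
        case '-':
            *p++ = *q++;    /* copy the first '-' */
            if (!inq && *q == '-') {
                /* Line comment: copy up to (not including) the newline; the
                 * outer loop then copies the newline like any other byte.
                 * Both cursors advance on every iteration. The regression
                 * left q frozen here, so q never reached '\n' or the NUL
                 * while p kept writing past the end of dst. */
                while (*q) {
                    if ((size_t)(end - p) < 2) {
                        return -1;
                    }
                    *p++ = *q++;
                    if (*q == '\n') {
                        break;
                    }
                }
                /* q now points at '\n' or at the terminating NUL */
            }
            break;
        default:
            *p++ = *q++;
            break;
        }
    }
    *p = '\0';
    if (nparams) {
        *nparams = count;
    }
    return (long)(p - dst);
}

/* Helper for checks: 1 if s round-trips unchanged with the expected count. */
int roundtrip_ok(const char *s, int want_params)
{
    char buf[256];
    int np = -1;
    long n = copy_sql_with_comments(s, buf, sizeof buf, &np);
    return n == (long)strlen(s) && strcmp(buf, s) == 0 && np == want_params;
}

/* Helper for checks: result code when s must fit into cap bytes. */
long fits_in(const char *s, size_t cap)
{
    char buf[256];
    return copy_sql_with_comments(s, buf, cap < sizeof buf ? cap : sizeof buf, NULL);
}

int main(void)
{
    /* Constructed inputs: the statement from the bug report and two variants. */
    const char *sql = "select -- placeholder ? in a comment\n1";
    char out[256];
    int np = 0;
    long n = copy_sql_with_comments(sql, out, sizeof out, &np);
    printf("wrote %ld bytes, %d placeholder(s):\n%s\n", n, np, out);
    printf("no-newline comment ok: %d\n", roundtrip_ok("select 1 -- trailing", 0));
    printf("small buffer -> %ld\n", fits_in("select 1", 4));
    return 0;
}
```

The `roundtrip_ok` and `fits_in` helpers exist only so the result can be checked without printing; the point of the example is that every path through the comment loop advances both cursors and that the destination bound is enforced, so a comment that never ends in a newline terminates at the NUL instead of running off the end of the buffer.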