Release 0.21.8: fix: define - incorporate upstream fixes from statement_vtab (#94) · mlawren/sqlean

0.21.8
a08c9c6
Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.

GPG key ID: 4AEE18F83AFDEB23
Expired

Verified
Learn about vigilant mode
Compare

Choose a tag to compare

Loading

View all tags

0.21.8: fix: define - incorporate upstream fixes from statement_vtab (#94)

0.21.8
a08c9c6
Compare

Choose a tag to compare

Loading

View all tags
Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.

GPG key ID: 4AEE18F83AFDEB23
Expired

Verified
Learn about vigilant mode

0x09 tagged this 28 Aug 09:19

* Encode parameter indexes to a printable string in idxStr

This resolves a potential vulnerability on platforms with uncommon
integer widths (see below.)

Per the discussion in sqlite.org/forum/info/853f5b586ecbf11c idxStr is
strictly intended to reference valid string memory. statement_vtab uses
idxStr to supply parameter indexes to xFilter, previously passing these
as integer memory directly. It now serializes indexes using a fixed-
length 6 bit encoding, which for speed and simplicity is printable but
not necessarily readable.

idxStr is currently included in EXPLAIN query results as well as in
debug output from SQLite. On typical platforms where int is larger than
SQLite's column maximum of 32767, previous buffers were incidentally
valid for these only due to what amounts to several technicalities in
the C standard.

On platforms with less common integer widths -- such as those with 16
bit ints or where sizeof(int) is 1 -- there is a risk of overread and
disclosure of subsequent memory if an untrusted user is able to execute
an EXPLAIN query on a statement_vtab with a sufficient number of
columns.

Application of this fix can be verified at runtime with the following
SQL:
> CREATE VIRTUAL TABLE x USING statement((SELECT ?42, ?46));
> EXPLAIN SELECT * FROM x WHERE [46] = 0 AND [42] = 0;
In the output of EXPLAIN, the VFilter opcode's P4 register will read
"O!!!!!K!!!!!" (without quotes).

Corresponds to
0x09/sqlite-statement-vtab@400bea16a314bb3994c3912a6639f488af98e9e0

* Handle conflicting AND constraints on columns

Constraints such as `WHERE ColumnA = 1 AND ColumnA = 2` now result in an
empty set rather than an error, which is consistent with the behavior of
these queries against normal (non-virtual) SQLite tables.

Purely redundant constraints (where ColumnA = 1 AND ColumnA = 1)
likewise no longer result in an error.

Corresponds to
0x09/sqlite-statement-vtab@e8f20f31025d62a8a1f17a213c2b10ee5cc96517

* Clarify shallow copy of argv in xFilter

Corresponds to
0x09/sqlite-statement-vtab@77d338e03bcf9f27891db9f5db74ab3a78b1be15

Assets 2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly