SQLite Forum

Use of unitialized variable in 3.32.1
Login

Use of unitialized variable in 3.32.1

(1) By Jim Borden (borrrden) on 2020-05-29 23:54:20 [link] [source]

In the analyzeOneTable function the following occurs:

for(j=0; j<pPk->nKeyCol; j++){
    k = sqlite3TableColumnToIndex(pIdx, pPk->aiColumn[j]);
    assert( k>=0 && k<pIdx->nColumn );
    sqlite3VdbeAddOp3(v, OP_Column, iIdxCur, k, regKey+j);
    VdbeComment((v, "%s.column(%d)", pIdx->zName, i));
}

Note the use of i in the last line's comment. At least on GCC this gives a warning about the variable being possibly uninitialized and I think it was the intent to use j here.

(2) By anonymous on 2020-05-30 00:35:02 in reply to 1 [link] [source]

It needs -DSQLITE_ENABLE_STAT4, but clang would still not flag it. It does look like j is intended.

The code is at analyze.c:1213

(3) By Richard Hipp (drh) on 2020-05-30 00:43:50 in reply to 1 [source]

Thanks for the report! The problem is now fixed on trunk.

Notes:

  • This only happens if SQLite is compiled with -DSQLITE_ENABLE_EXPLAIN_COMMENTS and with -DSQLITE_ENABLE_STAT4. Most builds of SQLite do not include either of those options.

  • Even when it does happen, the uninitialized integer is the input to an %d format for a string that is used as a debugging comment in the byte-code. So, in other words, the problem causes a goofy comment to appear in the comment column of the EXPLAIN output. In other words, it is utterly harmless.

It is good that the problem was found. (Thanks, borrrden!) I only include the notes above to try to prevent a CVE from being written with a scary headline: "Critical Uninitialized Variable Usage In SQLite 3.32.1" How sad that CVE politics have degenerated to the point that I feel the need to do that....