Assertion failure in sqlite3OsDlOpen function
(1) By Song Liu (songliu) on 2023-03-25 02:53:46
I found an assertion failure while SQLite (latest, a6e218a6e1ddd74b) executes the following queries.
CREATE TABLE v1 ( c1 );
INSERT INTO v1 VALUES ( load_extension ( hex ( hex ( zeroblob ( 127 * 8 + 8 ) ) ) ) );
Here are the outputs:
sqlite3: sqlite3.c:25175: sqlite3OsDlOpen: Assertion `strlen(zPath)<=SQLITE_MAX_PATHLEN' failed.
[1] 1802192 abort ./sqlite3 < poc
(2) By Song Liu (songliu) on 2023-03-25 03:00:17 in reply to 1
Here is the related code
/* tag-20210611-1. Some dlopen() implementations will segfault if given
** an oversize filename. Most filesystems have a pathname limit of 4K,
** so limit the extension filename length to about twice that.
** https://sqlite.org/forum/forumpost/08a0d6d9bf */
if( nMsg>SQLITE_MAX_PATHLEN ) goto extension_not_found;
handle = sqlite3OsDlOpen(pVfs, zFile);
#if SQLITE_OS_UNIX || SQLITE_OS_WIN
for(ii=0; ii<ArraySize(azEndings) && handle==0; ii++){
  char *zAltFile = sqlite3_mprintf("%s.%s", zFile, azEndings[ii]);
  if( zAltFile==0 ) return SQLITE_NOMEM_BKPT;
  handle = sqlite3OsDlOpen(pVfs, zAltFile);
  sqlite3_free(zAltFile);
}
#endif
There are two call sites of sqlite3OsDlOpen here. The assertion failure happened in calling the second sqlite3OsDlOpen function. zAltFile is generated from zFile. zFile has been checked while zAltFile is not. The length of zAltFile is larger than zFile and may exceed the SQLITE_MAX_PATHLEN limits so that error happened.
(3) By Song Liu (songliu) on 2023-03-25 19:53:01 in reply to 1
It seems the bug is fixed at commit 9f351bdee2a09a44. Thanks for your work!
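The pattern described in post (2), reduced to a standalone model: a length check on the base name does not cover names derived from it by appending a suffix. This is an added example, not SQLite's code and not the change made in the fixing commit; `MAX_PATHLEN`, `kEndings`, `stub_dlopen`, `probe` and `probe_len` are hypothetical names, and the 64-byte limit is an assumed value chosen to keep the demo small.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATHLEN 64  /* assumed demo limit, not SQLite's value */
static const char *const kEndings[] = { "so", "dylib", "dll" };  /* assumed suffixes */
static int violations;  /* over-long paths that reached the callee */

/* Stand-in for the OS-layer open: counts a broken precondition instead
** of asserting, and reports "not found" so every suffix gets tried. */
static void *stub_dlopen(const char *path){
  if( strlen(path)>MAX_PATHLEN ) violations++;
  return NULL;
}

/* Returns -1 if the base name is rejected, else the number of over-long
** paths passed to stub_dlopen(). check_derived==0 is the pattern from the
** post (base name checked only); 1 checks each derived name as well. */
int probe(const char *file, int check_derived){
  violations = 0;
  if( strlen(file)>MAX_PATHLEN ) return -1;
  stub_dlopen(file);
  for(size_t i=0; i<sizeof(kEndings)/sizeof(kEndings[0]); i++){
    size_t n = strlen(file) + strlen(kEndings[i]) + 2;  /* '.' and NUL */
    char *alt = malloc(n);
    if( alt==NULL ) return -1;
    snprintf(alt, n, "%s.%s", file, kEndings[i]);
    if( !check_derived || strlen(alt)<=MAX_PATHLEN ) stub_dlopen(alt);
    free(alt);
  }
  return violations;
}

/* Run probe() on a constructed name of exactly len 'a' characters. */
int probe_len(size_t len, int check_derived){
  char *name = malloc(len+1);
  if( name==NULL ) return -1;
  memset(name, 'a', len);
  name[len] = '\0';
  int r = probe(name, check_derived);
  free(name);
  return r;
}

int main(void){
  printf("base-only check, name at limit: %d over-long opens\n", probe_len(MAX_PATHLEN, 0));
  printf("per-candidate check, same name: %d over-long opens\n", probe_len(MAX_PATHLEN, 1));
  return 0;
}
```

A base name exactly at the limit is the boundary case: it passes the first check, and every suffixed candidate then exceeds the limit unless each one is checked on its own.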