SQLite Forum

[Bug] A NULL pointer dereference bug was discovered in SQLite

[Bug] A NULL pointer dereference bug was discovered in SQLite

(1) By salmonx on 2021-06-15 04:00:13 [link] [source]

NULL Pointer (sqlite3_vfs_find)

SQLITE_API sqlite3_vfs *sqlite3_vfs_find(const char *zVfs){
  int rc = sqlite3_initialize();
  if( rc ) return 0;            // NULL Pointer
  return pVfs;

NULL Pointer Deference


SQLITE_PRIVATE int sqlite3MemdbInit(void){
  sqlite3_vfs *pLower = sqlite3_vfs_find(0);
  unsigned int sz = pLower->szOsFile; // NULL Pointer Deference


int sqlite3_appendvfs_init(
  sqlite3 *db, 
  char **pzErrMsg, 
  const sqlite3_api_routines *pApi
  pOrig = sqlite3_vfs_find(0);
  apnd_vfs.iVersion = pOrig->iVersion; // NULL Pointer Deference
  apnd_vfs.pAppData = pOrig;
  apnd_vfs.szOsFile = pOrig->szOsFile + sizeof(ApndFile); //NULL Pointer Deference


/* Return the current wall-clock time */
static sqlite3_int64 timeOfDay(void){
  static sqlite3_vfs *clockVfs = 0;
  sqlite3_int64 t;
  if( clockVfs==0 ) clockVfs = sqlite3_vfs_find(0);
  if( clockVfs->iVersion>=2 && clockVfs->xCurrentTimeInt64!=0 ){ // NULL Pointer Deference
    clockVfs->xCurrentTimeInt64(clockVfs, &t);
    double r;
    clockVfs->xCurrentTime(clockVfs, &r); // NULL Pointer Deference
    t = (sqlite3_int64)(r*86400000.0);
  return t;

(2) By Rowan Worth (sqweek) on 2021-06-15 04:39:07 in reply to 1 [source]

The NULL dereference happens if sqlite3_initialize fails. In the context of sqlite3MemdbInit at least this will never happen, because sqlite3MemdbInit is only called by sqlite3_initialize (and recursive/subsequent calls to sqlite3_initialize are no-ops).

The most recent copy of the sqlite3 source I have on hand doesn't include sqlite3_appendvfs_init so I can't check whether that one is in a similar situation :)

I haven't analysed timeOfDay for the same reason, although it does seem like it's worth accounting for sqlite3_vfs_find(0) returning NULL in this context even if it's not currently called without a successful sqlite3_initialize.

(3) By Richard Hipp (drh) on 2021-06-15 15:17:09 in reply to 1 [link] [source]

This is not really a bug since it is not reachable. However, I have added additional code to trunk which should squelch the warnings from your static analyzer.