
About vulnerabilities in SQLite native code

(1.2) By lappland on 2022-04-17 17:41:17 edited from 1.1 [link] [source]

I am currently doing research on the security of SQLite. I used Infer, an open-source vulnerability analysis engine, to scan the native code of SQLite 3.37.0.

The scan results show that there are still a number of vulnerabilities in the SQLite native code, such as null dereferences, uninitialized variables, and resource/memory leaks. I enclose the vulnerability report below for your reference.

Based on my analysis of these results, I have tried to design a tool that automatically detects and repairs vulnerabilities in SQLite, and I intend to make this tool available, FYI.

SQLite is the database engine I use most. I sincerely hope this report will help SQLite become stronger and more secure, and that these findings will be useful to you in improving SQLite in the future.

#0
tool/mkkeywordhash.c:520: error: Uninitialized Value
  The value read from aKWHash[_] was never initialized.
  518.     for(j=0; j<nKeyword; j++){
  519.       h = aKeywordTable[j].hash % i;
  520.       aKWHash[h] *= 2;
             ^
  521.       aKWHash[h]++;
  522.     }

#1
tool/mkkeywordhash.c:523: error: Uninitialized Value
  The value read from aKWHash[_] was never initialized.
  521.       aKWHash[h]++;
  522.     }
  523.     for(j=count=0; j<i; j++) count += aKWHash[j];
                                    ^
  524.     if( count<bestCount ){
  525.       bestCount = count;

#2
tool/mkkeywordhash.c:534: error: Uninitialized Value
  The value read from aKWHash[_] was never initialized.
  532.   for(i=0; i<nKeyword; i++){
  533.     h = aKeywordTable[i].hash % bestSize;
  534.     aKeywordTable[i].iNext = aKWHash[h];
           ^
  535.     aKWHash[h] = i+1;
  536.     reorder(&aKWHash[h]);

#3
tool/mkkeywordhash.c:587: error: Uninitialized Value
  The value read from aKWHash[_] was never initialized.
  585.   for(i=j=0; i<bestSize; i++){
  586.     if( j==0 ) printf("  ");
  587.     printf(" %3d,", aKWHash[i]);
           ^
  588.     j++;
  589.     if( j>12 ){

#4
tool/mkkeywordhash.c:653: error: Uninitialized Value
  The value read from aKWHash[_] was never initialized.
  651.   printf("/* Hash table decoded:\n");
  652.   for(i=0; i<bestSize; i++){
  653.     j = aKWHash[i];
           ^
  654.     printf("** %3d:", i);
  655.     while( j ){

#5
tool/lemon.c:1357: error: Null Dereference
  pointer `cfp` last assigned on line 1356 could be null and is dereferenced at line 1357, column 5.
  1355.   if( cfp==0 ){
  1356.     cfp = newconfig();
  1357.     cfp->rp = rp;
            ^
  1358.     cfp->dot = dot;
  1359.     cfp->fws = SetNew();

#6
tool/lemon.c:1383: error: Null Dereference
  pointer `cfp` last assigned on line 1382 could be null and is dereferenced at line 1383, column 5.
  1381.   if( cfp==0 ){
  1382.     cfp = newconfig();
  1383.     cfp->rp = rp;
            ^
  1384.     cfp->dot = dot;
  1385.     cfp->fws = SetNew();

#7
tool/lemon.c:1909: error: Uninitialized Value
  The value read from set[_] was never initialized.
  1907.     list = NEXT(list);
  1908.     NEXT(ep) = 0;
  1909.     for(i=0; i<LISTSIZE-1 && set[i]!=0; i++){
                                     ^
  1910.       ep = merge(ep,set[i],cmp,offset);
  1911.       set[i] = 0;

#8
tool/lemon.c:1916: error: Uninitialized Value
  The value read from set[_] was never initialized.
  1914.   }
  1915.   ep = 0;
  1916.   for(i=0; i<LISTSIZE; i++) if( set[i] ) ep = merge(set[i],ep,cmp,offset);
                                        ^
  1917.   return ep;
  1918. }

#9
shell.c:2945: error: Uninitialized Value
  The value read from n was never initialized.
  2943.         }
  2944. 
  2945.         sqlite3_result_text(ctx, aBuf, n, SQLITE_TRANSIENT);
                ^
  2946.         if( aBuf!=aStatic ) sqlite3_free(aBuf);
  2947. #endif

#10
tool/lemon.c:4008: error: Uninitialized Value
  The value read from used[_] was never initialized.
  4006.         }
  4007.       }
  4008.       if( !used[i] ){
                   ^
  4009.         ErrorMsg(lemp->filename,rp->ruleline,
  4010.           "Label %s for \"%s(%s)\" is never used.",

#11
shell.c:5778: error: Dead Store
  The value written to &i (type int) is never used.
  5776.   }
  5777.   if( idxNum & 4 ){
  5778.     pCur->iStep = sqlite3_value_int64(argv[i++]);
                                                   ^
  5779.     if( pCur->iStep==0 ){
  5780.       pCur->iStep = 1;

#12
shell.c:6269: error: Dead Store
  The value written to &j (type int) is never used.
  6267.         }
  6268.         case RE_OP_CC_INC: re_op_cc_inc: {
  6269.           int j = 1;
                  ^
  6270.           int n = pRe->aArg[x];
  6271.           int hit = 0;

#13
shell.c:7283: error: Dead Store
  The value written to &n (type unsigned long) is never used.
  7281. ){
  7282.   if( nWrite>0 ){
  7283.     size_t n = nWrite;
            ^
  7284.     fseek(pTab->pWriteFd, (long)pTab->szCurrent, SEEK_SET);
  7285.     n = fwrite(aWrite, 1, nWrite, pTab->pWriteFd);

#14
shell.c:7612: error: Uninitialized Value
  The value read from lfh.nExtra was never initialized.
  7610.       if( rc==SQLITE_OK ){
  7611.         pNew->iDataOff =  pNew->cds.iOffset + ZIPFILE_LFH_FIXED_SZ;
  7612.         pNew->iDataOff += lfh.nFile + lfh.nExtra;
                ^
  7613.         if( aBlob && pNew->cds.szCompressed ){
  7614.           pNew->aData = &pNew->aExtra[nExtra];

#15
shell.c:7612: error: Uninitialized Value
  The value read from lfh.nFile was never initialized.
  7610.       if( rc==SQLITE_OK ){
  7611.         pNew->iDataOff =  pNew->cds.iOffset + ZIPFILE_LFH_FIXED_SZ;
  7612.         pNew->iDataOff += lfh.nFile + lfh.nExtra;
                ^
  7613.         if( aBlob && pNew->cds.szCompressed ){
  7614.           pNew->aData = &pNew->aExtra[nExtra];

#16
shell.c:8162: error: Uninitialized Value
  The value read from zTemplate[_] was never initialized.
  8160.     }
  8161.     for(i=1; i<10; i++){
  8162.       if( z[i]==zTemplate[i] ) mode |= 1 << (9-i);
                  ^
  8163.       else if( z[i]!='-' ) goto parse_error;
  8164.     }

#17
shell.c:8309: error: Null Dereference
  pointer `zDelete` last assigned on line 8308 could be null and is dereferenced by call to `strlen()` at line 8309, column 24.
  8307.   if( sqlite3_value_type(apVal[0])!=SQLITE_NULL ){
  8308.     const char *zDelete = (const char*)sqlite3_value_text(apVal[0]);
  8309.     int nDelete = (int)strlen(zDelete);
                               ^
  8310.     if( nVal>1 ){
  8311.       const char *zUpdate = (const char*)sqlite3_value_text(apVal[1]);

#18
shell.c:10624: error: Dead Store
  The value written to &rc (type int) is never used.
  10622. 
  10623. static int idxCreateVtabSchema(sqlite3expert *p, char **pzErrmsg){
  10624.   int rc = idxRegisterVtab(p);
           ^
  10625.   sqlite3_stmt *pSchema = 0;
  10626. 

#19
shell.c:11712: error: Dead Store
  The value written to &pData (type unsigned char*) is never used.
  11710.           case 4:  v = (v<<8) + pData[0];  pData++;
  11711.           case 3:  v = (v<<8) + pData[0];  pData++;
  11712.           case 2:  v = (v<<8) + pData[0];  pData++;
                                                    ^
  11713.         }
  11714.   

#20
shell.c:15529: error: Uninitialized Value
  The value read from x[_] was never initialized.
  15527.       if( k+16<=n && k>=0 ){
  15528.         int ii;
  15529.         for(ii=0; ii<16; ii++) a[k+ii] = x[ii]&0xff;
                                        ^
  15530.       }
  15531.     }

#21
shell.c:15638: error: Null Dereference
  pointer `zText` last assigned on line 15636 could be null and is dereferenced at line 15638, column 7.
  15636.   const char *zText = (const char*)sqlite3_value_text(argv[0]);
  15637.   UNUSED_PARAMETER(argc);
  15638.   if( zText[0]=='\'' ){
               ^
  15639.     int nText = sqlite3_value_bytes(argv[0]);
  15640.     int i;

#22
shell.c:20000: error: Dead Store
  The value written to &iName (type int) is never used.
  19998.   if( c=='o' && strncmp(azArg[0], "open", n)==0 && n>=2 ){
  19999.     char *zNewFilename = 0;  /* Name of the database file to open */
  20000.     int iName = 1;           /* Index in azArg[] of the filename */
             ^
  20001.     int newFlag = 0;         /* True to delete file before opening */
  20002.     /* Close the existing database */

#23
sqlite3.c:29141: error: Dead Store
  The value written to &xtype (type unsigned char) is never used.
  29139.   etByte done;               /* Loop termination flag */
  29140.   etByte cThousand;          /* Thousands separator for %d and %u */
  29141.   etByte xtype = etINVALID;  /* Conversion paradigm */
           ^
  29142.   u8 bArgList;               /* True for SQLITE_PRINTF_SQLFUNC */
  29143.   char prefix;               /* Prefix character.  "+" or "-" or " " or '\0'. */

#24
sqlite3.c:32368: error: Uninitialized Value
  The value read from c was never initialized.
  32366.     b++;
  32367.   }
  32368.   return c;
           ^
  32369. }
  32370. SQLITE_API int sqlite3_strnicmp(const char *zLeft, const char *zRight, int N){

#25
sqlite3.c:34929: error: Uninitialized Value
  The value read from fd was never initialized.
  34927.     if( osOpen("/dev/null", O_RDONLY, m)<0 ) break;
  34928.   }
  34929.   if( fd>=0 ){
               ^
  34930.     if( m!=0 ){
  34931.       struct stat statbuf;

#26
sqlite3.c:34943: error: Uninitialized Value
  The value read from fd was never initialized.
  34941. #endif
  34942.   }
  34943.   return fd;
           ^
  34944. }
  34945. 

#27
sqlite3.c:37934: error: Dead Store
  The value written to &fd (type int) is never used.
  37932. static int openDirectory(const char *zFilename, int *pFd){
  37933.   int ii;
  37934.   int fd = -1;
           ^
  37935.   char zDirname[MAX_PATHNAME+1];
  37936. 

#28
sqlite3.c:50536: error: Uninitialized Value
  The value read from result.pDirty was never initialized.
  50534.     }
  50535.   }
  50536.   return result.pDirty;
           ^
  50537. }
  50538. 

#29
sqlite3.c:52262: error: Uninitialized Value
  The value read from head.pRight was never initialized.
  52260.     }
  52261.   }
  52262.   return head.pRight;
           ^
  52263. }
  52264. 

#30
sqlite3.c:64137: error: Null Dereference
  pointer `pLast` last assigned on line 63985 could be null and is dereferenced by call to `walWriteOneFrame()` at line 64137, column 14.
  64135.       testcase( bSync );
  64136.       while( iOffset<w.iSyncPoint ){
  64137.         rc = walWriteOneFrame(&w, pLast, nTruncate, iOffset);
                      ^
  64138.         if( rc ) return rc;
  64139.         iOffset += szFrame;

#31
sqlite3.c:67034: error: Dead Store
  The value written to &iCellFirst (type int) is never used.
  67032.   nCell = pPage->nCell;
  67033.   assert( nCell==get2byte(&data[hdr+3]) || CORRUPT_DB );
  67034.   iCellFirst = cellOffset + 2*nCell;
           ^
  67035.   usableSize = pPage->pBt->usableSize;
  67036. 

#32
sqlite3.c:67049: error: Dead Store
  The value written to &pEnd (type unsigned char*) is never used.
  67047.       if( iFree2>usableSize-4 ) return SQLITE_CORRUPT_PAGE(pPage);
  67048.       if( 0==iFree2 || (data[iFree2]==0 && data[iFree2+1]==0) ){
  67049.         u8 *pEnd = &data[cellOffset + nCell*2];
                 ^
  67050.         u8 *pAddr;
  67051.         int sz2 = 0;

#33
sqlite3.c:67521: error: Uninitialized Value
  The value read from next was never initialized.
  67519.       pc = next;
  67520.     }
  67521.     if( next>0 ){
                 ^
  67522.       /* Freeblock not in ascending order */
  67523.       return SQLITE_CORRUPT_PAGE(pPage);

#34
sqlite3.c:67525: error: Uninitialized Value
  The value read from size was never initialized.
  67523.       return SQLITE_CORRUPT_PAGE(pPage);
  67524.     }
  67525.     if( pc+size>(unsigned int)usableSize ){
                 ^
  67526.       /* Last freeblock extends past page end */
  67527.       return SQLITE_CORRUPT_PAGE(pPage);

#35
sqlite3.c:68103: error: Uninitialized Value
  The value read from zDbHeader[_] was never initialized.
  68101.     ** determined by the 2-byte integer located at an offset of 16 bytes from
  68102.     ** the beginning of the database file. */
  68103.     pBt->pageSize = (zDbHeader[16]<<8) | (zDbHeader[17]<<16);
             ^
  68104.     if( pBt->pageSize<512 || pBt->pageSize>SQLITE_MAX_PAGE_SIZE
  68105.          || ((pBt->pageSize-1)&pBt->pageSize)!=0 ){

#36
sqlite3.c:68124: error: Uninitialized Value
  The value read from zDbHeader[_] was never initialized.
  68122.       ** determined by the one-byte unsigned integer found at an offset of 20
  68123.       ** into the database file header. */
  68124.       nReserve = zDbHeader[20];
               ^
  68125.       pBt->btsFlags |= BTS_PAGESIZE_FIXED;
  68126. #ifndef SQLITE_OMIT_AUTOVACUUM

#37
sqlite3.c:71167: error: Uninitialized Value
  The value read from c was never initialized.
  71165.       assert( pCur->ix<pCur->pPage->nCell );
  71166.       pCur->ix = (u16)idx;
  71167.       *pRes = c;
               ^
  71168.       rc = SQLITE_OK;
  71169.       goto moveto_table_finish;

#38
sqlite3.c:71360: error: Uninitialized Value
  The value read from c was never initialized.
  71358.       assert( pCur->ix<pCur->pPage->nCell );
  71359.       pCur->ix = (u16)idx;
  71360.       *pRes = c;
               ^
  71361.       rc = SQLITE_OK;
  71362.       goto moveto_index_finish;

#39
sqlite3.c:73736: error: Uninitialized Value
  The value read from aPgFlags[_] was never initialized.
  73734.         sqlite3PagerRekey(apNew[iBest]->pDbPage, pBt->nPage+iBest+1, 0);
  73735.       }
  73736.       sqlite3PagerRekey(apNew[i]->pDbPage, pgno, aPgFlags[iBest]);
               ^
  73737.       apNew[i]->pgno = pgno;
  73738.     }

#40
sqlite3.c:73728: error: Uninitialized Value
  The value read from aPgOrder[_] was never initialized.
  73726.     int iBest = 0;                /* aPgno[] index of page number to use */
  73727.     for(j=1; j<nNew; j++){
  73728.       if( aPgOrder[j]<aPgOrder[iBest] ) iBest = j;
                   ^
  73729.     }
  73730.     pgno = aPgOrder[iBest];

#41
sqlite3.c:73730: error: Uninitialized Value
  The value read from aPgOrder[_] was never initialized.
  73728.       if( aPgOrder[j]<aPgOrder[iBest] ) iBest = j;
  73729.     }
  73730.     pgno = aPgOrder[iBest];
             ^
  73731.     aPgOrder[iBest] = 0xffffffff;
  73732.     if( iBest!=i ){

#42
sqlite3.c:73811: error: Uninitialized Value
  The value read from aPgno[_] was never initialized.
  73809.       ** overflow cell), we can skip updating the pointer map entries.  */
  73810.       if( iOld>=nNew
  73811.        || pNew->pgno!=aPgno[iOld]
                   ^
  73812.        || !SQLITE_WITHIN(pCell,pOld->aData,pOld->aDataEnd)
  73813.       ){

#43
sqlite3.c:73785: error: Uninitialized Value
  The value read from apNew[_] was never initialized.
  73783.   if( ISAUTOVACUUM ){
  73784.     MemPage *pOld;
  73785.     MemPage *pNew = pOld = apNew[0];
                             ^
  73786.     int cntOldNext = pNew->nCell + pNew->nOverflow;
  73787.     int iNew = 0;

#44
sqlite3.c:73796: error: Uninitialized Value
  The value read from apNew[_] was never initialized.
  73794.         assert( iOld<nNew || iOld<nOld );
  73795.         assert( iOld>=0 && iOld<NB );
  73796.         pOld = iOld<nNew ? apNew[iOld] : apOld[iOld];
                        ^
  73797.         cntOldNext += pOld->nCell + pOld->nOverflow + !leafData;
  73798.       }

#45
sqlite3.c:73800: error: Uninitialized Value
  The value read from apNew[_] was never initialized.
  73798.       }
  73799.       if( i==cntNew[iNew] ){
  73800.         pNew = apNew[++iNew];
                 ^
  73801.         if( !leafData ) continue;
  73802.       }

#46
sqlite3.c:73831: error: Uninitialized Value
  The value read from apNew[_] was never initialized.
  73829.     int sz;
  73830.     u8 *pSrcEnd;
  73831.     MemPage *pNew = apNew[i];
             ^
  73832.     j = cntNew[i];
  73833. 

#47
sqlite3.c:73425: error: Uninitialized Value
  The value read from apOld[_] was never initialized.
  73423.   **       leafData:  1 if pPage holds key+data and pParent holds only keys.
  73424.   */
  73425.   b.pRef = apOld[0];
           ^
  73426.   leafCorrection = b.pRef->leaf*4;
  73427.   leafData = b.pRef->intKeyLeaf;

#48
sqlite3.c:73429: error: Uninitialized Value
  The value read from apOld[_] was never initialized.
  73427.   leafData = b.pRef->intKeyLeaf;
  73428.   for(i=0; i<nOld; i++){
  73429.     MemPage *pOld = apOld[i];
             ^
  73430.     int limit = pOld->nCell;
  73431.     u8 *aData = pOld->aData;

#49
sqlite3.c:73542: error: Uninitialized Value
  The value read from apOld[_] was never initialized.
  73540.   usableSpace = pBt->usableSize - 12 + leafCorrection;
  73541.   for(i=k=0; i<nOld; i++, k++){
  73542.     MemPage *p = apOld[i];
             ^
  73543.     b.apEnd[k] = p->aDataEnd;
  73544.     b.ixNx[k] = cntOld[i];

#50
sqlite3.c:73667: error: Uninitialized Value
  The value read from apOld[_] was never initialized.
  73665.     MemPage *pNew;
  73666.     if( i<nOld ){
  73667.       pNew = apNew[i] = apOld[i];
                      ^
  73668.       apOld[i] = 0;
  73669.       rc = sqlite3PagerWrite(pNew->pDbPage);

#51
sqlite3.c:73796: error: Uninitialized Value
  The value read from apOld[_] was never initialized.
  73794.         assert( iOld<nNew || iOld<nOld );
  73795.         assert( iOld>=0 && iOld<NB );
  73796.         pOld = iOld<nNew ? apNew[iOld] : apOld[iOld];
                        ^
  73797.         cntOldNext += pOld->nCell + pOld->nOverflow + !leafData;
  73798.       }

#52
sqlite3.c:73573: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73571.       szNew[i] -= sz;
  73572.       if( !leafData ){
  73573.         if( cntNew[i]<b.nCell ){
                     ^
  73574.           sz = 2 + cachedCellSize(&b, cntNew[i]);
  73575.         }else{

#53
sqlite3.c:73574: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73572.       if( !leafData ){
  73573.         if( cntNew[i]<b.nCell ){
  73574.           sz = 2 + cachedCellSize(&b, cntNew[i]);
                            ^
  73575.         }else{
  73576.           sz = 0;

#54
sqlite3.c:73580: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73578.       }
  73579.       szNew[i+1] += sz;
  73580.       cntNew[i]--;
               ^
  73581.     }
  73582.     while( cntNew[i]<b.nCell ){

#55
sqlite3.c:73582: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73580.       cntNew[i]--;
  73581.     }
  73582.     while( cntNew[i]<b.nCell ){
                    ^
  73583.       sz = 2 + cachedCellSize(&b, cntNew[i]);
  73584.       if( szNew[i]+sz>usableSpace ) break;

#56
sqlite3.c:73583: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73581.     }
  73582.     while( cntNew[i]<b.nCell ){
  73583.       sz = 2 + cachedCellSize(&b, cntNew[i]);
                        ^
  73584.       if( szNew[i]+sz>usableSpace ) break;
  73585.       szNew[i] += sz;

#57
sqlite3.c:73586: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73584.       if( szNew[i]+sz>usableSpace ) break;
  73585.       szNew[i] += sz;
  73586.       cntNew[i]++;
               ^
  73587.       if( !leafData ){
  73588.         if( cntNew[i]<b.nCell ){

#58
sqlite3.c:73596: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73594.       szNew[i+1] -= sz;
  73595.     }
  73596.     if( cntNew[i]>=b.nCell ){
                 ^
  73597.       k = i+1;
  73598.     }else if( cntNew[i] <= (i>0 ? cntNew[i-1] : 0) ){

#59
sqlite3.c:73598: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73596.     if( cntNew[i]>=b.nCell ){
  73597.       k = i+1;
  73598.     }else if( cntNew[i] <= (i>0 ? cntNew[i-1] : 0) ){
                       ^
  73599.       rc = SQLITE_CORRUPT_BKPT;
  73600.       goto balance_cleanup;

#60
sqlite3.c:73598: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73596.     if( cntNew[i]>=b.nCell ){
  73597.       k = i+1;
  73598.     }else if( cntNew[i] <= (i>0 ? cntNew[i-1] : 0) ){
                                     ^
  73599.       rc = SQLITE_CORRUPT_BKPT;
  73600.       goto balance_cleanup;

#61
sqlite3.c:73621: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73619.     int d;              /* Index of first cell to the left of right sibling */
  73620. 
  73621.     r = cntNew[i-1] - 1;
             ^
  73622.     d = r + 1 - leafData;
  73623.     (void)cachedCellSize(&b, d);

#62
sqlite3.c:73640: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73638.     szNew[i] = szRight;
  73639.     szNew[i-1] = szLeft;
  73640.     if( cntNew[i-1] <= (i>1 ? cntNew[i-2] : 0) ){
                 ^
  73641.       rc = SQLITE_CORRUPT_BKPT;
  73642.       goto balance_cleanup;

#63
sqlite3.c:73640: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73638.     szNew[i] = szRight;
  73639.     szNew[i-1] = szLeft;
  73640.     if( cntNew[i-1] <= (i>1 ? cntNew[i-2] : 0) ){
                                 ^
  73641.       rc = SQLITE_CORRUPT_BKPT;
  73642.       goto balance_cleanup;

#64
sqlite3.c:73799: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73797.         cntOldNext += pOld->nCell + pOld->nOverflow + !leafData;
  73798.       }
  73799.       if( i==cntNew[iNew] ){
                   ^
  73800.         pNew = apNew[++iNew];
  73801.         if( !leafData ) continue;

#65
sqlite3.c:73832: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73830.     u8 *pSrcEnd;
  73831.     MemPage *pNew = apNew[i];
  73832.     j = cntNew[i];
             ^
  73833. 
  73834.     assert( j<nMaxCells );

#66
sqlite3.c:73912: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73910.     if( abDone[iPg] ) continue;         /* Skip pages already processed */
  73911.     if( i>=0                            /* On the upwards pass, or... */
  73912.      || cntOld[iPg-1]>=cntNew[iPg-1]    /* Condition (1) is true */
                 ^
  73913.     ){
  73914.       int iNew;

#67
sqlite3.c:73928: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73926.       if( iPg==0 ){
  73927.         iNew = iOld = 0;
  73928.         nNewCell = cntNew[0];
                 ^
  73929.       }else{
  73930.         iOld = iPg<nOld ? (cntOld[iPg-1] + !leafData) : b.nCell;

#68
sqlite3.c:73931: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73929.       }else{
  73930.         iOld = iPg<nOld ? (cntOld[iPg-1] + !leafData) : b.nCell;
  73931.         iNew = cntNew[iPg-1] + !leafData;
                 ^
  73932.         nNewCell = cntNew[iPg] - iNew;
  73933.       }

#69
sqlite3.c:73932: error: Uninitialized Value
  The value read from cntNew[_] was never initialized.
  73930.         iOld = iPg<nOld ? (cntOld[iPg-1] + !leafData) : b.nCell;
  73931.         iNew = cntNew[iPg-1] + !leafData;
  73932.         nNewCell = cntNew[iPg] - iNew;
                 ^
  73933.       }
  73934. 

#70
sqlite3.c:73544: error: Uninitialized Value
  The value read from cntOld[_] was never initialized.
  73542.     MemPage *p = apOld[i];
  73543.     b.apEnd[k] = p->aDataEnd;
  73544.     b.ixNx[k] = cntOld[i];
             ^
  73545.     if( k && b.ixNx[k]==b.ixNx[k-1] ){
  73546.       k--;  /* Omit b.ixNx[] entry for child pages with no cells */

#71
sqlite3.c:73551: error: Uninitialized Value
  The value read from cntOld[_] was never initialized.
  73549.       k++;
  73550.       b.apEnd[k] = pParent->aDataEnd;
  73551.       b.ixNx[k] = cntOld[i]+1;
               ^
  73552.     }
  73553.     assert( p->nFree>=0 );

#72
sqlite3.c:73558: error: Uninitialized Value
  The value read from cntOld[_] was never initialized.
  73556.       szNew[i] += 2 + p->xCellSize(p, p->apOvfl[j]);
  73557.     }
  73558.     cntNew[i] = cntOld[i];
             ^
  73559.   }
  73560.   k = nOld;

#73
sqlite3.c:73912: error: Uninitialized Value
  The value read from cntOld[_] was never initialized.
  73910.     if( abDone[iPg] ) continue;         /* Skip pages already processed */
  73911.     if( i>=0                            /* On the upwards pass, or... */
  73912.      || cntOld[iPg-1]>=cntNew[iPg-1]    /* Condition (1) is true */
                 ^
  73913.     ){
  73914.       int iNew;

#74
sqlite3.c:73930: error: Uninitialized Value
  The value read from cntOld[_] was never initialized.
  73928.         nNewCell = cntNew[0];
  73929.       }else{
  73930.         iOld = iPg<nOld ? (cntOld[iPg-1] + !leafData) : b.nCell;
                        ^
  73931.         iNew = cntNew[iPg-1] + !leafData;
  73932.         nNewCell = cntNew[iPg] - iNew;

#75
sqlite3.c:73491: error: Uninitialized Value
  The value read from szNew[_] was never initialized.
  73489.     cntOld[i] = b.nCell;
  73490.     if( i<nOld-1 && !leafData){
  73491.       u16 sz = (u16)szNew[i];
               ^
  73492.       u8 *pTemp;
  73493.       assert( b.nCell<nMaxCells );

#76
sqlite3.c:73563: error: Uninitialized Value
  The value read from szNew[_] was never initialized.
  73561.   for(i=0; i<k; i++){
  73562.     int sz;
  73563.     while( szNew[i]>usableSpace ){
                    ^
  73564.       if( i+1>=k ){
  73565.         k = i+2;

#77
sqlite3.c:73571: error: Uninitialized Value
  The value read from szNew[_] was never initialized.
  73569.       }
  73570.       sz = 2 + cachedCellSize(&b, cntNew[i]-1);
  73571.       szNew[i] -= sz;
               ^
  73572.       if( !leafData ){
  73573.         if( cntNew[i]<b.nCell ){

#78
sqlite3.c:73584: error: Uninitialized Value
  The value read from szNew[_] was never initialized.
  73582.     while( cntNew[i]<b.nCell ){
  73583.       sz = 2 + cachedCellSize(&b, cntNew[i]);
  73584.       if( szNew[i]+sz>usableSpace ) break;
                   ^
  73585.       szNew[i] += sz;
  73586.       cntNew[i]++;

#79
sqlite3.c:73585: error: Uninitialized Value
  The value read from szNew[_] was never initialized.
  73583.       sz = 2 + cachedCellSize(&b, cntNew[i]);
  73584.       if( szNew[i]+sz>usableSpace ) break;
  73585.       szNew[i] += sz;
               ^
  73586.       cntNew[i]++;
  73587.       if( !leafData ){

#80
sqlite3.c:73616: error: Uninitialized Value
  The value read from szNew[_] was never initialized.
  73614.   */
  73615.   for(i=k-1; i>0; i--){
  73616.     int szRight = szNew[i];  /* Size of sibling on the right */
             ^
  73617.     int szLeft = szNew[i-1]; /* Size of sibling on the left */
  73618.     int r;              /* Index of right-most cell in left sibling */

#81
sqlite3.c:73617: error: Uninitialized Value
  The value read from szNew[_] was never initialized.
  73615.   for(i=k-1; i>0; i--){
  73616.     int szRight = szNew[i];  /* Size of sibling on the right */
  73617.     int szLeft = szNew[i-1]; /* Size of sibling on the left */
             ^
  73618.     int r;              /* Index of right-most cell in left sibling */
  73619.     int d;              /* Index of first cell to the left of right sibling */

#82
sqlite3.c:73938: error: Uninitialized Value
  The value read from szNew[_] was never initialized.
  73936.       if( rc ) goto balance_cleanup;
  73937.       abDone[iPg]++;
  73938.       apNew[iPg]->nFree = usableSpace-szNew[iPg];
               ^
  73939.       assert( apNew[iPg]->nOverflow==0 );
  73940.       assert( apNew[iPg]->nCell==nNewCell );

#83
sqlite3.c:76785: error: Dead Store
  The value written to &nSrcPage (type int) is never used.
  76783.     Pager * const pDestPager = sqlite3BtreePager(p->pDest);   /* Dest pager */
  76784.     int ii;                            /* Iterator variable */
  76785.     int nSrcPage = -1;                 /* Size of source db in pages */
             ^
  76786.     int bCloseTrans = 0;               /* True if src db requires unlocking */
  76787. 

#84
sqlite3.c:80891: error: Null Dereference
  pointer `&x->zText` last assigned on line 80805 could be null and is dereferenced by call to `sqlite3_str_append()` at line 80891, column 7.
  80889.         sqlite3_str_appendf(&x, "%c%u", (i==1 ? '[' : ','), ai[i]);
  80890.       }
  80891.       sqlite3_str_append(&x, "]", 1);
               ^
  80892.       break;
  80893.     }

#85
sqlite3.c:81227: error: Uninitialized Value
  The value read from i was never initialized.
  81225.   }
  81226.   *piPc = iPc;
  81227.   *piAddr = i;
           ^
  81228.   *paOp = aOp;
  81229.   return rc;

#86
sqlite3.c:86597: error: Null Dereference
  pointer `&out->zText` last assigned on line 86592 could be null and is dereferenced by call to `sqlite3_str_append()` at line 86597, column 7.
  86595.       const char *zStart = zRawSql;
  86596.       while( *(zRawSql++)!='\n' && *zRawSql );
  86597.       sqlite3_str_append(&out, "-- ", 3);
               ^
  86598.       assert( (zRawSql - zStart) > 0 );
  86599.       sqlite3_str_append(&out, zStart, (int)(zRawSql-zStart));

#87
sqlite3.c:90673: error: Dead Store
  The value written to &p2 (type unsigned int) is never used.
  90671.     assert( (pIn2->flags & MEM_Int)!=0 );
  90672.     sqlite3VdbeMemIntegerify(pIn2);
  90673.     p2 = (int)pIn2->u.i;
             ^
  90674.     /* The p2 value always comes from a prior OP_CreateBtree opcode and
  90675.     ** that opcode will always set the p2 value to 2 or more or else fail.

#88
sqlite3.c:90653: error: Dead Store
  The value written to &pX (type Btree*) is never used.
  90651.   assert( DbMaskTest(p->btreeMask, iDb) );
  90652.   pDb = &db->aDb[iDb];
  90653.   pX = pDb->pBt;
           ^
  90654.   assert( pX!=0 );
  90655.   if( pOp->opcode==OP_OpenWrite ){

#89
sqlite3.c:90657: error: Dead Store
  The value written to &wrFlag (type int) is never used.
  90655.   if( pOp->opcode==OP_OpenWrite ){
  90656.     assert( OPFLAG_FORDELETE==BTREE_FORDELETE );
  90657.     wrFlag = BTREE_WRCSR | (pOp->p5 & OPFLAG_FORDELETE);
             ^
  90658.     assert( sqlite3SchemaMutexHeld(db, iDb, 0) );
  90659.     if( pDb->pSchema->file_format < p->minWriteFileFormat ){

#90
sqlite3.c:97424: error: Null Dereference
  pointer `pTask` last assigned on line 97386 could be null and is dereferenced at line 97424, column 14.
  97422.       assert( pTask->list.aMemory==0 || pSorter->list.aMemory!=0 );
  97423. 
  97424.       aMem = pTask->list.aMemory;
                      ^
  97425.       pCtx = (void*)pTask;
  97426.       pSorter->iPrev = (u8)(pTask - pSorter->aTask);

#91
sqlite3.c:100423: error: Uninitialized Value
  The value read from anRef[_] was never initialized.
  100421.         pExpr->op = TK_TRUEFALSE;
  100422.         for(i=0, p=pNC; p && i<ArraySize(anRef); p=p->pNext, i++){
  100423.           p->nRef = anRef[i];
                    ^
  100424.         }
  100425.         sqlite3ExprDelete(pParse->db, pExpr->pLeft);

#92
sqlite3.c:103732: error: Null Dereference
  pointer `pExpr` last assigned on line 103727 could be null and is dereferenced at line 103732, column 10.
  103730.   assert( sqlite3StrICmp(pExpr->u.zToken,"true")==0
  103731.        || sqlite3StrICmp(pExpr->u.zToken,"false")==0 );
  103732.   return pExpr->u.zToken[4]==0;
                   ^
  103733. }
  103734. 

#93
sqlite3.c:110464: error: Uninitialized Value
  The value read from aCreateTbl[_] was never initialized.
  110462.     assert( i<ArraySize(aTable) );
  110463.     sqlite3VdbeAddOp4Int(v, OP_OpenWrite, iStatCur+i, (int)aRoot[i], iDb, 3);
  110464.     sqlite3VdbeChangeP5(v, aCreateTbl[i]);
              ^
  110465.     VdbeComment((v, aTable[i].zName));
  110466.   }

#94
sqlite3.c:110463: error: Uninitialized Value
  The value read from aRoot[_] was never initialized.
  110461.   for(i=0; i<nToOpen; i++){
  110462.     assert( i<ArraySize(aTable) );
  110463.     sqlite3VdbeAddOp4Int(v, OP_OpenWrite, iStatCur+i, (int)aRoot[i], iDb, 3);
              ^
  110464.     sqlite3VdbeChangeP5(v, aCreateTbl[i]);
  110465.     VdbeComment((v, aTable[i].zName));

#95
sqlite3.c:111194: error: Dead Store
  The value written to &jZeroRows (type int) is never used.
  111192.   Vdbe *v;                     /* The virtual machine being built up */
  111193.   int i;                       /* Loop counter */
  111194.   int jZeroRows = -1;          /* Jump from here if number of rows is zero */
            ^
  111195.   int iDb;                     /* Index of database containing pTab */
  111196.   u8 needTableCnt = 1;         /* True to count the table */

#96
sqlite3.c:114883: error: Null Dereference
  pointer `pCExpr` last assigned on line 114881 could be null and is dereferenced by call to `sqlite3StringToId()` at line 114883, column 7.
  114881.       Expr *pCExpr = sqlite3ExprSkipCollate(pList->a[i].pExpr);
  114882.       assert( pCExpr!=0 );
  114883.       sqlite3StringToId(pCExpr);
                ^
  114884.       if( pCExpr->op==TK_ID ){
  114885.         const char *zCName;

#97
sqlite3.c:118560: error: Null Dereference
  pointer `pNew` last assigned on line 118553 could be null and is dereferenced at line 118560, column 5.
  118558.     sqlite3SelectDelete(db, pQuery);
  118559.   }else{
  118560.     pNew->pSelect = pQuery;
              ^
  118561.     pNew->pCols = pArglist;
  118562.     pNew->zName = sqlite3NameFromToken(pParse->db, pName);

#98
sqlite3.c:118712: error: Null Dereference
  pointer `pColl2` last assigned on line 118711 could be null and is dereferenced at line 118712, column 9.
  118710.   for(i=0; i<3; i++){
  118711.     pColl2 = sqlite3FindCollSeq(db, aEnc[i], z, 0);
  118712.     if( pColl2->xCmp!=0 ){
                  ^
  118713.       memcpy(pColl, pColl2, sizeof(CollSeq));
  118714.       pColl->xDel = 0;         /* Do not copy the destructor */

#99
sqlite3.c:119462: error: Dead Store
  The value written to &nPk (type short) is never used.
  119460.   Index *pPk;            /* The PRIMARY KEY index on the table */
  119461.   int iPk = 0;           /* First of nPk registers holding PRIMARY KEY value */
  119462.   i16 nPk = 1;           /* Number of columns in the PRIMARY KEY */
            ^
  119463.   int iKey;              /* Memory cell holding key of row to be deleted */
  119464.   i16 nKey;              /* Number of memory cells in the row key */

#100
sqlite3.c:125678: error: Null Dereference
  pointer `pPk` last assigned on line 125677 could be null and is dereferenced at line 125678, column 16.
  125676.   }else{
  125677.     pPk = sqlite3PrimaryKeyIndex(pTab);
  125678.     nPkField = pPk->nKeyCol;
                         ^
  125679.   }
  125680. 

#101
sqlite3.c:131029: error: Dead Store
  The value written to &x (type int) is never used.
  131027.         aiCols = 0;
  131028.         if( pParent ){
  131029.           x = sqlite3FkLocateIndex(pParse, pParent, pFK, &pIdx, &aiCols);
                    ^
  131030.           assert( x==0 || db->mallocFailed );
  131031.         }

#102
sqlite3.c:132489: error: Uninitialized Value
  The value read from meta[_] was never initialized.
  132487.     memset(meta, 0, sizeof(meta));
  132488.   }
  132489.   pDb->pSchema->schema_cookie = meta[BTREE_SCHEMA_VERSION-1];
            ^
  132490. 
  132491.   /* If opening a non-empty database, check the text encoding. For the

#103
sqlite3.c:132496: error: Uninitialized Value
  The value read from meta[_] was never initialized.
  132494.   ** as sqlite3.enc.
  132495.   */
  132496.   if( meta[BTREE_TEXT_ENCODING-1] ){  /* text encoding */
                ^
  132497.     if( iDb==0 && (db->mDbFlags & DBFLAG_EncodingFixed)==0 ){
  132498.       u8 encoding;

#104
sqlite3.c:132501: error: Uninitialized Value
  The value read from meta[_] was never initialized.
  132499. #ifndef SQLITE_OMIT_UTF16
  132500.       /* If opening the main database, set ENC(db). */
  132501.       encoding = (u8)meta[BTREE_TEXT_ENCODING-1] & 3;
                ^
  132502.       if( encoding==0 ) encoding = SQLITE_UTF8;
  132503. #else

#105
sqlite3.c:132509: error: Uninitialized Value
  The value read from meta[_] was never initialized.
  132507.     }else{
  132508.       /* If opening an attached database, the encoding much match ENC(db) */
  132509.       if( (meta[BTREE_TEXT_ENCODING-1] & 3)!=ENC(db) ){
                    ^
  132510.         sqlite3SetString(pzErrMsg, db, "attached databases must use the same"
  132511.             " text encoding as main database");

#106
sqlite3.c:132521: error: Uninitialized Value
  The value read from meta[_] was never initialized.
  132519.   if( pDb->pSchema->cache_size==0 ){
  132520. #ifndef SQLITE_OMIT_DEPRECATED
  132521.     size = sqlite3AbsInt32(meta[BTREE_DEFAULT_CACHE_SIZE-1]);
                     ^
  132522.     if( size==0 ){ size = SQLITE_DEFAULT_CACHE_SIZE; }
  132523.     pDb->pSchema->cache_size = size;

#107
sqlite3.c:132536: error: Uninitialized Value
  The value read from meta[_] was never initialized.
  132534.   ** file_format==4    Version 3.3.0.  // DESC indices.  Boolean constants
  132535.   */
  132536.   pDb->pSchema->file_format = (u8)meta[BTREE_FILE_FORMAT-1];
            ^
  132537.   if( pDb->pSchema->file_format==0 ){
  132538.     pDb->pSchema->file_format = 1;

#108
sqlite3.c:132551: error: Uninitialized Value
  The value read from meta[_] was never initialized.
  132549.   ** indices that the user might have created.
  132550.   */
  132551.   if( iDb==0 && meta[BTREE_FILE_FORMAT-1]>=4 ){
                          ^
  132552.     db->flags &= ~(u64)SQLITE_LegacyFileFmt;
  132553.   }

#109
sqlite3.c:135690: error: Dead Store
  The value written to &eDest (type int) is never used.
  135688.   int iQueue;                   /* The Queue table */
  135689.   int iDistinct = 0;            /* To ensure unique results if UNION */
  135690.   int eDest = SRT_Fifo;         /* How to write to Queue */
            ^
  135691.   SelectDest destQueue;         /* SelectDest targetting the Queue table */
  135692.   int i;                        /* Loop counter */

#110
sqlite3.c:138738: error: Dead Store
  The value written to &pTab (type Table*) is never used.
  138736.     }else if( (rc = resolveFromTermToCte(pParse, pWalker, pFrom))!=0 ){
  138737.       if( rc>1 ) return WRC_Abort;
  138738.       pTab = pFrom->pTab;
                ^
  138739.       assert( pTab!=0 );
  138740. #endif

#111
sqlite3.c:139534: error: Dead Store
  The value written to &rc (type int) is never used.
  139532.   Expr *pHaving;         /* The HAVING clause.  May be NULL */
  139533.   AggInfo *pAggInfo = 0; /* Aggregate information */
  139534.   int rc = 1;            /* Value to return from this function */
            ^
  139535.   DistinctCtx sDistinct; /* Info on how to code the DISTINCT keyword */
  139536.   SortCtx sSort;         /* Info on how to code the ORDER BY clause */

#112
sqlite3.c:139543: error: Dead Store
  The value written to &v (type Vdbe*) is never used.
  139541. 
  139542.   db = pParse->db;
  139543.   v = sqlite3GetVdbe(pParse);
            ^
  139544.   if( p==0 || db->mallocFailed || pParse->nErr ){
  139545.     return 1;

#113
sqlite3.c:143170: error: Uninitialized Value
  The value read from aiCurOnePass[_] was never initialized.
  143168.       /* Open every index that needs updating. */
  143169.       if( eOnePass!=ONEPASS_OFF ){
  143170.         if( aiCurOnePass[0]>=0 ) aToOpen[aiCurOnePass[0]-iBaseCur] = 0;
                      ^
  143171.         if( aiCurOnePass[1]>=0 ) aToOpen[aiCurOnePass[1]-iBaseCur] = 0;
  143172.       }

#114
sqlite3.c:143171: error: Uninitialized Value
  The value read from aiCurOnePass[_] was never initialized.
  143169.       if( eOnePass!=ONEPASS_OFF ){
  143170.         if( aiCurOnePass[0]>=0 ) aToOpen[aiCurOnePass[0]-iBaseCur] = 0;
  143171.         if( aiCurOnePass[1]>=0 ) aToOpen[aiCurOnePass[1]-iBaseCur] = 0;
                      ^
  143172.       }
  143173. 

#115
sqlite3.c:143174: error: Uninitialized Value
  The value read from aiCurOnePass[_] was never initialized.
  143172.       }
  143173. 
  143174.       if( eOnePass==ONEPASS_MULTI && (nIdx-(aiCurOnePass[1]>=0))>0 ){
                                                      ^
  143175.         addrOnce = sqlite3VdbeAddOp0(v, OP_Once); VdbeCoverage(v);
  143176.       }

#116
sqlite3.c:143186: error: Uninitialized Value
  The value read from aiCurOnePass[_] was never initialized.
  143184.     /* Top of the update loop */
  143185.     if( eOnePass!=ONEPASS_OFF ){
  143186.       if( aiCurOnePass[0]!=iDataCur
                    ^
  143187.        && aiCurOnePass[1]!=iDataCur
  143188. #ifdef SQLITE_ALLOW_ROWID_IN_VIEW

#117
sqlite3.c:143187: error: Uninitialized Value
  The value read from aiCurOnePass[_] was never initialized.
  143185.     if( eOnePass!=ONEPASS_OFF ){
  143186.       if( aiCurOnePass[0]!=iDataCur
  143187.        && aiCurOnePass[1]!=iDataCur
                    ^
  143188. #ifdef SQLITE_ALLOW_ROWID_IN_VIEW
  143189.        && !isView

#118
sqlite3.c:146825: error: Null Dereference
  pointer `pNew` last assigned on line 146815 could be null and is dereferenced at line 146825, column 16.
  146823. 
  146824.     assert( ExprUseXSelect(pNew) );
  146825.     pOrigRhs = pNew->x.pSelect->pEList;
                         ^
  146826.     assert( pNew->pLeft!=0 );
  146827.     assert( ExprUseXList(pNew->pLeft) );

#119
sqlite3.c:147928: error: Dead Store
  The value written to &j (type int) is never used.
  147926.     pStart = pEnd = 0;
  147927.     if( pLoop->wsFlags & WHERE_BTM_LIMIT ) pStart = pLoop->aLTerm[j++];
  147928.     if( pLoop->wsFlags & WHERE_TOP_LIMIT ) pEnd = pLoop->aLTerm[j++];
                                                                          ^
  147929.     assert( pStart!=0 || pEnd!=0 );
  147930.     if( bRev ){

#120
sqlite3.c:148108: error: Dead Store
  The value written to &j (type int) is never used.
  148106.     }
  148107.     if( pLoop->wsFlags & WHERE_TOP_LIMIT ){
  148108.       pRangeEnd = pLoop->aLTerm[j++];
                                          ^
  148109.       nExtraReg = MAX(nExtraReg, pLoop->u.btree.nTop);
  148110. #ifndef SQLITE_LIKE_DOESNT_MATCH_BLOBS

#121
sqlite3.c:149145: error: Null Dereference
  pointer `pRight` last assigned on line 149144 could be null and is dereferenced at line 149145, column 8.
  149143. 
  149144.   pRight = sqlite3ExprSkipCollate(pList->a[0].pExpr);
  149145.   op = pRight->op;
                 ^
  149146.   if( op==TK_VARIABLE && (db->flags & SQLITE_EnableQPSG)==0 ){
  149147.     Vdbe *pReprepare = pParse->pReprepare;

#122
sqlite3.c:150937: error: Uninitialized Value
  The value read from pX was never initialized.
  150935.             }
  150936.             if( (pTerm->eOperator & (WO_EQ|WO_IS))!=0
  150937.              && (pX = pTerm->pExpr->pRight, ALWAYS(pX!=0))
                                                      ^
  150938.              && pX->op==TK_COLUMN
  150939.              && pX->iTable==pScan->aiCur[0]

#123
sqlite3.c:170993: error: Dead Store
  The value written to &p (type char*) is never used.
  170991.   p = appendText(p, zWal);
  170992.   *(p++) = 0;
  170993.   *(p++) = 0;
              ^
  170994.   assert( (sqlite3_int64)(p - pResult)==nByte );
  170995.   return pResult + 4;

#124
sqlite3.c:173453: error: Dead Store
  The value written to &z (type char*) is never used.
  173451.     }
  173452.     *(z++) = '"';
  173453.     *(z++) = '\0';
                ^
  173454.   }
  173455.   return zRet;

#125
sqlite3.c:174309: error: Dead Store
  The value written to &iIdx (type int) is never used.
  174307.   if( iDocidLe>=0 ){
  174308.     pInfo->idxNum |= FTS3_HAVE_DOCID_LE;
  174309.     pInfo->aConstraintUsage[iDocidLe].argvIndex = iIdx++;
                                                            ^
  174310.   }
  174311. 

#126
sqlite3.c:175927: error: Dead Store
  The value written to &iIdx (type int) is never used.
  175925.   if( idxNum & FTS3_HAVE_LANGID ) pLangid = apVal[iIdx++];
  175926.   if( idxNum & FTS3_HAVE_DOCID_GE ) pDocidGe = apVal[iIdx++];
  175927.   if( idxNum & FTS3_HAVE_DOCID_LE ) pDocidLe = apVal[iIdx++];
                                                               ^
  175928.   assert( iIdx==nVal );
  175929. 

#127
sqlite3.c:178913: error: Dead Store
  The value written to &iNext (type int) is never used.
  178911.   }
  178912.   if( iLangid>=0 ){
  178913.     pInfo->aConstraintUsage[iLangid].argvIndex = iNext++;
                                                           ^
  178914.     pInfo->estimatedCost--;
  178915.   }

#128
sqlite3.c:179109: error: Dead Store
  The value written to &iNext (type int) is never used.
  179107.   }
  179108.   if( iNext<nVal ){
  179109.     iLangid = iNext++;
                        ^
  179110.   }
  179111. 

#129
sqlite3.c:181782: error: Dead Store
  The value written to &z (type char const *) is never used.
  181780. ){
  181781.   int rc;
  181782.   char *z = (char *)zArg;
            ^
  181783.   int n = 0;
  181784.   char *zCopy;

#130
sqlite3.c:195619: error: Null Dereference
  pointer `pNode` last assigned on line 195617 could be null and is dereferenced by call to `nodeGetRowid()` at line 195619, column 15.
  195617.   RtreeNode *pNode = rtreeNodeOfFirstSearchPoint(pCsr, &rc);
  195618.   if( rc==SQLITE_OK && ALWAYS(p) ){
  195619.     *pRowid = nodeGetRowid(RTREE_OF_CURSOR(pCsr), pNode, p->iCell);
                        ^
  195620.   }
  195621.   return rc;

#131
sqlite3.c:195640: error: Null Dereference
  pointer `pNode` last assigned on line 195633 could be null and is dereferenced by call to `nodeGetCoord()` at line 195640, column 5.
  195638.     sqlite3_result_int64(ctx, nodeGetRowid(pRtree, pNode, p->iCell));
  195639.   }else if( i<=pRtree->nDim2 ){
  195640.     nodeGetCoord(pRtree, pNode, p->iCell, i-1, &c);
              ^
  195641. #ifndef SQLITE_RTREE_INT_ONLY
  195642.     if( pRtree->eCoordType==RTREE_COORD_REAL32 ){

#132
sqlite3.c:195638: error: Null Dereference
  pointer `pNode` last assigned on line 195633 could be null and is dereferenced by call to `nodeGetRowid()` at line 195638, column 31.
  195636.   if( NEVER(p==0) ) return SQLITE_OK;
  195637.   if( i==0 ){
  195638.     sqlite3_result_int64(ctx, nodeGetRowid(pRtree, pNode, p->iCell));
                                        ^
  195639.   }else if( i<=pRtree->nDim2 ){
  195640.     nodeGetCoord(pRtree, pNode, p->iCell, i-1, &c);

#133
sqlite3.c:197647: error: Dead Store
  The value written to &ii (type int) is never used.
  197645.   sqlite3_str *pSql;
  197646.   char *zSql;
  197647.   int ii = 4;
            ^
  197648.   int iErr;
  197649. 

#134
sqlite3.c:207348: error: Dead Store
  The value written to &i (type int) is never used.
  207346.   }
  207347.   if( iAgg>=0 ){
  207348.     pIdxInfo->aConstraintUsage[iAgg].argvIndex = ++i;
                                                           ^
  207349.     pIdxInfo->idxNum |= 0x04;
  207350.   }

#135
sqlite3.c:207857: error: Dead Store
  The value written to &iArg (type int) is never used.
  207855.   if( idxNum & 0x04 ){
  207856.     /* aggregate=? constraint is present */
  207857.     pCsr->isAgg = sqlite3_value_double(argv[iArg++])!=0.0;
                                                      ^
  207858.   }else{
  207859.     pCsr->isAgg = 0;

Found 136 issues
                Issue Type(ISSUED_TYPE_ID): #
  Uninitialized Value(UNINITIALIZED_VALUE): 85
                    Dead Store(DEAD_STORE): 33
        Null Dereference(NULL_DEREFERENCE): 18

(2.1) By Harald Hanche-Olsen (hanche) on 2022-04-17 16:58:23 edited from 2.0 in reply to 1.0 [link] [source]

As a mere outside observer, I have noticed that such claims come up regularly on the forum. Each time, the response has been that automated tools (static source code analysers) produce so many false positives when applied to the SQLite code base as to be pretty much useless. A number of bugs have been found by fuzzing techniques, though.

If you find a way to actually trigger the presumed bugs, that is a different matter, of course.

I expect you will soon get a more authoritative answer than mine, though.

(3) By Richard Hipp (drh) on 2022-04-17 17:14:11 in reply to 2.1 [link] [source]

Harald's answer is spot on. Static analysis tools are notorious for generating many false-positives. If you have an actual vulnerability (unlikely) then by all means report it. If you are uncomfortable reporting it on this public forum, you can send private email to drh at sqlite dot org.

But warnings from static analysis tools are not vulnerabilities. They are not even bugs. More often than not, they are just wrong.

Thank you for your interest in SQLite, though, and for taking the time to post the report from your static analyzer.

(4.1) By Larry Brasfield (larrybr) on 2022-04-17 18:41:14 edited from 4.0 in reply to 1.2 [link] [source]

I decided to take a look at the "vulnerabilities" discovered in shell.c. That effort was short-circuited by the following discovery.

I started with the first report against shell.c, reading: #9 shell.c:2945: error: Uninitialized Value The value read from n was never initialized.

Here is an unabridged excerpt from the referenced code:

        while( 1 ){
          n = readlink(pCur->zPath, aBuf, nBuf);
          if( n<nBuf ) break;
          if( aBuf!=aStatic ) sqlite3_free(aBuf);
          nBuf = nBuf*2;
          aBuf = sqlite3_malloc64(nBuf);
          if( aBuf==0 ){
            sqlite3_result_error_nomem(ctx);
            return SQLITE_NOMEM;
          }
        }

        sqlite3_result_text(ctx, aBuf, n, SQLITE_TRANSIENT);

Readers of the C language may note that the object known as "n" is always assigned a value in the while loop before its value is read. The read reported as "vulnerable", in the sqlite3_result_text() call, is easily seen to always have an assigned value at that point in the code.

This result was enough to dissuade me from study of the other reports against shell.c, and prompts this observation and suggestion: Modern compilers are able to warn against use of unassigned variable values, which is detected by relatively sophisticated (but not invariably correct) execution flow analysis. The Infer tool might benefit from adopting a similar approach.

(5) By Harald Hanche-Olsen (hanche) on 2022-04-17 18:51:34 in reply to 4.1 [link] [source]

Ah, but if 1 turned out to be false, then n would indeed be uninitialised! So there! ;-)

(6.1) By Gerry Snyder (GSnyder) on 2022-04-17 21:13:19 edited from 6.0 in reply to 5 [source]

Deleted

(7.2) By Harald Hanche-Olsen (hanche) on 2022-04-17 20:15:09 edited from 7.1 in reply to 6.0 [link] [source]

Yes, it would. After the while loop, in the call to sqlite3_result_text.

Seriously, the tool used doesn't seem to take into account the fact that a while loop is sometimes guaranteed to run at least once, and can't spot even a trivial case thereof.

(8) By anonymous on 2022-04-17 20:24:50 in reply to 4.1 [link] [source]

Some cursory browsing reveals that the Infer tool relies on Clang for parsing.

The shell.c example above shows that it reports more false positives than Clang's own static analyser.

This does not inspire confidence.

(9) By Larry Brasfield (larrybr) on 2022-04-17 20:24:57 in reply to 7.1 [link] [source]

To be fair to the "Infer" tool: It probably assumes that a while loop body may or may not be executed, without examining the guard condition for runtime constancy. That is hard to do in the face of preprocessing trickery or complex conditions, so I am not surprised that Infer's author(s) punted on that challenge.

Fortunately, there are tools available which are reasonably good at detecting actual use of uninitialized variables, such as Valgrind and AddressSanitizer. Those are both used with SQLite and its shell, while running the Tcl-driven test suite, prior to any SQLite release.