Several potential bugs of null pointer dereference

Bug #1940353 reported by yuxuan He
Affects: sqlite3 (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Ubuntu version: 18.04
sqlite version: 3.22

Hello, I found some potential bugs in the package sqlite3, and the .docx file in the attachment I uploaded shows the occurrence process of each bug in a graphical way. Would you help me check whether the bugs mentioned below are true? Thank you very much for your patience.

In file sqlite3/build/sqlite3.c (build is a folder containing files generated by configure)
In function sqlite3VtabCallDestroy
In line 128391, there is a statement that loads the return value of function vtabDisconnectAll into pointer p, and the return value can be null.
In line 128392, there is a statement that dereferences p without a check.
The entire graphic description is shown in figure 1 in the .docx file.

In sqlite3-3.22.0/src/tclsqlite.c
In function dbReleaseStmt
In line 1421:
pointer pPrev is initialized to null, and on a certain path the value of pPrev is not changed and is dereferenced without a check.
The entire graphic description is shown in figure 2 in the .docx file.

In file sqlite3/build/sqlite3.c (build is a folder containing files generated by configure)
In function vdbeSorterFlushPMA
In line 89710, pointer pTask is dereferenced without a check, and its value can be null.
The entire graphic description is shown in figure 3 in the .docx file.

In file sqlite3/build/sqlite3.c (build is a folder containing files generated by configure)
In function sqlite3CodeRowTriggerDirect
In line 126110:
pointer v loads the return value of function sqlite3GetVdbe, and its value can be null.
In line 126120:
pointer v acts as the 1st parameter of function sqlite3VdbeAddOp4, and in this function v will be dereferenced without a check.
The entire graphic description is shown in figure 4 in the .docx file.

In file sqlite3/build/sqlite3.c (build is a folder containing files generated by configure)
In function sqlite3_randomness
In line 27774: the return value of sqlite3_vfs_find, which can be null, acts as the 1st parameter of function sqlite3OsRandomness; in this function, the return value of sqlite3_vfs_find is dereferenced without a check.
The entire graphic description is shown in figure 5 in the .docx file.

In file sqlite3/build/shell.c (build is a folder containing files generated by configure)
In function process_input
In line 14653:
zSql is initialized to null, and on a certain path the value of zSql is not changed and is dereferenced without a check.
The entire graphic description is shown in figure 6 in the .docx file.

In file sqlite3/build/shell.c (build is a folder containing files generated by configure)
In function sqlite3_appendvfs_init
In line 3949:
the return value of function sqlite3_vfs_find, which can be null, is loaded into pOrig
In line 3950:
pOrig is dereferenced without a check
The entire graphic description is shown in figure 7 in the .docx file.

In file sqlite3/build/sqlite3.c (build is a folder containing files generated by configure)
In function fts3IncrmergeChomp
In line 163794:
pSeg is initialized to null.
In line 163803:
pSeg is dereferenced without a check
The entire graphic description is shown in figure 8 in the .docx file.
