apr-dev mailing list archives

From Bob Rossi <...@brasko.net>
Subject dbd p[v]b functions problem
Date Thu, 04 Feb 2010 22:44:16 GMT
Hi,

I've been playing with the dbd_sqlite3_pvbselect function today
and found what I believe to be several major issues. Please note,
this issue is probably across all database subsystems.

The function looks like,
  static int dbd_sqlite3_pvbselect(apr_pool_t * pool, apr_dbd_t * sql,
                                   apr_dbd_results_t ** results,
                                   apr_dbd_prepared_t * statement, int seek,
                                   va_list args)

It declares on the stack this variable,
  const void **values;

and then continues to initialize that variable using va_arg and the
args parameter like so,
  for (i = 0; i < statement->nvals; i++) {
    values[i] = va_arg(args, const void*);
  }

If you pass an integer into this function in args, and you tell
va_arg it's a void*, you've got problems. On systems where an
integer is the size of a pointer, you are probably OK so far,
otherwise at this step, you probably have memory corruption.

Now, the values list then gets passed into dbd_sqlite3_pbselect, which
calls dbd_sqlite3_bbind. Just looking at the integer case you'll
see,

  case APR_DBD_TYPE_INT:
    sqlite3_bind_int(stmt, i + 1, *(int*)values[j]);
    break;

If values[j] represents an integer as I discussed, then it is
cast to an int* (even though it's still an integer), and then
it's dereferenced, which will cause a SEGFAULT, since the integer
was not an address.

So, the problem I'm seeing is, all of the functions that call
dbd_sqlite3_bbind (dbd_sqlite3_pbquery, dbd_sqlite3_pvbquery,
dbd_sqlite3_pbselect, dbd_sqlite3_pvbselect) only allow
parameters that are pointers. Is this a design decision or
a flaw?

A really simple solution to this would be to just write a loop
similar to dbd_sqlite3_bbind that took the va_list as an
argument and treated each case depending on the type that it is.

The second issue I noticed is, there is no function that takes
a va_list instead of a ... parameter list. That means that it's
very difficult to write wrapper functions that sit on top of apr.

BTW, is anyone using this interface? It's not even tested in
test/dbd.c. I'm assuming that with the bugs I've found above, no
one has used this interface without great pain.

What do you think? If you like my suggestions, I'll write up
a patch for inclusion.

Thanks,
Bob Rossi
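The two binding conventions the post contrasts, written out as an added example (this is not APR code and not the poster's patch; the type tags BIND_INT/BIND_DOUBLE/BIND_TEXT, the struct bound record and the bind_* function names are assumptions standing in for APR_DBD_TYPE_* and the dbd_sqlite3_*bind routines). bind_by_pointer_v reads every variadic slot as const void* and only works when the caller passed &x for an int, which is the contract the post says the current functions silently rely on; bind_typed_v reads each argument with the va_arg type matching its declared binding type, so plain ints and doubles can be passed by value, and it takes a va_list so wrappers can be layered on top of it.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type tags (assumed names, standing in for APR_DBD_TYPE_*). */
enum bind_type { BIND_INT, BIND_DOUBLE, BIND_TEXT };

/* One bound parameter: a tagged union keeps the declared type next to the value. */
struct bound {
    enum bind_type type;
    union { int i; double d; const char *s; } u;
};

#define MAX_PARAMS 8   /* upper bound on parameters in this example */

/* Convention A (what the post describes): every variadic argument is a pointer, so an
 * int must be passed as &x. Reading a slot with va_arg(args, const void*) is only
 * well-defined when the caller kept that promise; a bare int there is undefined
 * behaviour, and dereferencing it is the SEGFAULT the post describes. */
static int bind_by_pointer_v(const enum bind_type *types, int nvals,
                             struct bound *out, va_list args)
{
    int j;
    if (nvals < 0 || nvals > MAX_PARAMS) return -1;
    for (j = 0; j < nvals; j++) {
        const void *p = va_arg(args, const void *);
        if (p == NULL) return -1;            /* refuse rather than dereference NULL */
        out[j].type = types[j];
        switch (types[j]) {
        case BIND_INT:    out[j].u.i = *(const int *)p;    break;
        case BIND_DOUBLE: out[j].u.d = *(const double *)p; break;
        case BIND_TEXT:   out[j].u.s = (const char *)p;    break;
        default:          return -1;
        }
    }
    return nvals;
}

/* Variadic front end for convention A, mirroring a p[v]b-style entry point. */
static int bind_by_pointer(const enum bind_type *types, int nvals, struct bound *out, ...)
{
    va_list args;
    int n;
    va_start(args, out);
    n = bind_by_pointer_v(types, nvals, out, args);
    va_end(args);
    return n;
}

/* Convention B (the post's suggestion): consume each argument with the va_arg type
 * that matches its declared binding type. The va_list form is the primitive, so a
 * wrapper that itself takes "..." can forward its arguments without copying them. */
static int bind_typed_v(const enum bind_type *types, int nvals,
                        struct bound *out, va_list args)
{
    int j;
    if (nvals < 0 || nvals > MAX_PARAMS) return -1;
    for (j = 0; j < nvals; j++) {
        out[j].type = types[j];
        switch (types[j]) {
        case BIND_INT:    out[j].u.i = va_arg(args, int);          break;
        case BIND_DOUBLE: out[j].u.d = va_arg(args, double);       break;
        case BIND_TEXT:   out[j].u.s = va_arg(args, const char *); break;
        default:          return -1;
        }
    }
    return nvals;
}

/* Variadic front end for convention B: callers pass ints and doubles by value. */
static int bind_typed(const enum bind_type *types, int nvals, struct bound *out, ...)
{
    va_list args;
    int n;
    va_start(args, out);
    n = bind_typed_v(types, nvals, out, args);
    va_end(args);
    return n;
}

/* Bind the same constructed parameter set both ways and report whether they agree. */
static int conventions_agree(void)
{
    enum bind_type types[3] = { BIND_INT, BIND_DOUBLE, BIND_TEXT };
    struct bound a[3], b[3];
    int id = 42;                 /* constructed sample values */
    double price = 9.5;
    if (bind_by_pointer(types, 3, a, &id, &price, "widget") != 3) return 0;
    if (bind_typed(types, 3, b, 42, 9.5, "widget") != 3) return 0;
    return a[0].u.i == b[0].u.i && a[1].u.d == b[1].u.d
        && strcmp(a[2].u.s, b[2].u.s) == 0;
}

int main(void)
{
    printf("conventions agree: %s\n", conventions_agree() ? "yes" : "no");
    return 0;
}
```

The point of keeping the typed loop in a va_list function is the post's second complaint: a wrapper with its own "..." signature can call va_start once and hand the list straight to bind_typed_v, which is impossible when the only entry points themselves take "...".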
