In extensions rtree, fts3 and fts5, ensure that when dynamic buffers are bound

to persistent SQL statements using SQLITE_STATIC, the binding is replaced with an SQL NULL before the buffer is freed. Otherwise, a user may obtain a pointer to the persistent statement using sqlite3_next_stmt() and attempt to access the freed buffer using sqlite3_expanded_sql() or similar. FossilOrigin-Name: 2a5f813bc61f9e780f2ccbda425611f65ad523b6d486a1e5e2b9d5e9f1d260a2
2025-07-29 08:01:23 +03:00 · 2018-02-07 18:02:50 +00:00
parent fa68815fa3
commit eab0e10304
14 changed files with 47 additions and 20 deletions
--- a/test/tester.tcl
+++ b/test/tester.tcl
@ -2309,6 +2309,16 @@ proc test_find_sqldiff {} {
  return $prog
 }

+# Call sqlite3_expanded_sql() on all statements associated with database
+# connection $db. This sometimes finds use-after-free bugs if run with
+# valgrind or address-sanitizer.
+proc expand_all_sql {db} {
+  set stmt ""
+  while {[set stmt [sqlite3_next_stmt $db $stmt]]!=""} {
+    sqlite3_expanded_sql $stmt
+  }
+}
+

 # If the library is compiled with the SQLITE_DEFAULT_AUTOVACUUM macro set
 # to non-zero, then set the global variable $AUTOVACUUM to 1.