[New-bugs-announce] [issue45754] [sqlite3] SQLITE_LIMIT_LENGTH is incorrectly used to check statement length

Erlend E. Aasland report at bugs.python.org
Mon Nov 8 12:40:00 EST 2021


New submission from Erlend E. Aasland <erlend.aasland at innova.no>:

In Modules/_sqlite/statement.c pysqlite_statement_create() and Modules/_sqlite/cursor.c pysqlite_cursor_executescript_impl(), we incorrectly use SQLITE_LIMIT_LENGTH to check statement length. However, the correct limit is *SQLITE_LIMIT_SQL_LENGTH*.

### Alternative 1:
Quick fix is to check against SQLITE_LIMIT_SQL_LENGTH instead of SQLITE_LIMIT_LENGTH.

### Alternative 2:
Let SQLite do the check for us, and instead add integer overflow check, since Py_ssize_t may be larger than int (sqlite3_prepare_v2() uses an int as the max statement length parameter).

### Alternative 3:
As alternative 2, but alter the sqlite3_prepare_v2() call to accept _any_ length (max statement length = -1).


See also:
- https://sqlite.org/limits.html
- https://sqlite.org/c3ref/c_limit_attached.html
- https://sqlite.org/c3ref/prepare.html

----------
messages: 405975
nosy: erlendaasland, serhiy.storchaka
priority: normal
severity: normal
status: open
title: [sqlite3] SQLITE_LIMIT_LENGTH is incorrectly used to check statement length

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue45754>
_______________________________________

