Merge pull request #809 from weiznich/master

Report use-after-free issue in diesels sqlite backend
2025-12-31 08:40:26 +01:00 · 2021-03-05 14:41:59 +01:00
parent 68ccfc5bab c31f016dce
commit 34e986372a
1 changed files with 31 additions and 0 deletions
--- a/crates/diesel/RUSTSEC-0000-0000.md
+++ b/crates/diesel/RUSTSEC-0000-0000.md
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "diesel"
+date = "2021-03-05"
+url = "https://github.com/diesel-rs/diesel/pull/2663"
+categories = ["memory-corruption"]
+keywords = ["use after free"]
+
+[affected]
+functions = { "diesel::SqliteConnection::query_by_name" = ["< 1.4.6"] }
+[versions]
+patched = [">= 1.4.6"]
+```
+
+# Fix a use-after-free bug in diesels Sqlite backend
+
+We've misused `sqlite3_column_name`. The
+[SQLite](https://www.sqlite.org/c3ref/column_name.html) documentation
+states that the following:
+
+> The returned string pointer is valid until either the prepared statement
+> is destroyed by sqlite3_finalize() or until the statement is automatically
+> reprepared by the first call to sqlite3_step() for a particular
+> run or until the next call to sqlite3_column_name()
+> or sqlite3_column_name16() on the same column.
+
+As part of our `query_by_name` infrastructure we've first received all
+field names for the prepared statement and stored them as string slices
+for later use. After that we called `sqlite3_step()` for the first time,
+which invalids the pointer and therefore the stored string slice.