Issue #17073: Fix some integer overflows in sqlite3 module.

2025-09-24 17:33:29 +00:00 · 2013-02-07 16:59:34 +02:00 · 2013-02-07 16:59:34 +02:00 · 35c52b687f
commit 35c52b687f
parent d5327d95d2
8 changed files with 203 additions and 75 deletions
--- a/Lib/sqlite3/test/userfunctions.py
+++ b/Lib/sqlite3/test/userfunctions.py
@ -374,14 +374,15 @@ class AggregateTests(unittest.TestCase):
        val = cur.fetchone()[0]
        self.assertEqual(val, 60)

-def authorizer_cb(action, arg1, arg2, dbname, source):
-    if action != sqlite.SQLITE_SELECT:
-        return sqlite.SQLITE_DENY
-    if arg2 == 'c2' or arg1 == 't2':
-        return sqlite.SQLITE_DENY
-    return sqlite.SQLITE_OK
-
 class AuthorizerTests(unittest.TestCase):
+    @staticmethod
+    def authorizer_cb(action, arg1, arg2, dbname, source):
+        if action != sqlite.SQLITE_SELECT:
+            return sqlite.SQLITE_DENY
+        if arg2 == 'c2' or arg1 == 't2':
+            return sqlite.SQLITE_DENY
+        return sqlite.SQLITE_OK
+
    def setUp(self):
        self.con = sqlite.connect(":memory:")
        self.con.executescript("""
@ -394,12 +395,12 @@ class AuthorizerTests(unittest.TestCase):
        # For our security test:
        self.con.execute("select c2 from t2")

-        self.con.set_authorizer(authorizer_cb)
+        self.con.set_authorizer(self.authorizer_cb)

    def tearDown(self):
        pass

-    def CheckTableAccess(self):
+    def test_table_access(self):
        try:
            self.con.execute("select * from t2")
        except sqlite.DatabaseError, e:
@ -408,7 +409,7 @@ class AuthorizerTests(unittest.TestCase):
            return
        self.fail("should have raised an exception due to missing privileges")

-    def CheckColumnAccess(self):
+    def test_column_access(self):
        try:
            self.con.execute("select c2 from t1")
        except sqlite.DatabaseError, e:
@ -417,11 +418,46 @@ class AuthorizerTests(unittest.TestCase):
            return
        self.fail("should have raised an exception due to missing privileges")

+class AuthorizerRaiseExceptionTests(AuthorizerTests):
+    @staticmethod
+    def authorizer_cb(action, arg1, arg2, dbname, source):
+        if action != sqlite.SQLITE_SELECT:
+            raise ValueError
+        if arg2 == 'c2' or arg1 == 't2':
+            raise ValueError
+        return sqlite.SQLITE_OK
+
+class AuthorizerIllegalTypeTests(AuthorizerTests):
+    @staticmethod
+    def authorizer_cb(action, arg1, arg2, dbname, source):
+        if action != sqlite.SQLITE_SELECT:
+            return 0.0
+        if arg2 == 'c2' or arg1 == 't2':
+            return 0.0
+        return sqlite.SQLITE_OK
+
+class AuthorizerLargeIntegerTests(AuthorizerTests):
+    @staticmethod
+    def authorizer_cb(action, arg1, arg2, dbname, source):
+        if action != sqlite.SQLITE_SELECT:
+            return 2**32
+        if arg2 == 'c2' or arg1 == 't2':
+            return 2**32
+        return sqlite.SQLITE_OK
+
+
 def suite():
    function_suite = unittest.makeSuite(FunctionTests, "Check")
    aggregate_suite = unittest.makeSuite(AggregateTests, "Check")
-    authorizer_suite = unittest.makeSuite(AuthorizerTests, "Check")
-    return unittest.TestSuite((function_suite, aggregate_suite, authorizer_suite))
+    authorizer_suite = unittest.makeSuite(AuthorizerTests)
+    return unittest.TestSuite((
+            function_suite,
+            aggregate_suite,
+            authorizer_suite,
+            unittest.makeSuite(AuthorizerRaiseExceptionTests),
+            unittest.makeSuite(AuthorizerIllegalTypeTests),
+            unittest.makeSuite(AuthorizerLargeIntegerTests),
+        ))

 def test():
    runner = unittest.TextTestRunner()