gpg: Make sure we only have a single SQL statement.

* g10/tofu.c (sqlite3_stepx): Make sure SQL only contains a single SQL statement. -- Signed-off-by: Neal H. Walfield <neal@g10code.com>
2015-10-26 13:41:07 +01:00 · 2015-10-26 13:41:07 +01:00 · c18fb0d99b
parent 5b0ed7674d
commit c18fb0d99b
1 changed files with 16 additions and 1 deletions
--- a/g10/tofu.c
+++ b/g10/tofu.c
@ -289,10 +289,25 @@ sqlite3_stepx (sqlite3 *db,
    }
  else
    {
-      rc = sqlite3_prepare_v2 (db, sql, -1, &stmt, NULL);
+      const char *tail = NULL;
+
+      rc = sqlite3_prepare_v2 (db, sql, -1, &stmt, &tail);
      if (rc)
        log_fatal ("failed to prepare SQL: %s", sql);

+      /* We can only process a single statement.  */
+      if (tail)
+        {
+          while (*tail == ' ' || *tail == ';')
+            tail ++;
+
+          if (*tail)
+            log_fatal
+              ("sqlite3_stepx can only process a single SQL statement."
+               "  Second statement starts with: '%s'\n",
+               tail);
+        }
+
      if (stmtp)
        *stmtp = stmt;
    }