From c18fb0d99b633bb267dead6e7c46229f4b780bc3 Mon Sep 17 00:00:00 2001
From: "Neal H. Walfield"
Date: Mon, 26 Oct 2015 13:41:07 +0100
Subject: [PATCH] gpg: Make sure we only have a single SQL statement.
* g10/tofu.c (sqlite3_stepx): Make sure SQL only contains a single SQL statement.
--
Signed-off-by: Neal H. Walfield
---
 g10/tofu.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/g10/tofu.c b/g10/tofu.c
index 4eab487b6..43a6224a8 100644
--- a/g10/tofu.c
+++ b/g10/tofu.c
@@ -289,10 +289,25 @@ sqlite3_stepx (sqlite3 *db,
 }
 else
 {
- rc = sqlite3_prepare_v2 (db, sql, -1, &stmt, NULL);
+ const char *tail = NULL;
+
+ rc = sqlite3_prepare_v2 (db, sql, -1, &stmt, &tail);
 if (rc)
 log_fatal ("failed to prepare SQL: %s", sql);
 
+ /* We can only process a single statement. */
+ if (tail)
+ {
+ while (*tail == ' ' || *tail == ';')
+ tail ++;
+
+ if (*tail)
+ log_fatal
+ ("sqlite3_stepx can only process a single SQL statement."
+ " Second statement starts with: '%s'\n",
+ tail);
+ }
+
 if (stmtp)
 *stmtp = stmt;
 }
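Review bot: The tail-skipping loop `while (*tail == ' ' || *tail == ';')` treats only spaces and semicolons as harmless, so a statement that ends in a newline, a tab or a trailing SQL comment reaches `log_fatal` and terminates the process even though no second statement exists. If any caller passes multi-line SQL text (not visible in this hunk), widening the loop to `while (*tail == ' ' || *tail == '\t' || *tail == '\n' || *tail == '\r' || *tail == ';')` keeps the single-statement guarantee without that false positive. The placement of the check looks right: in the visible lines it runs after the prepare and before the statement is handed back through `stmtp`, so a stacked statement is rejected before it can be stepped. Both fatal messages echo SQL text into the log, which is worth confirming as acceptable if statements are ever built from key or user-ID data; the new message also ends in `\n` while the existing `failed to prepare SQL` message does not. sqlite3_stepx begins and ends outside the hunk.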