gpg: Make sure we only have a single SQL statement.
authorNeal H. Walfield <neal@g10code.com>
Mon, 26 Oct 2015 12:41:07 +0000 (13:41 +0100)
committerNeal H. Walfield <neal@g10code.com>
Mon, 26 Oct 2015 12:41:59 +0000 (13:41 +0100)
* g10/tofu.c (sqlite3_stepx): Make sure SQL only contains a single SQL
statement.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
g10/tofu.c

index 4eab487..43a6224 100644 (file)
@@ -289,10 +289,25 @@ sqlite3_stepx (sqlite3 *db,
     }
   else
     {
-      rc = sqlite3_prepare_v2 (db, sql, -1, &stmt, NULL);
+      const char *tail = NULL;
+
+      rc = sqlite3_prepare_v2 (db, sql, -1, &stmt, &tail);
       if (rc)
         log_fatal ("failed to prepare SQL: %s", sql);
 
+      /* We can only process a single statement.  */
+      if (tail)
+        {
+          while (*tail == ' ' || *tail == ';')
+            tail ++;
+
+          if (*tail)
+            log_fatal
+              ("sqlite3_stepx can only process a single SQL statement."
+               "  Second statement starts with: '%s'\n",
+               tail);
+        }
+
       if (stmtp)
         *stmtp = stmt;
     }
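Review bot: The skip loop `while (*tail == ' ' || *tail == ';')` only tolerates spaces and semicolons, so a statement whose string literal ends in a newline or tab after the `;` (the usual shape of a multi-line SQL literal) is treated as a "second statement" and aborts via log_fatal on valid input; a trailing `-- comment` after the last statement would trip it too. Skipping all whitespace closes the gap, e.g. `while (*tail == ';' || *tail == ' ' || *tail == '\t' || *tail == '\n' || *tail == '\r') tail++;` (or `isspace ((unsigned char) *tail)` if ctype.h is already included in tofu.c). Separately, the prepare-failure message on the context line prints only the SQL; since the new call now has the full prepare result, appending `sqlite3_errmsg (db)` to that log_fatal would make the abort diagnosable. sqlite3_stepx's body starts before and continues past this hunk, so what happens with an all-whitespace `sql` (prepare returns SQLITE_OK with a NULL stmt) cannot be judged from here.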