std::string_view is used with functions expecting null-terminated strings #5

@wandernauta

In a number of places, a std::string_view argument is accepted and then passed to a SQLite or libpq function that expects a null-terminated (C) string. However, this is not safe: string_view is not guaranteed to be null-terminated.

In practice, on my machine, this means that the following prints "abcd" as expected, but then creates a database named "abcdxyz":

char xyz[] = {'x', 'y', 'z', 0};
char arr[] = {'a', 'b', 'c', 'd'};

TEST_CASE("suffix test") {
  std::string_view v(arr, sizeof arr);

  MESSAGE(v);
  MiniSQLite ms(v);
}

It also means that the following is UB:

  ms.exec({});

The issue appears in:

  • MiniSQLite::MiniSQLite
  • MiniSQLite::exec
  • MiniSQLite::prepare (here, sqlite3_prepare_v2 could be passed .size())
  • MiniPSQL::MiniPSQL
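
The over-read and two ways to avoid it, as an added example that is not part of the original issue or the project's code. `c_api_open` and `c_api_prepare` are hypothetical stand-ins for a NUL-terminated C API and a length-taking one, and the sample buffer is constructed so that the read past the view stays inside one array and is reproducible.

```cpp
#include <cstddef>
#include <cstring>
#include <optional>
#include <string>
#include <string_view>

// Hypothetical stand-in for a C API that reads up to the first NUL byte,
// the way a filename or connection string parameter is read.
std::string c_api_open(const char *name) { return std::string(name, std::strlen(name)); }

// Hypothetical stand-in for a C API that takes an explicit byte count.
std::string c_api_prepare(const char *sql, int n_bytes) {
    return std::string(sql, static_cast<std::size_t>(n_bytes));
}

// Constructed sample: one NUL-terminated buffer with a view over its first
// four bytes, so reading past the view is well defined in this demo.
constexpr char buffer[] = "abcdxyz";
constexpr std::string_view view(buffer, 4);  // "abcd"

// Unsafe pattern: data() is not NUL-terminated at size().
std::string open_unsafe(std::string_view v) { return c_api_open(v.data()); }

// Safe for NUL-terminated APIs: copy into std::string, whose c_str() is
// always terminated and non-null, even for a default-constructed view.
// An embedded NUL would still truncate on the C side, so reject it.
std::optional<std::string> open_safe(std::string_view v) {
    if (v.find('\0') != std::string_view::npos) return std::nullopt;
    const std::string owned(v);
    return c_api_open(owned.c_str());
}

// Safe for length-taking APIs: pass size() and skip the copy.
std::string prepare_sized(std::string_view v) {
    if (v.empty()) return {};  // data() may be nullptr for an empty view
    return c_api_prepare(v.data(), static_cast<int>(v.size()));
}

int main() {
    // The unsafe call sees "abcdxyz"; the safe call sees "abcd".
    return open_unsafe(view) == "abcdxyz" && open_safe(view) == "abcd" ? 0 : 1;
}
```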
