Greetings,

I haven't heard back from the issue I've documented below, or from Jan Nijtmans, and it still needs attention.

The changes I've documented below actually introduce integer overflow and maybe memory-violating conditions in applications that work fine on other operating systems, as opposed to when they are compiled against sqlite3 on Cygwin.

I ask that we get a new Cygwin package of sqlite3 that fixes the issue I mentioned below.

(Yes, this isn't the most favorable tone for FrOSS communities, but then again it addresses something that was deliberate, ill-advised, and broke the package, and I would preferably like to see the party that broke it also fix it because they usually know best.)

On 25.03.25 at 00:15, Matthias Andree via Cygwin wrote:
Hi @Jan Nijtmans,

thank you very much for updating the Cygwin package to 3.49.1.

I would like to ask you to stop changing API return types, such as the
one here, where your patch converts the sqlite3_column_bytes return from
int to unsigned int. This is from sqlite3-3.49.1-1's patch

-SQLITE_API int sqlite3_column_bytes(sqlite3_stmt*, int iCol);
-SQLITE_API int sqlite3_column_bytes16(sqlite3_stmt*, int iCol);
+SQLITE_API unsigned int sqlite3_column_bytes(sqlite3_stmt*, int iCol);
+SQLITE_API unsigned int sqlite3_column_bytes16(sqlite3_stmt*, int iCol);
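Review bot: the return type on both `+` lines changes from `int` to `unsigned int` in a public `SQLITE_API` declaration, which silently changes how existing callers' expressions are evaluated. A caller that subtracts a signed value from the result, or compares the result against one, now has the arithmetic done in unsigned, so a negative result that the caller tests for can no longer occur. Suggest keeping `int` on `sqlite3_column_bytes` and `sqlite3_column_bytes16`, as on the removed lines, so that code written against the `int` prototypes compiles to the same behaviour.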

While I appreciate that it would have been adequate if the original
return type had been unsigned int or size_t for that matter, you cannot
change this in a downstream package. This would take sqlite 4.0 to change.

This does break applications! Who would special-case applications
because some downstream packager changed API?

See
https://softwareengineering.stackexchange.com/questions/175253/why-does-an-unsigned-int-compared-with-a-signed-character-turn-out-with-an-unexp
and (C++ based but has the same underlying problem because C++ uses the
same type promotion rules for int-like types):

Useful context also here:
https://flak.tedunangst.com/post/subtraction-is-not-comparison

Please revise the sqlite3 package and make sure its API functions return
the publicly documented return types even if you do not like them or
feel they're wrong because good applications will have adapted.

Thanks in advance.

Best regards,
Matthias
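The type-promotion effect this message describes, as an added example that is not part of the original e-mail, SQLite, or the Cygwin package: the same caller source is compiled once against an `int` return and once against an `unsigned int` return. The stand-in functions, `HEADER_LEN` and the payload check are hypothetical, and the blob sizes are constructed.

```c
#include <stdio.h>

/* Constructed stand-ins for the two declarations in the patch; they are not
   SQLite code and simply report the stored blob size. */
static int column_bytes_upstream(int stored) { return stored; }
static unsigned int column_bytes_patched(int stored) { return (unsigned int)stored; }

enum { HEADER_LEN = 16 }; /* hypothetical fixed record header, in bytes */

/* Hypothetical application check written against the documented int return:
   yield the payload length, or -1 if the blob cannot hold a header.
   The macro stamps out identical source text against each declaration. */
#define DEFINE_PAYLOAD_LEN(name, column_bytes)                        \
    static long long name(int stored)                                 \
    {                                                                 \
        /* int - int may go negative; unsigned - int wraps instead */ \
        long long payload = column_bytes(stored) - HEADER_LEN;        \
        if (payload < 0)                                              \
            return -1; /* truncated record: reject */                 \
        return payload; /* a caller would use this as a length */     \
    }

DEFINE_PAYLOAD_LEN(payload_len_upstream, column_bytes_upstream)
DEFINE_PAYLOAD_LEN(payload_len_patched, column_bytes_patched)

int main(void)
{
    const int sizes[] = { 64, 16, 4, 0 }; /* constructed blob sizes */
    int i;

    for (i = 0; i < 4; i++)
        printf("stored=%2d  int API: %lld  unsigned API: %lld\n", sizes[i],
               payload_len_upstream(sizes[i]), payload_len_patched(sizes[i]));
    return 0;
}
```

With a 32-bit `unsigned int`, the short-blob cases are rejected under the `int` declaration but come back as lengths near 4 GiB under the `unsigned int` one, with no compiler diagnostic at default warning levels.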




--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
