From af359cee75e4806650f2b9b948e398d89ceb9555 Mon Sep 17 00:00:00 2001
From: "Erlend E. Aasland"
Date: Mon, 20 May 2024 09:44:42 -0400
Subject: [PATCH] gh-118928: sqlite3: correctly bail if sequences of params are used with named placeholders (#119197)
---
 .../next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst | 2 ++
 Modules/_sqlite/cursor.c | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst
diff --git a/Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst b/Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst
new file mode 100644
index 00000000000..61b19276173
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst
@@ -0,0 +1,2 @@
+Fix an error where incorrect bindings in :mod:`sqlite3` queries could lead
+to a crash. Patch by Erlend E. Aasland.
diff --git a/Modules/_sqlite/cursor.c b/Modules/_sqlite/cursor.c
index 5d4b77b1a07..0fbd408f18c 100644
--- a/Modules/_sqlite/cursor.c
+++ b/Modules/_sqlite/cursor.c
@@ -675,6 +675,7 @@ bind_parameters(pysqlite_state *state, pysqlite_Statement *self,
 "supplied a sequence which requires nameless (qmark) "
 "placeholders.",
 i+1, name);
+ return;
 }
 if (PyTuple_CheckExact(parameters)) {
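Review bot: The added `return;` after the `PyErr_Format(...)` call in `bind_parameters` comes with no regression test in the patch as shown; the diffstat lists only the NEWS entry and `cursor.c`. The NEWS text describes a crash reachable from incorrect bindings, so a test should execute a statement that has a named placeholder with a sequence of parameters and assert that the error is raised and the interpreter survives. The bare `return;` suggests the function returns void and reports failure only through the pending exception, so a short comment above it, such as `/* exception set; caller must check for a pending error */`, would make that contract explicit. The body of `bind_parameters` starts and ends outside the hunk, so any other error paths in the loop that may need the same early exit are not visible here.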