Merge pull request #62 from gwenn/too-big

Check Rust str length before binding.

src/lib.rs

@@ -543,6 +543,12 @@ impl InnerSqliteConnection {
     fn prepare<'a>(&mut self,
                    conn: &'a SqliteConnection,
                    sql: &str) -> SqliteResult<SqliteStatement<'a>> {
+        if sql.len() >= ::std::i32::MAX as usize {
+            return Err(SqliteError {
+                code: ffi::SQLITE_TOOBIG,
+                message: "statement too long".to_string()
+            });
+        }
         let mut c_stmt: *mut ffi::sqlite3_stmt = unsafe { mem::uninitialized() };
         let c_sql = try!(str_to_cstring(sql));
         let r = unsafe {

src/types.rs

@@ -102,8 +102,12 @@ raw_to_impl!(c_double, sqlite3_bind_double);
 
 impl<'a> ToSql for &'a str {
     unsafe fn bind_parameter(&self, stmt: *mut sqlite3_stmt, col: c_int) -> c_int {
+        let length = self.len();
+        if length > ::std::i32::MAX as usize {
+            return ffi::SQLITE_TOOBIG;
+        }
         match str_to_cstring(self) {
-            Ok(c_str) => ffi::sqlite3_bind_text(stmt, col, c_str.as_ptr(), -1,
+            Ok(c_str) => ffi::sqlite3_bind_text(stmt, col, c_str.as_ptr(), length as c_int,
                                                 ffi::SQLITE_TRANSIENT()),
             Err(_)    => ffi::SQLITE_MISUSE,
         }
@@ -118,6 +122,9 @@ impl ToSql for String {
 
 impl<'a> ToSql for &'a [u8] {
     unsafe fn bind_parameter(&self, stmt: *mut sqlite3_stmt, col: c_int) -> c_int {
+        if self.len() > ::std::i32::MAX as usize {
+            return ffi::SQLITE_TOOBIG;
+        }
         ffi::sqlite3_bind_blob(
             stmt, col, mem::transmute(self.as_ptr()), self.len() as c_int, ffi::SQLITE_TRANSIENT())
     }