gh-145040: Fix crash in sqlite3 when connection is closed during aggregate callback

raminfp · raminfp · commit da5c4a6790dd · 2026-02-20T19:11:42.000+03:30
Fix a segmentation fault in the _sqlite module that occurs when
Connection.close() is called inside an aggregate step() callback.

After stmt_step() returns, _pysqlite_query_execute() calls
sqlite3_last_insert_rowid(self-&gt;connection-&gt;db) without checking if
self-&gt;connection-&gt;db is still valid. If the connection was closed during
the callback, self-&gt;connection-&gt;db is NULL, causing a NULL pointer
dereference.

The fix adds a NULL check for self-&gt;connection-&gt;db after stmt_step()
returns, raising ProgrammingError instead of crashing.
diff --git a/Lib/test/test_sqlite3/test_userfunctions.py b/Lib/test/test_sqlite3/test_userfunctions.py
@@ -723,6 +723,29 @@ def test_agg_keyword_args(self):
                 'takes exactly 3 positional arguments'):
             self.con.create_aggregate("test", 1, aggregate_class=AggrText)
 
+    def test_aggr_close_conn_in_step(self):
+        """Connection.close() in an aggregate step callback must not crash."""
+        con = sqlite.connect(":memory:", autocommit=True)
+        cur = con.cursor()
+        cur.execute("CREATE TABLE t(x INTEGER)")
+        for i in range(50):
+            cur.execute("INSERT INTO t VALUES (?)", (i,))
+
+        class CloseConnAgg:
+            def __init__(self):
+                self.total = 0
+
+            def step(self, value):
+                self.total += value
+                con.close()
+
+            def finalize(self):
+                return self.total
+
+        con.create_aggregate("agg_close", 1, CloseConnAgg)
+        with self.assertRaises(sqlite.ProgrammingError):
+            con.execute("SELECT agg_close(x) FROM t")
+
 
 class AuthorizerTests(unittest.TestCase):
     @staticmethod
diff --git a/Misc/NEWS.d/next/Library/2026-02-20-00-00-00.gh-issue-145040.sqlite3-close-crash.rst b/Misc/NEWS.d/next/Library/2026-02-20-00-00-00.gh-issue-145040.sqlite3-close-crash.rst
@@ -0,0 +1,6 @@
+Fixed a crash in the :mod:`sqlite3` module when
+:meth:`~sqlite3.Connection.close` is called on the connection during an
+aggregate callback (e.g., in the ``step`` method). The interpreter now raises
+:exc:`~sqlite3.ProgrammingError` instead of crashing with a segmentation
+fault.
+
diff --git a/Modules/_sqlite/cursor.c b/Modules/_sqlite/cursor.c
@@ -906,6 +906,11 @@ _pysqlite_query_execute(pysqlite_Cursor* self, int multiple, PyObject* operation
         }
 
         rc = stmt_step(self->statement->st);
+        if (self->connection->db == NULL) {
+            PyErr_SetString(state->ProgrammingError,
+                            "Cannot operate on a closed database.");
+            goto error;
+        }
         if (rc != SQLITE_DONE && rc != SQLITE_ROW) {
             if (PyErr_Occurred()) {
                 /* there was an error that occurred in a user-defined callback */
@@ -967,7 +972,7 @@ _pysqlite_query_execute(pysqlite_Cursor* self, int multiple, PyObject* operation
         Py_XDECREF(parameters);
     }
 
-    if (!multiple) {
+    if (!multiple && self->connection->db) {
         sqlite_int64 lastrowid;
 
         Py_BEGIN_ALLOW_THREADS
