Re: [sqlite] Assertion `memIsValid(pCtx->argv[i])' failed.

2020-01-09 Thread Yongheng Chen
The error pic got stripped. It was "Database error: SQL logic error: {DELETE FROM ftsidx WHERE docid IN (SELECT rowid FROM ftsdocs WHERE type='t' AND rid=0 AND idxed)}" > On Jan 9, 2020, at 7:17 PM, Yongheng Chen wrote: > > Hi, > > We found an assertion failed in sq

[sqlite] Assertion `memIsValid(pCtx->argv[i])' failed.

2020-01-09 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite. Here’s the POC: — CREATE TABLE v0 ( v1 INT CHECK( datetime ( ( NULL ) ,( '1995-09-01' ) ,( 'GERMANY' ) ,( 'MED P' ) ,( 'abc' ) ,( 'Y' ) ,( '13' ) ,( 'MED BAG' ) ,( '199419' ) ,( 'LG CASE' ) ,( '1995-09-01' ) ,( 'SM BOX' ) ,( '' ) ,( 'a' )

Re: [sqlite] A hang in Sqlite

2020-01-06 Thread Yongheng Chen
us to keep track of what we report. So if possible I wish I could be granted the access to opening a ticket. Yongheng & Rui > On Jan 6, 2020, at 9:44 AM, Simon Slavin wrote: > > On 6 Jan 2020, at 2:40pm, Yongheng Chen wrote: > >> I am sorry if I was polluting the mail lis

Re: [sqlite] A hang in Sqlite

2020-01-06 Thread Yongheng Chen
Hi, I am sorry if I was polluting the mailing list. As nobody mentioned that before, and reporting bugs to this mailing list is what is said on the official website, I just kept doing this. I think Manuel has access to open a ticket. Could I be granted this access too so that I don’t need to send

[sqlite] A hang in Sqlite

2020-01-05 Thread Yongheng Chen
Hi, We found a test case that hangs Sqlite: — CREATE TEMPORARY TABLE v0 ( v1 INT UNIQUE ) ; WITH RECURSIVE v0 ( v1 ) AS ( SELECT -128 UNION SELECT v1 + 33 FROM v0 ) SELECT 'x' from v0; — This seems to trigger a dead loop. However, since v0 is empty, it might not enter a dead loop, I think? We

[sqlite] Root cause of an assertion failed.

2020-01-05 Thread Yongheng Chen
Hi, We noticed that an assertion is converted back to a conditional in this check-in (https://www.sqlite.org/src/info/4d0b9109f7a5312d4e136395e08b11dad64d746bc106ad44d47675e5b1dcb4ef). We are

[sqlite] Crash bug in Sqlite

2020-01-03 Thread Yongheng Chen
Hi, We found a crash bug in sqlite. Here’s the POC: — CREATE VIRTUAL TABLE v0 USING rtree ( v3 AS( '1994-01-01' ) CHECK( v3 ) CHECK( v3 NOT LIKE 'y' ) GENERATED ALWAYS AS( ( SELECT 10.10 * AVG ( v3 ) FROM v0 WHERE v1 = v3 ) ) , v2 , v1 ) ; SELECT count ( * ) , max ( v3 ) FROM v0 ; CREATE

[sqlite] Assertion `(mFlags_Blob)==0 || sqlite3BlobCompare(pMem, pX)==0'

2020-01-03 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite. Here’s the POC: — CREATE TABLE v0 ( v2 INTEGER PRIMARY KEY UNIQUE ON CONFLICT FAIL , v1 DOUBLE CHECK( ( v2 > 10 AND v1 >= 10 AND v2 <= 10 + 10 AND v1 BETWEEN 0 AND 10 AND v2 IN ( '' , 'AIR REG' ) AND v2 NOT IN ( 0 , NULL , 10 ) AND v2 >= 10 ) + CASE

[sqlite] Crash bug in sqlite

2020-01-03 Thread Yongheng Chen
Hi, We found a crash bug in sqlite. Here’s the POC: — CREATE VIRTUAL TABLE v0 USING fts4 ( v1 AS( typeof ( v5 ) ) , v6 UNIQUE GENERATED ALWAYS AS( v5 ) , v2 INT , v3 INT UNIQUE GENERATED ALWAYS AS( NULL ) , v4 INTEGER UNIQUE , v5 DOUBLE PRIMARY KEY CHECK( v4 ) , v7 VARCHAR(20) UNIQUE ) ;

[sqlite] Assertion `memIsValid([i])' failed.

2020-01-03 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite, and this assertion seems not to be fixed completely. Here’s the POC: — CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ; INSERT INTO v0 ( v1 ) VALUES ( NULL ) ,( NULL ) ; SELECT ifnull ( v1 , max ( ( SELECT printf ( 's%' , 3 , 0 , 0.10 ) ) ) ) , max (

[sqlite] Assertion `0' failed.

2020-01-02 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite, and this assertion seems not to be fixed completely. Here’s the POC: — CREATE TABLE v0 ( v8 FLOAT , v7 UNIQUE ON CONFLICT ROLLBACK GENERATED ALWAYS AS( v6 ) , v6 INT , v5 INT UNIQUE GENERATED ALWAYS AS( NULL ) , v4 INTEGER UNIQUE , v3 DOUBLE PRIMARY

[sqlite] Undefined behavior in fopen64 in sqlite3

2020-01-02 Thread Yongheng Chen
Hi, We found undefined behavior in sqlite. Here’s the POC: — DELETE FROM zipfile WHERE NULL BETWEEN ( 2) AND 1 ; —- When compiled with `-fsanitize=address`, it crashed. We found that it’s because it tries to use `fopen64(NULL, "ab+")` in zipfileBegin. And fopen64 with NULL seems an

[sqlite] Assertion `memIsValid(pRec)' failed

2020-01-01 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite, and this assertion seems not to be fixed completely. Here’s the POC: — CREATE TABLE v0 ( v1 ) ; INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 10 ) ; UPDATE v0 SET v1 = ( SELECT coalesce ( quote ( NULL ) , quote ( v1 ) , ( SELECT 1 FROM v0 AS v WHERE ( SELECT

[sqlite] Assertion `(mFlags_Str)==0 || (pMem->n==pX->n && pMem->z==pX->z)' failed.

2020-01-01 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite. Here’s the POC: — CREATE TABLE v0 ( v1 VARCHAR(15) ) ; INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 10 ) ; UPDATE v0 SET v1 = ( SELECT coalesce ( quote ( NULL ) , quote ( v1 ) , quote ( v1 ) , 0 ) FROM v0 ORDER BY substr ( v1 , v1 , 10 ) ) ; —- This exists

[sqlite] Assertion `memIsValid(pRec)' failed

2020-01-01 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite. Here’s the POC: — CREATE TABLE v0 ( v1 CHAR(25) ) ; CREATE TRIGGER myname AFTER INSERT ON v0 BEGIN INSERT INTO v0 SELECT ( SELECT ifnull ( count ( DISTINCT ( SELECT v1 FROM v0 ) ) , 10 ) ) FROM v0 AS d WHERE v1 = v1 AND v1 <= v1 GROUP BY v1 , v1 ORDER

[sqlite] Assertion `memIsValid([p1+idx])' failed.

2020-01-01 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite. Here’s the POC: — CREATE TABLE v0 ( v1 DOUBLE PRIMARY KEY ) ; INSERT INTO v0 VALUES ( 10 ) ; SELECT * FROM v0 NATURAL JOIN v0 NATURAL JOIN v0 WHERE v1 = 9223372036854775807 OR ( ( v1 = ( SELECT 10 + sum ( v1 LIKE 'LG PACK' ) OVER( ORDER BY v1 ) ) AND

[sqlite] Assertion `pRes->iTable==pSrc->a[0].iCursor'

2020-01-01 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite. Here’s the POC: — CREATE TABLE v0 ( v2 INTEGER PRIMARY KEY , v1 AS( 10.10 ) UNIQUE ) ; SELECT * FROM v0 WHERE v1 + 10 IN ( SELECT v2 FROM v0 NATURAL JOIN v0 WHERE v2 IN ( SELECT v1 FROM v0 ORDER BY v1 ) ) ; —- This exists in the latest development

[sqlite] Assertion `pC!=0' failed.

2019-12-31 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite. Here’s the POC: — CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ON CONFLICT ROLLBACK NOT NULL ON CONFLICT IGNORE , v2 FLOAT AS( 'BUILDING' ) CHECK( 10 ) CHECK( v2 NOT LIKE 'MED BAG' ) NOT NULL UNIQUE ) ; INSERT INTO v0 VALUES ( 10 ) ; SELECT * FROM v0 JOIN

[sqlite] Assertion `pWalker->eCode==0' failed.

2019-12-31 Thread Yongheng Chen
Hi, We found an assertion failure in sqlite. Here’s the POC: — CREATE TABLE v0 ( v1 INT , v2 INT ) ; CREATE TABLE v3 ( v4 DOUBLE PRIMARY KEY UNIQUE NOT NULL ) ; SELECT * FROM v3 LEFT JOIN v0 ON v1 = 10 WHERE ( v2 < 10 AND v1 = 10 ) > ( v2 < 0 AND v1 > 10 AND ( v1 = 10 AND 10 ) ) ORDER BY v1 DESC

[sqlite] Crash Bug In sqlite

2019-12-31 Thread Yongheng Chen
Hi, We found a crash bug in sqlite. Here’s the POC: — CREATE VIRTUAL TABLE v0 USING fts4 ( v1 , v2 , v3 , v4 ) ; INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 10 ) ; CREATE TABLE v5 ( v6 UNIQUE NOT NULL PRIMARY KEY UNIQUE ) ; INSERT INTO v5 ( v6 , v6 ) SELECT nullif ( DISTINCT zeroblob ( julianday ()

[sqlite] sqlite3VdbeMemAboutToChange(Vdbe *, Mem *): Assertion `(mFlags_Str)==0 || (pMem->n==pX->n && pMem->z==pX->z)' failed.

2019-12-31 Thread Yongheng Chen
Hi, We found a debug assertion bug in sqlite. Here’s the PoC: — CREATE TABLE v0 ( v1 , v2 FLOAT ) ; CREATE TRIGGER x AFTER INSERT ON v0 BEGIN INSERT INTO v0 SELECT DISTINCT v2 / 10 , v2 / 1 FROM v0 ; END; INSERT INTO v0 ( v1 , v1 ) VALUES ( '' , 10 ) ,( '' , 0 ) ,( 'AIR' , 10 ); UPDATE v0 SET

[sqlite] Assertion Bug in Sqlite

2019-12-29 Thread Yongheng Chen
Hi, We found an assertion bug in Sqlite. Here’s the PoC: — CREATE TABLE v0 ( v1 ) ; CREATE TABLE v2 ( v3 INTEGER UNIQUE ON CONFLICT ABORT ) ; CREATE TRIGGER x AFTER INSERT ON v2 WHEN ( ( SELECT v1 AS PROMO_REVENUE FROM v2 JOIN v0 USING ( VALUE ) ) AND 0 ) BEGIN DELETE FROM v2 ; END ; CREATE

[sqlite] Debug Assertion Bug in Sqlite

2019-12-28 Thread Yongheng Chen
Hi, We found some assertion bugs in sqlite. Here are the PoCs: #1 — CREATE TABLE v0 ( v1 , v2 PRIMARY KEY ON CONFLICT REPLACE ) ; CREATE TEMP TRIGGER x BEFORE INSERT ON v0 BEGIN INSERT INTO v0 ( v1 ) VALUES ( 10 ) ; END ; CREATE VIRTUAL TABLE v3 USING rtree ( v4 AS( v2 = 'MED PACK' ) , v5 AS( v2

[sqlite] Assertion Bug in sqlite

2019-12-27 Thread Yongheng Chen
Hi, There’s one bug that triggers an assertion failure in sqlite: — CREATE TABLE v0 ( v1 ) ; CREATE TABLE v2 ( v3 VARCHAR(1) UNIQUE ) ; SELECT * FROM v0 WHERE v1 IN ( 'AIR' ) GROUP BY v1 , v1 ; CREATE INDEX v4 ON v0 ( v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 )

[sqlite] Assertion Bugs in Sqlite

2019-12-27 Thread Yongheng Chen
Hi, We found some assertion bugs in sqlite: #1 — CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY UNIQUE ) ; INSERT INTO v0 VALUES ( 10 ) ON CONFLICT DO NOTHING ; SELECT * FROM v0 NATURAL JOIN v0 AS y WHERE v1 IN ( SELECT DISTINCT v1 FROM v0 ORDER BY v1 ); sqlite3.c:100324: Select

[sqlite] Heap Use After Free In sqlite.

2019-12-27 Thread Yongheng Chen
Hi, We found a heap UAF bug in sqlite. Here’s the PoC: — CREATE TABLE v0 ( v1 CHECK( CASE v1 WHEN '13' THEN 10 ELSE 10 END ) ) ; CREATE TRIGGER x INSERT ON v0 BEGIN INSERT INTO v0 ( v1 , v1 ) SELECT v1 , v1 FROM v0 WHERE v1 < 10 ON CONFLICT DO NOTHING ; END ; INSERT INTO v0 SELECT * FROM v0

[sqlite] Assertion Failed In sqlite3

2019-12-27 Thread Yongheng Chen
Hi, We found an assertion violation bug in sqlite. Here’s the PoC: — CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ; INSERT INTO v0 VALUES ( 10 ) ; SELECT '29' , count () OVER( ORDER BY v1 ) AS m FROM v0 ORDER BY v1 > ( SELECT m ) ; — The bug exists in the latest development code and release

[sqlite] Buffer Overflow bugs In Sqlite

2019-12-26 Thread Yongheng Chen
Hi, We found a global buffer overflow and a heap buffer overflow in sqlite. Here’s the POC (trigger with asan): Global buffer overflow: — CREATE TABLE v0 ( v6 INTEGER UNIQUE , v5 , v3 , v4 , v2 , v7 , v1 ) ; INSERT INTO v0 ( v3 ) VALUES ( 0 ) ,( 10 ) ,( 10.10 ) ,( 10 ) ,( 10 ) ,( 10 ) ,(

[sqlite] Crash bug in sqlite

2019-12-24 Thread Yongheng Chen
Hi, We found a crash bug in sqlite. Here’s the PoC: — CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ; INSERT INTO v0 ( v1 ) VALUES ( 0 ) ,( 1 ) ,( 10 ) ON CONFLICT DO NOTHING ; CREATE VIRTUAL TABLE v2 USING rtree ( v5 UNIQUE ON CONFLICT ABORT , v4 , v3 ) ; SELECT 'MED BOX' - 'a' FROM v0 LEFT JOIN

Re: [sqlite] Heap Out of Bound Read in Sqlite

2019-12-24 Thread Yongheng Chen
c (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662) #1 0x4d2ea0 in sqlite3MemMalloc /data/xxx/sqlite/asan/sqlite3.c:23180 — Yongheng Chen > On Dec 24, 2019, at 11:48 AM, Richard Hipp wrote: > > On 12/24/19, Yongheng Chen wrote: >> >> When we run it with sqlite compiled

[sqlite] Heap Out of Bound Read in Sqlite

2019-12-24 Thread Yongheng Chen
Hi, We found an OOB read in sqlite. Here’s the PoC: — CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ; CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ; CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 ) ,( '' ) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON

[sqlite] Heap overflow leads to crashing or memory dumping (possibly database leaking)

2019-12-23 Thread Yongheng Chen
Hi, We found a heap overflow bug in sqlite, which leads to crashing and memory dumping. Here is the PoC: — create table v0(v1 char); insert into v0 values ('1'); create table v2(v3 text); insert into v2 values

[sqlite] Crash Bug in Sqlite

2019-12-19 Thread Yongheng Chen
Hi, We found another crash in Sqlite. Here’s the POC: — CREATE TABLE v0 ( v1 , v2 ) ; SELECT 10 , 1 UNION SELECT v2 , dense_rank () OVER( ORDER BY - 10 ) FROM v0 ; — This bug exists in both the latest development code and the release code. Yongheng & Rui

[sqlite] Crash bug in Sqlite

2019-12-19 Thread Yongheng Chen
Hi, We found another crash in Sqlite. Here’s the POC: — CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ; CREATE VIEW v2 ( v3 ) AS SELECT DISTINCT ( SELECT DISTINCT v1 , v1 , v1 , v3 , v1 , v3 , v1 , 10.10 ) ; CREATE TABLE v4 ( v5 INTEGER PRIMARY KEY , v6 INT ); DELETE FROM v0 WHERE NULL BETWEEN

[sqlite] Crash bug in Sqlite

2019-12-19 Thread Yongheng Chen
Hi, We found another crash in Sqlite. Here’s the POC: — CREATE TABLE v0 ( v7 FLOAT , v3 DOUBLE , v6 TEXT , v1 INTEGER UNIQUE , v5 DOUBLE , v2 VARCHAR(20) UNIQUE , v4 ) ; REPLACE INTO v0 ( v6 , v3 , v2 ) VALUES ( 10 , 10 , 10 ); CREATE VIRTUAL TABLE v8 USING zipfile ( v9 DOUBLE ) ; REPLACE INTO

[sqlite] Crash bug in Sqlite

2019-12-18 Thread Yongheng Chen
Hi, We found another crash in Sqlite. Here’s the POC: — CREATE TABLE v0 ( v2 INTEGER UNIQUE ON CONFLICT IGNORE , v1 TEXT PRIMARY KEY ) ; CREATE VIEW v3 ( v4 ) AS SELECT v2 IN ( 9223372036854775808 , ( printf () IN ( 0 , 0 ) ) , 10 , 10 , 10 ) AS AVG_YEARLY FROM v0 ; CREATE TABLE v5 ( v6 , v7 )

Re: [sqlite] Crash Bug in Sqlite

2019-12-17 Thread Yongheng Chen
It’s Yongheng & Rui. Sorry for the typo. > On Dec 17, 2019, at 4:58 PM, Jose Isaias Cabrera wrote: > > > Yongheng Chen, on Tuesday, December 17, 2019 04:21 PM, wrote... >> >> Hi, >> >> We found a bug that crashes Sqlite. Here’s the test case: >&

Re: [sqlite] Crash Bug in Sqlite

2019-12-17 Thread Yongheng Chen
; ….. —— — Then address 1234 will be accessed. We think this has the potential of achieving RCE. Yongheng & Chen > On Dec 17, 2019, at 4:58 PM, Jose Isaias Cabrera wrote: > > > Yongheng Chen, on Tuesday, December 17, 2019 04:21 PM, wrote... >> >> Hi, >> >> We found a

[sqlite] Crash Bug in Sqlite

2019-12-17 Thread Yongheng Chen
Hi, We found a bug that crashes Sqlite. Here’s the test case: —— CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ; CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER BY 10 ASC ) ) ) FROM v0 ; SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN

Re: [sqlite] CVE-2019-19317

2019-12-14 Thread Yongheng Chen
When we reported the bugs, we said that they were from version 3.31, but people at MITRE changed them to 3.30.1. We just reported what we found. And the commit we reported in the bug report references the official GitHub repo. Bugs are found in the latest version, because there are so

Re: [sqlite] A crash bug in sqlite

2019-12-09 Thread Yongheng Chen
I see. I totally agree with you. A better sqlite is what we all want. Best. Yongheng & Rui > On Dec 9, 2019, at 11:23 AM, Richard Hipp wrote: > > On 12/9/19, Yongheng Chen wrote: >> So should we just report the bugs after another release version? > > No. You shoul

Re: [sqlite] A crash bug in sqlite

2019-12-09 Thread Yongheng Chen
So should we just report the bugs after another release version? We think the sooner the bugs get fixed, the better in terms of security, as this approach can minimize the number of bugs in future releases. > On Dec 9, 2019, at 10:56 AM, Jose Isaias Cabrera wrote: > > > Since no one

Re: [sqlite] Crash Bug Report

2019-12-09 Thread Yongheng Chen
Thanks for the fix. > On Dec 9, 2019, at 9:43 AM, Richard Hipp wrote: > > On 12/8/19, Yongheng Chen wrote: >> >> We found one crash bug in sqlite, > > Simplified test case: > > CREATE TABLE t1(a); > CREATE VIEW v2(b) AS WITH t3 AS (SELECT b FROM v2) VALU

[sqlite] A crash bug in sqlite

2019-12-09 Thread Yongheng Chen
Hi, We found a crash bug in sqlite of master branch. Here’s the POC — CREATE TABLE v0 ( v2 DOUBLE CHECK( ( v2 IN ( v2 , v1) ) ) , v1 UNIQUE AS( v2 > v2 ) ) ; INSERT INTO v0 VALUES ( 10 ); SELECT v0 . v1 , v0 . v1 FROM v0 JOIN v0 USING ( v1 , v1) ; — The bug exists in "SQLite version 3.31.0

Re: [sqlite] Crash Bug Report

2019-12-08 Thread Yongheng Chen
I haven’t tested many versions. But the most up-to-date master branch and the release version have this bug. > On Dec 8, 2019, at 4:55 PM, Simon Slavin wrote: > > On 8 Dec 2019, at 7:51pm, Yongheng Chen wrote: > >> The bug exists in "SQLite version 3.31.0 2019-12-

[sqlite] Crash Bug Report

2019-12-08 Thread Yongheng Chen
hope somebody else can help us. Thanks. Best. Yongheng Chen & Rui Zhong ___ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Bug report

2019-11-21 Thread Yongheng Chen
Hi, This is Yongheng Chen from Gatech and Rui Zhong from PSU. We found 7 crashes for sqlite of the newest commit 3842e8f166e23a1ed6e6094105e7a23502d414da. We have attached the samples that crash sqlite in the email. FYI, we have also reported the bugs for CVE at cve.mitre.org <h