Hi Salvatore,
On Sun, Sep 7, 2025 at 4:55 PM Salvatore Bonaccorso <[email protected]> wrote:
> The following vulnerability was published for sqlite3.
>
> CVE-2025-7709[0]:
> | Integer Overflow in FTS5 Extension
Indeed, I already knew about it. I have a patch for you if you would
like to check it out.
> I think the issue is as well present before bd0e3ed522a1 ("Use
> flexible arrays whereever appropriate in FTS5.") which is afaics only
> in version-3.50.0 onwards itself. This would be somehow in line with
> [1] which claims at least 3.49.1 is affected as well.
Might be, but I can't reproduce the issue with 3.46.1 that I have in
Debian. As I have the fix, I can apply it and say we have it fixed. But
then, how can I state 3.46.1 is affected? Is there a way, a PoC, that
shows it is affected?
What's the point of view of the security team?
Cheers,
Laszlo/GCS
Description: fix CVE-2025-7709
.
Author: Laszlo Boszormenyi (GCS) <[email protected]>
Bug-Debian: https://bugs.debian.org/1114609
Origin: upstream, https://sqlite.org/src/info/63595b74956a9391
Forwarded: not-needed
Last-Update: 2025-09-07
---
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -1933,9 +1933,9 @@ static void fts5SegIterSetNext(Fts5Index
** leave an error in the Fts5Index object.
*/
static void fts5SegIterAllocTombstone(Fts5Index *p, Fts5SegIter *pIter){
- const int nTomb = pIter->pSeg->nPgTombstone;
+ const i64 nTomb = (i64)pIter->pSeg->nPgTombstone;
if( nTomb>0 ){
- int nByte = nTomb * sizeof(Fts5Data*) + sizeof(Fts5TombstoneArray);
+ i64 nByte = nTomb * sizeof(Fts5Data*) + sizeof(Fts5TombstoneArray);
Fts5TombstoneArray *pNew;
pNew = (Fts5TombstoneArray*)sqlite3Fts5MallocZero(&p->rc, nByte);
if( pNew ){
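Review bot: the widened `i64 nByte` only helps if `sqlite3Fts5MallocZero()` takes a 64-bit size argument; if its second parameter is a plain `int`, the value is truncated again at `pNew = (Fts5TombstoneArray*)sqlite3Fts5MallocZero(&p->rc, nByte);` and the overflow merely moves one call down, so confirm the prototype, which the hunk does not show. Note that on 64-bit targets the old `nTomb * sizeof(Fts5Data*)` was already evaluated in `size_t`, so the defect there was the truncating store into `int nByte`, fixed by the second changed line; the `(i64)` cast on `nPgTombstone` additionally protects 32-bit targets where `size_t` is 32 bits wide. The remainder of the function is cut off here; check that `nTomb` is not later stored into an `int`-sized field without a range check, otherwise the count and the allocation size can disagree.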