Thanks for posting this — my adaptation of that sample code in my project had 
the same bug.

I’m not sure how the SQL in your application gets generated, but if you allow 
untrusted SQL, it’s still possible to create a query that can cause the rank 
function to crash. For example (assuming I have my SQL blob-literal syntax 
correct) a call to XRank(x’77777777’). The function assumes the blob passed to 
it is valid output from matchinfo, where the initial 4 bytes are an array 
count; but if you pass a custom blob you can specify an overly large count that 
causes the function to read past the end of the blob … probably into unmapped 
address space if the count is big enough.

sqlite-users mailing list

Reply via email to