We just took a look at the bug. The value of the accessed address in the crash point can be controlled by the value in the second line of the test input, which means:

——
……. CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER BY 1234 ASC ) ) ) FROM v0 ; …..
——

Then address 1234 will be accessed. We think this has the potential of achieving RCE.

Yongheng & Chen

> On Dec 17, 2019, at 4:58 PM, Jose Isaias Cabrera <jic...@outlook.com> wrote:
>
>
> Yongheng Chen, on Tuesday, December 17, 2019 04:21 PM, wrote...
>>
>> Hi,
>>
>> We found a bug that crashes SQLite. Here’s the test case:
>>
>> ——
>> CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ;
>> CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER BY 10 ASC ) ) ) FROM v0 ;
>> SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN 10 AND 10 );
>> ——
>>
>> This bug exists in both the development code and the latest release code.
>
> Yep, 3.30.0 has the problem.
>
> josé
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
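For anyone who wants to check whether the SQLite library linked into their own Python build is affected, the following harness (an added example, not code from the thread or from the SQLite project) runs the reported test case in a throwaway child interpreter. Executing the statements in-process would let a segmentation fault in the library kill the whole test runner, so the harness isolates them, then classifies the outcome as a clean result, an ordinary SQL error, or a crash (child killed by a signal). The function and constant names are this example's own.

```python
"""Run a SQLite reproducer in an isolated child process and classify the outcome.

Added example (not part of the mailing-list thread). A crash inside the SQLite
library takes the child interpreter down, not the harness, and a kill-by-signal
exit is reported separately from a normal sqlite3.Error.
"""
import json
import subprocess
import sys

# The test case posted in the thread, one statement per entry.
REPRO_STATEMENTS = [
    "CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ;",
    "CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) "
    "OVER( ORDER BY 10 ASC ) ) ) FROM v0 ;",
    "SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN 10 AND 10 ) ;",
]

# Program run inside the child interpreter. It takes the statement list as JSON
# in argv[1], prints the linked SQLite version first (flushed, so it survives a
# later crash), runs each statement against an in-memory database and fetches
# every row so the SELECT is really stepped. Exit 0 = success, 2 = SQLite error.
_CHILD_PROGRAM = r"""
import json, sqlite3, sys
stmts = json.loads(sys.argv[1])
print(sqlite3.sqlite_version, flush=True)
con = sqlite3.connect(":memory:")
try:
    for s in stmts:
        con.execute(s).fetchall()
except sqlite3.Error as e:
    print("error:", e, flush=True)
    sys.exit(2)
"""


def run_isolated(statements, timeout=30):
    """Execute statements in a child process; return a dict describing the outcome.

    status is one of "ok", "error", "crash" or "unexpected". On POSIX a negative
    return code means the child was killed by a signal (SIGSEGV, SIGABRT, ...),
    i.e. the library crashed rather than raising a SQL error. (Windows reports
    access violations as large positive codes, which land in "unexpected".)
    """
    proc = subprocess.run(
        [sys.executable, "-c", _CHILD_PROGRAM, json.dumps(statements)],
        capture_output=True, text=True, timeout=timeout,
    )
    lines = proc.stdout.splitlines()
    version = lines[0] if lines else ""
    if proc.returncode == 0:
        status = "ok"
    elif proc.returncode == 2:
        status = "error"
    elif proc.returncode < 0:
        status = "crash"
    else:
        status = "unexpected"
    return {
        "status": status,
        "returncode": proc.returncode,
        "sqlite_version": version,
        "output": proc.stdout + proc.stderr,
    }


if __name__ == "__main__":
    result = run_isolated(REPRO_STATEMENTS)
    print(f"SQLite {result['sqlite_version']}: {result['status']}")
```

Run it as a script and it prints the library version together with the classification; a "crash" result on a given build means that build still carries the bug reported in the thread and should be upgraded, while "ok" or "error" means the reproducer no longer brings the library down.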