This seems to be a problem with gcc (Ubuntu 5.5.0-12ubuntu5~16.04). When I use this
specific version to compile SQLite, the problem can be reproduced.

Just in case you need it, here’s the log I got:
—
SQLite version 3.31.0 2019-12-24 15:35:53
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
sqlite> CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
sqlite> CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 
) ,( '' ) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO NOTHING ; END ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE '1' ) 
FROM v0 ;
=================================================================
==25839==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x6340000007ff at pc 0x00000042c622 bp 0x7ffe62feaf20 sp 0x7ffe62feaf10
READ of size 1 at 0x6340000007ff thread T0
    #0 0x42c621 in zipfileStep /data/xxx/sqlite/asan/shell.c:6243
    #1 0x5a30f6 in sqlite3VdbeExec /data/xxx/sqlite/asan/sqlite3.c:91052
    #2 0x5c155e in sqlite3Step /data/xxx/sqlite/asan/sqlite3.c:82703
    #3 0x5c155e in sqlite3_step /data/xxx/sqlite/asan/sqlite3.c:82768
    #4 0x436e0d in exec_prepared_stmt /data/xxx/sqlite/asan/shell.c:11379
    #5 0x43da53 in shell_exec /data/xxx/sqlite/asan/shell.c:11684
    #6 0x440631 in runOneSqlLine /data/xxx/sqlite/asan/shell.c:18265
    #7 0x450f95 in process_input /data/xxx/sqlite/asan/shell.c:18365
    #8 0x412a65 in main /data/xxx/sqlite/asan/shell.c:19123
    #9 0x7fc3b2a9d82f in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x413e18 in _start (/data/xxx/sqlite/asan/sqlite3+0x413e18)

0x6340000007ff is located 1 bytes to the left of 120000-byte region 
[0x634000000800,0x63400001dcc0)
allocated by thread T0 here:
    #0 0x7fc3b3754662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x4d2ea0 in sqlite3MemMalloc /data/xxx/sqlite/asan/sqlite3.c:23180
—

Yongheng Chen

> On Dec 24, 2019, at 11:48 AM, Richard Hipp <d...@sqlite.org> wrote:
> 
> On 12/24/19, Yongheng Chen <changoch...@gmail.com> wrote:
>> 
>> When we run it with sqlite compiled with asan, we got a heap overflow crash.
>> 
>> The bug exists in the latest development code.
> 
> Unable to repro.  Tried tip of trunk and release, using gcc and clang,
> all with various combinations of -fsanitize=memory,
> -fsanitize=address, -fsanitize=undefined, and running under valgrind.
> 
> 
> -- 
> D. Richard Hipp
> d...@sqlite.org
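As an added example (not part of this thread or of SQLite), a small Python triage helper that parses the AddressSanitizer report quoted in the message above and cross-checks the stated distance against the printed addresses, confirming that zipfileStep read one byte before the start of a 120000-byte heap allocation. The sample input is the report's own text with wrapped lines re-joined and the stacks shortened; the data-class and function names are my own.

```python
import re
from dataclasses import dataclass

# AddressSanitizer output from the report above (wrapped lines re-joined, stacks shortened).
ASAN_REPORT = """\
==25839==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6340000007ff at pc 0x00000042c622 bp 0x7ffe62feaf20 sp 0x7ffe62feaf10
READ of size 1 at 0x6340000007ff thread T0
    #0 0x42c621 in zipfileStep /data/xxx/sqlite/asan/shell.c:6243
0x6340000007ff is located 1 bytes to the left of 120000-byte region [0x634000000800,0x63400001dcc0)
allocated by thread T0 here:
    #0 0x7fc3b3754662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x4d2ea0 in sqlite3MemMalloc /data/xxx/sqlite/asan/sqlite3.c:23180"""

@dataclass
class AsanFinding:
    kind: str         # e.g. heap-buffer-overflow
    access: str       # READ or WRITE
    size: int         # bytes touched by the faulting access
    crash_frame: str  # innermost non-sanitizer frame of the faulting stack
    alloc_frame: str  # innermost non-sanitizer frame of the allocation stack
    region_size: int
    offset: int       # faulting address minus region start; negative = before the buffer
    consistent: bool  # the stated distance agrees with the printed addresses

def _top_frame(lines, start):  # first '#n 0x.. in func loc' frame not inside libasan
    for ln in lines[start:]:
        m = re.search(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", ln)
        if not m:
            break
        if "libasan" not in m.group(2):
            return f"{m.group(1)} {m.group(2)}"

def parse_asan(report: str) -> AsanFinding:
    lines = report.splitlines()
    for i, ln in enumerate(lines):
        if m := re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", ln):
            kind, address = m.group(1), int(m.group(2), 16)
        elif m := re.search(r"\b(READ|WRITE) of size (\d+)", ln):
            access, size, crash = m.group(1), int(m.group(2)), _top_frame(lines, i + 1)
        elif m := re.search(r"is located (\d+) bytes? to the (left|right) of (\d+)-byte region \[(0x[0-9a-f]+),", ln):
            dist, side, rsize, rstart = int(m.group(1)), m.group(2), int(m.group(3)), int(m.group(4), 16)
        elif ln.startswith("allocated by"):
            alloc = _top_frame(lines, i + 1)
    offset = -dist if side == "left" else rsize + dist  # distance relative to region start
    return AsanFinding(kind, access, size, crash, alloc, rsize, offset, rstart + offset == address)

def summarize(f: AsanFinding) -> str:
    side = "before the start of" if f.offset < 0 else "past the end of"
    return f"{f.kind}: {f.access} of {f.size} byte(s) at offset {f.offset} ({side} a {f.region_size}-byte heap buffer) in {f.crash_frame}; allocated at {f.alloc_frame}"
```

Running `summarize(parse_asan(ASAN_REPORT))` yields a one-line triage summary naming the faulting function, the 1-byte read at offset -1, and the allocation site in sqlite3MemMalloc.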

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users