On Tue, Dec 24, 2019 at 5:48 PM Richard Hipp <d...@sqlite.org> wrote:
>
> On 12/24/19, Yongheng Chen <changoch...@gmail.com> wrote:
> >
> > When we run it with sqlite compiled with asan, we got a heap overflow crash.
> >
> > The bug exists in the latest development code.
>
> Unable to repro. Tried tip of trunk and release, using gcc and clang,
> all with various combinations of -fsanitize=memory,
> -fsanitize=address, -fsanitize=undefined, and running under valgrind.
Hi,

I just tried the latest from trunk in fossil (1c0a05b09 2019-12-24 16:20:05 UTC)
and I can reproduce the bug when running with valgrind:

$ valgrind ./sqlite3
==6674== Memcheck, a memory error detector
==6674== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6674== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==6674== Command: ./sqlite3
==6674==
SQLite version 3.31.0 2019-12-24 16:20:05
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
sqlite> CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
sqlite> CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 ) ,( '' ) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO NOTHING ; END ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE '1' ) FROM v0 ;
==6674== Invalid read of size 1
==6674==    at 0x12944E: zipfileStep (shell.c:6243)
==6674==    by 0x1B8711: sqlite3VdbeExec (sqlite3.c:91052)
==6674==    by 0x1BD58F: sqlite3Step (sqlite3.c:82703)
==6674==    by 0x1BD58F: sqlite3_step (sqlite3.c:82768)
==6674==    by 0x13161D: exec_prepared_stmt (shell.c:11379)
==6674==    by 0x13161D: shell_exec (shell.c:11684)
==6674==    by 0x132C7B: runOneSqlLine (shell.c:18265)
==6674==    by 0x13CCE4: process_input (shell.c:18365)
==6674==    by 0x11DD65: main (shell.c:19123)
==6674==  Address 0x5d15ccf is 1 bytes before a block of size 120,000 alloc'd
==6674==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6674==    by 0x16AAF0: sqlite3MemMalloc (sqlite3.c:23180)
==6674==    by 0x1459E1: mallocWithAlarm (sqlite3.c:27071)
==6674==    by 0x1459E1: sqlite3Malloc (sqlite3.c:27101)
==6674==    by 0x1516A4: setupLookaside (sqlite3.c:158620)
==6674==    by 0x1E463D: openDatabase (sqlite3.c:161240)
==6674==    by 0x1327FF: open_db.part.64 (shell.c:12696)
==6674==    by 0x132EA6: open_db (stdio2.h:97)
==6674==    by 0x132EA6: runOneSqlLine (shell.c:18261)
==6674==    by 0x13CCE4: process_input (shell.c:18365)
==6674==    by 0x11DD65: main (shell.c:19123)
==6674==
0|NULL
sqlite>

Line where the overflow is detected, shell.c:6243:

  6242      }else{
 !6243        if( zName[nName-1]!='/' ){
  6244          zName = zFree = sqlite3_mprintf("%s/", zName);

Regards
Dominique
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
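An added example, not part of the thread above and not SQLite's code: it isolates the pattern at shell.c:6243 and shows why valgrind reports a read one byte *before* the allocation. The inference that the faulting input is an empty name (nName == 0, so `zName[nName-1]` indexes `zName[-1]`) is mine, drawn from the `''` values in the trigger's VALUES list and the "1 bytes before a block" message; the thread does not state it, and the guarded helpers below are a stand-in for a fix, not the one SQLite applied. The function names, the sample inputs and the "empty name is an error" policy are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unguarded form of the check quoted from shell.c:6243 (re-typed here, not
 * SQLite's source).  With nName == 0 this evaluates zName[-1]: a one-byte
 * read before the start of the allocation, which is what valgrind flagged.
 * Kept only to show the pattern; it must never be called with nName == 0. */
static int needs_slash_unguarded(const char *zName, size_t nName){
  return zName[nName-1] != '/';
}

/* Guarded form: an empty name has no last byte to test, so it is rejected
 * before the index is formed.  (Assumed fix, not SQLite's.) */
static int needs_slash(const char *zName, size_t nName){
  return nName > 0 && zName[nName-1] != '/';
}

/* Pure arithmetic, no dereference: would the unguarded expression index
 * before the buffer for this length?  Safe to call with any nName. */
static int unguarded_read_underflows(size_t nName){
  return nName == 0;
}

/* Stand-in for the sqlite3_mprintf("%s/", zName) step at shell.c:6244.
 * Returns a fresh copy of zName that ends in '/', or NULL when zName is
 * empty (treated as an error here, an assumption) or malloc fails.
 * The caller frees the result. */
static char *dir_name_with_slash(const char *zName, size_t nName){
  size_t extra = needs_slash(zName, nName) ? 1 : 0;
  char *z;
  if( nName==0 ) return NULL;
  z = malloc(nName + extra + 1);
  if( z==0 ) return NULL;
  memcpy(z, zName, nName);
  if( extra ) z[nName] = '/';
  z[nName + extra] = 0;
  return z;
}

/* Helper for checking: 1 if dir_name_with_slash() produced a string that
 * ends in '/' and is exactly one byte longer than the input only when a
 * slash was actually needed. */
static int slash_appended_ok(const char *zName, size_t nName){
  char *z = dir_name_with_slash(zName, nName);
  int ok;
  if( z==0 ) return 0;
  ok = z[strlen(z)-1]=='/'
    && strlen(z)==nName + (needs_slash(zName, nName) ? 1u : 0u);
  free(z);
  return ok;
}

int main(void){
  /* Constructed inputs mirroring the VALUES list in trigger x: a number
   * rendered as text, the empty string, and a name already ending in '/'. */
  const char *samples[] = { "10.1", "", "1", "dir/" };
  size_t i;
  for( i=0; i<sizeof(samples)/sizeof(samples[0]); i++ ){
    const char *z = samples[i];
    size_t n = strlen(z);
    if( unguarded_read_underflows(n) ){
      printf("\"\"    : unguarded check would read zName[-1]; "
             "guarded returns %d\n", needs_slash(z, n));
    }else{
      char *d = dir_name_with_slash(z, n);
      printf("%-6s: unguarded=%d guarded=%d -> %s\n",
             z, needs_slash_unguarded(z, n), needs_slash(z, n), d);
      free(d);
    }
  }
  return 0;
}
```

Run under valgrind or ASan the guarded path stays clean for every sample, including the empty string; the unguarded function is only ever reached for non-empty names, which is the invariant the original line lacked.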