SQLite Forum

Another CLI problem

(1.1) By Yu Liang (LY1598773890) on 2022-10-27 18:27:54 edited from 1.0

The latest SQLite3 crashes when executing the query from this link: PoC LINK. The PoC is just a four-line query, but it contains a special character in the first line that I cannot copy and paste into this report. Therefore, I have shared the PoC file on Google Drive.

To trigger this bug, run the CLI command: sqlite3 < poc.

Here is some debug information from the crash, from SQLite3 version 7450a561f8.

Stack Trace:

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x608530 (<__libc_csu_init>:       endbr64)
RCX: 0x0
RDX: 0x0
RSI: 0x4
RDI: 0x7ffff7d6e6a0 --> 0xfbad2a84
RBP: 0x7fffffffb8c0 --> 0x7fffffffbb60 --> 0x7fffffffbca0 --> 0x7fffffffbd30 --> 0x7fffffffc5e0 --> 0x7fffffffc660 (--> ...)
RSP: 0x7fffffffb890 --> 0x0
RIP: 0x437c4c (<utf8_width_print+76>:   cmp    BYTE PTR [rax+rcx*1],0x0)
R8 : 0x6a12e0 --> 0x100000001
R9 : 0x6a92d0 --> 0x18b0
R10: 0x69f010 --> 0x1
R11: 0x7ffff7d6dbe0 --> 0x6b62c0 --> 0x0
R12: 0x403750 (<_start>:        endbr64)
R13: 0x7fffffffdde0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x437c3d <utf8_width_print+61>:      mov    DWORD PTR [rbp-0x1c],0x0
   0x437c44 <utf8_width_print+68>:      mov    rax,QWORD PTR [rbp-0x18]
   0x437c48 <utf8_width_print+72>:      movsxd rcx,DWORD PTR [rbp-0x1c]
=> 0x437c4c <utf8_width_print+76>:      cmp    BYTE PTR [rax+rcx*1],0x0
   0x437c50 <utf8_width_print+80>:      je     0x437cd2 <utf8_width_print+210>
   0x437c56 <utf8_width_print+86>:      mov    rax,QWORD PTR [rbp-0x18]
   0x437c5a <utf8_width_print+90>:      movsxd rcx,DWORD PTR [rbp-0x1c]
   0x437c5e <utf8_width_print+94>:      movsx  edx,BYTE PTR [rax+rcx*1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb890 --> 0x0
0008| 0x7fffffffb898 --> 0x400000004
0016| 0x7fffffffb8a0 --> 0x0
0024| 0x7fffffffb8a8 --> 0x0
0032| 0x7fffffffb8b0 --> 0x400008000
0040| 0x7fffffffb8b8 --> 0x7ffff7d6e6a0 --> 0xfbad2a84
0048| 0x7fffffffb8c0 --> 0x7fffffffbb60 --> 0x7fffffffbca0 --> 0x7fffffffbd30 --> 0x7fffffffc5e0 --> 0x7fffffffc660 (--> ...)
0056| 0x7fffffffb8c8 --> 0x435e5e (<shell_callback+654>:        mov    ecx,DWORD PTR [rbp-0x34])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000437c4c in utf8_width_print (pOut=0x7ffff7d6e6a0 <_IO_2_1_stdout_>, w=0x4, zUtf=0x0) at shell.c:570
570       for(i=n=0; zUtf[i]; i++){
gdb-peda$ bt
#0  0x0000000000437c4c in utf8_width_print (pOut=0x7ffff7d6e6a0 <_IO_2_1_stdout_>, w=0x4, zUtf=0x0) at shell.c:570
#1  0x0000000000435e5e in shell_callback (pArg=0x7fffffffc7c0, nArg=0x4, azArg=0x6a12c0, azCol=0x6a12a0, aiType=0x6a12e0) at shell.c:13385
#2  0x000000000043a466 in exec_prepared_stmt (pArg=0x7fffffffc7c0, pStmt=0x6b2f30) at shell.c:14898
#3  0x0000000000418607 in shell_exec (pArg=0x7fffffffc7c0, zSql=0x6a7980 "EXPLAIN QUERY PLAN SELECT 0", pzErrMsg=0x7fffffffc5b0) at shell.c:15174
#4  0x000000000043e55f in runOneSqlLine (p=0x7fffffffc7c0, zSql=0x6a7980 "EXPLAIN QUERY PLAN SELECT 0", in=0x7ffff7d6d980 <_IO_2_1_stdin_>, startline=0x3)
    at shell.c:22787
#5  0x00000000004193aa in process_input (p=0x7fffffffc7c0) at shell.c:22970
#6  0x000000000040ad67 in main (argc=0x1, argv=0x7fffffffdde8) at shell.c:23806
#7  0x00007ffff7ba5083 in __libc_start_main (main=0x408e40 <main>, argc=0x1, argv=0x7fffffffdde8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffddd8) at ../csu/libc-start.c:308
#8  0x000000000040377e in _start ()

Bisecting log:

bisect complete
  1 BAD     2022-10-27 14:41:38 a608d584a8a68eba
  3 BAD     2022-06-22 18:33:21 5247df05991df979
  4 BAD     2022-05-12 17:09:33 7a2ac303d1436a42
  5 BAD     2022-04-11 11:25:28 e8c00442d2daedec
  6 BAD     2022-04-02 20:08:48 8a3a3486358d076c
  7 BAD     2022-03-30 17:36:40 9248ce50f57fb9c4
  9 BAD     2022-03-29 13:16:32 d0966d1bdd474e27
 10 BAD     2022-03-28 18:34:40 310a3e102d8eedf9
 11 GOOD    2022-03-28 17:34:46 06928e745c7bcb26 CURRENT
  8 GOOD    2022-03-28 14:56:47 daa924af98725334
  2 GOOD    2022-03-21 20:08:13 c7a2047e93df36c1

Looking forward to your reply. Thank you! :-)

(2) By Tim Streater (Clothears) on 2022-10-27 18:12:14 in reply to 1.0

Third-Mini% hexdump -C poc
00000000  2e 00 0a 65 78 70 0a 2e  6c 69 6d 69 74 20 6c 65  |...exp..limit le|
00000010  20 30 0a 45 58 50 4c 41  49 4e 20 51 55 45 52 59  | 0.EXPLAIN QUERY|
00000020  20 50 4c 41 4e 20 53 45  4c 45 43 54 20 30        | PLAN SELECT 0|
0000002e
Third-Mini% sqlite3

CLI sqlite3 3.39.2 segfaults with this file.

(3) By Richard Hipp (drh) on 2022-10-27 18:25:40 in reply to 1.0

POC that uses no special characters:

.explain
.limit length 0
EXPLAIN QUERY PLAN SELECT 0;

Fixed on trunk. Thank you for the bug report.

(4) By Yu Liang (LY1598773890) on 2022-10-27 18:35:17 in reply to 3

Thank you Richard for the super quick reply and super quick fix.

I appreciate the response!