[BUG] carray.c memcpy() buffer overflow
(1) By Kaktusbot on 2021-10-20 13:30:02 [source]
Function in carray.c
413 SQLITE_API int sqlite3_carray_bind
There is a memcpy() in the case of data type != CARRAY_TEXT, which implies that sz is the size of the data type and nData is the number of array entries:
467 memcpy(pNew->aData, aData, sz*nData);
But earlier in this section, sz was already multiplied by the size of the data type:
433 sqlite3_int64 sz = nData;
434 switch( mFlags & 0x03 ){
435 case CARRAY_INT32: sz *= 4; break;
436 case CARRAY_INT64: sz *= 8; break;
437 case CARRAY_DOUBLE: sz *= 8; break;
438 case CARRAY_TEXT: sz *= sizeof(char*); break;
439 }
And in fact it is handled properly on another line, but not on the memcpy at line 467:
446 pNew->aData = sqlite3_malloc64( sz );
This leads to memcpy read and write overflows, which make my app crash spontaneously.
After I changed line 467 as shown below, the crashes stopped.
467 memcpy(pNew->aData, aData, sz);
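The following is an added example, not code from SQLite's carray.c or from the poster: a cut-down model of the allocation and copy in sqlite3_carray_bind() that makes the double-scaling visible. The CARRAY_* names and the 0x03 mask mirror the switch quoted above; the flag values, the helper names (carray_alloc_size, carray_copy_len, model_bind) and the sample array are assumptions. Rather than letting the copy run off the end of the buffer, the model compares the memcpy length against the allocation and refuses when it is larger, which is exactly the condition the reported formula produces for any array with more than one entry.

```c
/* Added example, not SQLite's carray.c: models the sz computation and the
 * memcpy length in sqlite3_carray_bind(). Helper names and flag values are
 * assumptions made for this illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define CARRAY_INT32  0
#define CARRAY_INT64  1
#define CARRAY_DOUBLE 2
#define CARRAY_TEXT   3

/* Bytes needed for nData entries of the given type: the sz that the quoted
 * switch statement computes and that sqlite3_malloc64() receives. */
static int64_t carray_alloc_size(int64_t nData, int mFlags){
  int64_t sz = nData;
  switch( mFlags & 0x03 ){
    case CARRAY_INT32:  sz *= 4; break;
    case CARRAY_INT64:  sz *= 8; break;
    case CARRAY_DOUBLE: sz *= 8; break;
    case CARRAY_TEXT:   sz *= sizeof(char*); break;
  }
  return sz;
}

/* Length handed to memcpy. The reported form multiplies the already-scaled
 * sz by nData a second time; the fixed form passes sz unchanged. */
static int64_t carray_copy_len(int64_t nData, int mFlags, int buggy){
  int64_t sz = carray_alloc_size(nData, mFlags);
  return buggy ? sz*nData : sz;
}

/* Model of the bind: allocate sz bytes, then copy. Returns 0 on success with
 * *out/*outLen set, -1 when the copy length exceeds the allocation (the case
 * that overflows in the real code), -2 on allocation failure. */
static int model_bind(const void *aData, int64_t nData, int mFlags, int buggy,
                      unsigned char **out, int64_t *outLen){
  int64_t sz = carray_alloc_size(nData, mFlags);
  int64_t n  = carray_copy_len(nData, mFlags, buggy);
  unsigned char *p = malloc((size_t)sz);
  if( p==0 ) return -2;
  if( n>sz ){   /* memcpy would read past aData and write past p */
    free(p);
    return -1;
  }
  memcpy(p, aData, (size_t)n);
  *out = p;
  *outLen = n;
  return 0;
}

int main(void){
  int64_t vals[4] = {1, 2, 3, 4};   /* constructed sample input */
  unsigned char *buf = 0; int64_t len = 0;
  int rc = model_bind(vals, 4, CARRAY_INT64, 1, &buf, &len);
  printf("reported formula: memcpy length %lld for a %lld-byte buffer, rc=%d\n",
         (long long)carray_copy_len(4, CARRAY_INT64, 1),
         (long long)carray_alloc_size(4, CARRAY_INT64), rc);
  rc = model_bind(vals, 4, CARRAY_INT64, 0, &buf, &len);
  printf("fixed formula: copied %lld bytes, rc=%d\n", (long long)len, rc);
  if( rc==0 ) free(buf);
  return 0;
}
```

With four int64 entries the buffer is 32 bytes but the reported formula asks memcpy for 128, so the copy over-reads the caller's array and overwrites whatever follows the allocation. Note that a one-entry array gives sz*nData == sz, so the bug is silent there; that is consistent with crashes that appear only "spontaneously", when the bound arrays are longer.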
(2) By Richard Hipp (drh) on 2021-10-20 13:48:52 in reply to 1 [link] [source]
Now fixed on trunk. Thanks for the bug report.