Function in `carray.c`:

```
413 SQLITE_API int sqlite3_carray_bind
```

There is a `memcpy()` in the case of `data type != CARRAY_TEXT`, which implies that `sz` is the size of the data type and `nData` is the number of array entries.

```
467 memcpy(pNew->aData, aData, sz*nData);
```

But earlier in this section `sz` was already multiplied by the size of the data type.

```
433 sqlite3_int64 sz = nData;
434 switch( mFlags & 0x03 ){
435   case CARRAY_INT32:  sz *= 4; break;
436   case CARRAY_INT64:  sz *= 8; break;
437   case CARRAY_DOUBLE: sz *= 8; break;
438   case CARRAY_TEXT:   sz *= sizeof(char*); break;
439 }
```

And in fact it was properly handled on another line, but not on the `memcpy` on line 467:

```
446 pNew->aData = sqlite3_malloc64( sz );
```

This leads to `memcpy` read and write overflows, which make my app crash spontaneously. After I changed line 467 as shown below, the crashes stopped.

```
467 memcpy(pNew->aData, aData, sz);
```
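As an added example (not part of the post or of the carray extension), the size arithmetic from the post modelled in a stand-alone C file: `carray_bytes` mirrors lines 433-439, the two `copy_len_*` functions give the byte count `memcpy()` uses before and after the fix, and `overflow_bytes` measures how far the original line 467 runs past the `sqlite3_malloc64( sz )` allocation for any element count. The `CARRAY_*` constant values, the helper names and `bind_copy_fixed` are assumptions made for this demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Flag values are an assumption for this demo; only the low two bits matter. */
#define CARRAY_INT32  0
#define CARRAY_INT64  1
#define CARRAY_DOUBLE 2
#define CARRAY_TEXT   3

/* Total byte size of the array: nData entries times the element width.
 * This is the value lines 433-439 leave in `sz` and line 446 allocates. */
static int64_t carray_bytes(int64_t nData, int mFlags){
  int64_t sz = nData;
  switch( mFlags & 0x03 ){
    case CARRAY_INT32:  sz *= 4; break;
    case CARRAY_INT64:  sz *= 8; break;
    case CARRAY_DOUBLE: sz *= 8; break;
    case CARRAY_TEXT:   sz *= sizeof(char*); break;
  }
  return sz;
}

/* Bytes memcpy() reads and writes with the original line 467: sz*nData. */
static int64_t copy_len_original(int64_t nData, int mFlags){
  return carray_bytes(nData, mFlags) * nData;
}

/* Bytes memcpy() reads and writes with the fixed line 467: exactly sz. */
static int64_t copy_len_fixed(int64_t nData, int mFlags){
  return carray_bytes(nData, mFlags);
}

/* Bytes copied beyond the allocation of carray_bytes(); 0 means in bounds. */
static int64_t overflow_bytes(int64_t nData, int mFlags, int fixed){
  int64_t alloc = carray_bytes(nData, mFlags);
  int64_t copy  = fixed ? copy_len_fixed(nData, mFlags)
                        : copy_len_original(nData, mFlags);
  return copy > alloc ? copy - alloc : 0;
}

/* Model of the fixed bind: allocate sz bytes and copy exactly sz bytes,
 * so the copy can never exceed the allocation. Caller frees the result. */
static void *bind_copy_fixed(const void *aData, int64_t nData, int mFlags){
  int64_t sz = carray_bytes(nData, mFlags);
  void *p = malloc((size_t)sz);
  if( p ) memcpy(p, aData, (size_t)sz);
  return p;
}
```

For a single-element array both lengths coincide, so the overrun only appears with two or more entries and grows with the square of the element count, which fits an app that crashes only on some inputs.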