## Query ```sql CREATE TABLE v0 ( v1, v2, v3, FOREIGN KEY ( v1, v1, v1, v1, v1, v1, v1, v1, v1, v1, v1, v1, v1 ) REFERENCES t0 ); INSERT INTO v0 VALUES ( 18446744073709551615, 'x', 'four' ); PRAGMA foreign_key_check; ``` ## Bug The query above triggers a heap based buffer overflow when testing with the latest commit of sqlite (55e2fbebb0a2c999). The ASAN output is as follows: ``` ================================================================= ==26238==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000013c8 at pc 0x00000064ee66 bp 0x7ffc6245fd70 sp 0x7ffc6245fd68 READ of size 2 at 0x61d0000013c8 thread T0 #0 0x64ee65 in sqlite3VdbeExec /home/sqlite/sqlite-asan-build/sqlite3.c:89413:7 #1 0x5712c9 in sqlite3Step /home/sqlite/sqlite-asan-build/sqlite3.c:84974:10 #2 0x5712c9 in sqlite3_step /home/sqlite/sqlite-asan-build/sqlite3.c:85031 #3 0x557643 in exec_prepared_stmt /home/sqlite/sqlite-asan-build/shell.c:14164:8 #4 0x51e40e in shell_exec /home/sqlite/sqlite-asan-build/shell.c:14473:7 #5 0x55c009 in runOneSqlLine /home/sqlite/sqlite-asan-build/shell.c:21449:8 #6 0x52235a in process_input /home/sqlite/sqlite-asan-build/shell.c:21549:17 #7 0x4feee5 in main /home/sqlite/sqlite-asan-build/shell.c #8 0x7f1e6bcb083f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291 #9 0x41b278 in _start (/home/sqlite/sqlite-asan-build/sqlite3+0x41b278) 0x61d0000013c8 is located 8 bytes to the right of 2368-byte region [0x61d000000a80,0x61d0000013c0) allocated by thread T0 here: #0 0x4bb9a3 in malloc /home/sqlite/llvm_source/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3 #1 0x8e429c in sqlite3MemMalloc /home/sqlite/sqlite-asan-build/sqlite3.c:24178:7 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sqlite/sqlite-asan-build/sqlite3.c:89413:7 in sqlite3VdbeExec Shadow bytes around the buggy address: 0x0c3a7fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff8260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c3a7fff8270: 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa 0x0c3a7fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==26238==ABORTING ``` ## Running the debug version leads to the following assertion failure: ``` sqlite3: sqlite3.c:89245: sqlite3VdbeExec: Assertion `pOp->p3>0 && pOp->p3<=(p->nMem+1 - p->nCursor)' failed. ``` ## Bisecting It seems this bug has been in the source code for a while. Here is an incomplete bisect result: ``` 6 BAD 2021-07-02 12:25:30 55e2fbebb0a2c999 CURRENT 2 BAD 2020-11-25 20:29:45 f4b7c10057a50c5b 3 BAD 2020-02-04 20:22:32 76668b55894a9c75 1 BAD 2018-07-27 20:01:00 865249de683e6971 5 BAD 2016-02-05 21:09:26 22589018ac3321f7 ```