Heap Buffer Overflow in SQLite 3.50.0 with SQLITE_DEFAULT_MEMSTATUS=0
(1) By Matthew McEachen (mceachen) on 2025-06-01 19:27:49
I've discovered a heap buffer overflow in SQLite 3.50.0 when compiled with -DSQLITE_DEFAULT_MEMSTATUS=0. The overflow occurs in sqlite3VdbeSorterInit when executing ORDER BY queries on indexed tables.
Environment
- SQLite 3.50.0
- Linux x64, GCC 13.3.0
- Discovered via AddressSanitizer during development of https://github.com/photostructure/node-sqlite
Minimal Reproduction
Create a file test.c:
#include "sqlite3.h"

int main(void) {
  sqlite3 *db;
  /* In-memory database: no file, no inserted rows needed to trigger the bug. */
  sqlite3_open(":memory:", &db);
  /* Three-column table with a matching three-column index. */
  sqlite3_exec(db, "CREATE TABLE t(a,b,c)", 0, 0, 0);
  sqlite3_exec(db, "CREATE INDEX i ON t(a,b,c)", 0, 0, 0);
  /* ORDER BY over the indexed columns reaches sqlite3VdbeSorterInit. */
  sqlite3_exec(db, "SELECT * FROM t ORDER BY a,b,c", 0, 0, 0);
  sqlite3_close(db);
  return 0;
}
Compile and run:
gcc -fsanitize=address -g -DSQLITE_DEFAULT_MEMSTATUS=0 -o test test.c sqlite3.c -lm -ldl -lpthread
./test
ASAN Output
=================================================================
==PID==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5070000005ac
READ of size 72 at 0x5070000005ac thread T0
#0 0x7f27ad8fb42d in memcpy
#1 0x5688e8185971 in sqlite3VdbeSorterInit sqlite3.c:105052
#2 0x5688e816ddda in sqlite3VdbeExec sqlite3.c:98897
#3 0x5688e8155ae5 in sqlite3Step sqlite3.c:92276
#4 0x5688e8155c96 in sqlite3_step sqlite3.c:92337
#5 0x5688e8156dea in sqlite3_exec sqlite3.c:138203
0x5070000005ac is located 0 bytes after 76-byte region
Key Details
- Only occurs when compiled with -DSQLITE_DEFAULT_MEMSTATUS=0
- Regression in 3.50.0: SQLite 3.49.2 does NOT have this issue
- Minimal reproduction: 3-column table with 3-column index
- No data insertion needed - occurs on empty table
- The overflow happens during ORDER BY query execution
Impact
The SQLITE_DEFAULT_MEMSTATUS=0 flag is commonly used in production to improve performance by disabling memory allocation statistics. This makes the bug particularly concerning as it affects performance-optimized builds.
Tested on SQLite 3.50.0 amalgamation downloaded from sqlite.org. Confirmed that SQLite 3.49.2 does not exhibit this issue with the same test case and compilation flags.
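Because the report ties the crash to one version plus one build flag, a deployment check is a natural follow-up. The script below is an added example, not part of the original post or of SQLite itself: it uses Python's standard sqlite3 module to read the linked library's version and PRAGMA compile_options and flags the exact combination reported here (3.50.0 built with SQLITE_DEFAULT_MEMSTATUS=0). It assumes the flag is listed by PRAGMA compile_options as DEFAULT_MEMSTATUS=0 and deliberately makes no claim about versions the post does not mention.

```python
import re
import sqlite3

# The combination this forum report describes as affected.
AFFECTED_VERSION = (3, 50, 0)
# Assumption: a non-default SQLITE_DEFAULT_MEMSTATUS shows up in
# PRAGMA compile_options in this form.
AFFECTED_OPTION = "DEFAULT_MEMSTATUS=0"


def parse_version(text):
    """Turn '3.50.0' into (3, 50, 0); raise ValueError on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised SQLite version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_build(version, compile_options):
    """True only for the reported combination: 3.50.0 with memstatus disabled.

    Other versions return False because the post only establishes 3.50.0 as
    affected and 3.49.2 as clean; consult release notes for anything newer.
    """
    opts = {o.strip().upper() for o in compile_options}
    return parse_version(version) == AFFECTED_VERSION and AFFECTED_OPTION in opts


def linked_compile_options(conn):
    """Options the library behind this connection was built with."""
    return [row[0] for row in conn.execute("PRAGMA compile_options")]


def check_linked_library():
    """Inspect the SQLite library Python's sqlite3 module is linked against.

    Returns (version_string, affected_bool).
    """
    conn = sqlite3.connect(":memory:")
    try:
        version = sqlite3.sqlite_version
        return version, is_affected_build(version, linked_compile_options(conn))
    finally:
        conn.close()


if __name__ == "__main__":
    version, affected = check_linked_library()
    print(f"SQLite {version}: {'AFFECTED' if affected else 'not the reported combination'}")
```

The same is_affected_build check can be fed version and option lists collected from other hosts (for example via the sqlite3 CLI's PRAGMA compile_options output) to audit a fleet without running the repro on each machine.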