SQLite User Forum

Heap Buffer Overflow in SQLite 3.50.0 with SQLITE_DEFAULT_MEMSTATUS=0

(1) By Matthew McEachen (mceachen) on 2025-06-01 19:27:49

I've discovered a heap buffer overflow in SQLite 3.50.0 when compiled with -DSQLITE_DEFAULT_MEMSTATUS=0. The overflow occurs in sqlite3VdbeSorterInit when executing ORDER BY queries on indexed tables.

Environment

  • SQLite 3.50.0
  • Linux x64, GCC 13.3.0
  • Discovered via AddressSanitizer during development of https://github.com/photostructure/node-sqlite

Minimal Reproduction

Create a file test.c:

#include "sqlite3.h"

int main() {
    sqlite3 *db;
    sqlite3_open(":memory:", &db);

    sqlite3_exec(db, "CREATE TABLE t(a,b,c)", 0, 0, 0);
    sqlite3_exec(db, "CREATE INDEX i ON t(a,b,c)", 0, 0, 0);
    sqlite3_exec(db, "SELECT * FROM t ORDER BY a,b,c", 0, 0, 0);

    sqlite3_close(db);
    return 0;
}

Compile and run:

gcc -fsanitize=address -g -DSQLITE_DEFAULT_MEMSTATUS=0 -o test test.c sqlite3.c -lm -ldl -lpthread
./test

ASAN Output

=================================================================
==PID==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5070000005ac
READ of size 72 at 0x5070000005ac thread T0
    #0 0x7f27ad8fb42d in memcpy
    #1 0x5688e8185971 in sqlite3VdbeSorterInit sqlite3.c:105052
    #2 0x5688e816ddda in sqlite3VdbeExec sqlite3.c:98897
    #3 0x5688e8155ae5 in sqlite3Step sqlite3.c:92276
    #4 0x5688e8155c96 in sqlite3_step sqlite3.c:92337
    #5 0x5688e8156dea in sqlite3_exec sqlite3.c:138203

0x5070000005ac is located 0 bytes after 76-byte region

Key Details

  • Only occurs when compiled with -DSQLITE_DEFAULT_MEMSTATUS=0
  • Regression in 3.50.0: SQLite 3.49.2 does NOT have this issue
  • Minimal reproduction: 3-column table with 3-column index
  • No data insertion needed - occurs on empty table
  • The overflow happens during ORDER BY query execution

Impact

The SQLITE_DEFAULT_MEMSTATUS=0 flag is commonly used in production to improve performance by disabling memory allocation statistics. This makes the bug particularly concerning as it affects performance-optimized builds.

Tested on SQLite 3.50.0 amalgamation downloaded from sqlite.org. Confirmed that SQLite 3.49.2 does not exhibit this issue with the same test case and compilation flags.
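The following Python script is an added check, not part of the report above: it inspects the SQLite library the interpreter is linked against, classifies it against the configuration the report names (3.50.0 built with -DSQLITE_DEFAULT_MEMSTATUS=0), and replays the report's statement sequence so the same repro can be run against an ASAN-instrumented library. It assumes that a build with the flag set to 0 lists DEFAULT_MEMSTATUS=0 in PRAGMA compile_options and that default builds omit the entry.

```python
import sqlite3

REPORTED_AFFECTED = (3, 50, 0)  # the version named in the report
# Assumed PRAGMA compile_options entry for -DSQLITE_DEFAULT_MEMSTATUS=0;
# builds left at the default (1) are assumed to omit the entry entirely.
FLAG = "DEFAULT_MEMSTATUS=0"

REPRO_SQL = (  # the statement sequence from the report's test.c, unchanged
    "CREATE TABLE t(a,b,c)",
    "CREATE INDEX i ON t(a,b,c)",
    "SELECT * FROM t ORDER BY a,b,c",
)

def parse_version(text):
    """'3.50.0' -> (3, 50, 0); ignores non-digit suffixes, pads to 3 parts."""
    parts = []
    for p in text.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])

def memstatus_disabled(compile_options):
    """True when the option list carries DEFAULT_MEMSTATUS=0."""
    return any(opt.strip().upper() == FLAG for opt in compile_options)

def classify(version_text, compile_options):
    """'affected' only for the exact reported version with the flag set; other
    versions built with the flag are surfaced as 'flag-set-other-version'."""
    flag = memstatus_disabled(compile_options)
    if parse_version(version_text) == REPORTED_AFFECTED and flag:
        return "affected"
    return "flag-set-other-version" if flag else "not-reported"

def inspect_live_build():
    """Classify the sqlite3 library this interpreter is linked against."""
    con = sqlite3.connect(":memory:")
    opts = [row[0] for row in con.execute("PRAGMA compile_options")]
    con.close()
    return sqlite3.sqlite_version, classify(sqlite3.sqlite_version, opts)

def run_repro():
    """Replay the report's statements on an empty in-memory database; on an
    affected ASAN build this is where the sorter memcpy is flagged."""
    con = sqlite3.connect(":memory:")
    try:
        for stmt in REPRO_SQL[:-1]:
            con.execute(stmt)
        return con.execute(REPRO_SQL[-1]).fetchall()
    finally:
        con.close()
```

Call inspect_live_build() to see the linked version and verdict, and run_repro() to replay the statements; on a non-affected build the SELECT returns an empty list.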