Heap Buffer Overflow in SQLite 3.50.0 with SQLITE_DEFAULT_MEMSTATUS=0
(1) By Matthew McEachen (mceachen) on 2025-06-01 19:27:49
I've discovered a heap buffer overflow in SQLite 3.50.0 when compiled with `-DSQLITE_DEFAULT_MEMSTATUS=0`. The overflow occurs in `sqlite3VdbeSorterInit` when executing ORDER BY queries on indexed tables.
Environment
- SQLite 3.50.0
- Linux x64, GCC 13.3.0
- Discovered via AddressSanitizer during development of https://github.com/photostructure/node-sqlite
Minimal Reproduction
Create a file `test.c`:

```c
#include "sqlite3.h"

int main(void) {
  sqlite3 *db;
  /* In-memory database; no rows are ever inserted. */
  sqlite3_open(":memory:", &db);
  /* Three-column table with a matching three-column index. */
  sqlite3_exec(db, "CREATE TABLE t(a,b,c)", 0, 0, 0);
  sqlite3_exec(db, "CREATE INDEX i ON t(a,b,c)", 0, 0, 0);
  /* ORDER BY over the indexed columns reaches sqlite3VdbeSorterInit. */
  sqlite3_exec(db, "SELECT * FROM t ORDER BY a,b,c", 0, 0, 0);
  sqlite3_close(db);
  return 0;
}
```
Compile and run:

```sh
gcc -fsanitize=address -g -DSQLITE_DEFAULT_MEMSTATUS=0 -o test test.c sqlite3.c -lm -ldl -lpthread
./test
```
ASAN Output

```
=================================================================
==PID==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5070000005ac
READ of size 72 at 0x5070000005ac thread T0
    #0 0x7f27ad8fb42d in memcpy
    #1 0x5688e8185971 in sqlite3VdbeSorterInit sqlite3.c:105052
    #2 0x5688e816ddda in sqlite3VdbeExec sqlite3.c:98897
    #3 0x5688e8155ae5 in sqlite3Step sqlite3.c:92276
    #4 0x5688e8155c96 in sqlite3_step sqlite3.c:92337
    #5 0x5688e8156dea in sqlite3_exec sqlite3.c:138203

0x5070000005ac is located 0 bytes after 76-byte region
```
Key Details
- Only occurs when compiled with `-DSQLITE_DEFAULT_MEMSTATUS=0`
- Regression in 3.50.0: SQLite 3.49.2 does NOT have this issue
- Minimal reproduction: 3-column table with 3-column index
- No data insertion needed - occurs on empty table
- The overflow happens during ORDER BY query execution
Impact
The `SQLITE_DEFAULT_MEMSTATUS=0` flag is commonly used in production to improve performance by disabling memory allocation statistics. This makes the bug particularly concerning as it affects performance-optimized builds.
Tested on SQLite 3.50.0 amalgamation downloaded from sqlite.org. Confirmed that SQLite 3.49.2 does not exhibit this issue with the same test case and compilation flags.
(2) By Richard Hipp (drh) on 2025-06-04 13:30:47 in reply to 1
Thanks for the well-researched and documented bug report.
Problem should be fixed by check-in 2025-06-01T21:38Z. There will probably be a patch release within a few days that contains this bug fix, along with several others.
(3) By Matthew McEachen (mceachen) on 2025-06-04 15:28:01 in reply to 2
Nice! AddressSanitizer has no issues when compiled against sqlite-snapshot-202506031811.tar.gz
Kudos to you and your team for SQLite, @drh!
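As an added example (not code from this thread, from SQLite, or from node-sqlite): a deployment-side check that reads the linked library's version and its `PRAGMA compile_options` output and classifies the build against the conditions stated above, exactly 3.50.0 built with `SQLITE_DEFAULT_MEMSTATUS=0` is affected, 3.49.2 is not, and builds after the check-in drh names carry the fix. It uses Python's standard-library `sqlite3` module, so it inspects whatever SQLite the interpreter was built against; the function names and verdict strings are my own. SQLite lists `DEFAULT_MEMSTATUS=<n>` among its compile options only when the value differs from the default of 1, which is what `memstatus_default` relies on.

```python
"""Classify a linked SQLite build against the 3.50.0 / DEFAULT_MEMSTATUS=0 report."""
import sqlite3
from typing import Iterable, Optional, Tuple

# The only release the report names as affected.
AFFECTED_VERSION = (3, 50, 0)
# Check-in drh cites as containing the fix; later snapshots include it.
FIX_CHECKIN = "2025-06-01T21:38Z"


def memstatus_default(compile_options: Iterable[str]) -> Optional[int]:
    """Return the SQLITE_DEFAULT_MEMSTATUS value implied by PRAGMA compile_options.

    SQLite only emits DEFAULT_MEMSTATUS=<n> when n != 1, so a missing entry
    means the default (1, allocation statistics enabled). None means the
    entry was present but unparseable.
    """
    for opt in compile_options:
        name, _, value = opt.partition("=")
        if name.upper() == "DEFAULT_MEMSTATUS":
            try:
                return int(value)
            except ValueError:
                return None
    return 1


def assess(version: Tuple[int, int, int], compile_options: Iterable[str]) -> str:
    """Map (version, compile options) to a verdict string.

    'affected'               : 3.50.0 with DEFAULT_MEMSTATUS=0 (the reported case)
    'not-affected'           : older release, or 3.50.0 with statistics enabled
    'unknown-memstatus'      : 3.50.0 but the option value could not be parsed
    'later-release-verify-fix': newer than 3.50.0; confirm it includes FIX_CHECKIN
    """
    memstatus = memstatus_default(compile_options)
    if version < AFFECTED_VERSION:
        # The report confirms 3.49.2 is clean with the same flags (regression in 3.50.0).
        return "not-affected"
    if version == AFFECTED_VERSION:
        if memstatus == 0:
            return "affected"
        if memstatus is None:
            return "unknown-memstatus"
        return "not-affected"
    return "later-release-verify-fix"


def probe_linked_sqlite() -> str:
    """Run assess() against the SQLite library this interpreter links."""
    con = sqlite3.connect(":memory:")
    try:
        opts = [row[0] for row in con.execute("PRAGMA compile_options")]
    finally:
        con.close()
    version = tuple(sqlite3.sqlite_version_info[:3])
    return assess(version, opts)


if __name__ == "__main__":
    print(sqlite3.sqlite_version, probe_linked_sqlite())
```

Run it inside the environment that ships the binding (the Python above is only a stand-in for whatever process links SQLite); the interesting case in practice is the "affected" verdict on a performance-tuned build, since the flag alone is not visible from the version string.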