Trivial bounds check issue in the Z-order extension
(1) By Anteater (anteater) on 2025-08-05 09:48:48
Subject: Trivial bounds check issue in the Z-order extension
Hi Team,
I noticed a trivial issue in the zorder.c extension that is a trivial stack buffer overflow.
Description
The zorderFunc uses a fixed-size stack array x[63], but the loop that populates it uses argc as its boundary. If a user calls the zorder() function with more than 63 arguments, the loop will write past the end of the x array.
// from zorder.c
static void zorderFunc(
  sqlite3_context *context,
  int argc,
  sqlite3_value **argv
){
  sqlite3_int64 z, x[63]; // Array size is 63
  int i, j;
  z = 0;
  for(i=0; i<argc; i++){
    x[i] = sqlite3_value_int64(argv[i]); // Writes past x[62] if argc > 63
  }
  // ...
}
For example:
sqlite> .load ./zorder
sqlite> SELECT zorder(1,2,3,...,64); -- This will crash the process
Best,
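The mitigation the report calls for is a bounds check on argc before the copy loop. The following is an added, self-contained C example (not the reporter's code and not the project's zorder.c) showing that shape: it mirrors the fixed x[63] array, rejects out-of-range argument counts up front, and then computes a Z-order value. It assumes the standard round-robin bit interleave for the Z-order construction and replaces the sqlite3_value / sqlite3_context plumbing with a plain int64_t array so it compiles without SQLite headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Upper bound on arguments: the fixed-size x[] array in the reported
 * function has 63 slots, so argc must never exceed that. */
#define ZORDER_MAX_ARGS 63

/*
 * Compute a Z-order (Morton) value from `argc` integer coordinates.
 * Returns 0 on success and stores the result in *out; returns -1 if
 * argc is outside [1, ZORDER_MAX_ARGS].  The check runs BEFORE the
 * copy loop, so the array can no longer be overrun.
 *
 * Bit interleaving is the standard round-robin construction: bit i of
 * the result is the next unused low bit of coordinate i % argc.
 * (Assumption: the project's own zorder.c may interleave differently.)
 */
int zorder_checked(const int64_t *argv, int argc, int64_t *out){
  int64_t z = 0, x[ZORDER_MAX_ARGS];
  int i, j;

  if( argc<1 || argc>ZORDER_MAX_ARGS ){
    /* In a real SQLite extension this is where the function would
     * report via sqlite3_result_error(context, "...", -1) and return. */
    return -1;
  }
  for(i=0; i<argc; i++){
    x[i] = argv[i];              /* safe: i < argc <= ZORDER_MAX_ARGS */
  }
  for(i=0; i<63; i++){
    j = i % argc;
    z |= (x[j] & 1) << i;        /* take the next low bit of coordinate j */
    x[j] >>= 1;
  }
  *out = z;
  return 0;
}

int main(void){
  int64_t big[64] = {0}, z = 0;
  int64_t xy[2] = {3, 0};
  /* 64 arguments: rejected instead of writing past x[62]. */
  printf("64 args -> rc=%d\n", zorder_checked(big, 64, &z));
  /* Two coordinates (3, 0): bits 0 and 2 of z come from x=3, so z=5. */
  zorder_checked(xy, 2, &z);
  printf("zorder(3,0) = %lld\n", (long long)z);
  return 0;
}
```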
(2) By Richard Hipp (drh) on 2025-08-05 11:01:30 in reply to 1
That extension was a prototype we threw together for a client years and years ago. It has never been used for anything as far as I know.
Bounds checking, error messages, reasonable limits, and documentation added by check-in 2025-08-05T10:54z. Perhaps it will work better for you now.
(3) By Anteater (anteater) on 2025-08-05 12:02:33 in reply to 2
Thank you guys very much for a quick fix.