Heap buffer overflow in re_subcompile_string function
(1) By Song Liu (songliu) on 2023-05-12 15:06:22
I found a heap buffer overflow while SQLite (latest, ab3797e844c97fed) executes the following queries.
CREATE TABLE v0(c);
CREATE INDEX i ON v0('' REGEXP '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000[0]', 0);
PRAGMA hard_heap_limit=90000;
INSERT INTO v0 VALUES(hex(zeroblob(240))),(0),(0),(0);
Here is the ASAN report:
==617670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000004f40 at pc 0x5616eec7150b bp 0x7ffe10a8bfe0 sp 0x7ffe10a8bfd0
WRITE of size 4 at 0x619000004f40 thread T0
#0 0x5616eec7150a in re_subcompile_string /data/song/testbug/sqlite_bisect/shell.c:5487
#1 0x5616eec70943 in re_subcompile_re /data/song/testbug/sqlite_bisect/shell.c:5359
#2 0x5616eec7191a in sqlite3re_compile /data/song/testbug/sqlite_bisect/shell.c:5562
#3 0x5616eec7203f in re_sql_func /data/song/testbug/sqlite_bisect/shell.c:5630
#4 0x5616eee42c67 in sqlite3VdbeExec /data/song/testbug/sqlite_bisect/sqlite3.c:99197
#5 0x5616eedfe280 in sqlite3Step /data/song/testbug/sqlite_bisect/sqlite3.c:88987
#6 0x5616eedfec24 in sqlite3_step /data/song/testbug/sqlite_bisect/sqlite3.c:89048
#7 0x5616eecb71ce in exec_prepared_stmt /data/song/testbug/sqlite_bisect/shell.c:19327
#8 0x5616eecb9299 in shell_exec /data/song/testbug/sqlite_bisect/shell.c:19644
#9 0x5616eece807b in runOneSqlLine /data/song/testbug/sqlite_bisect/shell.c:26731
#10 0x5616eece8e5c in process_input /data/song/testbug/sqlite_bisect/shell.c:26897
#11 0x5616eececcc4 in main /data/song/testbug/sqlite_bisect/shell.c:27838
#12 0x7f63d3bbcd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x7f63d3bbce3f in __libc_start_main_impl ../csu/libc-start.c:392
#14 0x5616eec5d2e4 in _start (/data/song/testbug/sqlite3-asan+0xf32e4)
0x619000004f40 is located 0 bytes to the right of 960-byte region [0x619000004b80,0x619000004f40)
allocated by thread T0 here:
#0 0x7f63d4022c18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
#1 0x5616eecfa078 in sqlite3MemRealloc /data/song/testbug/sqlite_bisect/sqlite3.c:25839
#2 0x5616eecfd6e0 in sqlite3Realloc /data/song/testbug/sqlite_bisect/sqlite3.c:29754
#3 0x5616eecfd7f3 in sqlite3_realloc64 /data/song/testbug/sqlite_bisect/sqlite3.c:29788
#4 0x5616eec6f7d0 in re_resize /data/song/testbug/sqlite_bisect/shell.c:5246
#5 0x5616eec6f913 in re_insert /data/song/testbug/sqlite_bisect/shell.c:5258
#6 0x5616eec6fc8b in re_append /data/song/testbug/sqlite_bisect/shell.c:5272
#7 0x5616eec7162b in re_subcompile_string /data/song/testbug/sqlite_bisect/shell.c:5511
#8 0x5616eec70943 in re_subcompile_re /data/song/testbug/sqlite_bisect/shell.c:5359
#9 0x5616eec7191a in sqlite3re_compile /data/song/testbug/sqlite_bisect/shell.c:5562
#10 0x5616eec7203f in re_sql_func /data/song/testbug/sqlite_bisect/shell.c:5630
#11 0x5616eee42c67 in sqlite3VdbeExec /data/song/testbug/sqlite_bisect/sqlite3.c:99197
#12 0x5616eedfe280 in sqlite3Step /data/song/testbug/sqlite_bisect/sqlite3.c:88987
#13 0x5616eedfec24 in sqlite3_step /data/song/testbug/sqlite_bisect/sqlite3.c:89048
#14 0x5616eecb71ce in exec_prepared_stmt /data/song/testbug/sqlite_bisect/shell.c:19327
#15 0x5616eecb9299 in shell_exec /data/song/testbug/sqlite_bisect/shell.c:19644
#16 0x5616eece807b in runOneSqlLine /data/song/testbug/sqlite_bisect/shell.c:26731
#17 0x5616eece8e5c in process_input /data/song/testbug/sqlite_bisect/shell.c:26897
#18 0x5616eececcc4 in main /data/song/testbug/sqlite_bisect/shell.c:27838
#19 0x7f63d3bbcd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/song/testbug/sqlite_bisect/shell.c:5487 in re_subcompile_string
My compilation flags:
export CFLAGS="-g -O0 -fsanitize=address -DSQLITE_DEBUG"
./configure --enable-all --enable-debug --disable-shared && make
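The repro pins a hard heap limit before the INSERT, so allocations made while the REGEXP extension compiles the pattern can fail partway through, and the report shows a 4-byte write landing exactly at the end of a region that re_resize had produced. The following is an added example, not SQLite's regexp code and not taken from this thread: it models that failure mode in a small opcode buffer, with an append that ignores a failed resize beside one that checks and stops. The byte budget (standing in for PRAGMA hard_heap_limit), the growth sizes, the pattern and the canary slot are all constructed for the demo; the canary stands in for ASAN's redzone so the run stays memory-safe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not SQLite's regexp.c): a realloc-style opcode buffer under
 * an allocation budget, showing the append-after-failed-resize pattern that
 * the ASAN report above is consistent with, beside a checked variant.
 * The budget plays the role of PRAGMA hard_heap_limit in the repro. */

#define CANARY 0x7e57c0de   /* sentinel in the slot just past the usable array */

typedef struct {
  int *aOp;     /* nAlloc usable slots followed by one CANARY slot */
  int nOp;      /* slots in use */
  int nAlloc;   /* usable slots */
  int oom;      /* set once an allocation has failed */
} OpBuf;

static size_t g_budget;   /* constructed per-allocation byte limit (hypothetical) */

/* Allocate nSlots usable ints plus the canary slot, refusing requests over budget. */
static int *budgeted_alloc(int nSlots){
  size_t nBytes = (size_t)(nSlots + 1) * sizeof(int);
  return nBytes > g_budget ? NULL : (int*)malloc(nBytes);
}

/* Grow to N usable slots. Returns 0 on success; on failure records oom,
 * leaves the old buffer in place and returns 1. */
static int opbuf_resize(OpBuf *p, int N){
  int *a = budgeted_alloc(N);
  if( a==NULL ){ p->oom = 1; return 1; }
  if( p->aOp ) memcpy(a, p->aOp, (size_t)p->nOp * sizeof(int));
  free(p->aOp);
  p->aOp = a;
  p->nAlloc = N;
  a[N] = CANARY;
  return 0;
}

/* Unsafe pattern: the resize result is ignored and the write goes ahead.
 * When the buffer was full and the resize failed, the write lands at
 * aOp[nAlloc], the first slot past the usable region, which is what
 * "0 bytes to the right of ... region" in the report describes. */
static void append_unchecked(OpBuf *p, int op){
  if( p->nOp>=p->nAlloc ) (void)opbuf_resize(p, p->nAlloc*2 + 4);
  /* Guard that real code lacks: keep the demo inside its allocation (the
   * canary slot) rather than writing past it or through a NULL pointer. */
  if( p->aOp==NULL || p->nOp>p->nAlloc ) return;
  p->aOp[p->nOp++] = op;
}

/* Checked pattern: refuse to write once any allocation has failed, and
 * make the failure visible to the caller so compilation stops. */
static int append_checked(OpBuf *p, int op){
  if( p->oom ) return 1;
  if( p->nOp>=p->nAlloc && opbuf_resize(p, p->nAlloc*2 + 4) ) return 1;
  p->aOp[p->nOp++] = op;
  return 0;
}

typedef struct {
  int nOp;        /* opcodes emitted */
  int oom;        /* an allocation failed during compilation */
  int overflowed; /* the canary slot was overwritten */
} Result;

/* "Compile" a constructed pattern, one opcode per character, under a byte
 * budget, with either the unchecked or the checked append. */
static Result compile_pattern(const char *zPat, size_t budget, int checked){
  OpBuf b = {NULL, 0, 0, 0};
  Result r = {0, 0, 0};
  g_budget = budget;
  for(const char *z = zPat; *z; z++){
    if( checked ){
      if( append_checked(&b, (unsigned char)*z) ) break;
    }else{
      append_unchecked(&b, (unsigned char)*z);
      if( b.nOp>b.nAlloc ) break;   /* the overflowing write just happened */
    }
  }
  r.nOp = b.nOp;
  r.oom = b.oom;
  r.overflowed = (b.aOp!=NULL && b.aOp[b.nAlloc]!=CANARY);
  free(b.aOp);
  return r;
}

int main(void){
  /* Constructed input: 40 bytes of pattern. Growth is 4, 12, 28 usable
   * slots (20, 52, 116 bytes with the canary); a 100-byte budget lets the
   * first two through and fails the third, at the 13th opcode. */
  const char *zPat = "0000000000000000000000000000000000000000";
  Result u = compile_pattern(zPat, 100, 0);
  Result c = compile_pattern(zPat, 100, 1);
  printf("unchecked: nOp=%d oom=%d overflowed=%d\n", u.nOp, u.oom, u.overflowed);
  printf("checked:   nOp=%d oom=%d overflowed=%d\n", c.nOp, c.oom, c.overflowed);
  return 0;
}
```

With the 100-byte budget the unchecked run reports the thirteenth opcode written and the canary clobbered, while the checked run stops at twelve opcodes with the oom flag set and the canary intact. The design point is that a growth helper which fails silently is only half a fix: every caller that writes into the buffer also has to see the failure, which is why the checked variant both sets a sticky flag and returns it.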
(2) By Larry Brasfield (larrybr) on 2023-05-12 16:36:40 in reply to 1
Richard fixed this within this hour.
(3) By Song Liu (songliu) on 2023-05-12 17:20:07 in reply to 2
Thanks for your efforts!