SQLite Forum

Potential Integer Overflow

(1) By yongheng on 2021-03-02 20:48:32

I notice that at https://github.com/sqlite/sqlite/blob/7601294ad3fe9f7e0db8eb2478dec0de293b8bb6/src/printf.c#L924, the addition is performed before conversion:

szNew += N + 1; ---> int32_t tmp = N + 1; szNew += tmp;

So if N == 0x7FFFFFFF, then an integer overflow might happen. I am not sure whether it is possible for N to be 0x7FFFFFFF.

When I use clang (version 7.0.1) to compile SQLite (clang -o sqlite3_O0 sqlite3.c shell.c -ldl -pthread) with -O0, the addition is:

.text:000000000043BF95                 mov     ecx, [rbp+N]
.text:000000000043BF98                 add     ecx, 1
.text:000000000043BF9B                 movsxd  rax, ecx
.text:000000000043BF9E                 add     rax, [rbp+szNew]

When using -O3, the addition is performed as follows:

.text:00000000004320FB szNew = rsi , N = r15                           ; i64_0
.text:00000000004320FB                 movsxd  rdx, r15d
.text:00000000004320FE                 lea     rdi, [szNew+rdx]
.text:0000000000432102                 add     rdx, szNew
.text:0000000000432105                 add     rdx, 1

In the optimized version, the integer overflow will not happen.

I cannot figure out a query to test it, so I just put all the information I have here.
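The two evaluation orders described in post 1, as an added C example that is not SQLite's code and not the fix linked in post 2. `szNew` is modelled as a 64-bit accumulator (the `i64` of the listing) and `N` as a 32-bit `int`, as in printf.c. `add_narrow_then_widen` reproduces what the unoptimized build does (the 32-bit wrap is simulated with unsigned arithmetic so the function itself has defined behaviour), `add_widened` is the form in which `N` is widened before the `+ 1`, and `narrow_add_would_overflow` is a guard built on the compiler's overflow-checking builtin; all three names are assumptions of this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not SQLite's code. szNew is a 64-bit accumulator
   (i64 in the post), N a 32-bit int, as in printf.c. */
typedef int64_t i64;

/* What the -O0 listing in post 1 computes: N + 1 is evaluated as a
   32-bit two's-complement add (wrapping, simulated here with unsigned
   arithmetic so this function is well defined), then sign-extended
   and added to szNew. */
i64 add_narrow_then_widen(i64 szNew, int N) {
    uint32_t sum32 = (uint32_t)N + 1u;           /* wraps when N == INT_MAX */
    i64 wrapped = (sum32 > (uint32_t)INT32_MAX)  /* reinterpret as int32 */
                      ? (i64)sum32 - ((i64)1 << 32)
                      : (i64)sum32;
    return szNew + wrapped;                      /* sign-extended add */
}

/* The widened form: N is converted to 64 bits before the + 1, so the
   intermediate cannot overflow for any int N. */
i64 add_widened(i64 szNew, int N) {
    return szNew + (i64)N + 1;
}

/* Explicit guard for the narrow addition: true if N + 1 does not fit
   in an int. __builtin_add_overflow is available in gcc and clang. */
bool narrow_add_would_overflow(int N) {
    int tmp;
    return __builtin_add_overflow(N, 1, &tmp);
}

int main(void) {
    int N = INT_MAX;  /* 0x7FFFFFFF, the case raised in post 1 */
    printf("narrow then widen: %lld\n", (long long)add_narrow_then_widen(0, N));
    printf("widened first:     %lld\n", (long long)add_widened(0, N));
    printf("narrow add overflows: %d\n", narrow_add_would_overflow(N));
    return 0;
}
```

For N == 0x7FFFFFFF the narrow path yields -2147483648 while the widened path yields 2147483648, which is the discrepancy between the two listings; in real code the narrow `N + 1` is undefined behaviour, so whether a given build wraps or widens is the compiler's choice, which is why the guard (or widening before the add) is the reliable option.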

(2) By yongheng on 2021-03-02 22:13:45 in reply to 1

Fix in https://www.sqlite.org/src/info/a5940294b2ac8d15