SQLite Forum


1 forum post by user Kaktusbot

2021-10-20
13:30 Post: BUG carray.c memcpy() buffer overflow (artifact: 48e525b266 user: Kaktusbot)

Function in carray.c

413 SQLITE_API int sqlite3_carray_bind

There is a memcpy() in the case of data type != CARRAY_TEXT, which implies that sz is the size of the data type and nData is the number of array entries.

467 memcpy(pNew->aData, aData, sz*nData);

But earlier in this section, sz was already multiplied by the size of the data type.

433 sqlite3_int64 sz = nData;
434 switch( mFlags & 0x03 ){
435   case CARRAY_INT32:   sz *= 4;              break;
436   case CARRAY_INT64:   sz *= 8;              break;
437   case CARRAY_DOUBLE:  sz *= 8;              break;
438   case CARRAY_TEXT:    sz *= sizeof(char*);  break;
439 }

And in fact it was properly handled on another line, but not on the memcpy on line 467:

446 pNew->aData = sqlite3_malloc64( sz );

This leads to memcpy read and write overflows, which make my app crash spontaneously.

After I changed line 467 as shown below, the crashes stopped.

467 memcpy(pNew->aData, aData, sz);
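An added example, not code from carray.c or the SQLite project, that models the size computation the post describes (CARRAY_* values assumed to match carray.h): carray_bytes() is the sz that line 446 allocates, buggy_copy_len() is the length the original line 467 handed to memcpy, and carray_copy_fixed() is the corrected copy where the allocation and the memcpy length agree, with an overflow check on the multiplication.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Type flags, assumed to match carray.h. */
#define CARRAY_INT32  0
#define CARRAY_INT64  1
#define CARRAY_DOUBLE 2
#define CARRAY_TEXT   3

/* Bytes for nData entries of the type (the sz line 446 allocates), -1 on overflow. */
static int64_t carray_bytes(int mFlags, int64_t nData){
  int64_t elem;
  switch( mFlags & 0x03 ){
    case CARRAY_INT32:  elem = 4; break;
    case CARRAY_INT64:  elem = 8; break;
    case CARRAY_DOUBLE: elem = 8; break;
    default:            elem = (int64_t)sizeof(char*); break; /* CARRAY_TEXT */
  }
  if( nData<0 || nData>INT64_MAX/elem ) return -1;   /* nData*elem would overflow */
  return nData*elem;
}

/* Length the original line 467 handed to memcpy: sz*nData, with sz already
 * in bytes.  Computed for comparison only; never used to copy anything. */
static int64_t buggy_copy_len(int mFlags, int64_t nData){
  int64_t sz = carray_bytes(mFlags, nData);
  return sz<0 ? -1 : sz*nData;
}

/* Fixed copy: allocate sz bytes and copy exactly sz bytes, so the
 * destination size and the memcpy length can never disagree. */
static void *carray_copy_fixed(const void *aData, int mFlags, int64_t nData){
  int64_t sz = carray_bytes(mFlags, nData);
  void *p;
  if( sz<0 ) return NULL;
  p = malloc(sz ? (size_t)sz : 1);     /* avoid malloc(0) for an empty array */
  if( p==NULL ) return NULL;
  memcpy(p, aData, (size_t)sz);
  return p;
}

/* Self-check on a constructed 5-entry int32 array: the fixed copy must match
 * the source byte for byte.  Returns 1 on success, 0 otherwise. */
static int fixed_copy_roundtrip(void){
  int32_t src[5] = {1, -2, 3, -4, 5};              /* constructed input */
  int32_t *dst = carray_copy_fixed(src, CARRAY_INT32, 5);
  int ok = dst!=NULL && memcmp(dst, src, sizeof(src))==0;
  free(dst);
  return ok;
}
```

For five int32 entries the buffer is 20 bytes while the original memcpy length is 100, which is the read and write overflow the post reports.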