SQLite

View Ticket
Ticket Hash: 33aa4c0de8a62e3397bd58ce4182942939e78aea
Title: Heap buffer overflow on SQL input
Status: Fixed
Type: Code_Defect
Severity: Severe
Priority: High
Subsystem: Utilities
Resolution: Fixed
Last Modified: 2023-03-20 01:33:28
Created: 2023-03-16 20:23:50
Version Found In: 3.41.1
User Comments:
drh added on 2023-03-16 20:23:50:

This is test3.sql from forum post d24ec63447:

CREATE  TABLE  IF  NOT  EXISTS dbstat(pagetypeREAL);
CREATE  TEMPORARY  TABLE  IF  NOT  EXISTS dbstat AS  SELECT  ALL dbstat.*, *, *, *, *, *, dbstat.*, *, *, *, *, *, *, *, *, *, *, *, *, *, '%Y-%m-%d', *, *, *, *, * FROM (dbstat AS dbstat NOT  INDEXED , sqlite_schema AS dbstat NOT  INDEXED ) GROUP  BY  FALSE  HAVING  FALSE  ORDER  BY 5e200 NULLS  FIRST;
ALTER  TABLE dbstat ADD  COLUMN pagetype CONSTRAINT constr1 GENERATED  ALWAYS  AS ( RAISE ( IGNORE )->> FALSE  OR  FALSE );
SELECT * FROM dbstat;

drh added on 2023-03-17 00:44:22:

Unable to recreate the problem using ASAN or Valgrind. Possibly an instrumentation error on the part of the original reporter. The reported instrumentation puts the problem in the CLI, not the core SQLite library, on the main input buffer. A few extra bytes of space are now added on the end of that buffer as a safety margin.


drh added on 2023-03-19 23:38:49:

Reopened

The problem is that the sqlite3_error_offset() routine is returning a value that is out-of-range for its input. Two errors: First, the sqlite3_error_offset() is returning an out-of-range value. Second, the CLI code that uses sqlite3_error_offset() is failing to properly deal with the out-of-range return value.

Reproducible test case (run under valgrind):

CREATE TABLE t1 AS SELECT *,*,*,*,*,*,* FROM sqlite_schema;
ALTER TABLE t1 ADD path GENERATED ALWAYS AS (no_such_function(1));
SELECT * FROM t1;
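The second of the two errors above, a caller that indexes its input buffer with whatever sqlite3_error_offset() hands back, is the one any program built on SQLite can make on its own. The following is an added example written for this page, not code from the SQLite CLI or library. It does not link SQLite; the function name render_error_context() and the integer returned in place of a real sqlite3_error_offset() result are assumptions, and the SQL text is constructed from the reproducer above. It shows the shape a caret-printing routine should have: the offset is validated against the actual length of the SQL buffer before it is used as an index, and the documented "no offset available" value of -1 is distinguished from an out-of-range value, which is reported as a defect rather than dereferenced.

```c
#include <stdio.h>
#include <string.h>

/*
 * Render the line of `sql` (n bytes, not necessarily NUL-terminated) that
 * contains byte offset `off`, followed by a line of spaces and a caret under
 * that byte, into `out`.  `off` is whatever sqlite3_error_offset() returned;
 * this example never calls the library, the caller supplies the value.
 *
 * Returns the number of bytes written (excluding the NUL), or
 *   -1 if off < 0            (documented meaning: no position available),
 *   -2 if off >= n           (out-of-range: refuse to index the buffer),
 *   -3 if `out` is too small.
 * The -2 case is the guard the ticket describes as missing: an unchecked
 * offset beyond the buffer turns a cosmetic caret into an out-of-bounds read.
 */
int render_error_context(const char *sql, size_t n, int off,
                         char *out, size_t outsz)
{
    if (off < 0) return -1;            /* library says: no offset known */
    if ((size_t)off >= n) return -2;   /* hypothetical guard: never index past n */

    /* Locate the start and end of the line that contains `off`. */
    size_t start = (size_t)off;
    while (start > 0 && sql[start - 1] != '\n') start--;
    size_t end = (size_t)off;
    while (end < n && sql[end] != '\n') end++;

    size_t linelen = end - start;
    size_t col = (size_t)off - start;

    /* Need: line + '\n' + col spaces + '^' + '\n' + NUL. */
    if (linelen + col + 4 > outsz) return -3;

    memcpy(out, sql + start, linelen);
    out[linelen] = '\n';
    memset(out + linelen + 1, ' ', col);
    out[linelen + 1 + col] = '^';
    out[linelen + 2 + col] = '\n';
    out[linelen + 3 + col] = '\0';
    return (int)(linelen + 3 + col);
}

/* Constructed input: the second statement of the ticket's reproducer.
 * Byte 63 is the first character of "no_such_function". */
static const char SAMPLE_SQL[] =
    "SELECT * FROM t1;\n"
    "ALTER TABLE t1 ADD path GENERATED ALWAYS AS (no_such_function(1));";

int main(void)
{
    char buf[256];
    size_t n = strlen(SAMPLE_SQL);
    /* Simulated sqlite3_error_offset() results: in range, none, out of range. */
    int offsets[] = { 63, -1, (int)n + 5 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        int rc = render_error_context(SAMPLE_SQL, n, offsets[i], buf, sizeof buf);
        if (rc >= 0)
            printf("error at offset %d:\n%s", offsets[i], buf);
        else if (rc == -1)
            printf("offset %d: no position available\n", offsets[i]);
        else
            printf("offset %d: out of range for %zu-byte input, ignored\n",
                   offsets[i], n);
    }
    return 0;
}
```

The same check belongs in any tool that reuses the offset to highlight, truncate, or re-tokenize its input; treating the library's return value as untrusted costs one comparison and removes the out-of-bounds read regardless of which side of the API is at fault.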