Out-of-bounds read in FTS5 on 3.24.0 and 201807110327 snapshot


Out-of-bounds read in FTS5 on 3.24.0 and 201807110327 snapshot

David Yip
Hi all,

On x86-64 Linux with SQLite 3.24.0 and the 201807110327 SQLite snapshot, the
following program causes FTS5 to do an out-of-bounds access:
https://gitlab.peach-bun.com/snippets/157

Sample ASan and Valgrind outputs are here:
https://gitlab.peach-bun.com/snippets/158

It looks like if you feed in the byte sequence E3 81 BE E3 82 8A E3 82 84 (the
UTF-8 encoding of まりや), then the loop

    while( (p[n] & 0xc0)==0x80 ) n++;

in sqlite3Fts5IndexCharlenToBytelen will attempt to read past the end of the
string when building 3-character prefixes.

I don't know what (if any) security/stability implications this out-of-bounds
read has, but it is inconvenient to hit it when statically linking SQLite into
an application that has ASan enabled (because it'll cause a program abort).

Please let me know if I can provide any additional information that would help
with a fix.

Thanks,

- David
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
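To make the over-read in the report concrete, here is an added example that is not part of the original post, the reporter's snippet, or SQLite itself. It wraps the quoted `while( (p[n] & 0xc0)==0x80 ) n++;` loop in a minimal stand-in for sqlite3Fts5IndexCharlenToBytelen() (the function name, its `(p, nByte, nChar)` shape and the outer loop are my reconstruction, not SQLite's source), feeds it the nine bytes from the report with a constructed guard byte placed just past the end, and runs a bounds-checked variant of my own beside it. The checked variant is not the fix in the linked check-in; it simply shows the invariant the inner loop has to respect: never test p[n] for n >= nByte.

```c
#include <stdio.h>

/* Stand-in for the loop quoted in the report: count the bytes occupied by
** the first nChar UTF-8 characters of p[0..nByte). The inner while loop
** has no bound on n, so when the nChar-th character is the last one in
** the buffer and is multi-byte, it tests p[nByte], one byte past the end.
** (Reconstructed for illustration; not SQLite's code.) */
int charlen_to_bytelen_unchecked(const char *p, int nByte, int nChar){
  int n = 0;
  int i;
  for(i=0; i<nChar; i++){
    if( n>=nByte ) return 0;          /* fewer than nChar characters */
    if( (unsigned char)p[n++]>=0xc0 ){
      while( (p[n] & 0xc0)==0x80 ) n++;   /* no check against nByte */
    }
  }
  return n;
}

/* Bounds-checked variant (my own, not the project's fix): the scan for
** continuation bytes stops at nByte, so p[nByte] is never read. */
int charlen_to_bytelen_checked(const char *p, int nByte, int nChar){
  int n = 0;
  int i;
  for(i=0; i<nChar; i++){
    if( n>=nByte ) return 0;
    if( (unsigned char)p[n++]>=0xc0 ){
      while( n<nByte && (p[n] & 0xc0)==0x80 ) n++;
    }
  }
  return n;
}

/* Constructed input: the 9 bytes from the report (UTF-8 for まりや), then a
** guard byte that looks like a UTF-8 continuation byte (0x80), then NUL.
** A scan of 3 characters over nByte=9 must never touch the guard. Placing
** the guard inside a larger array keeps the demo free of undefined
** behaviour while still showing that the unchecked loop walks past nByte. */
#define TOKEN_LEN 9
static const unsigned char g_buf[TOKEN_LEN + 2] = {
  0xE3,0x81,0xBE, 0xE3,0x82,0x8A, 0xE3,0x82,0x84,
  0x80,   /* guard: continuation byte just past the end of the token */
  0x00
};

/* Byte count reported by each variant for a 3-character prefix of the
** 9-byte token. Anything larger than TOKEN_LEN means the scan read past
** the end of the buffer. */
int overread_demo_unchecked(void){
  return charlen_to_bytelen_unchecked((const char*)g_buf, TOKEN_LEN, 3);
}
int overread_demo_checked(void){
  return charlen_to_bytelen_checked((const char*)g_buf, TOKEN_LEN, 3);
}

int main(void){
  int a = overread_demo_unchecked();
  int b = overread_demo_checked();
  printf("unchecked: %d bytes for 3 chars (nByte=%d)%s\n", a, TOKEN_LEN,
         a > TOKEN_LEN ? "  <-- read past the end of the token" : "");
  printf("checked:   %d bytes for 3 chars (nByte=%d)\n", b, TOKEN_LEN);
  return 0;
}
```

The unchecked version reports 10 bytes for a 9-byte token because it consumed the guard byte; in the real database the byte after the token is whatever happens to follow the allocation, which is what ASan and Valgrind flagged. Prefix lengths of 1 or 2 characters stop inside the token and never hit the problem, which is why the report only sees it when building 3-character prefixes from a 3-character token.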

Re: Out-of-bounds read in FTS5 on 3.24.0 and 201807110327 snapshot

Dan Kennedy-4
On 07/25/2018 10:50 AM, David Yip wrote:

> Hi all,
>
> On x86-64 Linux with SQLite 3.24.0 and the 201807110327 SQLite snapshot,
> the
> following program causes FTS5 to do an out-of-bounds access:
> https://gitlab.peach-bun.com/snippets/157
>
> Sample ASan and Valgrind outputs are here:
> https://gitlab.peach-bun.com/snippets/158
>

> Please let me know if I can provide any additional information that would
> help
> with a fix.

Thanks for taking the time to report this and construct the demo code.
Now fixed here:

   https://www.sqlite.org/src/info/0e3de8abbb0c7ae6

Dan.


Re: Out-of-bounds read in FTS5 on 3.24.0 and 201807110327 snapshot

David Yip
Thank you for the quick fix!

On Wed, Jul 25, 2018 at 10:27 AM, Dan Kennedy <[hidden email]> wrote:

> On 07/25/2018 10:50 AM, David Yip wrote:
>
>> Hi all,
>>
>> On x86-64 Linux with SQLite 3.24.0 and the 201807110327 SQLite snapshot,
>> the
>> following program causes FTS5 to do an out-of-bounds access:
>> https://gitlab.peach-bun.com/snippets/157
>>
>> Sample ASan and Valgrind outputs are here:
>> https://gitlab.peach-bun.com/snippets/158
>>
>>
>> Please let me know if I can provide any additional information that would
>> help
>> with a fix.
>>
>
> Thanks for taking the time to report this and construct the demo code. Now
> fixed here:
>
>   https://www.sqlite.org/src/info/0e3de8abbb0c7ae6
>
> Dan.