Integer Overflow in SQLite Leading to Stack-based Buffer Overflow

We discussed this vulnerability during Episode 164 on 01 November 2022

An integer overflow in SQLite's sqlite3_str_vappendf can be triggered by large inputs to the q, Q or w format specifiers (unique to SQLite's implementation of printf and used to escape quotes). When calculating the maximum buffer size once escapes have been added, the size may overflow to a negative value, leading SQLite to fall back to a 70-byte (by default) stack-allocated buffer. Naturally this leads to a stack-based buffer overflow.
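The following is an added illustration of the failure mode described above, not SQLite's own code: a generic model of a "how much room do the escaped quotes need" calculation done in a 32-bit int, a size check that a wrapped (negative) result silently passes, and a checked variant of the same arithmetic. The constants (a 70-byte stack buffer, a hard input-length limit) and the function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed-size on-stack buffer used when the computed size is "small enough"
 * (70 bytes is the default the page describes; assumed here for illustration). */
#define STACK_BUF_SIZE 70

/* Hard upper bound on input length for the checked variant (assumed value). */
#define MAX_INPUT_LEN 1000000000LL

/* Flawed model: worst-case escaped size computed in a 32-bit int.
 * Each quote doubles (+quote_count), plus two surrounding quotes and a NUL (+3).
 * For inputs near INT32_MAX the true value exceeds INT32_MAX; converting it to
 * int wraps to a negative number on common compilers (implementation-defined). */
static int naive_needed(int64_t input_len, int64_t quote_count) {
    int64_t exact = input_len + quote_count + 3;
    return (int)exact; /* lossy conversion: this is the overflow */
}

/* The size check as a naive implementation would write it: a negative "needed"
 * value compares as smaller than the stack buffer, so the small buffer is chosen
 * even though the input is huge. Returns true when the stack buffer is selected. */
static bool naive_uses_stack_buf(int64_t input_len, int64_t quote_count) {
    int needed = naive_needed(input_len, quote_count);
    return needed <= STACK_BUF_SIZE;
}

/* Checked variant: validate the operands against a hard limit before the
 * arithmetic, compute in 64 bits, and only then compare against the buffer.
 * Returns false (and writes nothing) when the size cannot be trusted. */
static bool checked_needed(int64_t input_len, int64_t quote_count, size_t *out) {
    if (input_len < 0 || quote_count < 0 || quote_count > input_len)
        return false;
    if (input_len > MAX_INPUT_LEN)
        return false; /* reject before any arithmetic can wrap */
    int64_t exact = input_len + quote_count + 3; /* cannot overflow after the limit check */
    if (exact > INT32_MAX)
        return false;
    *out = (size_t)exact;
    return true;
}

/* Buffer selection with the checked size: stack buffer only when it truly fits. */
static bool checked_uses_stack_buf(int64_t input_len, int64_t quote_count) {
    size_t needed;
    if (!checked_needed(input_len, quote_count, &needed))
        return false; /* oversized input never reaches the stack buffer */
    return needed <= STACK_BUF_SIZE;
}

int main(void) {
    int64_t huge = (int64_t)INT32_MAX;
    printf("naive needed for len=%lld: %d (negative means wrapped)\n",
           (long long)huge, naive_needed(huge, 0));
    printf("naive picks 70-byte stack buffer: %s\n",
           naive_uses_stack_buf(huge, 0) ? "yes (bug)" : "no");
    printf("checked picks stack buffer: %s\n",
           checked_uses_stack_buf(huge, 0) ? "yes" : "no (rejected)");
    return 0;
}
```

The point of the checked variant is the order of operations: bound the operands first, do the arithmetic in a wider type second, and compare against the buffer size last. Any check placed after a 32-bit computation can be satisfied by a wrapped value.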