Integer Overflow in SQLite Leading to Stack-based Buffer Overflow
Original Post:
We discussed this vulnerability during Episode 164 on 01 November 2022
An integer overflow in SQLite's sqlite3_str_vappendf is triggered by large inputs when dealing with the q, Q or w format specifiers (unique to SQLite's implementation of printf, used to escape quotes). In calculating the maximum buffer size once escapes have been added, the size may overflow to a negative value, leading to SQLite using a 70-byte (by default) stack-allocated buffer. Naturally this leads to a stack-based buffer overflow.
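The size arithmetic described above, as an added example that is not SQLite's code: a naive int-based estimate of the escaped size next to a checked version built on __builtin_mul_overflow/__builtin_add_overflow, plus a bounded quote-escaping routine that refuses a destination buffer too small for the worst case. The 70-byte stack buffer constant, the function names and the worst-case formula (every byte doubled, plus two enclosing quotes and a NUL) are assumptions for the illustration, chosen to mirror the pattern the episode describes rather than SQLite's actual code.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed stack buffer that a formatter tries before falling back to the heap.
   Mirrors the 70-byte default mentioned above (value assumed for this example). */
#define STACK_BUF_SIZE 70

/* Naive upper bound on the escaped size: every byte might be a quote that gets
   doubled, plus two enclosing quotes and a terminating NUL. Computed in int,
   so large inputs wrap. The cast through unsigned reproduces two's-complement
   wraparound without the undefined behaviour of signed overflow. */
int naive_escaped_size(int len)
{
    unsigned u = (unsigned)len;
    return (int)(u * 2u + 3u);
}

/* The same bound with overflow detection. Returns false when the true size
   is not representable, so the caller can refuse instead of under-allocating. */
bool checked_escaped_size(size_t len, size_t *out)
{
    size_t doubled, total;
    if (__builtin_mul_overflow(len, (size_t)2, &doubled)) return false;
    if (__builtin_add_overflow(doubled, (size_t)3, &total)) return false;
    *out = total;
    return true;
}

/* Buffer selection as the flawed pattern makes it: a wrapped, negative size
   passes the "fits in the stack buffer" comparison. */
bool naive_fits_in_stack(int len)
{
    return naive_escaped_size(len) <= STACK_BUF_SIZE;
}

/* Hardened selection: an unrepresentable size is treated as "does not fit". */
bool checked_fits_in_stack(size_t len)
{
    size_t need;
    if (!checked_escaped_size(len, &need)) return false;
    return need <= STACK_BUF_SIZE;
}

/* Bounded escaping: copies src into dst, doubling every occurrence of `quote`
   and wrapping the result in quote characters. Returns the length written
   (excluding the NUL) or (size_t)-1 when dst is too small for the worst case. */
size_t escape_quotes(const char *src, size_t len, char quote,
                     char *dst, size_t dstsz)
{
    size_t need, n = 0;
    if (!checked_escaped_size(len, &need) || need > dstsz) return (size_t)-1;
    dst[n++] = quote;
    for (size_t i = 0; i < len; i++) {
        if (src[i] == quote) dst[n++] = quote;   /* double the quote */
        dst[n++] = src[i];
    }
    dst[n++] = quote;
    dst[n] = '\0';
    return n;
}

/* Escapes src into the fixed stack buffer and compares with expected.
   Returns false if the buffer is refused or the output differs. */
bool escape_matches(const char *src, char quote, const char *expected)
{
    char buf[STACK_BUF_SIZE];
    size_t n = escape_quotes(src, strlen(src), quote, buf, sizeof buf);
    return n != (size_t)-1 && strcmp(buf, expected) == 0;
}

int main(void)
{
    int big = INT_MAX - 1;   /* a length large enough to wrap the naive estimate */
    printf("naive size for %d bytes: %d (fits stack? %s)\n", big,
           naive_escaped_size(big), naive_fits_in_stack(big) ? "yes" : "no");
    printf("checked: fits stack? %s\n",
           checked_fits_in_stack((size_t)big) ? "yes" : "no");
    printf("%s\n", escape_matches("it's", '\'', "'it''s'") ? "escape ok" : "escape failed");
    return 0;
}
```

The point to take from the two selection functions is that the comparison guarding the stack buffer is only as good as the arithmetic feeding it: a signed estimate that wraps to -1 sails through `<= 70`, while the checked version fails closed and never lets a large input be routed into the small buffer. Compiling with `-fsanitize=undefined` or `-ftrapv` is the quickest way to surface the naive pattern in a real code base.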