SQLite
cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*
A heap buffer overflow vulnerability has been identified in SQLite's concat_ws() function. The issue arises from an integer overflow that can be triggered by using a large separator value with multiple arguments. The overflowed, truncated integer is then used as the size of the buffer that is allocated. When SQLite writes the resulting string to this buffer, it uses the original, untruncated size, leading to a heap buffer overflow of approximately 4GB. This vulnerability can result in arbitrary code execution.
Exploitation of this vulnerability causes a heap buffer overflow, which can lead to arbitrary code execution.
The vulnerability can be reproduced by calling the concat_ws() function with an excessively large separator and multiple arguments. The integer overflow occurs when the function calculates the total size needed for the concatenated string, allowing for a large buffer overflow when the data is written to the allocated memory.
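The size arithmetic described above, modeled as an added example (not SQLite's source code): the function names, the equal-length-argument simplification, the 32-bit narrowing and the 1,000,000,000-byte limit are assumptions made for illustration, and the lengths are constructed. It only computes sizes; nothing is allocated or written.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_MAX_LEN 1000000000LL  /* assumed per-string limit for this model */

/* Bytes needed to join nargs strings of arg_len bytes each with a
 * sep_len-byte separator, plus a terminator, computed in 64 bits. */
static int64_t joined_size(int nargs, int64_t arg_len, int64_t sep_len) {
    return 1 + (int64_t)nargs * arg_len + (int64_t)(nargs - 1) * sep_len;
}

/* Flawed pattern: the 64-bit total is narrowed to 32 bits for the
 * allocation while the later write still uses the full total. */
static uint32_t truncated_alloc_size(int64_t total) {
    return (uint32_t)total;
}

/* Hardened pattern: bound every term and the running total before any
 * narrowing, and fail instead of allocating. Returns 0 on success. */
static int checked_size(int nargs, int64_t arg_len, int64_t sep_len, size_t *out) {
    int64_t n = 1;
    if (nargs < 1 || arg_len < 0 || sep_len < 0) return -1;
    if (arg_len > MODEL_MAX_LEN || sep_len > MODEL_MAX_LEN) return -1;
    for (int i = 0; i < nargs; i++) {
        int64_t add = arg_len + (i > 0 ? sep_len : 0);
        if (add > MODEL_MAX_LEN - n) return -1;  /* total would pass the limit */
        n += add;
    }
    *out = (size_t)n;
    return 0;
}

int main(void) {
    /* Constructed lengths: three 10-byte arguments, separator of 2^31-1 bytes. */
    int64_t total = joined_size(3, 10, 2147483647LL);
    size_t ok = 0;
    printf("needed=%lld allocated=%u\n", (long long)total,
           (unsigned)truncated_alloc_size(total));
    printf("checked=%d\n", checked_size(3, 10, 2147483647LL, &ok));
    return 0;
}
```

The gap between the needed size and the narrowed allocation size is the roughly 4GB written past the end of the buffer; the checked variant refuses the request before any narrowing happens.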
Users are advised to update to the latest version of SQLite, where this vulnerability has been addressed.