SQLite Integer Overflow Vulnerability in FTS5 Extension Allowing Out-of-Bounds Write

Vulnerability

An integer overflow vulnerability, rated moderate, has been identified in the SQLite FTS5 extension; it was confirmed in version 3.49.1. The issue arises when the byte size of an array of tombstone pointers is computed from an attacker-influenced page count and the result is truncated to a 32-bit integer. The truncated value produces an allocation that is far smaller than the number of entries the code then indexes, so a pointer to partially controlled data is written past the end of the heap buffer, corrupting memory.

Impact

The out-of-bounds write is a heap-based buffer overflow: adjacent heap allocations can be overwritten, and in the worst case this could be leveraged to execute arbitrary code in the process that opened the database. The attacker must be able to influence the persisted FTS5 page count (the 'nPgTombstone' value), so the realistic exposure is to applications that open database files from untrusted sources or that allow untrusted SQL to modify FTS5 shadow tables.
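The following is an added, self-contained model of the bug class described in the two paragraphs above, written for this page; it is not SQLite's code. The names nPg (standing in for the advisory's attacker-influenced 'nPgTombstone'), elemSize (standing in for the size of a pointer) and the function names are assumptions for illustration. It shows how the 64-bit byte count collapses to a tiny 32-bit value, why the slot write for a hash index of rowid modulo page count then lands outside the buffer, and how a width-preserving, range-checked computation rejects the same input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Illustrative model of the integer-truncation bug class (not SQLite's code).
 * nPg models an attacker-influenced page count read from persisted data;
 * elemSize models sizeof(pointer) for the array being allocated.
 */

/* Vulnerable pattern: the 64-bit product is stored in a 32-bit int. */
static int32_t bytes_needed_truncated(int64_t nPg, uint64_t elemSize) {
    uint64_t nByte = (uint64_t)nPg * elemSize;
    return (int32_t)nByte;            /* high bits silently discarded */
}

/* Hardened pattern: compute and range-check in 64 bits, never narrow.
 * Returns 0 and sets *out on success, -1 if the count is invalid or would wrap. */
static int bytes_needed_checked(int64_t nPg, uint64_t elemSize, uint64_t *out) {
    if (nPg <= 0 || elemSize == 0) return -1;
    if ((uint64_t)nPg > UINT64_MAX / elemSize) return -1;   /* product would wrap */
    *out = (uint64_t)nPg * elemSize;
    if (*out > (uint64_t)SIZE_MAX) return -1;               /* not allocatable here */
    return 0;
}

/* Convenience wrapper: the checked byte count, or 0 if it was rejected. */
static uint64_t checked_bytes_or_zero(int64_t nPg, uint64_t elemSize) {
    uint64_t n = 0;
    return bytes_needed_checked(nPg, elemSize, &n) == 0 ? n : 0;
}

/* Does writing slot (iRowid % nPg), elemSize bytes wide, stay within nAlloc bytes? */
static int slot_in_bounds(int64_t nPg, uint64_t iRowid, int64_t nAlloc, uint64_t elemSize) {
    if (nPg <= 0 || nAlloc <= 0) return 0;
    uint64_t slot = iRowid % (uint64_t)nPg;
    return (slot + 1) * elemSize <= (uint64_t)nAlloc;
}

/* Walks the vulnerable path end to end without touching memory.
 * Returns 1 if the slot write would be out of bounds, 0 if in bounds,
 * -1 if the truncated size is <= 0 (an allocator would refuse it). */
static int vulnerable_path_oob(int64_t nPg, uint64_t iRowid, uint64_t elemSize) {
    int32_t nByte = bytes_needed_truncated(nPg, elemSize);
    if (nByte <= 0) return -1;
    return slot_in_bounds(nPg, iRowid, nByte, elemSize) ? 0 : 1;
}

int main(void) {
    /* Constructed inputs: a page count chosen so that count * 8 wraps to 8 bytes. */
    const int64_t  nPg   = 0x20000001LL;   /* 0x20000001 * 8 = 0x100000008 -> (int32) 8 */
    const uint64_t elem  = 8;              /* 64-bit pointer */
    const uint64_t rowid = 0x1000;         /* hash slot 4096 needs 32776 bytes */

    printf("truncated byte count:  %d\n", bytes_needed_truncated(nPg, elem));
    printf("vulnerable path OOB?   %d\n", vulnerable_path_oob(nPg, rowid, elem));
    printf("checked byte count:    %llu\n",
           (unsigned long long)checked_bytes_or_zero(nPg, elem));
    return 0;
}
```

The page count 0x20000001 is only 536870913, well within what a corrupt structure record can carry, yet it is enough to wrap an 8-byte-per-entry product past 2^32. Note the second failure mode the model exposes: a count such as 0x10000000 truncates to a negative int, which a caller that converts it to size_t would turn into a huge allocation request rather than a small one; both outcomes are avoided only by keeping the size in a 64-bit type end to end and rejecting counts that cannot be represented.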

Reproduction

The vulnerability can be reproduced by executing a crafted SQL query that manipulates the 'nPgTombstone' value, which is under attacker control, using the SQLite command-line shell. When the shell is built with AddressSanitizer (ASan), it reports a heap-buffer-overflow at the out-of-bounds write, confirming that the vulnerable code path was reached. Without ASan the corruption may pass silently or manifest only as a later crash, so an instrumented build is the reliable way to verify a test case.

Remediation

Users should upgrade to SQLite version 3.50 or later, where this vulnerability has been patched. Applications that open database files from untrusted sources should also enable SQLite's defensive mode (sqlite3_db_config with SQLITE_DBCONFIG_DEFENSIVE), which blocks ordinary SQL from writing to FTS5 shadow tables; this limits the SQL-based manipulation described above but does not protect against an already crafted database file, so it complements rather than replaces the upgrade.

Added: Sep 8, 2025, 3:17 PM
Updated: Sep 8, 2025, 4:29 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.6
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.