QID 150591

QID 150591: SQLite versions allow an array-bounds overflow leading to arbitrary code execution (RCE) (CVE-2022-35737)

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API. Trail of Bits disclosed the vulnerability, which affects applications that use vulnerable SQLite versions: https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/

Exploitation is possible only on 64-bit systems and depends on how the program is compiled: arbitrary code execution is confirmed when the library is compiled without stack canaries, unconfirmed when stack canaries are present, and denial of service is confirmed in all cases. Exploitation is not possible through SQL injection. Based on the published information, systems vulnerable to CVE-2022-35737 are exploitable when large string inputs are passed to SQLite's implementations of the printf functions and the format string contains the %Q, %q, or %w format substitution types; this is enough to crash the program. Trail of Bits also showed that if the format string contains the ! special character, which enables Unicode character scanning, arbitrary code execution is possible in the worst case, or the program can be made to hang and loop (nearly) indefinitely.

When an input string is large enough, the integer overflows, which can also result in arbitrary code execution.
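The following script is an added example, not part of the Qualys advisory or of SQLite itself: it encodes the affected range stated above (1.0.12 up to but excluding 3.39.2), parses a version string into a comparable tuple, and reports whether the SQLite library the running Python interpreter links against falls in that range. The regular expression and the `check_runtime_library()` helper are the example's own assumptions about the version formats it will see.

```python
import re
import sqlite3

# Affected range from the advisory: SQLite 1.0.12 through 3.39.x before 3.39.2
FIRST_AFFECTED = (1, 0, 12)
FIXED_IN = (3, 39, 2)

# Accepts MAJOR.MINOR[.PATCH[.SUB]] (assumed format, e.g. "3.39.2" or "3.39.2.1")
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Turn a SQLite version string into a (major, minor, patch) tuple.

    A missing patch number is treated as 0; a fourth component is ignored
    because the affected range is expressed at patch granularity.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised SQLite version string: {text!r}")
    major, minor, patch, _sub = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else 0)


def is_affected(version_text):
    """True if the version lies in [1.0.12, 3.39.2), i.e. lacks the fix."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED_IN


def check_runtime_library():
    """Inspect the libsqlite3 build that this Python process actually uses."""
    version = sqlite3.sqlite_version  # e.g. "3.39.2"; exposed by the stdlib module
    return {"sqlite_version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    report = check_runtime_library()
    status = "AFFECTED by CVE-2022-35737" if report["affected"] else "not affected"
    print(f"SQLite {report['sqlite_version']}: {status}")
```

Running it inside each deployed Python environment (rather than reading the package manager's metadata) catches bundled or statically linked copies of SQLite that a package inventory would miss.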

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as High - 6.4 severity.
  • Solution
    Upgrade SQLite to Release 3.39.2, which was released on 2022-07-21.
  • Vendor References
    CVEs related to QID 150591: CVE-2022-35737
    Software Advisories
    Advisory: SQLite URL
    Software Component: SQLite
    Link: www.sqlite.org/releaselog/3_39_2.html