
Issue metadata

Status: Fixed
Closed: Mar 2015
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Security: sqlite bad ptr access

Project Member Reported by, Mar 20 2015

Issue description

Reported upstream, but also filing here for tracking purposes. Will update with an upstream patch.

Offending query:


...will cause sqlite to access an uninitialized ptr when handling expressions in order statements. Spewed out by AFL. Appears reproducible with WebSQL in Chrome. Crash PoC:

var db = window.openDatabase("DBName", "1.0", "description", 5*1024*1024);
db.transaction(function(tx) {
  // ORDER BY term with COLLATE followed by an eight-double-quote identifier;
  // the collation name is dequoted more than once and sqlite crashes.
  tx.executeSql('SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE"""""""";', [], alert, alert);
});
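
A way to check whether the SQLite library on a given machine carries this fix, as an added example that is not part of the original report or of the Chromium/SQLite code: the trigger statement from the PoC is prepared and run in a throwaway child interpreter through Python's sqlite3 module, so a library that still has the bug only takes the child process down. The function names and the child harness are assumptions made for this example.

```python
import subprocess
import sys

# The query from the report. Everything else in this file (function names,
# the child harness) is an assumption for this added example, not Chromium
# or SQLite code.
TRIGGER_QUERY = 'SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE"""""""";'

# Child program: prepare and run one statement against an in-memory database
# and print a one-line verdict. If sqlite dereferences a bad pointer the child
# dies before printing anything, which the parent classifies as a crash.
_CHILD = r"""
import sqlite3, sys
con = sqlite3.connect(":memory:")
try:
    con.execute(sys.argv[1]).fetchall()
    print("OK")
except sqlite3.Error as exc:
    print("ERROR " + str(exc))
"""


def run_isolated(query, timeout=10):
    """Run one SQL statement in a separate interpreter process.

    Returns (outcome, detail) with outcome in {"ok", "error", "crash"}.
    "error" is an ordinary sqlite3 error raised while preparing or stepping
    the statement; "crash" means the child exited abnormally, hung, or
    printed no verdict at all.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, query],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "crash", "child timed out"
    verdict = proc.stdout.strip()
    if proc.returncode != 0 or not verdict:
        return "crash", "child exit status %d" % proc.returncode
    if verdict.startswith("ERROR "):
        return "error", verdict[len("ERROR "):]
    return "ok", verdict


def collation_dequote_fixed():
    """True when the local SQLite rejects the trigger query cleanly.

    A patched library dequotes the eight-double-quote identifier once,
    looks up a collation with that (non-existent) name and reports
    'no such collation sequence'. A library with the bug crashes the
    child instead of returning an error.
    """
    outcome, detail = run_isolated(TRIGGER_QUERY)
    return outcome == "error" and "no such collation sequence" in detail


if __name__ == "__main__":
    import sqlite3
    verdict = "fixed" if collation_dequote_fixed() else "AFFECTED (child crashed)"
    print("SQLite %s: %s" % (sqlite3.sqlite_version, verdict))
```

The report shows the same statement reaching SQLite through WebSQL in the renderer; here it goes through Python's sqlite3 binding, which prepares it the same way. Running it in a child process rather than in the checking interpreter is what makes the probe safe to put in a build or CI check.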


Comment 1 by, Mar 20 2015

Labels: Security_Impact-Stable Security_Severity-High
Status: ExternalDependency

Comment 2 by, Mar 21 2015

The fix is in:

I'll leave it to you to decide if you want to cherry-pick or wait for the next release (3.8.9). The release will also include a bunch of other fuzzer fixes, but most of them are non-exploitable.

Comment 4 by, Mar 23 2015

Do you do Chromium code reviews?  Wasn't clear from looking at logs.

Cherry-pick, because we don't have a set schedule for SQLite imports. Patch had a couple of rejects, but the merge seems fine.

Comment 5 by, Mar 25 2015

Nope, but pinged Abhishek off-bug. Thanks!
Status: Fixed
Labels: M-42 Merge-Requested

Comment 10 by ClusterFuzz, Mar 27 2015

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: M-41

Comment 13 by, Mar 27 2015

Labels: -Merge-Requested Merge-Review Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M41), manual review required.

Comment 14 by, Mar 27 2015

Labels: Merge-Approved Hotlist-Merge-Approved
Approved for M42 (branch: 2311)
Labels: -M-41 -Merge-Review -Hotlist-Merge-Review
This fix will go out with M42.  -M-41.

Comment 16 by, Mar 27 2015

Labels: -Merge-Approved merge-merged-2311
The following revision refers to this bug:

commit 90856262ae6ae80bd6f478b820515e35c21f094b
Author: Scott Hess <>
Date: Fri Mar 27 22:52:32 2015

[sqlite backport] Fix collation dequoting.

"Fix a problem causing collation sequence names to be dequoted
multiple times under some circumstances."

BUG= 469082

Review URL:

Cr-Commit-Position: refs/heads/master@{#322165}
(cherry picked from commit 3e13a01e946b7df16a5b3702ac016b5784945a90)

Review URL:

Cr-Commit-Position: refs/branch-heads/2311@{#369}
Cr-Branched-From: 09b7de5dd7254947cd4306de907274fa63373d48-refs/heads/master@{#317474}


Labels: Release-0-M42
Issue 477340 has been merged into this issue.

Comment 20 by ClusterFuzz, Jul 1 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 21 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 22 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
