This configuration is not meaningful to me - I was testing an updated apply_key.
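```python
import apsw

con = apsw.Connection("testdb")
# Select the SQLCipher scheme and leave the first 64 header bytes unencrypted
con.pragma("cipher", "sqlcipher")
con.pragma("plaintext_header_size", "64")
con.pragma("key", "hello world")
# Write enough data that encrypted pages are flushed at commit
con.execute("create table x(y); insert into x values(randomblob(32768))")
```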
Result
```
==874168==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7446fa25c280 at pc 0x7446fd2f95fe bp 0x7fff7811c8c0 sp 0x7fff7811c068
READ of size 80 at 0x7446fa25c280 thread T0
    #0 0x7446fd2f95fd in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
    #1 0x7446ea40c79d in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #2 0x7446ea40c79d in EncryptPageSQLCipherCipher /space/mc/sqlite3/sqlite3.c:279675
    #3 0x7446ea18f5c6 in sqlite3mcEncrypt /space/mc/sqlite3/sqlite3.c:282152
    #4 0x7446ea2062e2 in sqlite3mcCodec /space/mc/sqlite3/sqlite3.c:283856
    #5 0x7446ea206bd5 in mcWriteMainDb /space/mc/sqlite3/sqlite3.c:307456
    #6 0x7446ea20c17e in mcIoWrite /space/mc/sqlite3/sqlite3.c:307665
    #7 0x7446ea0e72a3 in sqlite3OsWrite /space/mc/sqlite3/sqlite3.c:26272
    #8 0x7446ea47b99b in pager_write_pagelist /space/mc/sqlite3/sqlite3.c:61714
    #9 0x7446ea4bc11d in sqlite3PagerCommitPhaseOne /space/mc/sqlite3/sqlite3.c:63882
    #10 0x7446ea4bc501 in sqlite3BtreeCommitPhaseOne /space/mc/sqlite3/sqlite3.c:74979
    #11 0x7446ea4d7583 in vdbeCommit /space/mc/sqlite3/sqlite3.c:87972
    #12 0x7446ea4d91fb in sqlite3VdbeHalt /space/mc/sqlite3/sqlite3.c:88382
    #13 0x7446ea598c15 in sqlite3VdbeExec /space/mc/sqlite3/sqlite3.c:94570
    #14 0x7446ea5cbf67 in sqlite3Step /space/mc/sqlite3/sqlite3.c:91378
    #15 0x7446ea5cc766 in sqlite3_step /space/mc/sqlite3/sqlite3.c:91439
....
Address 0x7446fa25c280 is located in stack of thread T0 at offset 128 in frame
    #0 0x7446ea40c1e3 in EncryptPageSQLCipherCipher /space/mc/sqlite3/sqlite3.c:279636
  This frame has 3 object(s):
    [48, 52) 'pgno_raw' (line 279685)
    [64, 128) 'iv' (line 279644)
    [160, 224) 'hmac_out' (line 279686) <== Memory access at offset 128 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115 in memcpy
```
- #158: add check to verify compatibility of source and target database in backup operation
- #160: fix accessing memory out of array bounds
- #162: fix loading/storing misaligned data
The problem is at least not related to the added pragma plaintext_header_file.
When the cipher variant SQLCipher 4 was introduced, I had forgotten to adjust the size of the initial vector. No memory was overwritten, but memory out of array bounds was read.
You need to use the sanitizer.
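The bug class discussed in this thread (a copy length that follows the cipher configuration while the stack buffer keeps an older fixed size), shown next to a bounds-checked form. This is an added example, not sqlite3mc code: the sizes 64 and 80 come from the ASan report above, while the function names, macro names and page layout are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OLD_IV_BUF   64   /* size of 'iv' in the ASan frame listing */
#define MAX_RESERVED 80   /* length of the memcpy read ASan flagged */

/* Bug pattern: the copy length comes from the active configuration, the
 * buffer size from a constant that was never updated. Any call with
 * reserved > OLD_IV_BUF reads past 'iv', as in the report above. */
int store_trailer_unchecked(unsigned char *page, size_t page_size, size_t reserved)
{
    unsigned char iv[OLD_IV_BUF] = {0};
    memcpy(page + page_size - reserved, iv, reserved);
    return 0;
}

/* Hardened form: the buffer is sized for the largest configuration and
 * every length is validated before the copy.
 * Returns 0 on success, -1 on a size mismatch (nothing is written). */
int store_trailer_checked(unsigned char *page, size_t page_size, size_t reserved)
{
    unsigned char iv[MAX_RESERVED];
    _Static_assert(sizeof iv >= MAX_RESERVED, "iv must hold the largest trailer");

    if (reserved > sizeof iv || reserved > page_size)
        return -1;
    memset(iv, 0xA5, sizeof iv);   /* stand-in for real IV/HMAC bytes */
    memcpy(page + page_size - reserved, iv, reserved);
    return 0;
}

int main(void)
{
    unsigned char page[4096] = {0};   /* constructed sample page */

    printf("reserved=80 -> %d\n", store_trailer_checked(page, sizeof page, 80));
    printf("reserved=81 -> %d\n", store_trailer_checked(page, sizeof page, 81));
    return 0;
}
```

Building the unchecked variant with `-fsanitize=address` and calling it with a length of 80 produces the same kind of stack-buffer-overflow READ report as the one in this issue.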