Sat, 31 Mar 2007


When sqlite_udf_decode_binary() is called with a string only containing a single 0x01 char this will result in a call to the sqlite_decode_binary() function with an empty string as parameter. This leads to an exploitable buffer overflow.

Affected versions

Affected are PHP 4 < 4.4.5 and PHP 5 < 5.2.1

Detailed information

The sqlite_udf_decode_binary() function does not correctly handle invalid strings passed to it. When the passed string only contains of a single \x01 character a call to the function sqlite_decode_binary() of the bundled sqlite library will be made with an empty string as parameter. This is however not supported by the API function, it needs to be called with a string of atleast length 1.

int sqlite_decode_binary(const unsigned char *in, unsigned char *out){
  int i, e;
  unsigned char c;
  e = *(in++);
  i = 0;
  while( (c = *(in++))!=0 ){
    if( c==1 ){
      c = *(in++) - 1;
    out[i++] = c + e;
  return i;

When the sqlite_decode_binary() function is called with an empty string it will overjump the ASCIIZ terminator and copy the bytes following it to the destination, until another ASCIIZ character is hit. This is similar to a standard strcpy() overflow.

Proof of concept, exploit or instructions to reproduce

To test for this vulnerability just try the following piece of code.


    $x = "AQ                                                                        ";
    $x = base64_decode($x);

    $y = sqlite_udf_decode_binary($x);


This little POC will only crash PHP. A code execution exploit will be added to this site in the future. So check back soon.


This vulnerability was fixed by hardening the bundled sqlite library against being called with an empty string. If your PHP is however using a shared copy of an external sqlite library you stay vulnerable after upgrading to PHP 5.2.1 or PHP 4.4.6