Hey folks, I have been running afl-fuzz against sqlite and bumped into a bunch of bugs that seem to crash the sqlite3 binary (but do not seem to be a security problem, other than in the denial-of-service sense). There are four seemingly distinct patterns, with test cases included inline:
-- test1.sql -- create table t0(t);insert into t0 select strftime(); -- eof -- This one is a failure in: sqlite3DbMallocRaw (db=0x2, n=32) at sqlite3.c:20567 20567 if( db->mallocFailed ){ where db looks like something in the vicinity of NULL. #0 sqlite3DbMallocRaw (db=0x2, n=32) at sqlite3.c:20567 #1 0x000000000053b17c in sqlite3VdbeMemGrow (pMem=pMem@entry=0xa9f4d8, n=<optimized out>, n@entry=32, bPreserve=bPreserve@entry=0) at sqlite3.c:61789 #2 0x000000000057c904 in sqlite3VdbeMemClearAndResize (szNew=32, pMem=0xa9f4d8) at sqlite3.c:61831 #3 sqlite3VdbeMemStringify (pMem=0xa9f4d8, enc=<optimized out>, bForce=<optimized out>) at sqlite3.c:61949 #4 0x000000000057cf40 in valueToText (pVal=0xa9f4d8, enc=enc@entry=1 '\001') at sqlite3.c:62681 #5 0x000000000057d166 in sqlite3ValueText (pVal=<optimized out>, enc=1 '\001') at sqlite3.c:62714 #6 0x0000000000598fcd in sqlite3_value_text (pVal=<optimized out>) at sqlite3.c:67471 #7 strftimeFunc (context=0x7fffffffca90, argc=0, argv=0xa9f358) at sqlite3.c:15657 -- test2.sql -- DETACH(select group_concat(q)); -- eof -- That one looks like a distinct NULL ptr deref: exprSrcCount (pWalker=<optimized out>, pExpr=0xa9eec8) at sqlite3.c:84694 84694 for(i=0; i<pSrc->nSrc; i++){ #0 exprSrcCount (pWalker=<optimized out>, pExpr=0xa9eec8) at sqlite3.c:84694 #1 0x00000000004fb86f in sqlite3WalkExpr (pWalker=0x7fffffffc400, pExpr=0xa9eec8) at sqlite3.c:79072 #2 0x000000000069193f in sqlite3WalkExprList (p=<optimized out>, pWalker=0x7fffffffc400) at sqlite3.c:79095 #3 sqlite3FunctionUsesThisSrc (pExpr=0xa9ed48, pSrcList=0x0) at sqlite3.c:19186 #4 resolveExprStep (pWalker=pWalker@entry=0x7fffffffc480, pExpr=pExpr@entry=0xa9ed48) at sqlite3.c:14402 #5 0x0000000000692bcb in sqlite3WalkExpr (pExpr=0xa9ed48, pWalker=0x7fffffffc480) at sqlite3.c:79072 #6 sqlite3ResolveExprNames (pNC=0x7fffffffc550, pExpr=0xa9ed48) at sqlite3.c:15026 #7 0x0000000000694b2b in resolveSelectStep (pWalker=<optimized out>, p=<optimized out>) at sqlite3.c:80402 ... 
-- test3.sql -- select(select strftime()); -- eof -- Faults in: sqlite3ValueText (pVal=0x1, enc=1 '\001') at sqlite3.c:62708 62708 if( (pVal->flags&(MEM_Str|MEM_Term))==(MEM_Str|MEM_Term) && pVal->enc==enc ){ #0 sqlite3ValueText (pVal=0x1, enc=1 '\001') at sqlite3.c:62708 #1 0x0000000000598fcd in sqlite3_value_text (pVal=<optimized out>) at sqlite3.c:67471 #2 strftimeFunc (context=0x7fffffffca90, argc=0, argv=0xaa02d8) at sqlite3.c:15657 #3 0x00000000007883fb in sqlite3VdbeExec (p=0xa8d5a8) at sqlite3.c:70606 #4 0x00000000007aaf11 in sqlite3Step (p=0xaa0018) at sqlite3.c:67809 #5 sqlite3_step (pStmt=<optimized out>) at sqlite3.c:2339 #6 0x0000000000425228 in shell_exec (db=0xa8d5a8, zSql=zSql@entry=0xa8d510 "select(select strftime());", pArg=pArg@entry=0x7fffffffcf50, pzErrMsg=pzErrMsg@entry=0x7fffffffce68, xCallback=0x41dd80 <shell_callback>) at shell.c:1365 #7 0x000000000042a933 in process_input (p=p@entry=0x7fffffffcf50, in=0x7ffff7565640 <_IO_2_1_stdin_>) at shell.c:3697 -- test4.sql -- select n()AND+#00; -- eof -- This dies for me at: #0 sqlite3ExprIsInteger (p=p@entry=0xa9edb8, pValue=pValue@entry=0x7fffffffc9a4) at sqlite3.c:16463 #1 0x00000000004f3aed in sqlite3ExprIsInteger (pValue=0x7fffffffc9a4, p=0xa9edb8) at sqlite3.c:81085 #2 exprAlwaysFalse (p=0xa9edb8) at sqlite3.c:15665 #3 sqlite3ExprAnd (db=0xa8d598, pLeft=0xa9eeb8, pRight=0xa9edb8) at sqlite3.c:15682 #4 0x0000000000687b86 in sqlite3PExpr (pParse=0xa9f0c8, op=72, pLeft=0xa9eeb8, pRight=0xa9edb8, pToken=0x0) at sqlite3.c:81167 #5 0x0000000000752a7c in spanBinaryExpr (pLeft=<optimized out>, pLeft=<optimized out>, pRight=<optimized out>, pRight=<optimized out>, op=<optimized out>, pParse=<optimized out>, pOut=<optimized out>) at sqlite3.c:120313 #6 yy_reduce (yyruleno=<optimized out>, yypParser=<optimized out>) at sqlite3.c:57482 #7 sqlite3Parser (yyp=0xa9f368, yymajor=-13916, yyminor=..., pParse=0x3d5, pParse@entry=0xa9f0c8) at sqlite3.c:58144 /mz _______________________________________________ 