One more find. Tested on 64-bit x86 Linux box, version 3.8.8.1.
printf "create table t0(\211 DEFAULT(0=0)NOT/**/NULL);REPLACE into t0
select'';" >test.sql
./sqlite_asan <test.sql
This does not crash under normal conditions, but both ASAN and
Valgrind claim an out-of-bound read, so they are probably not wrong.
ASAN:
ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60800000b898 at pc 0x00000090427c bp 0x7fffffff1cf0 sp
0x7fffffff1ce8
READ of size 8 at 0x60800000b898 thread T0
#0 0x90427b in sqlite3ExprCollSeq
(/home/lcamtuf/afl/BIN/sqlite3_asan+0x90427b)
#1 0x98e96a in sqlite3BinaryCompareCollSeq
(/home/lcamtuf/afl/BIN/sqlite3_asan+0x98e96a)
#2 0x96f78b in codeCompare (/home/lcamtuf/afl/BIN/sqlite3_asan+0x96f78b)
#3 0x97c15c in sqlite3ExprCodeTarget
(/home/lcamtuf/afl/BIN/sqlite3_asan+0x97c15c)
#4 0x977fae in sqlite3ExprCode (/home/lcamtuf/afl/BIN/sqlite3_asan+0x977fae)
#5 0x9c11b3 in sqlite3GenerateConstraintChecks
(/home/lcamtuf/afl/BIN/sqlite3_asan+0x9c11b3)
#6 0x8a87a2 in sqlite3Insert (/home/lcamtuf/afl/BIN/sqlite3_asan+0x8a87a2)
#7 0x83f810 in yy_reduce (/home/lcamtuf/afl/BIN/sqlite3_asan+0x83f810)
...
0x60800000b898 is located 32 bytes to the right of 88-byte region
[0x60800000b820,0x60800000b878)
allocated by thread T0 here:
#0 0x49d9cb in __interceptor_malloc
/root/COMP/llvm-3.5.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
#1 0x7e5cb1 in sqlite3MemMalloc
(/home/lcamtuf/afl/BIN/sqlite3_asan+0x7e5cb1)
#2 0xc5c7b7 in mallocWithAlarm (/home/lcamtuf/afl/BIN/sqlite3_asan+0xc5c7b7)
#3 0x4f74bb in sqlite3Malloc (/home/lcamtuf/afl/BIN/sqlite3_asan+0x4f74bb)
#4 0x557a99 in sqlite3DbMallocRaw
(/home/lcamtuf/afl/BIN/sqlite3_asan+0x557a99)
#5 0x91d2ba in exprDup (/home/lcamtuf/afl/BIN/sqlite3_asan+0x91d2ba)
#6 0x918e69 in sqlite3ExprDup (/home/lcamtuf/afl/BIN/sqlite3_asan+0x918e69)
#7 0x859923 in sqlite3AddDefaultValue
(/home/lcamtuf/afl/BIN/sqlite3_asan+0x859923)
...
Valgrind:
==16603== Invalid read of size 8
==16603== at 0x5D8670: sqlite3ExprCollSeq (sqlite3.c:81927)
==16603== by 0x60F29A: codeCompare (sqlite3.c:82059)
==16603== by 0x6B39F5: sqlite3ExprCodeTarget (sqlite3.c:84448)
==16603== by 0x6B8A01: sqlite3ExprCode (sqlite3.c:85009)
==16603== by 0x411402: sqlite3GenerateConstraintChecks (sqlite3.c:99766)
==16603== by 0x78C1BE: sqlite3Insert (sqlite3.c:99507)
==16603== by 0x7AD4B5: sqlite3Parser (sqlite3.c:124334)
==16603== by 0x7BE668: sqlite3RunParser (sqlite3.c:125943)
==16603== by 0x7C1129: sqlite3Prepare (sqlite3.c:105025)
==16603== by 0x7C25D0: sqlite3LockAndPrepare.part.504 (sqlite3.c:105120)
==16603== by 0x7C800D: sqlite3_prepare_v2 (sqlite3.c:105115)
==16603== by 0x425315: shell_exec.constprop.11 (shell.c:1433)
==16603== Address 0x5635c68 is 24 bytes before a block of size 16 alloc'd
==16603== at 0x4C2845D: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16603== by 0x56195E: sqlite3MemMalloc (sqlite3.c:16881)
==16603== by 0x49694F: sqlite3Malloc (sqlite3.c:20509)
==16603== by 0x497747: sqlite3DbMallocRaw (sqlite3.c:20906)
==16603== by 0x58AED4: sqlite3AddDefaultValue (sqlite3.c:20991)
==16603== by 0x7AC913: sqlite3Parser (sqlite3.c:123890)
==16603== by 0x7BE668: sqlite3RunParser (sqlite3.c:125943)
==16603== by 0x7C1129: sqlite3Prepare (sqlite3.c:105025)
==16603== by 0x7C25D0: sqlite3LockAndPrepare.part.504 (sqlite3.c:105120)
==16603== by 0x7C2C4F: sqlite3LockAndPrepare.constprop.573 (sqlite3.c:105115)
==16603== by 0x7C34A4: sqlite3InitCallback (sqlite3.c:105184)
==16603== by 0x757DD0: sqlite3_exec (sqlite3.c:100669)
Cheers,
/mz
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
