Fuzzers and testers: I've created some new built-in SQL functions for SQLite that provide direct access to some of the internal code-generator routines that have historically given trouble:
expr_compare(A,B)
    This function returns non-zero if expressions A and B are different.
    See https://www.sqlite.org/src/artifact/971e442fd5?ln=5049-5075 for details.

expr_implies_expr(A,B)
    Return non-zero if expression A implies expression B.
    See https://www.sqlite.org/src/artifact/971e442fd5?ln=5277-5299 for details.
    This routine is used to determine if a partial index is usable.

implies_nonnull_row(E,C)
    C must be the name of a column in one of the tables of the SELECT
    statement. E is an arbitrary expression. Return non-zero if expression
    E can only be true if the row of which C is a member has some non-NULL
    column. This routine is used to help determine if a LEFT JOIN can be
    simplified into an ordinary JOIN.

These new SQL functions are only accessible if you activate "internal functions" using C code like this:

    sqlite3_test_control(SQLITE_TESTCTRL_INTERNAL_FUNCTIONS, db);

Or in the CLI like this:

    .testctrl internal_functions

In other words, these SQL functions are not available to ordinary applications. An application would need to take special steps to activate these routines. And those special steps include making calls to C-code, which means that an attacker who is submitting SQL text and/or database files is unable to exploit any weaknesses that may turn up in these SQL functions.

Fuzzer authors: I recommend that you enable these functions in your fuzzers. Doing so might help your fuzzers to find bugs that would otherwise be difficult to reach.

Happy hunting.

--
D. Richard Hipp
d...@sqlite.org