Hey folks,

I have been running afl-fuzz against sqlite and bumped in a bunch of
bugs that seem to crash the sqlite3 binary (but do not seem to be a
security problem, other than in the denial-of-service sense). There
are four seemingly distinct patterns, with test cases included inline:

-- test1.sql --
create table t0(t);insert into t0
select strftime();
-- eof --

This one is a failure in:

sqlite3DbMallocRaw (db=0x2, n=32) at sqlite3.c:20567
20567       if( db->mallocFailed ){

where db looks like something in the vicinity of NULL.

#0  sqlite3DbMallocRaw (db=0x2, n=32) at sqlite3.c:20567
#1  0x000000000053b17c in sqlite3VdbeMemGrow
(pMem=pMem@entry=0xa9f4d8, n=<optimized out>, n@entry=32,
    bPreserve=bPreserve@entry=0) at sqlite3.c:61789
#2  0x000000000057c904 in sqlite3VdbeMemClearAndResize (szNew=32,
pMem=0xa9f4d8) at sqlite3.c:61831
#3  sqlite3VdbeMemStringify (pMem=0xa9f4d8, enc=<optimized out>,
bForce=<optimized out>) at sqlite3.c:61949
#4  0x000000000057cf40 in valueToText (pVal=0xa9f4d8, enc=enc@entry=1
'\001') at sqlite3.c:62681
#5  0x000000000057d166 in sqlite3ValueText (pVal=<optimized out>,
enc=1 '\001') at sqlite3.c:62714
#6  0x0000000000598fcd in sqlite3_value_text (pVal=<optimized out>) at
#7  strftimeFunc (context=0x7fffffffca90, argc=0, argv=0xa9f358) at

-- test2.sql --
DETACH(select group_concat(q));
-- eof --

That one looks like a distinct NULL ptr deref:

exprSrcCount (pWalker=<optimized out>, pExpr=0xa9eec8) at sqlite3.c:84694
84694       for(i=0; i<pSrc->nSrc; i++){

#0  exprSrcCount (pWalker=<optimized out>, pExpr=0xa9eec8) at sqlite3.c:84694
#1  0x00000000004fb86f in sqlite3WalkExpr (pWalker=0x7fffffffc400,
pExpr=0xa9eec8) at sqlite3.c:79072
#2  0x000000000069193f in sqlite3WalkExprList (p=<optimized out>,
pWalker=0x7fffffffc400) at sqlite3.c:79095
#3  sqlite3FunctionUsesThisSrc (pExpr=0xa9ed48, pSrcList=0x0) at sqlite3.c:19186
#4  resolveExprStep (pWalker=pWalker@entry=0x7fffffffc480,
pExpr=pExpr@entry=0xa9ed48) at sqlite3.c:14402
#5  0x0000000000692bcb in sqlite3WalkExpr (pExpr=0xa9ed48,
pWalker=0x7fffffffc480) at sqlite3.c:79072
#6  sqlite3ResolveExprNames (pNC=0x7fffffffc550, pExpr=0xa9ed48) at
#7  0x0000000000694b2b in resolveSelectStep (pWalker=<optimized out>,
p=<optimized out>) at sqlite3.c:80402

-- test3.sql --
select(select strftime());
-- eof --

Faults in:

sqlite3ValueText (pVal=0x1, enc=1 '\001') at sqlite3.c:62708
62708     if( (pVal->flags&(MEM_Str|MEM_Term))==(MEM_Str|MEM_Term) &&
pVal->enc==enc ){

#0  sqlite3ValueText (pVal=0x1, enc=1 '\001') at sqlite3.c:62708
#1  0x0000000000598fcd in sqlite3_value_text (pVal=<optimized out>) at
#2  strftimeFunc (context=0x7fffffffca90, argc=0, argv=0xaa02d8) at
#3  0x00000000007883fb in sqlite3VdbeExec (p=0xa8d5a8) at sqlite3.c:70606
#4  0x00000000007aaf11 in sqlite3Step (p=0xaa0018) at sqlite3.c:67809
#5  sqlite3_step (pStmt=<optimized out>) at sqlite3.c:2339
#6  0x0000000000425228 in shell_exec (db=0xa8d5a8,
zSql=zSql@entry=0xa8d510 "select(select strftime());",
pzErrMsg=pzErrMsg@entry=0x7fffffffce68, xCallback=0x41dd80
    at shell.c:1365
#7  0x000000000042a933 in process_input (p=p@entry=0x7fffffffcf50,
in=0x7ffff7565640 <_IO_2_1_stdin_>) at shell.c:3697

-- test4.sql --
select n()AND+#00;
-- eof --

This dies for me at:

#0  sqlite3ExprIsInteger (p=p@entry=0xa9edb8,
pValue=pValue@entry=0x7fffffffc9a4) at sqlite3.c:16463
#1  0x00000000004f3aed in sqlite3ExprIsInteger (pValue=0x7fffffffc9a4,
p=0xa9edb8) at sqlite3.c:81085
#2  exprAlwaysFalse (p=0xa9edb8) at sqlite3.c:15665
#3  sqlite3ExprAnd (db=0xa8d598, pLeft=0xa9eeb8, pRight=0xa9edb8) at
#4  0x0000000000687b86 in sqlite3PExpr (pParse=0xa9f0c8, op=72,
pLeft=0xa9eeb8, pRight=0xa9edb8, pToken=0x0)
    at sqlite3.c:81167
#5  0x0000000000752a7c in spanBinaryExpr (pLeft=<optimized out>,
pLeft=<optimized out>, pRight=<optimized out>,
    pRight=<optimized out>, op=<optimized out>, pParse=<optimized
out>, pOut=<optimized out>) at sqlite3.c:120313
#6  yy_reduce (yyruleno=<optimized out>, yypParser=<optimized out>) at
#7  sqlite3Parser (yyp=0xa9f368, yymajor=-13916, yyminor=...,
pParse=0x3d5, pParse@entry=0xa9f0c8) at sqlite3.c:58144

sqlite-users mailing list

Reply via email to