/src/sqlite3/test/ossfuzz.c

Source (jump to first uncovered line)
/*
** This module interfaces SQLite to the Google OSS-Fuzz, fuzzer as a service.
** (https://github.com/google/oss-fuzz)
*/
#include <stddef.h>
#if !defined(_MSC_VER)
# include <stdint.h>
#endif
#include <stdio.h>
#include <string.h>
#include "sqlite3.h"

#if defined(_MSC_VER)
typedef unsigned char uint8_t;
#endif

/* Global debugging settings.  OSS-Fuzz will have all debugging turned
** off.  But if LLVMFuzzerTestOneInput() is called interactively from
** the ossshell utility program, then these flags might be set.
*/
static unsigned mDebug = 0;
#define FUZZ_SQL_TRACE       0x0001   /* Set an sqlite3_trace() callback */
#define FUZZ_SHOW_MAX_DELAY  0x0002   /* Show maximum progress callback delay */
#define FUZZ_SHOW_ERRORS     0x0004   /* Print error messages from SQLite */

/* The ossshell utility program invokes this interface to see the
** debugging flags.  Unused by OSS-Fuzz.
*/
void ossfuzz_set_debug_flags(unsigned x){
  mDebug = x;
}

/* Return the current real-world time in milliseconds since the
** Julian epoch (-4714-11-24).
*/
static sqlite3_int64 timeOfDay(void){
  static sqlite3_vfs *clockVfs = 0;
  sqlite3_int64 t;
  if( clockVfs==0 ){
    clockVfs = sqlite3_vfs_find(0);
    if( clockVfs==0 ) return 0;
  }
  if( clockVfs->iVersion>=2 && clockVfs->xCurrentTimeInt64!=0 ){
    clockVfs->xCurrentTimeInt64(clockVfs, &t);
  }else{
    double r;
    clockVfs->xCurrentTime(clockVfs, &r);
    t = (sqlite3_int64)(r*86400000.0);
  }
  return t;
}

/* An instance of the following object is passed by pointer as the
** client data to various callbacks.
*/
typedef struct FuzzCtx {
  sqlite3 *db;               /* The database connection */
  sqlite3_int64 iCutoffTime; /* Stop processing at this time. */
  sqlite3_int64 iLastCb;     /* Time recorded for previous progress callback */
  sqlite3_int64 mxInterval;  /* Longest interval between two progress calls */
  unsigned nCb;              /* Number of progress callbacks */
  unsigned execCnt;          /* Number of calls to the sqlite3_exec callback */
} FuzzCtx;

/*
** Progress handler callback.
**
** The argument is the cutoff-time after which all processing should
** stop.  So return non-zero if the cut-off time is exceeded.
*/
static int progress_handler(void *pClientData) {
  FuzzCtx *p = (FuzzCtx*)pClientData;
  sqlite3_int64 iNow = timeOfDay();
  int rc = iNow>=p->iCutoffTime;
  sqlite3_int64 iDiff = iNow - p->iLastCb;
  if( iDiff > p->mxInterval ) p->mxInterval = iDiff;
  p->nCb++;
  return rc;
}

/*
** Disallow debugging pragmas such as "PRAGMA vdbe_debug" and
** "PRAGMA parser_trace" since they can dramatically increase the
** amount of output without actually testing anything useful.
*/
static int block_debug_pragmas(
  void *Notused,
  int eCode,
  const char *zArg1,
  const char *zArg2,
  const char *zArg3,
  const char *zArg4
){
  if( eCode==SQLITE_PRAGMA
   && (sqlite3_strnicmp("vdbe_", zArg1, 5)==0
        || sqlite3_stricmp("parser_trace", zArg1)==0)
  ){
    return SQLITE_DENY;
  }
  return SQLITE_OK;
}

/*
** Callback for sqlite3_exec().
*/
static int exec_handler(void *pClientData, int argc, char **argv, char **namev){
  FuzzCtx *p = (FuzzCtx*)pClientData;
  int i;
  if( argv ){
    for(i=0; i<argc; i++) sqlite3_free(sqlite3_mprintf("%s", argv[i]));
  }
  return (p->execCnt--)<=0 || progress_handler(pClientData);
}

/*
** Main entry point.  The fuzzer invokes this function with each
** fuzzed input.
*/
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  char *zErrMsg = 0;       /* Error message returned by sqlite_exec() */
  uint8_t uSelector;       /* First byte of input data[] */
  int rc;                  /* Return code from various interfaces */
  char *zSql;              /* Zero-terminated copy of data[] */
  FuzzCtx cx;              /* Fuzzing context */

  memset(&cx, 0, sizeof(cx));
  if( size<3 ) return 0;   /* Early out if unsufficient data */

  /* Extract the selector byte from the beginning of the input.  But only
  ** do this if the second byte is a \n.  If the second byte is not \n,
  ** then use a default selector */
  if( data[1]=='\n' ){
    uSelector = data[0];  data += 2; size -= 2;
  }else{
    uSelector = 0xfd;
  }

  /* Open the database connection.  Only use an in-memory database. */
  if( sqlite3_initialize() ) return 0;
  rc = sqlite3_open_v2("fuzz.db", &cx.db,
           SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE | SQLITE_OPEN_MEMORY, 0);
  if( rc ) return 0;

  /* Invoke the progress handler frequently to check to see if we
  ** are taking too long.  The progress handler will return true
  ** (which will block further processing) if more than 10 seconds have
  ** elapsed since the start of the test.
  */
  cx.iLastCb = timeOfDay();
  cx.iCutoffTime = cx.iLastCb + 10000;  /* Now + 10 seconds */
#ifndef SQLITE_OMIT_PROGRESS_CALLBACK
  sqlite3_progress_handler(cx.db, 10, progress_handler, (void*)&cx);
#endif

  /* Set a limit on the maximum size of a prepared statement */
  sqlite3_limit(cx.db, SQLITE_LIMIT_VDBE_OP, 25000);

  /* Limit total memory available to SQLite to 20MB */
  sqlite3_hard_heap_limit64(20000000);

  /* Set a limit on the maximum length of a string or BLOB.  Without this
  ** limit, fuzzers will invoke randomblob(N) for a large N, and the process
  ** will timeout trying to generate the huge blob */
  sqlite3_limit(cx.db, SQLITE_LIMIT_LENGTH, 50000);

  /* Bit 1 of the selector enables foreign key constraints */
  sqlite3_db_config(cx.db, SQLITE_DBCONFIG_ENABLE_FKEY, uSelector&1, &rc);
  uSelector >>= 1;

  /* Do not allow debugging pragma statements that might cause excess output */
  sqlite3_set_authorizer(cx.db, block_debug_pragmas, 0);

  /* Remaining bits of the selector determine a limit on the number of
  ** output rows */
  cx.execCnt = uSelector + 1;

  /* Run the SQL.  The sqlite_exec() interface expects a zero-terminated
  ** string, so make a copy. */
  zSql = sqlite3_mprintf("%.*s", (int)size, data);
#ifndef SQLITE_OMIT_COMPLETE
  sqlite3_complete(zSql);
#endif
  sqlite3_exec(cx.db, zSql, exec_handler, (void*)&cx, &zErrMsg);

  /* Show any errors */
  if( (mDebug & FUZZ_SHOW_ERRORS)!=0 && zErrMsg ){
    printf("Error: %s\n", zErrMsg);
  }

  /* Cleanup and return */
  sqlite3_free(zErrMsg);
  sqlite3_free(zSql);
  sqlite3_exec(cx.db, "PRAGMA temp_store_directory=''", 0, 0, 0);
  sqlite3_close(cx.db);

  if( mDebug & FUZZ_SHOW_MAX_DELAY ){
    printf("Progress callback count....... %d\n", cx.nCb);
    printf("Max time between callbacks.... %d ms\n", (int)cx.mxInterval);
  }
  return 0;
}

Coverage Report

Created: 2024-01-20 12:40

Line	Count	Source (jump to first uncovered line)
1		/*
2		** This module interfaces SQLite to the Google OSS-Fuzz, fuzzer as a service.
3		** (https://github.com/google/oss-fuzz)
4		*/
5		#include <stddef.h>
6		#if !defined(_MSC_VER)
7		# include <stdint.h>
8		#endif
9		#include <stdio.h>
10		#include <string.h>
11		#include "sqlite3.h"
12
13		#if defined(_MSC_VER)
14		typedef unsigned char uint8_t;
15		#endif
16
17		/* Global debugging settings. OSS-Fuzz will have all debugging turned
18		** off. But if LLVMFuzzerTestOneInput() is called interactively from
19		** the ossshell utility program, then these flags might be set.
20		*/
21		static unsigned mDebug = 0;
22		#define FUZZ_SQL_TRACE 0x0001 /* Set an sqlite3_trace() callback */
23	259k	#define FUZZ_SHOW_MAX_DELAY 0x0002 /* Show maximum progress callback delay */
24	259k	#define FUZZ_SHOW_ERRORS 0x0004 /* Print error messages from SQLite */
25
26		/* The ossshell utility program invokes this interface to see the
27		** debugging flags. Unused by OSS-Fuzz.
28		*/
29	0	void ossfuzz_set_debug_flags(unsigned x){
30	0	mDebug = x;
31	0	}
32
33		/* Return the current real-world time in milliseconds since the
34		** Julian epoch (-4714-11-24).
35		*/
36	8.54G	static sqlite3_int64 timeOfDay(void){
37	8.54G	static sqlite3_vfs *clockVfs = 0;
38	8.54G	sqlite3_int64 t;
39	8.54G	if( clockVfs==0 ){
40	1.76k	clockVfs = sqlite3_vfs_find(0);
41	1.76k	if( clockVfs==0 ) return 0;
42	1.76k	}
43	8.54G	if( clockVfs->iVersion>=2 && clockVfs->xCurrentTimeInt64!=0 ){
44	8.54G	clockVfs->xCurrentTimeInt64(clockVfs, &t);
45	8.54G	}else{
46	0	double r;
47	0	clockVfs->xCurrentTime(clockVfs, &r);
48	0	t = (sqlite3_int64)(r*86400000.0);
49	0	}
50	8.54G	return t;
51	8.54G	}
52
53		/* An instance of the following object is passed by pointer as the
54		** client data to various callbacks.
55		*/
56		typedef struct FuzzCtx {
57		sqlite3 db; / The database connection */
58		sqlite3_int64 iCutoffTime; /* Stop processing at this time. */
59		sqlite3_int64 iLastCb; /* Time recorded for previous progress callback */
60		sqlite3_int64 mxInterval; /* Longest interval between two progress calls */
61		unsigned nCb; /* Number of progress callbacks */
62		unsigned execCnt; /* Number of calls to the sqlite3_exec callback */
63		} FuzzCtx;
64
65		/*
66		** Progress handler callback.
67		**
68		** The argument is the cutoff-time after which all processing should
69		** stop. So return non-zero if the cut-off time is exceeded.
70		*/
71	8.54G	static int progress_handler(void *pClientData) {
72	8.54G	FuzzCtx p = (FuzzCtx)pClientData;
73	8.54G	sqlite3_int64 iNow = timeOfDay();
74	8.54G	int rc = iNow>=p->iCutoffTime;
75	8.54G	sqlite3_int64 iDiff = iNow - p->iLastCb;
76	8.54G	if( iDiff > p->mxInterval ) p->mxInterval = iDiff;
77	8.54G	p->nCb++;
78	8.54G	return rc;
79	8.54G	}
80
81		/*
82		** Disallow debugging pragmas such as "PRAGMA vdbe_debug" and
83		** "PRAGMA parser_trace" since they can dramatically increase the
84		** amount of output without actually testing anything useful.
85		*/
86		static int block_debug_pragmas(
87		void *Notused,
88		int eCode,
89		const char *zArg1,
90		const char *zArg2,
91		const char *zArg3,
92		const char *zArg4
93	12.5M	){
94	12.5M	if( eCode==SQLITE_PRAGMA
95	12.5M	&& (sqlite3_strnicmp("vdbe_", zArg1, 5)==0
96	390k	\|\| sqlite3_stricmp("parser_trace", zArg1)==0)
97	12.5M	){
98	29	return SQLITE_DENY;
99	29	}
100	12.5M	return SQLITE_OK;
101	12.5M	}
102
103		/*
104		** Callback for sqlite3_exec().
105		*/
106	1.11M	static int exec_handler(void pClientData, int argc, char argv, char *namev){
107	1.11M	FuzzCtx p = (FuzzCtx)pClientData;
108	1.11M	int i;
109	1.11M	if( argv ){
110	3.15M	for(i=0; i<argc; i++) sqlite3_free(sqlite3_mprintf("%s", argv[i]));
111	1.11M	}
112	1.11M	return (p->execCnt--)<=0 \|\| progress_handler(pClientData);
113	1.11M	}
114
115		/*
116		** Main entry point. The fuzzer invokes this function with each
117		** fuzzed input.
118		*/
119	259k	int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
120	259k	char zErrMsg = 0; / Error message returned by sqlite_exec() */
121	259k	uint8_t uSelector; /* First byte of input data[] */
122	259k	int rc; /* Return code from various interfaces */
123	259k	char zSql; / Zero-terminated copy of data[] */
124	259k	FuzzCtx cx; /* Fuzzing context */
125
126	259k	memset(&cx, 0, sizeof(cx));
127	259k	if( size<3 ) return 0; /* Early out if unsufficient data */
128
129		/* Extract the selector byte from the beginning of the input. But only
130		** do this if the second byte is a \n. If the second byte is not \n,
131		** then use a default selector */
132	259k	if( data[1]=='\n' ){
133	1.64k	uSelector = data[0]; data += 2; size -= 2;
134	257k	}else{
135	257k	uSelector = 0xfd;
136	257k	}
137
138		/* Open the database connection. Only use an in-memory database. */
139	259k	if( sqlite3_initialize() ) return 0;
140	259k	rc = sqlite3_open_v2("fuzz.db", &cx.db,
141	259k	SQLITE_OPEN_READWRITE \| SQLITE_OPEN_CREATE \| SQLITE_OPEN_MEMORY, 0);
142	259k	if( rc ) return 0;
143
144		/* Invoke the progress handler frequently to check to see if we
145		** are taking too long. The progress handler will return true
146		** (which will block further processing) if more than 10 seconds have
147		** elapsed since the start of the test.
148		*/
149	259k	cx.iLastCb = timeOfDay();
150	259k	cx.iCutoffTime = cx.iLastCb + 10000; /* Now + 10 seconds */
151	259k	#ifndef SQLITE_OMIT_PROGRESS_CALLBACK
152	259k	sqlite3_progress_handler(cx.db, 10, progress_handler, (void*)&cx);
153	259k	#endif
154
155		/* Set a limit on the maximum size of a prepared statement */
156	259k	sqlite3_limit(cx.db, SQLITE_LIMIT_VDBE_OP, 25000);
157
158		/* Limit total memory available to SQLite to 20MB */
159	259k	sqlite3_hard_heap_limit64(20000000);
160
161		/* Set a limit on the maximum length of a string or BLOB. Without this
162		** limit, fuzzers will invoke randomblob(N) for a large N, and the process
163		** will timeout trying to generate the huge blob */
164	259k	sqlite3_limit(cx.db, SQLITE_LIMIT_LENGTH, 50000);
165
166		/* Bit 1 of the selector enables foreign key constraints */
167	259k	sqlite3_db_config(cx.db, SQLITE_DBCONFIG_ENABLE_FKEY, uSelector&1, &rc);
168	259k	uSelector >>= 1;
169
170		/* Do not allow debugging pragma statements that might cause excess output */
171	259k	sqlite3_set_authorizer(cx.db, block_debug_pragmas, 0);
172
173		/* Remaining bits of the selector determine a limit on the number of
174		** output rows */
175	259k	cx.execCnt = uSelector + 1;
176
177		/* Run the SQL. The sqlite_exec() interface expects a zero-terminated
178		** string, so make a copy. */
179	259k	zSql = sqlite3_mprintf("%.*s", (int)size, data);
180	259k	#ifndef SQLITE_OMIT_COMPLETE
181	259k	sqlite3_complete(zSql);
182	259k	#endif
183	259k	sqlite3_exec(cx.db, zSql, exec_handler, (void*)&cx, &zErrMsg);
184
185		/* Show any errors */
186	259k	if( (mDebug & FUZZ_SHOW_ERRORS)!=0 && zErrMsg ){
187	0	printf("Error: %s\n", zErrMsg);
188	0	}
189
190		/* Cleanup and return */
191	259k	sqlite3_free(zErrMsg);
192	259k	sqlite3_free(zSql);
193	259k	sqlite3_exec(cx.db, "PRAGMA temp_store_directory=''", 0, 0, 0);
194	259k	sqlite3_close(cx.db);
195
196	259k	if( mDebug & FUZZ_SHOW_MAX_DELAY ){
197	0	printf("Progress callback count....... %d\n", cx.nCb);
198	0	printf("Max time between callbacks.... %d ms\n", (int)cx.mxInterval);
199	0	}
200	259k	return 0;
201	259k	}