SQLite User Forum

AddressSanitizer crash when calling sqlite3_blob_open

(1) By zzjas (zzjas98) on 2025-03-10 20:51:53

Hi,

Our fuzzing tool finds an AddressSanitizer crash when calling sqlite3_blob_open().

The simplified PoC is:

#include "sqlite3.h"
#include <stdio.h>

int main(void) {
  sqlite3 *db = NULL;
  if (sqlite3_open(":memory:", &db) != SQLITE_OK) {
    return 0;
  }

  int wrFlag = 1;                                 /* open the blob for writing */
  sqlite_int64 iRow = 2305843012958298161LL;      /* fuzzer-chosen rowid, far beyond any real row */
  const char *zDb = "TEMP";                       /* string literals are const in C */
  const char *zTable = "sqlite_master";
  const char *zColumn = "sql";
  sqlite3_blob *pBlob = NULL;
  int rc = sqlite3_blob_open(db, zDb, zTable, zColumn, iRow, wrFlag, &pBlob);
  printf("sqlite3_blob_open returned %d\n", rc);  /* not reached when the crash triggers */
  if (pBlob) {
    sqlite3_blob_close(pBlob);
  }

  sqlite3_close(db);
  return 0;
}

The stack trace is:

==2936589==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x55e57584924f bp 0x7fff5b2b9180 sp 0x7fff5b2b9160 T0)
==2936589==The signal is caused by a READ memory access.
==2936589==Hint: address points to the zero page.
    #0 0x55e57584924f in sqlite3BtreeLockTable /home/.../sqlite/bld/sqlite3.c:82588:7
    #1 0x55e57583fc96 in sqlite3VdbeExec /home/.../sqlite/bld/sqlite3.c:102150:10
    #2 0x55e575809bf6 in sqlite3Step /home/.../sqlite/bld/sqlite3.c:91993:10
    #3 0x55e575805382 in sqlite3_step /home/.../sqlite/bld/sqlite3.c:92054:16
    #4 0x55e57580d6ac in blobSeekToRow /home/.../sqlite/bld/sqlite3.c:103331:10
    #5 0x55e57580c6b3 in sqlite3_blob_open /home/.../sqlite/bld/sqlite3.c:103591:10
    #6 0x55e5757fe36a in main /home/.../sqlite/bld/../target.c:16:12
    #7 0x7f44f7229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #8 0x7f44f7229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #9 0x55e575716484 in _start (/scratch/.../sqlite/bld/target+0x36484)

To reproduce the crash, save this file as target.c in the sqlite root directory and run:

mkdir bld
cd bld

export CC=clang
export CFLAGS=-g
export CXX=clang++
export CXXFLAGS=-g
export LIB_FUZZING_ENGINE="-fsanitize=address"

../configure --shared=0
make -j$(nproc)

$CC $CFLAGS -I. -c ../target.c -o target.o
$CXX $CXXFLAGS target.o -o target $LIB_FUZZING_ENGINE ./sqlite3.o

./target

This requires a clang build with instrumentation enabled.

Could you help check if this is expected behavior or a bug? Thanks a ton in advance!

(2) By Richard Hipp (drh) on 2025-03-10 22:33:23 in reply to 1