SQLite Forum

4 automatically generated tests that trigger UBSAN integer related errors
Hi everyone,

We tested sqlite with an automatic tool (based on the fuzzer AFL). Some test cases triggering UBSan integer-related errors were generated. We manually checked those test cases and filtered out the benign ones. Finally, we identified and are reporting 4 cases that could trigger bugs. Below is the information for reproducing the bugs.

- sqlite version: sqlite-amalgamation-3330000
- operating system: Ubuntu 16.04.7
- compiler: clang version 6.0.0-1ubuntu2~16.04.1 (tags/RELEASE_600/final)
- compilation commands:
```
clang -g -O1 -Xclang -disable-llvm-passes -D__NO_STRING_INLINES -D_FORTIFY_SOURCE=0 -U__OPTIMIZE__ -fsanitize=signed-integer-overflow -fsanitize=unsigned-integer-overflow -fsanitize=shift -fsanitize=bounds -fsanitize=pointer-overflow -fsanitize=null -DSQLITE_THREADSAFE=0 -DSQLITE_OMIT_LOAD_EXTENSION -DSQLITE_DEFAULT_MEMSTATUS=0 -DSQLITE_MAX_EXPR_DEPTH=0 -DSQLITE_OMIT_DECLTYPE -DSQLITE_OMIT_DEPRECATED -DSQLITE_DEFAULT_PAGE_SIZE=512 -DSQLITE_DEFAULT_CACHE_SIZE=10 -DSQLITE_DISABLE_INTRINSIC -DSQLITE_DISABLE_LFS -DYYSTACKDEPTH=20 -DSQLITE_OMIT_LOOKASIDE -DSQLITE_OMIT_WAL -DSQLITE_OMIT_PROGRESS_CALLBACK -DSQLITE_DEFAULT_LOOKASIDE='64,5' -DSQLITE_OMIT_PROGRESS_CALLBACK -DSQLITE_OMIT_SHARED_CACHE -I. shell.c sqlite3.c -o sqlite3
```
- inputs: the bug triggering inputs can be found in [this link](https://drive.google.com/file/d/17v7FunI4XoR-IjsNLoo2PWFaQhGB_kXA/view?usp=sharing). Each input has the name `sqlite[].stdin` where `[]` is the index from 1 to 4.

To reproduce the bugs, run the command `cat sqlite[].stdin | sqlite3`. For `sqlite3.stdin`, you need to create a blank file named `7` in the same directory before running the command.

After successfully reproducing the bugs, you are expected to see the following error messages that are relevant to the bugs:

- For `sqlite1.stdin`: 
```
shell.c:787:13: runtime error: left shift of 922337203685477580 by 4 places cannot be represented in type 'sqlite3_int64' (aka 'long long')
```
- For `sqlite2.stdin`:
```
shell.c:792:12: runtime error: signed integer overflow: 8888888888888888888 * 10 cannot be represented in type 'long long'
```
- For `sqlite3.stdin`:
```
sqlite3.c:31888:10: runtime error: unsigned integer overflow: 7777777777777777777 * 10 cannot be represented in type 'unsigned long long'
```
- For `sqlite4.stdin`:
```
sqlite3.c:50586:31: runtime error: unsigned integer overflow: 10 - 100 cannot be represented in type 'unsigned int'
sqlite3.c:50586:22: runtime error: unsigned integer overflow: 100 + 4294967206 cannot be represented in type 'unsigned int'
sqlite3.c:68587:20: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'u32' (aka 'unsigned int')
```

Looking forward to your feedback on the bugs. Thanks!

Best,
Jingxuan
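The first three sanitizer messages above (a left shift by 4 places and two multiplications by 10 on a running value) are what one sees when a literal is parsed by the usual digit-accumulation loop and the next digit pushes the accumulator past the type's range. The following is an added example, not code from the report above and not SQLite's own `integerValue()` or `sqlite3Atoi64()`: a stand-alone parser for signed decimal and `0x`-prefixed hex literals that checks the bound *before* each multiply or shift, so the overflowing operation is never executed. Function and enum names (`parse_int64_checked`, `PARSE_OVERFLOW`, etc.) are my own choices; the inputs in `main()` are constructed to mirror the magnitudes in the sanitizer output.

```c
/* Added example: overflow-checked parsing of decimal and hex integer literals.
 * Not SQLite code; names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <ctype.h>

enum parse_status { PARSE_OK = 0, PARSE_OVERFLOW = 1, PARSE_INVALID = 2 };

static int hex_value(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse an optionally signed decimal or 0x-prefixed hex literal into *out.
 * The magnitude is accumulated in a uint64_t and compared against the
 * largest magnitude allowed for the sign before every u*base + d step,
 * so neither a signed nor an unsigned overflow can occur. */
enum parse_status parse_int64_checked(const char *s, int64_t *out) {
    int neg = 0;
    if (*s == '+' || *s == '-') { neg = (*s == '-'); s++; }
    /* INT64_MIN has magnitude 2^63, one more than INT64_MAX. */
    uint64_t limit = neg ? (uint64_t)INT64_MAX + 1 : (uint64_t)INT64_MAX;
    uint64_t u = 0;
    size_t ndigits = 0;

    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {
        for (s += 2; *s; s++, ndigits++) {
            int d = hex_value((unsigned char)*s);
            if (d < 0) return PARSE_INVALID;
            /* u*16 + d <= limit  <=>  u <= (limit - d) / 16 (integer division) */
            if (u > (limit - (uint64_t)d) / 16) return PARSE_OVERFLOW;
            u = (u << 4) | (uint64_t)d;
        }
    } else {
        for (; *s; s++, ndigits++) {
            if (!isdigit((unsigned char)*s)) return PARSE_INVALID;
            uint64_t d = (uint64_t)(*s - '0');
            /* u*10 + d <= limit  <=>  u <= (limit - d) / 10 */
            if (u > (limit - d) / 10) return PARSE_OVERFLOW;
            u = u * 10 + d;
        }
    }
    if (ndigits == 0) return PARSE_INVALID;

    if (neg) {
        /* u <= 2^63 here; u == 2^63 is exactly INT64_MIN and must not be negated. */
        *out = (u == limit) ? INT64_MIN : -(int64_t)u;
    } else {
        *out = (int64_t)u;
    }
    return PARSE_OK;
}

/* Convenience wrappers so callers can test status and value separately. */
int parsed_status(const char *s) {
    int64_t v;
    return (int)parse_int64_checked(s, &v);
}

int64_t parsed_value(const char *s) {
    int64_t v = 0;
    if (parse_int64_checked(s, &v) != PARSE_OK) return 0;
    return v;
}

int main(void) {
    /* Constructed inputs: the hex and decimal forms are one digit longer
     * than the largest value that still fits in a signed 64-bit integer. */
    const char *inputs[] = {
        "0xCCCCCCCCCCCCCCCC", "88888888888888888888",
        "9223372036854775807", "-9223372036854775808", "0x7FFFFFFFFFFFFFFF", "12a",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int64_t v;
        enum parse_status st = parse_int64_checked(inputs[i], &v);
        if (st == PARSE_OK) printf("%-22s -> %lld\n", inputs[i], (long long)v);
        else printf("%-22s -> %s\n", inputs[i], st == PARSE_OVERFLOW ? "overflow" : "invalid");
    }
    return 0;
}
```

The check is done on the unsigned magnitude rather than on the signed result because, as the third message in the report shows, an unsigned accumulator wraps silently unless it is bounded too; with `-fsanitize=unsigned-integer-overflow` that wrap is reported, but without it the parser would simply return a wrong value.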