SQLite User Forum

Segmentation fault in idxGetTableInfo
Login

Segmentation fault in idxGetTableInfo

(1.1) By ardu (798532734) on 2021-07-08 10:28:00 edited from 1.0 [link] [source]

Describe

There is a segmentation fault in idxGetTableInfo,causing sqlite3 crashed.

VERSION

git-master (commit 9d41caf361ea37e7bb91c3e0635bd9dca9f06040)

trunk (8c432642572c8c4b7251f413def0725b3b8e9e7fe10230aa0aabe86b58e5902d)

date: 2021-07-07 19:44:32

System info

Ubuntu 18.04.5 LTS

clang version 10.0.0

POC content

create TEMP  table t1(allint);1;
CREATE TRIGGER t02AFTER DELETE ON t1
WHEN EXISTS ( SELECT 1 FROM t0 WHERE o00.x0= y5)
BEGIN
INSERT INTO t0 VALUES(o00.x);
END;
C@EATE TABLE a0(y RE FM t1 
CREATE TRIGGER t00 AFTER DELETE ON t1
WHE0)FROM t1;
INSERT INTO t1 SELECT x+8,randomblb(400)FROM t1;
INSERT INTO t1 SELECT x+16,randomblob(400)FROM t1;
INSERT INTO t1 SELECT x+32,randomblob(400)FROM t1;
 INTO t1 VALUES(74,raOM t1;   /*  16 */
SZVEPOINT one;
INSERT INTO t120) null, L000000000000000礸t(20WAL;
PRAGMA cache_size = 10;
CREATE TABLE t1120) null, L000000000000000 text(20) null, U000, U000000000000000>text(300) nullC L00000000000000D text(50) nulldomblob(800) FROM t1;   /*   2 */
INSERT INTO t1 SELECT randomblob(8ll, P000000 text(50) n*/                                                                                                                                                                                                                   ÿSERT INTO t1 SELECTGrandomblob(802001%112010) FROM t1;  ;/*   8 */
INSERT INTO tH SELECT randomblob(000) FROM t1;   /*  16 */
SZVEPOINT one;
INSERT INTO t120) null, L000000000000000 text000D text(50) null, F00000000000 text(100) not null,*R0000000 int not null, S00000000) not null, A0000000000 text(30) not null, L0000000 text(200) not null, A00000000000000000 int not null, R00000 int not null, N000000000000 text(1) nÿl, N0000000000000 text(1) null, N00000000 text(1) null, N000000E00000000 text(1) null, N000000000000ÿÿ0 
CREATE TABLE T00(C00 inX000)0,S0000 int not null, L00000000000000 text(50) not nukl, P000000 text(50) null, ISSUEID text(50) not null, OB0ECTID text(50) not null, R0000000000 int not null, C0000000000 text(50) not nulR, A0000000 text(50) not null, C000 text(20) null, L0 CROM t1;   /*   2 */ U000 int00000, P00000000000000 int00000, L000000 int00000, L00000000 int00000, U000000000M int00000, L000000 int00000, L0ERT INTO t1 VALUES(randomblob(800));t SELECT randomblob(800
INSERT INTO t1 SELECT randomblob(800) FROM t1;   /*  RT = WAL;
PRAGMA cachepoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
 FROM t1;   /*   2 */ randomblob(800
INSERT INTO t1 SELECT randomblob(800
PRAGMA wl_checkpoint;
INSERT INTO t1 VALUES(randoMblob(800));VACUUM;
INSEme;
ATTACH'merory:' AS noname;AL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkAS noname;
ATTACH'merory:' AS inmǭJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cachb_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(rd null, C0000000000 text(50) not null, A00000nmǭJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
INSERT INT- tÿÿÿme;
ATTACH'merory:' AS inm§mJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = WAL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLEÿÿx PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
 CROM t1;   /*   2 */ randomblob(800
INSERT INTO t1 SELECT randomblob(800) FROM t1;   /*  RT = WAL;
PRAGMA caory:' AS inm§mJ±;
PRAGMA tage_size = 1RAGMA journal_mode = WAL;2 */
INSERT INTO t1 SELECT randomblob(800
PRAGMA wl]checkpoint;
IN ERT INTO t1 VALUES(randoMblob(800));VACUUM;
INSERT INTO t1 SEme;
ATTACH'merory:' AS noname;
ATTACH'merory:' AS A cache_size;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cache_s10) FROM t1; ATE T0;
CREATE TABLE t1TTACH'merory:' AS 0;
CREATE TABLE tF(x PRIMARY KEY);
PRAGMA wal_chBckpoint;
INSERT INTO t1ALUES(randomblob(800));VA 
ώώώ
   J
/
.expe
      -
-s 1:
/
.expώώώώώώώώώώώώώώώώώώώώώώLECT randomblob(800) FROM t1;   /*  RT = WAL;
PRAGMA cache_size= V0;CREA0;
AREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INinmGmJme;

ASAN OUTPUT

==46696==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2d6f5974e1 bp 0x7ffeecd46930 sp 0x7ffeecd460e8 T0)
==46696==The signal is caused by a READ memory access.
==46696==Hint: address points to the zero page.
    #0 0x7f2d6f5974e1  /build/glibc-S9d2JN/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    #1 0x42f058 in strlen /home/brian/src/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
    #2 0x5282b8 in idxGetTableInfo (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5282b8)
    #3 0x4d3091 in idxCreateVtabSchema (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d3091)
    #4 0x4d27e4 in sqlite3_expert_new (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d27e4)
    #5 0x5426f5 in expertDotCommand (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5426f5)
    #6 0x4e3df0 in do_meta_command (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4e3df0)
    #7 0x4fbe79 in process_input (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4fbe79)
    #8 0x4dc0c7 in main (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4dc0c7)
    #9 0x7f2d6f42abf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41c579 in _start (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x41c579)

(2) By Stephan Beal (stephan) on 2021-07-08 09:31:43 in reply to 1.0 [link] [source]

git-master (commit 9d41caf361ea37e7bb91c3e0635bd9dca9f06040)

For future reference: the git commit numbers mean nothing in this project. The git export is a read-only, one-way export of the main source tree:

https://sqlite.org/src/timeline

You're more likely to get a useful response when referring to the "native" commit hashes instead of the git hashes.

(3) By ardu (798532734) on 2021-07-08 10:15:52 in reply to 2 [link] [source]

ok,thanks

(4) By Richard Hipp (drh) on 2021-07-08 12:15:03 in reply to 1.1 [link] [source]

(5) By ardu (798532734) on 2021-07-09 08:52:58 in reply to 4 [source]

Thanks for quick fix