sqlite3_overload_function crash when fuzzing
(1) By hopper-vul (hopper) on 2022-12-15 10:05:07 [link] [source]
Hi,
When fuzzing sqlite3, i found the sqlite3_overload_function() will crash if the second argument zName
is fed with some strings.
By inspecting the body of sqlite3_overload_function, i found the input zName
is directly passed to sqlite3_mprintf
which caused a format string error.
Is this possibly injure application security? Or need some checks?
(2) By anonymous on 2022-12-15 11:20:31 in reply to 1 [source]
That bit of code is insufficiently paranoid.
--- src/main.c
+++ src/main.c
@@ -2117,11 +2117,11 @@
#endif
sqlite3_mutex_enter(db->mutex);
rc = sqlite3FindFunction(db, zName, nArg, SQLITE_UTF8, 0)!=0;
sqlite3_mutex_leave(db->mutex);
if( rc ) return SQLITE_OK;
- zCopy = sqlite3_mprintf(zName);
+ zCopy = sqlite3_mprintf("%s", zName);
if( zCopy==0 ) return SQLITE_NOMEM;
return sqlite3_create_function_v2(db, zName, nArg, SQLITE_UTF8,
zCopy, sqlite3InvalidFunction, 0, 0, sqlite3_free);
}