SQLite User Forum

sqlite3_overload_function crash when fuzzing

(1) By hopper-vul (hopper) on 2022-12-15 10:05:07

Hi. When fuzzing sqlite3, I found that sqlite3_overload_function() will crash if the second argument zName is fed with some strings.

By inspecting the body of sqlite3_overload_function, I found that the input zName is directly passed to sqlite3_mprintf, which caused a format string error.

Could this possibly injure application security? Or does it need some checks?
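The pattern described above, as an added example that is not from this thread or from SQLite's source: a hypothetical stand-in for sqlite3_mprintf (demo_mprintf) shows how a name used directly as the format string is altered, beside the fixed "%s" form, plus a caller-side check. The names demo_mprintf, copy_name_unsafe, copy_name_safe and name_is_format_safe are assumptions of the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for sqlite3_mprintf(): printf-style formatting into a malloc'd
   buffer that the caller frees. Hypothetical helper, not SQLite's code. */
static char *demo_mprintf(const char *zFormat, ...){
  va_list ap;
  va_start(ap, zFormat);
  int n = vsnprintf(NULL, 0, zFormat, ap);
  va_end(ap);
  if( n<0 ) return NULL;
  char *zOut = malloc((size_t)n + 1);
  if( zOut==NULL ) return NULL;
  va_start(ap, zFormat);
  vsnprintf(zOut, (size_t)n + 1, zFormat, ap);
  va_end(ap);
  return zOut;
}

/* The pattern reported above: the caller-controlled name *is* the format
   string, so every '%' in it is parsed as a conversion directive. */
static char *copy_name_unsafe(const char *zName){
  return demo_mprintf(zName);
}

/* The corrected pattern: the name is only the argument of a fixed "%s"
   format, so it is copied byte for byte whatever it contains. */
static char *copy_name_safe(const char *zName){
  return demo_mprintf("%s", zName);
}

/* Caller-side check: a name is safe to hand to the unsafe pattern only if
   it carries no '%' at all; even "%%" would be rewritten to "%". */
static int name_is_format_safe(const char *zName){
  return strchr(zName, '%')==NULL;
}

int main(void){
  /* Constructed input. "%%" is the one directive that can be demonstrated
     safely, because it consumes no (missing) argument. */
  const char *zName = "fn%%x";
  char *zUnsafe = copy_name_unsafe(zName);  /* "fn%x": name silently altered */
  char *zSafe = copy_name_safe(zName);      /* "fn%%x": name preserved */
  printf("unsafe=%s safe=%s format_safe=%d\n",
         zUnsafe, zSafe, name_is_format_safe(zName));
  free(zUnsafe); free(zSafe);
  return 0;
}
```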

(2) By anonymous on 2022-12-15 11:20:31 in reply to 1

That bit of code is insufficiently paranoid.

--- src/main.c
+++ src/main.c
@@ -2117,11 +2117,11 @@
 #endif
   sqlite3_mutex_enter(db->mutex);
   rc = sqlite3FindFunction(db, zName, nArg, SQLITE_UTF8, 0)!=0;
   sqlite3_mutex_leave(db->mutex);
   if( rc ) return SQLITE_OK;
-  zCopy = sqlite3_mprintf(zName);
+  zCopy = sqlite3_mprintf("%s", zName);
   if( zCopy==0 ) return SQLITE_NOMEM;
   return sqlite3_create_function_v2(db, zName, nArg, SQLITE_UTF8,
                            zCopy, sqlite3InvalidFunction, 0, 0, sqlite3_free);
 }
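Review bot: The removed line `zCopy = sqlite3_mprintf(zName);` uses the caller-supplied function name as the format string, so any `%` sequence in the name is parsed as a conversion directive and may consume arguments that were never passed; the added line `zCopy = sqlite3_mprintf("%s", zName);` is the right fix, since the name becomes a plain argument and is copied verbatim. The rest of the hunk stays consistent with that change: a NULL `zCopy` still returns SQLITE_NOMEM, and the copy is still released by `sqlite3_free` through the destructor argument of `sqlite3_create_function_v2`.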

(3) By Dan Kennedy (dan) on 2022-12-15 11:58:10 in reply to 2

Thanks for looking into this. Now fixed here:

https://sqlite.org/src/info/9fa2b94c

Dan.