/*
** This module interfaces SQLite to Google OSS-Fuzz, a "fuzzing as a service"
** platform (https://github.com/google/oss-fuzz).  It is built as a
** libFuzzer-style target: LLVMFuzzerTestOneInput() below is invoked once
** per generated input.
*/
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include "sqlite3.h"
/*
** Progress handler callback registered with sqlite3_progress_handler().
**
** pReturn points at an int owned by the caller.  Its current value is
** handed back unchanged; a non-zero result asks SQLite to interrupt the
** statement that is executing.
*/
static int progress_handler(void *pReturn) {
  const int *pFlag = (const int*)pReturn;
  return *pFlag;
}

/*
** Row callback for sqlite3_exec().
**
** Every column value is round-tripped through sqlite3_mprintf("%s") and
** freed again straight away, presumably just to exercise the formatting
** path on result data.  pCnt points at the caller's remaining-row budget:
** it is decremented once per row, and the callback returns non-zero
** (which makes sqlite3_exec() abort the statement) once the value seen
** before the decrement is already <= 0.  The column names in namev are
** not used.
*/
static int exec_handler(void *pCnt, int argc, char **argv, char **namev){
  int *pRemaining = (int*)pCnt;
  int iCol;
  int nBefore;
  (void)namev;
  for(iCol=0; iCol<argc; iCol++){
    char *zCopy = sqlite3_mprintf("%s", argv[iCol]);
    sqlite3_free(zCopy);
  }
  nBefore = *pRemaining;
  *pRemaining = nBefore - 1;
  return nBefore<=0;
}

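/*
** Main entry point.  The fuzzer invokes this function once for each
** fuzzed input.
**
** Input layout: if data[1] is '\n', data[0] is a "selector" byte whose
** bits configure the run and the SQL text starts at data[2]; otherwise
** the whole buffer is SQL and the selector defaults to 0xfd.  Selector
** bits, consumed least-significant first:
**
**   bit 0     register a progress handler (called roughly every 4
**             virtual-machine instructions)
**   bit 1     value the progress handler returns (1 aborts the statement)
**   bit 2     enable foreign-key constraint enforcement
**   bits 3-7  row budget: (bits+1) rows are accepted by the row callback
**             and the next row aborts the statement
**
** The default selector 0xfd therefore means: progress handler on but
** non-aborting, foreign keys on, 32-row budget.
**
** The SQL runs against a private in-memory database, so inputs cannot
** touch the filesystem.  Always returns 0; the fuzzer only cares about
** crashes and sanitizer reports, not about the SQL outcome.
**
** NOTE(review): no sqlite3_limit() or heap limit is applied here, so the
** progress handler (when selected) and the row budget are the only
** throttles on per-input runtime and memory.
*/
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  int progressArg = 0;     /* 1 causes progress handler abort */
  int execCnt = 0;         /* Abort row callback when count reaches zero */
  char *zErrMsg = 0;       /* Error message returned by sqlite_exec() */
  sqlite3 *db = 0;         /* The database connection */
  uint8_t uSelector;       /* First byte of input data[] */
  int rc;                  /* Return code from various interfaces */
  char *zSql;              /* Zero-terminated copy of data[] */

  if( size<3 ) return 0;   /* Early out if insufficient data */

  /* The SQL length is handed to "%.*s" as an int below.  Refuse inputs
  ** that would not survive the size_t -> int conversion instead of letting
  ** a wrapped (negative) precision decide how many bytes get read. */
  if( size>(size_t)INT_MAX ) return 0;

  /* Extract the selector byte from the beginning of the input.  But only
  ** do this if the second byte is a \n.  If the second byte is not \n,
  ** then use a default selector */
  if( data[1]=='\n' ){
    uSelector = data[0];  data += 2; size -= 2;
  }else{
    uSelector = 0xfd;
  }

  /* Open the database connection.  Only use an in-memory database.
  ** Per the sqlite3_open_v2() contract a connection object is normally
  ** allocated even when the open fails, and it must still be released
  ** with sqlite3_close() (which also accepts a NULL handle). */
  rc = sqlite3_open_v2("fuzz.db", &db,
           SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE | SQLITE_OPEN_MEMORY, 0);
  if( rc ){
    sqlite3_close(db);
    return 0;
  }

  /* Bit 0 of the selector enables progress callbacks.  Bit 1 is the
  ** return code from progress callbacks.  The handler reads progressArg
  ** through the pointer at call time, so assigning it after registration
  ** is fine. */
  if( uSelector & 1 ){
    sqlite3_progress_handler(db, 4, progress_handler, (void*)&progressArg);
  }
  uSelector >>= 1;
  progressArg = uSelector & 1;  uSelector >>= 1;

  /* Bit 2 of the selector enables foreign key constraints.  rc receives
  ** the resulting setting and is not otherwise inspected. */
  sqlite3_db_config(db, SQLITE_DBCONFIG_ENABLE_FKEY, uSelector&1, &rc);
  uSelector >>= 1;

  /* Remaining bits of the selector determine a limit on the number of
  ** output rows */
  execCnt = uSelector + 1;

  /* Run the SQL.  The sqlite3_exec() interface expects a zero-terminated
  ** string, so make a copy.  sqlite3_mprintf() yields NULL on OOM and
  ** sqlite3_exec() accepts a NULL statement string, so no check is needed.
  ** The sqlite3_exec() return code is deliberately ignored: a failing
  ** statement is a normal outcome for fuzzed input. */
  zSql = sqlite3_mprintf("%.*s", (int)size, data);
  sqlite3_exec(db, zSql, exec_handler, (void*)&execCnt, &zErrMsg);

  /* Cleanup and return */
  sqlite3_free(zErrMsg);
  sqlite3_free(zSql);
  sqlite3_close(db);
  return 0;
}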