From 18657a960e125336f704ea058e25c27bd3900dcb Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 5 May 2024 19:28:19 +0200
Subject: Adding upstream version 3.40.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 test/dbfuzz2.c | 402 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 402 insertions(+)
 create mode 100644 test/dbfuzz2.c

(limited to 'test/dbfuzz2.c')

diff --git a/test/dbfuzz2.c b/test/dbfuzz2.c
new file mode 100644
index 0000000..f006291
--- /dev/null
+++ b/test/dbfuzz2.c
@@ -0,0 +1,402 @@
+/*
+** 2018-10-26
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+**
+** This program is designed for fuzz-testing SQLite database files using
+** the -fsanitize=fuzzer option of clang.
+**
+** The -fsanitize=fuzzer option causes a main() to be inserted automatically.
+** That main() invokes LLVMFuzzerTestOneInput(D,S) to be invoked repeatedly.
+** Each D is a fuzzed database file.  The code in this file runs various
+** SQL statements against that database, trying to provoke a failure.
+**
+** For best results the seed database files should have these tables:
+**
+**   Table "t1" with columns "a" and "b"
+**   Tables "t2" and "t3 with the same number of compatible columns
+**       "t3" should have a column names "x"
+**   Table "t4" with a column "x" that is compatible with t3.x.
+**
+** Any of these tables can be virtual tables, for example FTS or RTree tables.
+**
+** To run this test:
+**
+**     mkdir dir
+**     cp dbfuzz2-seed*.db dir
+**     clang-6.0 -I. -g -O1 -fsanitize=fuzzer -DTHREADSAFE=0 \
+**       -DSQLITE_ENABLE_DBSTAT_VTAB dbfuzz2.c sqlite3.c -ldl
+**     ./a.out dir
+*/
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <ctype.h>
+#include <stdint.h>
+#ifndef _WIN32
+#include <sys/time.h>
+#include <sys/resource.h>
+#endif
+#include "sqlite3.h"
+
+/*
+** This is the is the SQL that is run against the database.
+*/
+static const char *azSql[] = {
+  "PRAGMA integrity_check;",
+  "SELECT * FROM sqlite_schema;",
+  "SELECT sum(length(name)) FROM dbstat;",
+  "UPDATE t1 SET b=a, a=b WHERE a<b;",
+  "ALTER TABLE t1 RENAME TO alkjalkjdfiiiwuer987lkjwer82mx97sf98788s9789s;",
+  "INSERT INTO t3 SELECT * FROM t2;",
+  "DELETE FROM t3 WHERE x IN (SELECT x FROM t4);",
+  "REINDEX;",
+  "DROP TABLE t3;",
+  "VACUUM;",
+};
+
+/* Output verbosity level.  0 means complete silence */
+int eVerbosity = 0;
+
+/* True to activate PRAGMA vdbe_debug=on */
+static int bVdbeDebug = 0;
+
+/* Maximum size of the in-memory database file */
+static sqlite3_int64 szMax = 104857600;
+
+/* Progress handler callback data */
+static int nCb = 0;                  /* Number of callbacks seen so far */
+static int mxCb = 250000;            /* Maximum allowed callbacks */
+
+/***** Copy/paste from ext/misc/memtrace.c ***************************/
+/* The original memory allocation routines */
+static sqlite3_mem_methods memtraceBase;
+static FILE *memtraceOut;
+
+/* Methods that trace memory allocations */
+static void *memtraceMalloc(int n){
+  if( memtraceOut ){
+    fprintf(memtraceOut, "MEMTRACE: allocate %d bytes\n", 
+            memtraceBase.xRoundup(n));
+  }
+  return memtraceBase.xMalloc(n);
+}
+static void memtraceFree(void *p){
+  if( p==0 ) return;
+  if( memtraceOut ){
+    fprintf(memtraceOut, "MEMTRACE: free %d bytes\n", memtraceBase.xSize(p));
+  }
+  memtraceBase.xFree(p);
+}
+static void *memtraceRealloc(void *p, int n){
+  if( p==0 ) return memtraceMalloc(n);
+  if( n==0 ){
+    memtraceFree(p);
+    return 0;
+  }
+  if( memtraceOut ){
+    fprintf(memtraceOut, "MEMTRACE: resize %d -> %d bytes\n",
+            memtraceBase.xSize(p), memtraceBase.xRoundup(n));
+  }
+  return memtraceBase.xRealloc(p, n);
+}
+static int memtraceSize(void *p){
+  return memtraceBase.xSize(p);
+}
+static int memtraceRoundup(int n){
+  return memtraceBase.xRoundup(n);
+}
+static int memtraceInit(void *p){
+  return memtraceBase.xInit(p);
+}
+static void memtraceShutdown(void *p){
+  memtraceBase.xShutdown(p);
+}
+
+/* The substitute memory allocator */
+static sqlite3_mem_methods ersaztMethods = {
+  memtraceMalloc,
+  memtraceFree,
+  memtraceRealloc,
+  memtraceSize,
+  memtraceRoundup,
+  memtraceInit,
+  memtraceShutdown
+};
+
+/* Begin tracing memory allocations to out. */
+int sqlite3MemTraceActivate(FILE *out){
+  int rc = SQLITE_OK;
+  if( memtraceBase.xMalloc==0 ){
+    rc = sqlite3_config(SQLITE_CONFIG_GETMALLOC, &memtraceBase);
+    if( rc==SQLITE_OK ){
+      rc = sqlite3_config(SQLITE_CONFIG_MALLOC, &ersaztMethods);
+    }
+  }
+  memtraceOut = out;
+  return rc;
+}
+
+/* Deactivate memory tracing */
+int sqlite3MemTraceDeactivate(void){
+  int rc = SQLITE_OK;
+  if( memtraceBase.xMalloc!=0 ){
+    rc = sqlite3_config(SQLITE_CONFIG_MALLOC, &memtraceBase);
+    if( rc==SQLITE_OK ){
+      memset(&memtraceBase, 0, sizeof(memtraceBase));
+    }
+  }
+  memtraceOut = 0;
+  return rc;
+}
+/***** End copy/paste from ext/misc/memtrace.c ***************************/
+
+/*
+** Progress handler callback
+**
+** Count the number of callbacks and cause an abort once the limit is
+** reached.
+*/
+static int progress_handler(void *pNotUsed){
+  nCb++;
+  if( nCb<mxCb ) return 0;
+  if( eVerbosity>=1 ){
+    printf("-- Progress limit of %d reached\n", mxCb);
+  }
+  return 1;
+}
+
+/* libFuzzer invokes this routine with fuzzed database files (in aData).
+** This routine run SQLite against the malformed database to see if it
+** can provoke a failure or malfunction.
+*/
+int LLVMFuzzerTestOneInput(const uint8_t *aData, size_t nByte){
+  unsigned char *a;
+  sqlite3 *db;
+  int rc;
+  int i;
+  sqlite3_int64 x;
+  char *zErr = 0;
+
+  if( eVerbosity>=1 ){
+    printf("************** nByte=%d ***************\n", (int)nByte);
+    fflush(stdout);
+  }
+  if( sqlite3_initialize() ) return 0;
+  rc = sqlite3_open(0, &db);
+  if( rc ) return 1;
+  a = sqlite3_malloc64(nByte+1);
+  if( a==0 ) return 1;
+  memcpy(a, aData, nByte);
+  sqlite3_deserialize(db, "main", a, nByte, nByte,
+        SQLITE_DESERIALIZE_RESIZEABLE |
+        SQLITE_DESERIALIZE_FREEONCLOSE);
+  x = szMax;
+#ifdef SQLITE_FCNTL_SIZE_LIMIT
+  sqlite3_file_control(db, "main", SQLITE_FCNTL_SIZE_LIMIT, &x);
+#endif
+  if( bVdbeDebug ){
+    sqlite3_exec(db, "PRAGMA vdbe_debug=ON", 0, 0, 0);
+  }
+  if( mxCb>0 ){
+    sqlite3_progress_handler(db, 10, progress_handler, 0);
+  }
+#ifdef SQLITE_TESTCTRL_PRNG_SEED
+  sqlite3_test_control(SQLITE_TESTCTRL_PRNG_SEED, 1, db);
+#endif
+  for(i=0; i<sizeof(azSql)/sizeof(azSql[0]); i++){
+    if( eVerbosity>=1 ){
+      printf("%s\n", azSql[i]);
+      fflush(stdout);
+    }
+    zErr = 0;
+    nCb = 0;
+    rc = sqlite3_exec(db, azSql[i], 0, 0, &zErr);
+    if( rc && eVerbosity>=1 ){
+      printf("-- rc=%d zErr=%s\n", rc, zErr);
+    }
+    sqlite3_free(zErr);
+  }
+  rc = sqlite3_close(db);
+  if( rc!=SQLITE_OK ){
+    fprintf(stdout, "sqlite3_close() returns %d\n", rc);
+  }
+  if( sqlite3_memory_used()!=0 ){
+    int nAlloc = 0;
+    int nNotUsed = 0;
+    sqlite3_status(SQLITE_STATUS_MALLOC_COUNT, &nAlloc, &nNotUsed, 0);
+    fprintf(stderr,"Memory leak: %lld bytes in %d allocations\n",
+            sqlite3_memory_used(), nAlloc);
+    exit(1);
+  }
+  return 0;
+}
+
+/*
+** Return the number of "v" characters in a string.  Return 0 if there
+** are any characters in the string other than "v".
+*/
+static int numberOfVChar(const char *z){
+  int N = 0;
+  while( z[0] && z[0]=='v' ){
+    z++;
+    N++;
+  }
+  return z[0]==0 ? N : 0;
+}
+
+/* libFuzzer invokes this routine once when the executable starts, to
+** process the command-line arguments.
+*/
+int LLVMFuzzerInitialize(int *pArgc, char ***pArgv){
+  int i, j, n;
+  int argc = *pArgc;
+  char **argv = *pArgv;
+  for(i=j=1; i<argc; i++){
+    char *z = argv[i];
+    if( z[0]=='-' ){
+      z++;
+      if( z[0]=='-' ) z++;
+      if( z[0]=='v' && (n = numberOfVChar(z))>0 ){
+        eVerbosity += n;
+        continue;
+      }
+      if( strcmp(z,"vdbe-debug")==0 ){
+        bVdbeDebug = 1;
+        continue;
+      }
+      if( strcmp(z,"limit")==0 ){
+        if( i+1==argc ){
+          fprintf(stderr, "missing argument to %s\n", argv[i]);
+          exit(1);
+        }
+        mxCb = strtol(argv[++i], 0, 0);
+        continue;
+      }
+      if( strcmp(z,"memtrace")==0 ){
+        sqlite3MemTraceActivate(stdout);
+        continue;
+      }
+      if( strcmp(z,"max-db-size")==0 ){
+        if( i+1==argc ){
+          fprintf(stderr, "missing argument to %s\n", argv[i]);
+          exit(1);
+        }
+        szMax = strtol(argv[++i], 0, 0);
+        continue;
+      }
+      if( strcmp(z, "lookaside")==0 ){
+        int sz, nSlot;
+        if( i+2>=argc ){
+          fprintf(stderr, 
+             "--lookaside requires two arguments: slot-size num-slots\n");
+          exit(1);
+        }
+        sz = atoi(argv[++i]);
+        nSlot = atoi(argv[++i]);
+        sqlite3_config(SQLITE_CONFIG_LOOKASIDE, sz, nSlot);
+        continue;
+      }
+#ifndef _WIN32
+      if( strcmp(z,"max-stack")==0
+       || strcmp(z,"max-data")==0
+       || strcmp(z,"max-as")==0
+      ){
+        struct rlimit x,y;
+        int resource = RLIMIT_STACK;
+        char *zType = "RLIMIT_STACK";
+        if( i+1==argc ){
+          fprintf(stderr, "missing argument to %s\n", argv[i]);
+          exit(1);
+        }
+        if( z[4]=='d' ){
+          resource = RLIMIT_DATA;
+          zType = "RLIMIT_DATA";
+        }
+        if( z[4]=='a' ){
+          resource = RLIMIT_AS;
+          zType = "RLIMIT_AS";
+        }
+        memset(&x,0,sizeof(x));
+        getrlimit(resource, &x);
+        y.rlim_cur = atoi(argv[++i]);
+        y.rlim_max = x.rlim_cur;
+        setrlimit(resource, &y);
+        memset(&y,0,sizeof(y));
+        getrlimit(resource, &y);
+        printf("%s changed from %d to %d\n", 
+               zType, (int)x.rlim_cur, (int)y.rlim_cur);
+        continue;
+      }
+#endif /* _WIN32 */
+    }
+    argv[j++] = argv[i];
+  }
+  argv[j] = 0;
+  *pArgc = j;
+  return 0;
+}
+
+#ifdef STANDALONE
+/*
+** Read an entire file into memory.  Space to hold the file comes
+** from malloc().
+*/
+static unsigned char *readFile(const char *zName, int *pnByte){
+  FILE *in = fopen(zName, "rb");
+  long nIn;
+  size_t nRead;
+  unsigned char *pBuf;
+  if( in==0 ) return 0;
+  fseek(in, 0, SEEK_END);
+  nIn = ftell(in);
+  rewind(in);
+  pBuf = malloc( nIn+1 );
+  if( pBuf==0 ){ fclose(in); return 0; }
+  nRead = fread(pBuf, nIn, 1, in);
+  fclose(in);
+  if( nRead!=1 ){
+    free(pBuf);
+    return 0;
+  }
+  pBuf[nIn] = 0;
+  if( pnByte ) *pnByte = nIn;
+  return pBuf;
+}
+#endif /* STANDALONE */
+
+#ifdef STANDALONE
+int main(int argc, char **argv){
+  int i;
+  LLVMFuzzerInitialize(&argc, &argv);
+  for(i=1; i<argc; i++){
+    unsigned char *pIn;
+    int nIn;
+    pIn = readFile(argv[i], &nIn);
+    if( pIn ){
+      LLVMFuzzerTestOneInput((const uint8_t*)pIn, (size_t)nIn);
+      free(pIn);
+    }
+  }
+#ifdef RUSAGE_SELF
+  if( eVerbosity>0 ){
+    struct rusage x;
+    printf("SQLite %s\n", sqlite3_sourceid());
+    memset(&x, 0, sizeof(x));
+    if( getrusage(RUSAGE_SELF, &x)==0 ){
+      printf("Maximum RSS = %ld KB\n", x.ru_maxrss);
+    }
+  }
+#endif
+  return 0;
+}
+#endif /*STANDALONE*/
-- 
cgit v1.2.3