oss-fuzz/sqlite3/sqlite3_fuzzer.cc

// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <stddef.h>
#include <stdint.h>

#include <algorithm>
#include <array>
#include <string>
#include <vector>

#include "sqlite3.h"


static const std::array<uint8_t, 6> kBadKeyword{{'R', 'E', 'G', 'E', 'X', 'P'}};


bool checkForBadKeyword(const uint8_t* data, size_t size) {
  auto it = std::search(
      data, data + size, kBadKeyword.begin(), kBadKeyword.end(),
      [](char c1, char c2) { return std::toupper(c1) == std::toupper(c2); });

  if (it != data + size)
    return true;

  return false;
}


static int Progress(void *not_used_ptr) {
  return 1;
}


// Entry point for LibFuzzer.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (size < 2)
    return 0;

  if (checkForBadKeyword(data, size))
    return 0;

  sqlite3* db;
  int return_code = sqlite3_open_v2(
      "db.db",
      &db,
      SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE | SQLITE_OPEN_MEMORY, 0);


  if (SQLITE_OK != return_code)
    return 0;

  // Use first byte as random selector for other parameters.
  int selector = data[0];

  // To cover both cases when progress_handler is used and isn't used.
  if (selector & 1)
    sqlite3_progress_handler(db, 4, &Progress, NULL);
  else
    sqlite3_progress_handler(db, 0, NULL, NULL);

  // Remove least significant bit to make further usage of selector independent.
  selector >>= 1;

  sqlite3_stmt* statement = NULL;
  int result = sqlite3_prepare_v2(db, reinterpret_cast<const char*>(data + 1),
                                  static_cast<int>(size - 1), &statement, NULL);
  if (result == SQLITE_OK) {
    // Use selector value to randomize number of iterations.
    for (int i = 0; i < selector; i++) {
      if (sqlite3_step(statement) != SQLITE_ROW)
        break;
    }

    sqlite3_finalize(statement);
  }

  sqlite3_close(db);
  return 0;
}