port of sqlite3 fuzzer with some updates

testing/libfuzzer/fuzzers/sqlite3_prepare_v2_fuzzer.cc

Index: testing/libfuzzer/fuzzers/sqlite3_prepare_v2_fuzzer.cc
diff --git a/testing/libfuzzer/fuzzers/sqlite3_prepare_v2_fuzzer.cc b/testing/libfuzzer/fuzzers/sqlite3_prepare_v2_fuzzer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..fda2f84551af9defcd9e1b87a78a98915e249685
--- /dev/null
+++ b/testing/libfuzzer/fuzzers/sqlite3_prepare_v2_fuzzer.cc
@@ -0,0 +1,49 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+
+#include "third_party/sqlite/sqlite3.h"
+
+static int Progress(void *not_used_ptr) {
+  return 1;
+}
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
+  if (size < 2)
+    return 0;
+
+  sqlite3* db;
+  if (SQLITE_OK != sqlite3_open(":memory:", &db))
+    return 0;
+
+  // Use first byte as random selector for other parameters.
+  int selector = data[0];

[kcc2, 2016/01/04 19:05:13]

Two problems with this approach: 
1. Now you can not feed the units to standard sqlite utilities, 
you will first need to remove the first byte. 

2. In cases there is a buffer overflow by one byte to the left 
when reading the original buffer, asan will not find it. 
I'd say this is highly unlikely in this particular case though. 

I don't say you should do something about this,
just want to leave this comment FTR. 

[mmoroz, 2016/01/15 19:08:16]

Thanks,

1. Yes, I do remove first byte at line #35.

2. That's a good point.

We can copy the data without first byte to a new buffer, but as READ
stack-overflow to the left is not likely to happen, it would be redundant
overhead. One more suggestion is to use some XOR'ed value of 3 or 4 different
bytes from data and don't remove anything from the input. It's not perfect
solution in terms of mathematics, but probably will not cause any dependencies
and non-covered cases.

+
+  // To cover both cases when progress_handler is used and isn't used.
+  if (selector & 1)
+    sqlite3_progress_handler(db, 4, &Progress, NULL);
+  else
+    sqlite3_progress_handler(db, 0, NULL, NULL);
+
+  // Remove least significant bit to make further usage of selector independent.
+  selector <<= 1;
+
+  sqlite3_stmt* statement = NULL;
+  int result = sqlite3_prepare_v2(db, (const char*)(data + 1), size - 1,
+                                  &statement, NULL);
+  if (result == SQLITE_OK) {
+    // Use selector value to randomize number of iterations.
+    for (int i = 0; i < selector; i++) {
+      if (sqlite3_step(statement) != SQLITE_ROW)
+        break;
+    }
+
+    sqlite3_finalize(statement);
+  }
+
+  sqlite3_close(db);
+  return 0;
+}