The sqlite-createtable-parser's discuss from marcobambini

feature request, extract comment from create table SQL for each column

sqlite not support COMMENT like mysql, but it keep the COMMENT after --

CREATE TABLE User
        -- A table comment
(
        uid INTEGER,    -- A field comment
        flags INTEGER   -- Another field comment
);

If there is some function like sql3column_comment to extract the original comment for each column, will be very useful for migrate manage.

Buffer overflow in sql3parse_table()

Hello, Thanks for your project, I used it in my teaching.

At some point I decided to test it using fuzzing.
I found a buffer overflow in the following file:

sql3parse_table.c

    size_t offset = state->offset;
    sql3char c = NEXT;      //  (state->buffer[state->offset++])
    uint32_t count = 1;     // count number of '('
    
    while (true) {
        c = NEXT;
        if (c == '(') ++count;
        else if (c == ')') {
            if (--count == 0) break;
        }
    }

This code will cause a memory segmentation fault

//  gcc --std=c99 -g -O0 main.c sql3parse_table.c -fsanitize=address
#include "stdint.h"
#include "sql3parse_table.h"

int main (void) {
    
    char *sql =  "CREATE TEMP TABLE IF NOT EXISTS main.foo /*  ie */ (cols the m main taEXT DEFAULT(CURR>NMELL, col2 TEXTD EFAULT CURRENT_T";
    sql3error_code err;
    
    sql3table *table = sql3parse_table(sql, 0, &err);
    if (!table) {
        printf("An error occurred while parsing table (%d).\n", err);
        return -1;
    }
    
    sql3table_free(table);
    return 0;
}

Using the debugger we can see the buffer overflow

state->buffer = "CREATE TEMP TABLE IF NOT EXISTS main.foo /*  ie */ (cols the m main taEXT DEFAULT(CURR>NMELL, col2 TEXTD EFAULT CURRENT_T"
state->offset = 5041
state->size = 121

And ASAN report:

Details

=================================================================
==10332==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5598456530ba at pc 0x55984564f16c bp 0x7ffd34ea01f0 sp 0x7ffd34ea01e8
READ of size 1 at 0x5598456530ba thread T0
    #0 0x55984564f16b in sql3parse_expression /home/user/Research/sqlite-createtable-parser/sql3parse_table.c:798
    #1 0x55984564f93e in sql3parse_column_constraints /home/user/Research/sqlite-createtable-parser/sql3parse_table.c:910
    #2 0x55984564fbd3 in sql3parse_column /home/user/Research/sqlite-createtable-parser/sql3parse_table.c:955
    #3 0x5598456505e7 in sql3parse_create /home/user/Research/sqlite-createtable-parser/sql3parse_table.c:1156
    #4 0x559845650a7b in sql3parse /home/user/Research/sqlite-createtable-parser/sql3parse_table.c:1233
    #5 0x5598456524a3 in sql3parse_table /home/user/Research/sqlite-createtable-parser/sql3parse_table.c:1537
    #6 0x55984564b34c in main /home/user/Research/sqlite-createtable-parser/main.c:9
    #7 0x7fa3bac461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7fa3bac46284 in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x55984564b1f0 in _start (/home/user/Research/sqlite-createtable-parser/test_error+0x21f0)

0x5598456530ba is located 0 bytes to the right of global variable '*.LC1' defined in 'main.c' (0x559845653040) of size 122
  '*.LC1' is ascii string 'CREATE TEMP TABLE IF NOT EXISTS main.foo /*  ie */ (cols the m main taEXT DEFAULT(CURR>NMELL, col2 TEXTD EFAULT CURRENT_T'
0x5598456530ba is located 38 bytes to the left of global variable '*.LC2' defined in 'main.c' (0x5598456530e0) of size 45
  '*.LC2' is ascii string 'An error occurred while parsing table (%d).
'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/user/Research/sqlite-createtable-parser/sql3parse_table.c:798 in sql3parse_expression
Shadow bytes around the buggy address:
  0x0ab388ac25c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab388ac25d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab388ac25e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab388ac25f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab388ac2600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab388ac2610: 00 00 00 00 00 00 00[02]f9 f9 f9 f9 00 00 00 00
  0x0ab388ac2620: 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00 05 f9 f9 f9
  0x0ab388ac2630: f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x0ab388ac2640: f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x0ab388ac2650: f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ab388ac2660: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10332==ABORTING

marcobambini / sqlite-createtable-parser Goto Github PK

sqlite-createtable-parser's Issues

feature request, extract comment from create table SQL for each column

Buffer overflow in sql3parse_table()

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

Jobs