sqlite/0008-CVE-2023-7104.patch

it From a756d158b3e55831975feb45b753ba499d2adeda Mon Sep 17 00:00:00 2001
From: mazhao <mazhao12@huawei.com>
Date: Wed, 3 Jan 2024 12:00:45 +0800
Subject: [PATCH] Fix a buffer overread in the sessions extension that could
 occur when processing a corrupt changeset.

Signed-off-by: mazhao <mazhao12@huawei.com>
---
 ext/session/sqlite3session.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
index a892804..72ad427 100644
--- a/ext/session/sqlite3session.c
+++ b/ext/session/sqlite3session.c
@@ -3050,15 +3050,19 @@ static int sessionReadRecord(
         }
       }
       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
-        sqlite3_int64 v = sessionGetI64(aVal);
-        if( eType==SQLITE_INTEGER ){
-          sqlite3VdbeMemSetInt64(apOut[i], v);
+        if( (pIn->nData-pIn->iNext)<8 ){
+          rc = SQLITE_CORRUPT_BKPT;
         }else{
-          double d;
-          memcpy(&d, &v, 8);
-          sqlite3VdbeMemSetDouble(apOut[i], d);
+          sqlite3_int64 v = sessionGetI64(aVal);
+          if( eType==SQLITE_INTEGER ){
+            sqlite3VdbeMemSetInt64(apOut[i], v);
+          }else{
+            double d;
+            memcpy(&d, &v, 8);
+            sqlite3VdbeMemSetDouble(apOut[i], d);
+          }
+          pIn->iNext += 8;
         }
-        pIn->iNext += 8;
       }
     }
   }
-- 
2.34.1
fix the CVE-2023-7104 Signed-off-by: mazhao <mazhao12@huawei.com> 2024-01-03 10:31:55 +08:00			`it From a756d158b3e55831975feb45b753ba499d2adeda Mon Sep 17 00:00:00 2001`
			`From: mazhao <mazhao12@huawei.com>`
			`Date: Wed, 3 Jan 2024 12:00:45 +0800`
			`Subject: [PATCH] Fix a buffer overread in the sessions extension that could`
			`occur when processing a corrupt changeset.`

			`Signed-off-by: mazhao <mazhao12@huawei.com>`
			`---`
			`ext/session/sqlite3session.c \| 18 +++++++++++-------`
			`1 file changed, 11 insertions(+), 7 deletions(-)`

			`diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c`
			`index a892804..72ad427 100644`
			`--- a/ext/session/sqlite3session.c`
			`+++ b/ext/session/sqlite3session.c`
			`@@ -3050,15 +3050,19 @@ static int sessionReadRecord(`
			`}`
			`}`
			`if( eType==SQLITE_INTEGER \|\| eType==SQLITE_FLOAT ){`
			`- sqlite3_int64 v = sessionGetI64(aVal);`
			`- if( eType==SQLITE_INTEGER ){`
			`- sqlite3VdbeMemSetInt64(apOut[i], v);`
			`+ if( (pIn->nData-pIn->iNext)<8 ){`
			`+ rc = SQLITE_CORRUPT_BKPT;`
			`}else{`
			`- double d;`
			`- memcpy(&d, &v, 8);`
			`- sqlite3VdbeMemSetDouble(apOut[i], d);`
			`+ sqlite3_int64 v = sessionGetI64(aVal);`
			`+ if( eType==SQLITE_INTEGER ){`
			`+ sqlite3VdbeMemSetInt64(apOut[i], v);`
			`+ }else{`
			`+ double d;`
			`+ memcpy(&d, &v, 8);`
			`+ sqlite3VdbeMemSetDouble(apOut[i], d);`
			`+ }`
			`+ pIn->iNext += 8;`
			`}`
			`- pIn->iNext += 8;`
			`}`
			`}`
			`}`
			`--`
			`2.34.1`