!22 update package to 3.32.3

Merge pull request !22 from 季新杰/master
openeuler-ci-bot 2020-07-22 09:45:03 +08:00 committed by Gitee
commit 062ced1b4f
70 changed files with 36 additions and 3280 deletions


@ -1,291 +0,0 @@
Index: ext/fts3/fts3.c
==================================================================
--- ext/fts3/fts3.c
+++ ext/fts3/fts3.c
@@ -1819,11 +1819,11 @@
){
int rc = SQLITE_OK; /* Return code */
const char *zCsr = zNode; /* Cursor to iterate through node */
const char *zEnd = &zCsr[nNode];/* End of interior node buffer */
char *zBuffer = 0; /* Buffer to load terms into */
- int nAlloc = 0; /* Size of allocated buffer */
+ i64 nAlloc = 0; /* Size of allocated buffer */
int isFirstTerm = 1; /* True when processing first term on page */
sqlite3_int64 iChild; /* Block id of child node to descend to */
/* Skip over the 'height' varint that occurs at the start of every
** interior node. Then load the blockid of the left-child of the b-tree
@@ -1857,18 +1857,18 @@
}
isFirstTerm = 0;
zCsr += fts3GetVarint32(zCsr, &nSuffix);
assert( nPrefix>=0 && nSuffix>=0 );
- if( &zCsr[nSuffix]>zEnd ){
+ if( nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){
rc = FTS_CORRUPT_VTAB;
goto finish_scan;
}
- if( nPrefix+nSuffix>nAlloc ){
+ if( (i64)nPrefix+nSuffix>nAlloc ){
char *zNew;
- nAlloc = (nPrefix+nSuffix) * 2;
- zNew = (char *)sqlite3_realloc(zBuffer, nAlloc);
+ nAlloc = ((i64)nPrefix+nSuffix) * 2;
+ zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
if( !zNew ){
rc = SQLITE_NOMEM;
goto finish_scan;
}
zBuffer = zNew;
Index: ext/fts3/fts3_write.c
==================================================================
--- ext/fts3/fts3_write.c
+++ ext/fts3/fts3_write.c
@@ -1372,19 +1372,23 @@
/* Because of the FTS3_NODE_PADDING bytes of padding, the following is
** safe (no risk of overread) even if the node data is corrupted. */
pNext += fts3GetVarint32(pNext, &nPrefix);
pNext += fts3GetVarint32(pNext, &nSuffix);
- if( nPrefix<0 || nSuffix<=0
- || &pNext[nSuffix]>&pReader->aNode[pReader->nNode]
+ if( nSuffix<=0
+ || (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
+ || nPrefix>pReader->nTermAlloc
){
return FTS_CORRUPT_VTAB;
}
- if( nPrefix+nSuffix>pReader->nTermAlloc ){
- int nNew = (nPrefix+nSuffix)*2;
- char *zNew = sqlite3_realloc(pReader->zTerm, nNew);
+ /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are
+ ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer
+ ** overflow - hence the (i64) casts. */
+ if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){
+ i64 nNew = ((i64)nPrefix+nSuffix)*2;
+ char *zNew = sqlite3_realloc64(pReader->zTerm, nNew);
if( !zNew ){
return SQLITE_NOMEM;
}
pReader->zTerm = zNew;
pReader->nTermAlloc = nNew;
@@ -1402,11 +1406,11 @@
/* Check that the doclist does not appear to extend past the end of the
** b-tree node. And that the final byte of the doclist is 0x00. If either
** of these statements is untrue, then the data structure is corrupt.
*/
- if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode]
+ if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
|| (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1])
){
return FTS_CORRUPT_VTAB;
}
return SQLITE_OK;
@@ -3728,25 +3732,30 @@
if( bFirst==0 ){
p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nPrefix);
}
p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix);
+ if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){
+ return SQLITE_CORRUPT_VTAB;
+ }
blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc);
if( rc==SQLITE_OK ){
memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix);
p->term.n = nPrefix+nSuffix;
p->iOff += nSuffix;
if( p->iChild==0 ){
p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist);
+ if( (p->nNode-p->iOff)<p->nDoclist ){
+ return SQLITE_CORRUPT_VTAB;
+ }
p->aDoclist = &p->aNode[p->iOff];
p->iOff += p->nDoclist;
}
}
}
assert( p->iOff<=p->nNode );
-
return rc;
}
/*
** Release all dynamic resources held by node-reader object *p.
ADDED test/fts3corrupt4.test
Index: test/fts3corrupt4.test
==================================================================
--- test/fts3corrupt4.test
+++ test/fts3corrupt4.test
@@ -0,0 +1,147 @@
+# 2006 September 9
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#*************************************************************************
+# This file implements regression tests for SQLite library. The
+# focus of this script is testing the FTS3 module.
+#
+# $Id: fts3aa.test,v 1.1 2007/08/20 17:38:42 shess Exp $
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix fts3corrupt4
+
+# If SQLITE_ENABLE_FTS3 is defined, omit this file.
+ifcapable !fts3 {
+ finish_test
+ return
+}
+
+do_execsql_test 1.0 {
+ BEGIN;
+ CREATE VIRTUAL TABLE ft USING fts3;
+ INSERT INTO ft VALUES('aback');
+ INSERT INTO ft VALUES('abaft');
+ INSERT INTO ft VALUES('abandon');
+ COMMIT;
+}
+
+proc blob {a} { binary decode hex $a }
+db func blob blob
+
+do_execsql_test 1.1 {
+ SELECT quote(root) FROM ft_segdir;
+} {X'0005616261636B03010200030266740302020003046E646F6E03030200'}
+
+do_execsql_test 1.2 {
+ UPDATE ft_segdir SET root = blob(
+ '0005616261636B03010200 FFFFFFFF0702 66740302020003046E646F6E03030200'
+ );
+}
+
+do_catchsql_test 1.3 {
+ SELECT * FROM ft WHERE ft MATCH 'abandon';
+} {1 {database disk image is malformed}}
+
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 2.0.0 {
+ CREATE VIRTUAL TABLE ft USING fts3;
+ INSERT INTO ft(ft) VALUES('nodesize=32');
+}
+do_test 2.0.1 {
+ for {set i 0} {$i < 12} {incr i} {
+ execsql {
+ BEGIN;
+ INSERT INTO ft VALUES('abc' || $i);
+ INSERT INTO ft VALUES('abc' || $i || 'x' );
+ INSERT INTO ft VALUES('abc' || $i || 'xx' );
+ COMMIT
+ }
+ }
+ execsql {
+ SELECT count(*) FROM ft_segdir;
+ SELECT count(*) FROM ft_segments;
+ }
+} {12 0}
+
+do_execsql_test 2.1 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+ SELECT count(*) FROM ft_segdir;
+ SELECT count(*) FROM ft_segments;
+} {12 3}
+
+do_execsql_test 2.2 {
+ SELECT quote(block) FROM ft_segments WHERE blockid=2
+} {X'00056162633130031F0200'}
+
+db func blob blob
+do_execsql_test 2.3.1 {
+ UPDATE ft_segments SET block =
+ blob('00056162633130031F0200 FFFFFFFF07FF55 66740302020003046E646F6E03030200')
+ WHERE blockid=2;
+} {}
+do_catchsql_test 2.3.2 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+} {1 {database disk image is malformed}}
+
+do_execsql_test 2.4.1 {
+ UPDATE ft_segments SET block =
+ blob('00056162633130031F0200 02FFFFFFFF07 66740302020003046E646F6E03030200')
+ WHERE blockid=2;
+} {}
+do_catchsql_test 2.4.2 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+} {1 {database disk image is malformed}}
+
+do_execsql_test 2.5.1 {
+ UPDATE ft_segments SET block =
+ blob('00056162633130031F0200 0202 6674 FFFFFF070302020003046E646F6E030200')
+ WHERE blockid=2;
+} {}
+do_catchsql_test 2.5.2 {
+ INSERT INTO ft(ft) VALUES('merge=1,4');
+} {1 {database disk image is malformed}}
+
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 3.0.0 {
+ CREATE VIRTUAL TABLE ft USING fts3;
+ INSERT INTO ft(ft) VALUES('nodesize=32');
+}
+do_test 3.0.1 {
+ execsql BEGIN
+ for {set i 0} {$i < 20} {incr i} {
+ execsql { INSERT INTO ft VALUES('abc' || $i) }
+ }
+ execsql {
+ COMMIT;
+ SELECT count(*) FROM ft_segdir;
+ SELECT count(*) FROM ft_segments;
+ }
+} {1 5}
+
+do_execsql_test 3.1 {
+ SELECT quote(root) FROM ft_segdir
+} {X'0101056162633132040136030132030136'}
+
+db func blob blob
+do_execsql_test 3.2 {
+ UPDATE ft_segdir
+ SET root = blob('0101056162633132FFFFFFFF070236030132030136');
+}
+
+do_catchsql_test 3.1 {
+ SELECT * FROM ft WHERE ft MATCH 'abc20'
+} {1 {database disk image is malformed}}
+
+finish_test
+
+
Index: test/permutations.test
==================================================================
--- test/permutations.test
+++ test/permutations.test
@@ -253,10 +253,11 @@
fts3ae.test fts3af.test fts3ag.test fts3ah.test
fts3ai.test fts3aj.test fts3ak.test fts3al.test
fts3am.test fts3an.test fts3ao.test fts3atoken.test
fts3auto.test fts3aux1.test fts3aux2.test fts3b.test
fts3comp1.test fts3conf.test fts3corrupt2.test fts3corrupt.test
+ fts3corrupt4.test
fts3cov.test fts3c.test fts3defer2.test fts3defer3.test
fts3defer.test fts3drop.test fts3d.test fts3e.test
fts3expr2.test fts3expr3.test fts3expr4.test fts3expr5.test
fts3expr.test fts3fault2.test fts3fault.test fts3first.test
fts3join.test fts3malloc.test fts3matchinfo.test fts3near.test


@ -10,10 +10,10 @@ some situation if there is no enough fd resource.
1 file changed, 27 deletions(-)
diff --git a/test/oserror.test b/test/oserror.test
index 271163a..d46218f 100644
index a51301c..d46218f 100644
--- a/test/oserror.test
+++ b/test/oserror.test
@@ -40,33 +40,6 @@ proc do_re_test {tn script expression} {
@@ -40,47 +40,6 @@ proc do_re_test {tn script expression} {
}
@ -29,18 +29,32 @@ index 271163a..d46218f 100644
-# an error may be reported for either open() or getcwd() here.
-#
-if {![clang_sanitize_address]} {
- unset -nocomplain rc
- unset -nocomplain nOpen
- set nOpen 20000
- do_test 1.1.1 {
- set ::log [list]
- list [catch {
- for {set i 0} {$i < 20000} {incr i} { sqlite3 dbh_$i test.db -readonly 1 }
- } msg] $msg
- } {1 {unable to open database file}}
- set ::rc [catch {
- for {set i 0} {$i < $::nOpen} {incr i} { sqlite3 dbh_$i test.db -readonly 1 }
- } msg]
- if {$::rc==0} {
- # Some system (ex: Debian) are able to create 20000+ file descriptiors
- # such systems will not fail here
- set x ok
- } elseif {$::rc==1 && $msg=="unable to open database file"} {
- set x ok
- } else {
- set x [list $::rc $msg]
- }
- } {ok}
- do_test 1.1.2 {
- catch { for {set i 0} {$i < 20000} {incr i} { dbh_$i close } }
- } {1}
- do_re_test 1.1.3 {
- lindex $::log 0
- } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - }
- catch { for {set i 0} {$i < $::nOpen} {incr i} { dbh_$i close } }
- } $::rc
- if {$rc} {
- do_re_test 1.1.3 {
- lindex $::log 0
- } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - }
- }
-}
-
-


@ -1,46 +0,0 @@
From 8b729f3011e608c73624ce823a3f8d811f4684cb Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Wed, 6 Jun 2018 18:50:50 +0000
Subject: [PATCH 0037/1009] Fix the sqlite3BeginTrans() calls within the
snapshot extension.
From https://github.com/mackyle/sqlite/commit/8b729f3011e608c73624ce823a3f8d811f4684cb
---
src/main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/main.c b/src/main.c
index 8e89cc5..a2b994f 100644
--- a/src/main.c
+++ b/src/main.c
@@ -4115,7 +4115,7 @@ int sqlite3_snapshot_get(
if( iDb==0 || iDb>1 ){
Btree *pBt = db->aDb[iDb].pBt;
if( 0==sqlite3BtreeIsInTrans(pBt) ){
- rc = sqlite3BtreeBeginTrans(pBt, 0);
+ rc = sqlite3BtreeBeginTrans(pBt, 0, 0);
if( rc==SQLITE_OK ){
rc = sqlite3PagerSnapshotGet(sqlite3BtreePager(pBt), ppSnapshot);
}
@@ -4153,7 +4153,7 @@ int sqlite3_snapshot_open(
if( 0==sqlite3BtreeIsInReadTrans(pBt) ){
rc = sqlite3PagerSnapshotOpen(sqlite3BtreePager(pBt), pSnapshot);
if( rc==SQLITE_OK ){
- rc = sqlite3BtreeBeginTrans(pBt, 0);
+ rc = sqlite3BtreeBeginTrans(pBt, 0, 0);
sqlite3PagerSnapshotOpen(sqlite3BtreePager(pBt), 0);
}
}
@@ -4185,7 +4185,7 @@ int sqlite3_snapshot_recover(sqlite3 *db, const char *zDb){
if( iDb==0 || iDb>1 ){
Btree *pBt = db->aDb[iDb].pBt;
if( 0==sqlite3BtreeIsInReadTrans(pBt) ){
- rc = sqlite3BtreeBeginTrans(pBt, 0);
+ rc = sqlite3BtreeBeginTrans(pBt, 0, 0);
if( rc==SQLITE_OK ){
rc = sqlite3PagerSnapshotRecover(sqlite3BtreePager(pBt));
sqlite3BtreeCommit(pBt);
--
1.8.3.1


@ -1,28 +0,0 @@
From 06a87a928ee3f272e1a25f15a8a55ad55da636f3 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Wed, 6 Jun 2018 23:31:26 +0000
Subject: [PATCH 0042/1009] Change a comma into a logically equivalent but
semantically clearer semicolon.
From https://github.com/mackyle/sqlite/commit/06a87a928ee3f272e1a25f15a8a55ad55da636f3
---
src/alter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/alter.c b/src/alter.c
index 51d4a40..f338e8b 100644
--- a/src/alter.c
+++ b/src/alter.c
@@ -142,7 +142,7 @@ static void renameParentFunc(
}
}
- zResult = sqlite3MPrintf(db, "%s%s", (zOutput?zOutput:""), zInput),
+ zResult = sqlite3MPrintf(db, "%s%s", (zOutput?zOutput:""), zInput);
sqlite3_result_text(context, zResult, -1, SQLITE_DYNAMIC);
sqlite3DbFree(db, zOutput);
}
--
1.8.3.1


@ -1,27 +0,0 @@
From 41e8f704c9afd4b9601ac3da2c5c1d6387346806 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Sat, 9 Jun 2018 20:52:45 +0000
Subject: [PATCH 0064/1009] Fix a typo in the amalgamation autoconf file.
From https://github.com/mackyle/sqlite/commit/41e8f704c9afd4b9601ac3da2c5c1d6387346806
---
autoconf/configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/autoconf/configure.ac b/autoconf/configure.ac
index 8ba2218..76579c0 100644
--- a/autoconf/configure.ac
+++ b/autoconf/configure.ac
@@ -153,7 +153,7 @@ AC_SUBST(SESSION_FLAGS)
#
AC_ARG_ENABLE(debug, [AS_HELP_STRING(
[--enable-debug], [build with debugging features enabled [default=no]])],
- [], [enable_session=no])
+ [], [enable_debug=no])
if test x"$enable_debug" = "xyes"; then
DEBUG_FLAGS="-DSQLITE_DEBUG -DSQLITE_ENABLE_SELECTTRACE -DSQLITE_ENABLE_WHERETRACE"
fi
--
1.8.3.1


@ -1,27 +0,0 @@
From c0506beeac8e92586d1dcdaa0aceeed366c8b62d Mon Sep 17 00:00:00 2001
From: Joe Mistachkin <sqlite@mistachkin.com>
Date: Mon, 18 Jun 2018 19:09:30 +0000
Subject: [PATCH 0096/1009] Fix typo in the 'normalize' extension.
From https://github.com/mackyle/sqlite/commit/c0506beeac8e92586d1dcdaa0aceeed366c8b62d
---
ext/misc/normalize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/misc/normalize.c b/ext/misc/normalize.c
index fd656f1..5997ec1 100644
--- a/ext/misc/normalize.c
+++ b/ext/misc/normalize.c
@@ -593,7 +593,7 @@ char *sqlite3_normalize(const char *zSql){
}
}
while( j>0 && z[j-1]==' ' ){ j--; }
- if( i>0 && z[j-1]!=';' ){ z[j++] = ';'; }
+ if( j>0 && z[j-1]!=';' ){ z[j++] = ';'; }
z[j] = 0;
/* Make a second pass converting "in(...)" where the "..." is not a
--
1.8.3.1


@ -1,67 +0,0 @@
From 9627c47a03bfa5aa59fa59b1ef37d8fa524fd9f2 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Sat, 30 Jun 2018 20:00:35 +0000
Subject: [PATCH 0121/1009] Fix a minor problem in the code for determining
whether or not an SQL statement is SQLITE_TOOBIG.
From https://github.com/mackyle/sqlite/commit/9627c47a03bfa5aa59fa59b1ef37d8fa524fd9f2
---
src/alter.c | 4 ++--
src/tokenize.c | 7 ++++++-
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/alter.c b/src/alter.c
index f338e8b..2d7a5d6 100644
--- a/src/alter.c
+++ b/src/alter.c
@@ -74,7 +74,7 @@ static void renameTableFunc(
zCsr += len;
len = sqlite3GetToken(zCsr, &token);
} while( token==TK_SPACE );
- assert( len>0 );
+ assert( len>0 || !*zCsr );
} while( token!=TK_LP && token!=TK_USING );
zRet = sqlite3MPrintf(db, "%.*s\"%w\"%s", (int)(((u8*)tname.z) - zSql),
@@ -198,7 +198,7 @@ static void renameTriggerFunc(
zCsr += len;
len = sqlite3GetToken(zCsr, &token);
}while( token==TK_SPACE );
- assert( len>0 );
+ assert( len>0 || !*zCsr );
/* Variable 'dist' stores the number of tokens read since the most
** recent TK_DOT or TK_ON. This means that when a WHEN, FOR or BEGIN
diff --git a/src/tokenize.c b/src/tokenize.c
index 15678ed..fc5989c 100644
--- a/src/tokenize.c
+++ b/src/tokenize.c
@@ -54,11 +54,12 @@
#define CC_TILDA 25 /* '~' */
#define CC_DOT 26 /* '.' */
#define CC_ILLEGAL 27 /* Illegal character */
+#define CC_NUL 28 /* 0x00 */
static const unsigned char aiClass[] = {
#ifdef SQLITE_ASCII
/* x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xa xb xc xd xe xf */
-/* 0x */ 27, 27, 27, 27, 27, 27, 27, 27, 27, 7, 7, 27, 7, 7, 27, 27,
+/* 0x */ 28, 27, 27, 27, 27, 27, 27, 27, 27, 7, 7, 27, 7, 7, 27, 27,
/* 1x */ 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,
/* 2x */ 7, 15, 8, 5, 4, 22, 24, 8, 17, 18, 21, 20, 23, 11, 26, 16,
/* 3x */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 19, 12, 14, 13, 6,
@@ -532,6 +533,10 @@ int sqlite3GetToken(const unsigned char *z, int *tokenType){
i = 1;
break;
}
+ case CC_NUL: {
+ *tokenType = TK_ILLEGAL;
+ return 0;
+ }
default: {
*tokenType = TK_ILLEGAL;
return 1;
--
1.8.3.1


@ -1,29 +0,0 @@
From 7173baee93fed1c0a20bb02350c22ab219e4654b Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Sun, 1 Jul 2018 16:05:40 +0000
Subject: [PATCH 0123/1009] Quick patch to the Lemon parser template to avoid
an array overread reported by OSSFuzz. A proper fix involves enhancements to
the table generators in Lemon to make the overread impossible. That fix will
take longer to implement. The current check-in is a stop-gap.
From https://github.com/mackyle/sqlite/commit/7173baee93fed1c0a20bb02350c22ab219e4654b
---
tool/lempar.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tool/lempar.c b/tool/lempar.c
index 450dcde..e19aba4 100644
--- a/tool/lempar.c
+++ b/tool/lempar.c
@@ -550,6 +550,7 @@ static YYACTIONTYPE yy_find_shift_action(
#if YY_SHIFT_MAX+YYWILDCARD>=YY_ACTTAB_COUNT
j<YY_ACTTAB_COUNT &&
#endif
+ j<sizeof(yy_lookahead)/sizeof(yy_lookahead[0]) &&
yy_lookahead[j]==YYWILDCARD && iLookAhead>0
){
#ifndef NDEBUG
--
1.8.3.1


@ -1,28 +0,0 @@
From 8a6d814cd2574e878ab45c8bbf209212bd705e47 Mon Sep 17 00:00:00 2001
From: Joe Mistachkin <sqlite@mistachkin.com>
Date: Sat, 8 Sep 2018 16:53:47 +0000
Subject: [PATCH 0352/1009] Fix typo in the Win32-specific code for the fileio
extension.
https://github.com/mackyle/sqlite/commit/8a6d814cd2574e878ab45c8bbf209212bd705e47
---
ext/misc/fileio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/misc/fileio.c b/ext/misc/fileio.c
index b734ca0..816a353 100644
--- a/ext/misc/fileio.c
+++ b/ext/misc/fileio.c
@@ -204,7 +204,7 @@ static void statTimesToUtc(
extern LPWSTR sqlite3_win32_utf8_to_unicode(const char*);
zUnicodeName = sqlite3_win32_utf8_to_unicode(zPath);
if( zUnicodeName ){
- memset(&fd, 0, sizeof(WIN32_FIND_DATA));
+ memset(&fd, 0, sizeof(WIN32_FIND_DATAW));
hFindFile = FindFirstFileW(zUnicodeName, &fd);
if( hFindFile!=NULL ){
pStatBuf->st_ctime = (time_t)fileTimeToUnixTime(&fd.ftCreationTime);
--
1.8.3.1


@ -1,55 +0,0 @@
From 8bc9e8b38de805a0c02db12c6afe796a47b22747 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Tue, 11 Sep 2018 13:38:35 +0000
Subject: [PATCH 0363/1009] Fix a problem causing ENABLE_CURSOR_HINTS builds to
segfault.
https://github.com/mackyle/sqlite/commit/8bc9e8b38de805a0c02db12c6afe796a47b22747
---
src/wherecode.c | 4 +---
test/cursorhint2.test | 15 +++++++++++++++
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/wherecode.c b/src/wherecode.c
index 8251923..07de2c6 100644
--- a/src/wherecode.c
+++ b/src/wherecode.c
@@ -886,9 +886,7 @@ static int codeCursorHintFixExpr(Walker *pWalker, Expr *pExpr){
if( pExpr->iTable!=pHint->iTabCur ){
Vdbe *v = pWalker->pParse->pVdbe;
int reg = ++pWalker->pParse->nMem; /* Register for column value */
- sqlite3ExprCodeGetColumnOfTable(
- v, pExpr->pTab, pExpr->iTable, pExpr->iColumn, reg
- );
+ sqlite3ExprCode(pWalker->pParse, pExpr, reg);
pExpr->op = TK_REGISTER;
pExpr->iTable = reg;
}else if( pHint->pIdx!=0 ){
diff --git a/test/cursorhint2.test b/test/cursorhint2.test
index 0175568..a78d151 100644
--- a/test/cursorhint2.test
+++ b/test/cursorhint2.test
@@ -186,4 +186,19 @@ do_extract_hints_test 2.12 {
x2 {EQ(c0,r[2])}
}
+reset_db
+do_execsql_test 3.0 {
+ CREATE TABLE t1 (i1 TEXT);
+ CREATE TABLE t2 (i2 TEXT UNIQUE);
+ INSERT INTO t1 VALUES('0');
+ INSERT INTO t2 VALUES('0');
+}
+
+do_extract_hints_test 3.1 {
+ SELECT * FROM t1 CROSS JOIN t2 WHERE (t1.i1 = t2.i2) AND t2.i2 = 1;
+} {
+ t1 {EQ(c0,r[1])} t2 EQ(c0,1)
+}
+
+
finish_test
--
1.8.3.1


@ -1,33 +0,0 @@
From 2b256aaaae3c32e69a5a4c24d7bb22bbc7232f88 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Mon, 1 Oct 2018 13:54:30 +0000
Subject: [PATCH 0435/1009] Fix a potential crash that can occur while reading
an index from a corrupt database file. The corruption is a
record-header-size that is larger than 0x7fffffff. Problem detected by
OSSFuzz against GDAL and reported to us (with a suggested fix) by Even
Rouault. The test case is in TH3.
https://github.com/mackyle/sqlite/commit/2b256aaaae3c32e69a5a4c24d7bb22bbc7232f88
---
src/vdbeaux.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index 5ec3d13..99df435 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -4557,7 +4557,9 @@ int sqlite3VdbeIdxRowid(sqlite3 *db, BtCursor *pCur, i64 *rowid){
(void)getVarint32((u8*)m.z, szHdr);
testcase( szHdr==3 );
testcase( szHdr==m.n );
- if( unlikely(szHdr<3 || (int)szHdr>m.n) ){
+ testcase( szHdr>0x7fffffff );
+ assert( m.n>=0 );
+ if( unlikely(szHdr<3 || szHdr>(unsigned)m.n) ){
goto idx_rowid_corruption;
}
--
1.8.3.1


@ -1,34 +0,0 @@
From c0ead185cc44359ecb406e9f7e21b964393f96d8 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Thu, 11 Oct 2018 10:37:24 +0000
Subject: [PATCH 0453/1009] In the CLI, fix a file descriptor leak following
OOM and a missing va_end() call.
---
src/shell.c.in | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/shell.c.in b/src/shell.c.in
index a5ab143..c1db72c 100644
--- a/src/shell.c.in
+++ b/src/shell.c.in
@@ -3592,7 +3592,7 @@ static char *readFile(const char *zName, int *pnByte){
nIn = ftell(in);
rewind(in);
pBuf = sqlite3_malloc64( nIn+1 );
- if( pBuf==0 ) return 0;
+ if( pBuf==0 ){ fclose(in); return 0; }
nRead = fread(pBuf, nIn, 1, in);
fclose(in);
if( nRead!=1 ){
@@ -4976,6 +4976,7 @@ static void shellPreparePrintf(
char *z;
va_start(ap, zFmt);
z = sqlite3_vmprintf(zFmt, ap);
+ va_end(ap);
if( z==0 ){
*pRc = SQLITE_NOMEM;
}else{
--
1.8.3.1


@ -1,35 +0,0 @@
From 8dba5edb332d9bdf8b856c26404c8043bdfd4192 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Thu, 18 Oct 2018 15:17:18 +0000
Subject: [PATCH 0460/1009] Take steps to avoid a potential integer overflow in
sessionBufferGrow().
https://github.com/mackyle/sqlite/commit/8dba5edb332d9bdf8b856c26404c8043bdfd4192
---
ext/session/sqlite3session.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
index 20810ee..a1ca9a7 100644
--- a/ext/session/sqlite3session.c
+++ b/ext/session/sqlite3session.c
@@ -1794,12 +1794,12 @@ int sqlite3session_attach(
static int sessionBufferGrow(SessionBuffer *p, int nByte, int *pRc){
if( *pRc==SQLITE_OK && p->nAlloc-p->nBuf<nByte ){
u8 *aNew;
- int nNew = p->nAlloc ? p->nAlloc : 128;
+ i64 nNew = p->nAlloc ? p->nAlloc : 128;
do {
nNew = nNew*2;
- }while( nNew<(p->nBuf+nByte) );
+ }while( (nNew-p->nBuf)<nByte );
- aNew = (u8 *)sqlite3_realloc(p->aBuf, nNew);
+ aNew = (u8 *)sqlite3_realloc64(p->aBuf, nNew);
if( 0==aNew ){
*pRc = SQLITE_NOMEM;
}else{
--
1.8.3.1


@ -1,40 +0,0 @@
From 259c8907624a568bd0faa10687f659c9321f9a05 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Mon, 29 Oct 2018 18:33:42 +0000
Subject: [PATCH 0473/1009] Fix minor memory leak in the dbstat extension that
can occur following an attempt to analyze a corrupt database file.
From https://github.com/mackyle/sqlite/commit/259c8907624a568bd0faa10687f659c9321f9a05
---
src/dbstat.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/dbstat.c b/src/dbstat.c
index 432cfae..b746fa0 100644
--- a/src/dbstat.c
+++ b/src/dbstat.c
@@ -254,7 +254,7 @@ static int statOpen(sqlite3_vtab *pVTab, sqlite3_vtab_cursor **ppCursor){
return SQLITE_OK;
}
-static void statClearPage(StatPage *p){
+static void statClearCells(StatPage *p){
int i;
if( p->aCell ){
for(i=0; i<p->nCell; i++){
@@ -262,6 +262,11 @@ static void statClearPage(StatPage *p){
}
sqlite3_free(p->aCell);
}
+ p->nCell = 0;
+ p->aCell = 0;
+}
+static void statClearPage(StatPage *p){
+ statClearCells(p);
sqlite3PagerUnref(p->pPg);
sqlite3_free(p->zPath);
memset(p, 0, sizeof(StatPage));
--
1.8.3.1


@ -1,85 +0,0 @@
From 54e058c2c503364cd316bf9c73e253dffa5285a4 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Tue, 27 Nov 2018 19:47:55 +0000
Subject: [PATCH 0548/1009] Fix a failing assert() in
sqlite3ResetAllSchemasOfConnection().
https://github.com/mackyle/sqlite/commit/54e058c2c503364cd316bf9c73e253dffa5285a4
---
src/build.c | 11 ++++++++---
test/vtab_err.test | 23 ++++++++++++++++++++++-
2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/src/build.c b/src/build.c
index fca5a92..bed8295 100644
--- a/src/build.c
+++ b/src/build.c
@@ -544,17 +544,22 @@ void sqlite3ResetOneSchema(sqlite3 *db, int iDb){
void sqlite3ResetAllSchemasOfConnection(sqlite3 *db){
int i;
sqlite3BtreeEnterAll(db);
- assert( db->nSchemaLock==0 );
for(i=0; i<db->nDb; i++){
Db *pDb = &db->aDb[i];
if( pDb->pSchema ){
- sqlite3SchemaClear(pDb->pSchema);
+ if( db->nSchemaLock==0 ){
+ sqlite3SchemaClear(pDb->pSchema);
+ }else{
+ DbSetProperty(db, i, DB_ResetWanted);
+ }
}
}
db->mDbFlags &= ~(DBFLAG_SchemaChange|DBFLAG_SchemaKnownOk);
sqlite3VtabUnlockList(db);
sqlite3BtreeLeaveAll(db);
- sqlite3CollapseDatabaseArray(db);
+ if( db->nSchemaLock==0 ){
+ sqlite3CollapseDatabaseArray(db);
+ }
}
/*
diff --git a/test/vtab_err.test b/test/vtab_err.test
index cb40acd..cfc5fc3 100644
--- a/test/vtab_err.test
+++ b/test/vtab_err.test
@@ -20,7 +20,6 @@ ifcapable !vtab {
}
-
unset -nocomplain echo_module_begin_fail
do_ioerr_test vtab_err-1 -tclprep {
register_echo_module [sqlite3_connection_pointer db]
@@ -63,4 +62,26 @@ do_malloc_test vtab_err-2 -tclprep {
sqlite3_memdebug_fail -1
+reset_db
+register_echo_module [sqlite3_connection_pointer db]
+do_execsql_test vtab_err-3.0 {
+ CREATE TABLE r(a PRIMARY KEY, b, c);
+ CREATE VIRTUAL TABLE e USING echo(r);
+}
+faultsim_save_and_close
+
+do_faultsim_test vtab_err-3 -faults oom-t* -prep {
+ faultsim_restore_and_reopen
+ register_echo_module [sqlite3_connection_pointer db]
+} -body {
+ execsql {
+ BEGIN;
+ CREATE TABLE xyz(x);
+ SELECT a FROM e;
+ COMMIT;
+ }
+} -test {
+ faultsim_test_result {0 {}}
+}
+
finish_test
--
1.8.3.1


@ -1,32 +0,0 @@
From f75ff65c0027041b95647acdb86abf0dc1158f55 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Mon, 3 Dec 2018 01:47:41 +0000
Subject: [PATCH 0562/1009] Fix a parser bug in the use of parentheses around
table-valued functions.
https://github.com/mackyle/sqlite/commit/f75ff65c0027041b95647acdb86abf0dc1158f55
---
src/parse.y | 6 ++++++
1 files changed, 6 insertions(+), 0 deletion(-)
diff --git a/src/parse.y b/src/parse.y
index b150c73..3bb28ab 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -664,6 +664,12 @@ seltablist(A) ::= stl_prefix(A) nm(Y) dbnm(D) LP exprlist(E) RP as(Z)
pNew->zName = pOld->zName;
pNew->zDatabase = pOld->zDatabase;
pNew->pSelect = pOld->pSelect;
+ if( pOld->fg.isTabFunc ){
+ pNew->u1.pFuncArg = pOld->u1.pFuncArg;
+ pOld->u1.pFuncArg = 0;
+ pOld->fg.isTabFunc = 0;
+ pNew->fg.isTabFunc = 1;
+ }
pOld->zName = pOld->zDatabase = 0;
pOld->pSelect = 0;
}
--
1.8.3.1


@ -1,41 +0,0 @@
From 3bb789ba44d04e5c7d02abdfce6ff2e51f566db2 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Fri, 14 Dec 2018 17:57:01 +0000
Subject: [PATCH 0626/1009] Fix possible integer overflow while running PRAGMA
integrity_check on a database file with a badly corrupted freelist.
https://github.com/mackyle/sqlite/commit/3bb789ba44d04e5c7d02abdfce6ff2e51f566db2
---
src/btree.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/btree.c b/src/btree.c
index 8b3375e..24a274c 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -9414,18 +9414,18 @@ static void checkList(
}
pOvflData = (unsigned char *)sqlite3PagerGetData(pOvflPage);
if( isFreeList ){
- int n = get4byte(&pOvflData[4]);
+ u32 n = (u32)get4byte(&pOvflData[4]);
#ifndef SQLITE_OMIT_AUTOVACUUM
if( pCheck->pBt->autoVacuum ){
checkPtrmap(pCheck, iPage, PTRMAP_FREEPAGE, 0);
}
#endif
- if( n>(int)pCheck->pBt->usableSize/4-2 ){
+ if( n>pCheck->pBt->usableSize/4-2 ){
checkAppendMsg(pCheck,
"freelist leaf count too big on page %d", iPage);
N--;
}else{
- for(i=0; i<n; i++){
+ for(i=0; i<(int)n; i++){
Pgno iFreePage = get4byte(&pOvflData[8+i*4]);
#ifndef SQLITE_OMIT_AUTOVACUUM
if( pCheck->pBt->autoVacuum ){
--
1.8.3.1


@ -1,54 +0,0 @@
From af72ceaf22e73fd78e32ef439c1869292b94aaa1 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Thu, 20 Dec 2018 15:04:38 +0000
Subject: [PATCH 0631/1009] Fix a segfault caused by using the RAISE function
incorrectly (library now returns an error instead of crashing).
https://github.com/mackyle/sqlite/commit/af72ceaf22e73fd78e32ef439c1869292b94aaa1
---
src/expr.c | 2 +-
test/triggerC.test | 16 ++++++++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/expr.c b/src/expr.c
index 5d36502..b1a06bd 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -4745,7 +4745,7 @@ int sqlite3ExprCompare(Parse *pParse, Expr *pA, Expr *pB, int iTab){
}
return 2;
}
- if( pA->op!=pB->op ){
+ if( pA->op!=pB->op || pA->op==TK_RAISE ){
if( pA->op==TK_COLLATE && sqlite3ExprCompare(pParse, pA->pLeft,pB,iTab)<2 ){
return 1;
}
diff --git a/test/triggerC.test b/test/triggerC.test
index 3e47521..49d4eca 100644
--- a/test/triggerC.test
+++ b/test/triggerC.test
@@ -1042,4 +1042,20 @@ do_execsql_test 15.2.1 {
do_execsql_test 15.2.2 { SELECT * FROM x2; } {1 2 3 4}
do_execsql_test 15.2.3 { SELECT * FROM """x2"""; } {3 11 x y}
+#-------------------------------------------------------------------------
+# At one point queries such as the following were causing segfaults.
+#
+do_catchsql_test 16.1 {
+ SELECT raise(ABORT, 'msg') FROM sqlite_master
+ UNION SELECT 1
+ ORDER BY raise(IGNORE);
+} {1 {1st ORDER BY term does not match any column in the result set}}
+
+do_catchsql_test 16.2 {
+ SELECT count(*) FROM sqlite_master
+ GROUP BY raise(IGNORE)
+ HAVING raise(ABORT, 'msg');
+} {1 {RAISE() may only be used within a trigger-program}}
+
finish_test
+
--
1.8.3.1


@ -1,34 +0,0 @@
From 16f6aeb0a017f8406ca9de7224f8c8fe6d5ee30e Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Thu, 27 Dec 2018 20:12:02 +0000
Subject: [PATCH 0684/1009] Fix another problem with corrupt database handling
in fts5.
https://github.com/mackyle/sqlite/commit/16f6aeb0a017f8406ca9de7224f8c8fe6d5ee30e
---
ext/fts5/fts5_index.c | 3 +-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index acf2db2..c5fe01b 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -1649,12 +1649,13 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){
int nNew; /* Bytes of new data */
iOff += fts5GetVarint32(&a[iOff], nNew);
- if( iOff+nNew>pIter->pLeaf->nn ){
+ if( iOff+nNew>pIter->pLeaf->nn || nKeep>pIter->term.n ){
p->rc = FTS5_CORRUPT;
return;
}
pIter->term.n = nKeep;
fts5BufferAppendBlob(&p->rc, &pIter->term, nNew, &a[iOff]);
+ assert( pIter->term.n<=pIter->term.nSpace );
iOff += nNew;
pIter->iTermLeafOffset = iOff;
pIter->iTermLeafPgno = pIter->iLeafPgno;
--
1.8.3.1


@ -1,43 +0,0 @@
From 1d41f8f6d718cd93b0bd55e72f0a919b1c6e1388 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Fri, 28 Dec 2018 13:57:30 +0000
Subject: [PATCH 0686/1009] Fix a buffer overwrite in fts5 triggered by a
corrupt database.
https://github.com/mackyle/sqlite/commit/1d41f8f6d718cd93b0bd55e72f0a919b1c6e1388
---
ext/fts5/fts5_index.c | 5 +-
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 6bd18c5..3361b19 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -3902,6 +3902,7 @@ static void fts5WriteAppendTerm(
int nPrefix; /* Bytes of prefix compression for term */
Fts5PageWriter *pPage = &pWriter->writer;
Fts5Buffer *pPgidx = &pWriter->writer.pgidx;
+ int nMin = MIN(pPage->term.n, nTerm);
assert( p->rc==SQLITE_OK );
assert( pPage->buf.n>=4 );
@@ -3943,13 +3944,13 @@ static void fts5WriteAppendTerm(
** inefficient, but still correct. */
int n = nTerm;
if( pPage->term.n ){
- n = 1 + fts5PrefixCompress(pPage->term.n, pPage->term.p, pTerm);
+ n = 1 + fts5PrefixCompress(nMin, pPage->term.p, pTerm);
}
fts5WriteBtreeTerm(p, pWriter, n, pTerm);
pPage = &pWriter->writer;
}
}else{
- nPrefix = fts5PrefixCompress(pPage->term.n, pPage->term.p, pTerm);
+ nPrefix = fts5PrefixCompress(nMin, pPage->term.p, pTerm);
fts5BufferAppendVarint(&p->rc, &pPage->buf, nPrefix);
}
--
1.8.3.1


@ -1,40 +0,0 @@
From 3af43610d9406dfc859f7aca5a3c6441c852911b Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Tue, 1 Jan 2019 13:59:34 +0000
Subject: [PATCH 0698/1009] Fix another case in fts5 where a corrupt database
could cause a buffer overread.
https://github.com/mackyle/sqlite/commit/3af43610d9406dfc859f7aca5a3c6441c852911b
---
ext/fts5/fts5_index.c | 6 +-
1 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index f786e8d..6ce9844 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -2311,6 +2311,7 @@ static void fts5LeafSeek(
iPgidx += fts5GetVarint32(&pIter->pLeaf->p[iPgidx], iOff);
if( iOff<4 || iOff>=pIter->pLeaf->szLeaf ){
p->rc = FTS5_CORRUPT;
+ return;
}else{
nKeep = 0;
iTermOff = iOff;
@@ -2323,8 +2324,11 @@ static void fts5LeafSeek(
}
search_success:
-
pIter->iLeafOffset = iOff + nNew;
+ if( pIter->iLeafOffset>n ){
+ p->rc = FTS5_CORRUPT;
+ return;
+ }
pIter->iTermLeafOffset = pIter->iLeafOffset;
pIter->iTermLeafPgno = pIter->iLeafPgno;
--
1.8.3.1


@ -1,28 +0,0 @@
From 3ad151ae6c0d1c8158c2df9fd11fab0cd0075d6f Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Mon, 7 Jan 2019 16:52:00 +0000
Subject: [PATCH 0721/1009] Fix another potential buffer overread in fts5.
https://github.com/mackyle/sqlite/commit/3ad151ae6c0d1c8158c2df9fd11fab0cd0075d6f
---
ext/fts5/fts5_hash.c | 3 +-
1 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ext/fts5/fts5_hash.c b/ext/fts5/fts5_hash.c
index 1757061..7e404a8 100644
--- a/ext/fts5/fts5_hash.c
+++ b/ext/fts5/fts5_hash.c
@@ -483,7 +483,8 @@ int sqlite3Fts5HashQuery(
for(p=pHash->aSlot[iHash]; p; p=p->pHashNext){
zKey = fts5EntryKey(p);
- if( memcmp(zKey, pTerm, nTerm)==0 && zKey[nTerm]==0 ) break;
+ assert( p->nKey+1==(int)strlen(zKey) );
+ if( nTerm==p->nKey+1 && memcmp(zKey, pTerm, nTerm)==0 ) break;
}
if( p ){
--
1.8.3.1


@ -1,35 +0,0 @@
From dc9d6ce103251a827eacde12399418b8dd55ca47 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Tue, 8 Jan 2019 14:28:02 +0000
Subject: [PATCH 0723/1009] Fix a possible memory leak when trying to UPDATE a
corrupt RTREE index.
https://github.com/mackyle/sqlite/commit/dc9d6ce103251a827eacde12399418b8dd55ca47
---
ext/rtree/rtree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c
index ea44ffe..83d1b82 100644
--- a/ext/rtree/rtree.c
+++ b/ext/rtree/rtree.c
@@ -717,7 +717,6 @@ static int nodeAcquire(
pNode->pNext = 0;
rc = sqlite3_blob_read(pRtree->pNodeBlob, pNode->zData,
pRtree->iNodeSize, 0);
- nodeReference(pParent);
}
}
@@ -748,6 +747,7 @@ static int nodeAcquire(
if( rc==SQLITE_OK ){
if( pNode!=0 ){
+ nodeReference(pParent);
nodeHashInsert(pRtree, pNode);
}else{
rc = SQLITE_CORRUPT_VTAB;
--
1.8.3.1


@ -1,39 +0,0 @@
From 525fdb146b15ef6c42886fccf1b892388c2011d6 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Wed, 9 Jan 2019 21:12:23 +0000
Subject: [PATCH 0730/1009] Fix an out-of-bounds read in SQL function
fts5_decode() that could occur if it was passed a corrupt record.
https://github.com/mackyle/sqlite/commit/525fdb146b15ef6c42886fccf1b892388c2011d6
---
ext/fts5/fts5_index.c | 6 +-
1 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 268af5e..90dc0a5 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -6409,7 +6409,7 @@ static void fts5DecodeFunction(
nDoclist = (iTermOff ? iTermOff : szLeaf) - iOff;
fts5DecodeDoclist(&rc, &s, &a[iOff], nDoclist);
- while( iPgidxOff<n ){
+ while( iPgidxOff<n && rc==SQLITE_OK ){
int bFirst = (iPgidxOff==szLeaf); /* True for first term on page */
int nByte; /* Bytes of data */
int iEnd;
@@ -6427,6 +6427,10 @@ static void fts5DecodeFunction(
if( bFirst==0 ){
iOff += fts5GetVarint32(&a[iOff], nByte);
+ if( nByte>term.n ){
+ rc = FTS5_CORRUPT;
+ goto decode_out;
+ }
term.n = nByte;
}
iOff += fts5GetVarint32(&a[iOff], nByte);
--
1.8.3.1


@ -1,28 +0,0 @@
From 2fbabe31a19e10c68357884846454753ee2b4cc3 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Fri, 11 Jan 2019 21:34:25 +0000
Subject: [PATCH 0748/1009] Fix a segfault in fts3 prompted by a corrupted
database.
https://github.com/mackyle/sqlite/commit/2fbabe31a19e10c68357884846454753ee2b4cc3
---
ext/fts3/fts3.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
index e168fae..5266749 100644
--- a/ext/fts3/fts3.c
+++ b/ext/fts3/fts3.c
@@ -2899,7 +2899,7 @@ static int fts3SegReaderCursor(
/* If zTerm is not NULL, and this segment is not stored entirely on its
** root node, the range of leaves scanned can be reduced. Do this. */
- if( iStartBlock && zTerm ){
+ if( iStartBlock && zTerm && zRoot ){
sqlite3_int64 *pi = (isPrefix ? &iLeavesEndBlock : 0);
rc = fts3SelectLeaf(p, zTerm, nTerm, zRoot, nRoot, &iStartBlock, pi);
if( rc!=SQLITE_OK ) goto finished;
--
1.8.3.1


@ -1,31 +0,0 @@
From 95a3db8dcf8622a8db12059abe1befca418d9440 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Sat, 12 Jan 2019 21:30:26 +0000
Subject: [PATCH 0756/1009] Prevent unsigned 32-bit integer overflow from
leading to a buffer overread inside of an assert(). The problem fixed here
is no reachable in production code.
https://github.com/mackyle/sqlite/commit/95a3db8dcf8622a8db12059abe1befca418d9440
---
src/vdbeaux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index 1125cfd..1af8a6f 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -3883,8 +3883,8 @@ static int vdbeRecordCompareDebug(
** Use that approximation to avoid the more expensive call to
** sqlite3VdbeSerialTypeLen() in the common case.
*/
- if( d1+serial_type1+2>(u32)nKey1
- && d1+sqlite3VdbeSerialTypeLen(serial_type1)>(u32)nKey1
+ if( d1+(u64)serial_type1+2>(u64)nKey1
+ && d1+(u64)sqlite3VdbeSerialTypeLen(serial_type1)>(u64)nKey1
){
break;
}
--
1.8.3.1


@ -1,39 +0,0 @@
From 5b01e4f591862a943728f1abe1cf44ac0844dbf1 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Mon, 14 Jan 2019 15:35:15 +0000
Subject: [PATCH 0765/1009] Fix a problem causing a crash if an fts5vocab table
was created to query an fts3/4 FTS index.
https://github.com/mackyle/sqlite/commit/5b01e4f591862a943728f1abe1cf44ac0844dbf1
---
ext/fts5/fts5_main.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/ext/fts5/fts5_main.c b/ext/fts5/fts5_main.c
index 6fc5a90..07934eb 100644
--- a/ext/fts5/fts5_main.c
+++ b/ext/fts5/fts5_main.c
@@ -2244,13 +2244,13 @@ Fts5Index *sqlite3Fts5IndexFromCsrid(
Fts5Config **ppConfig /* OUT: Configuration object */
){
Fts5Cursor *pCsr;
- Fts5Table *pTab;
-
pCsr = fts5CursorFromCsrid(pGlobal, iCsrId);
- pTab = (Fts5Table*)pCsr->base.pVtab;
- *ppConfig = pTab->pConfig;
-
- return pTab->pIndex;
+ if( pCsr ){
+ Fts5Table *pTab = (Fts5Table*)pCsr->base.pVtab;
+ *ppConfig = pTab->pConfig;
+ return pTab->pIndex;
+ }
+ return 0;
}
/*
--
1.8.3.1


@ -1,27 +0,0 @@
From 5dfe84921758b84e698b4f3429e56f3f292f8de5 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Tue, 15 Jan 2019 14:44:23 +0000
Subject: [PATCH 0770/1009] Fix a harmless memory leak in the Lemon parser
generator utility program.
https://github.com/mackyle/sqlite/commit/5dfe84921758b84e698b4f3429e56f3f292f8de5
---
tool/lemon.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tool/lemon.c b/tool/lemon.c
index 7f0e557..7ef99fd 100644
--- a/tool/lemon.c
+++ b/tool/lemon.c
@@ -4674,6 +4674,7 @@ void ReportTable(
/* Append any addition code the user desires */
tplt_print(out,lemp,lemp->extracode,&lineno);
+ acttab_free(pActtab);
fclose(in);
fclose(out);
return;
--
1.8.3.1


@ -1,48 +0,0 @@
From 88ea6ea1ee2b7c93120857c65c882144c9f4ce71 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Tue, 15 Jan 2019 18:14:27 +0000
Subject: [PATCH 0773/1009] Handle SQL NULL values without crashing in the fts5
snippet() and highlight() functions.
https://github.com/mackyle/sqlite/commit/88ea6ea1ee2b7c93120857c65c882144c9f4ce71
---
ext/fts5/fts5_aux.c | 2 +-
ext/fts5/test/fts5ak.test | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/ext/fts5/fts5_aux.c b/ext/fts5/fts5_aux.c
index f884ddb..7d4f3e6 100644
--- a/ext/fts5/fts5_aux.c
+++ b/ext/fts5/fts5_aux.c
@@ -136,7 +136,7 @@ static void fts5HighlightAppend(
HighlightContext *p,
const char *z, int n
){
- if( *pRc==SQLITE_OK ){
+ if( *pRc==SQLITE_OK && z ){
if( n<0 ) n = (int)strlen(z);
p->zOut = sqlite3_mprintf("%z%.*s", p->zOut, n, z);
if( p->zOut==0 ) *pRc = SQLITE_NOMEM;
diff --git a/ext/fts5/test/fts5ak.test b/ext/fts5/test/fts5ak.test
index cab0ae2..0a3cd6a78 100644
--- a/ext/fts5/test/fts5ak.test
+++ b/ext/fts5/test/fts5ak.test
@@ -144,6 +144,14 @@ do_execsql_test 3.1 {
{[a b c d e]}
}
+do_execsql_test 3.2 {
+ SELECT highlight(ft, 0, NULL, NULL) FROM ft WHERE ft MATCH 'a+b+c AND c+d+e';
+} {
+ {a b c x c d e}
+ {a b c c d e}
+ {a b c d e}
+}
+
}
finish_test
--
1.8.3.1


@ -1,27 +0,0 @@
From 5dc52d357ad41bcbd945f360df2d49a7701f8776 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Wed, 16 Jan 2019 11:38:06 +0000
Subject: [PATCH 0775/1009] Fix a memory leak that could occur in fts3 when
handling a corrupt database.
https://github.com/mackyle/sqlite/commit/5dc52d357ad41bcbd945f360df2d49a7701f8776
---
ext/fts3/fts3_write.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
index 0baf82b..096eafc 100644
--- a/ext/fts3/fts3_write.c
+++ b/ext/fts3/fts3_write.c
@@ -1606,6 +1606,7 @@ int sqlite3Fts3SegReaderNew(
assert( iStartLeaf<=iEndLeaf );
if( iStartLeaf==0 ){
+ if( iEndLeaf!=0 ) return FTS_CORRUPT_VTAB;
nExtra = nRoot + FTS3_NODE_PADDING;
}
--
1.8.3.1


@ -1,47 +0,0 @@
From 1634068a27a93898908802f514ae41c1a3aa3bf9 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Thu, 17 Jan 2019 19:11:10 +0000
Subject: [PATCH 0787/1009] Fix a buffer overwrite that could occur when
running an fts5 prefix query against a corrupt database.
https://github.com/mackyle/sqlite/commit/1634068a27a93898908802f514ae41c1a3aa3bf9
---
ext/fts5/fts5_index.c | 11 +-
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 426cf61..259ae35 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -4959,6 +4959,8 @@ static void fts5MergePrefixLists(
int iOff2 = 0;
u8 *a1 = &i1.aPoslist[i1.nSize];
u8 *a2 = &i2.aPoslist[i2.nSize];
+ int nCopy;
+ u8 *aCopy;
i64 iPrev = 0;
Fts5PoslistWriter writer;
@@ -5002,11 +5004,16 @@ static void fts5MergePrefixLists(
if( iPos1!=iPrev ){
sqlite3Fts5PoslistSafeAppend(&tmp, &iPrev, iPos1);
}
- fts5BufferSafeAppendBlob(&tmp, &a1[iOff1], i1.nPoslist-iOff1);
+ aCopy = &a1[iOff1];
+ nCopy = i1.nPoslist - iOff1;
}else{
assert( iPos2>=0 && iPos2!=iPrev );
sqlite3Fts5PoslistSafeAppend(&tmp, &iPrev, iPos2);
- fts5BufferSafeAppendBlob(&tmp, &a2[iOff2], i2.nPoslist-iOff2);
+ aCopy = &a2[iOff2];
+ nCopy = i2.nPoslist - iOff2;
+ }
+ if( nCopy>0 ){
+ fts5BufferSafeAppendBlob(&tmp, aCopy, nCopy);
}
/* WRITEPOSLISTSIZE */
--
1.8.3.1


@ -1,27 +0,0 @@
From 80b709ea4c758f5f8fcb125082a17ceb5b9f5c76 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Thu, 17 Jan 2019 20:06:56 +0000
Subject: [PATCH 0789/1009] Fix another corruption related crash in fts5.
https://github.com/mackyle/sqlite/commit/80b709ea4c758f5f8fcb125082a17ceb5b9f5c76
---
ext/fts5/fts5_index.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 259ae35..66ab9be 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -1652,7 +1652,7 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){
int nNew; /* Bytes of new data */
iOff += fts5GetVarint32(&a[iOff], nNew);
- if( iOff+nNew>pIter->pLeaf->nn || nKeep>pIter->term.n ){
+ if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n ){
p->rc = FTS5_CORRUPT;
return;
}
--
1.8.3.1


@ -1,36 +0,0 @@
From a47d7130bcbf6dbf2c3d0cb33555a68e288cc407 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Fri, 18 Jan 2019 18:52:17 +0000
Subject: [PATCH 0794/1009] Avoid integer overflow when computing the array of
a bounding box with the rtree_i32 virtual table.
https://github.com/mackyle/sqlite/commit/a47d7130bcbf6dbf2c3d0cb33555a68e288cc407
---
ext/rtree/rtree.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c
index c998d95..73d0661 100644
--- a/ext/rtree/rtree.c
+++ b/ext/rtree/rtree.c
@@ -1999,11 +1999,11 @@ static RtreeDValue cellArea(Rtree *pRtree, RtreeCell *p){
#endif
{
switch( pRtree->nDim ){
- case 5: area = p->aCoord[9].i - p->aCoord[8].i;
- case 4: area *= p->aCoord[7].i - p->aCoord[6].i;
- case 3: area *= p->aCoord[5].i - p->aCoord[4].i;
- case 2: area *= p->aCoord[3].i - p->aCoord[2].i;
- default: area *= p->aCoord[1].i - p->aCoord[0].i;
+ case 5: area = (i64)p->aCoord[9].i - (i64)p->aCoord[8].i;
+ case 4: area *= (i64)p->aCoord[7].i - (i64)p->aCoord[6].i;
+ case 3: area *= (i64)p->aCoord[5].i - (i64)p->aCoord[4].i;
+ case 2: area *= (i64)p->aCoord[3].i - (i64)p->aCoord[2].i;
+ default: area *= (i64)p->aCoord[1].i - (i64)p->aCoord[0].i;
}
}
return area;
--
1.8.3.1


@ -1,31 +0,0 @@
From 7c66bd37c346c0bbf92502edec140b488e4af6e2 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Tue, 22 Jan 2019 12:21:28 +0000
Subject: [PATCH 0813/1009] Fix another segfault caused by a corrupt fts3
database.
https://github.com/mackyle/sqlite/commit/7c66bd37c346c0bbf92502edec140b488e4af6e2
---
ext/fts3/fts3_write.c | 5 ++
1 files changed, 5 insertions(+), 0 deletion(-)
diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
index df3c07e..3e195c3 100644
--- a/ext/fts3/fts3_write.c
+++ b/ext/fts3/fts3_write.c
@@ -2255,6 +2255,11 @@ static int fts3SegWriterAdd(
nPrefix = fts3PrefixCompress(pWriter->zTerm, pWriter->nTerm, zTerm, nTerm);
nSuffix = nTerm-nPrefix;
+ /* If nSuffix is zero or less, then zTerm/nTerm must be a prefix of
+ ** pWriter->zTerm/pWriter->nTerm. i.e. must be equal to or less than when
+ ** compared with BINARY collation. This indicates corruption. */
+ if( nSuffix<=0 ) return FTS_CORRUPT_VTAB;
+
/* Figure out how many bytes are required by this new entry */
nReq = sqlite3Fts3VarintLen(nPrefix) + /* varint containing prefix size */
sqlite3Fts3VarintLen(nSuffix) + /* varint containing suffix size */
--
1.8.3.1


@ -1,87 +0,0 @@
From ec2409b34e42389034ecf6ae616a85de97c0fd8c Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Tue, 22 Jan 2019 21:17:40 +0000
Subject: [PATCH 0820/1009] Fix a buffer overrun that could occur in fts5 if a
prefix query is made on a corrupt database.
https://github.com/mackyle/sqlite/commit/ec2409b34e42389034ecf6ae616a85de97c0fd8c
---
ext/fts5/fts5.h | 8 +-
ext/fts5/fts5Int.h | 2 +-
ext/fts5/fts5_index.c | 2 +-
ext/fts5/fts5_main.c | 5 +
ext/fts5/test/fts5corrupt3.test | 217 ++++++++++++++++++++++++++++++++++++++++
5 files changed, 226 insertions(+), 8 deletions(-)
diff --git a/ext/fts5/fts5.h b/ext/fts5/fts5.h
index 8273785..f0b7d55 100644
--- a/ext/fts5/fts5.h
+++ b/ext/fts5/fts5.h
@@ -120,12 +120,8 @@ struct Fts5PhraseIter {
**
** Usually, output parameter *piPhrase is set to the phrase number, *piCol
** to the column in which it occurs and *piOff the token offset of the
-** first token of the phrase. The exception is if the table was created
-** with the offsets=0 option specified. In this case *piOff is always
-** set to -1.
-**
-** Returns SQLITE_OK if successful, or an error code (i.e. SQLITE_NOMEM)
-** if an error occurs.
+** first token of the phrase. Returns SQLITE_OK if successful, or an error
+** code (i.e. SQLITE_NOMEM) if an error occurs.
**
** This API can be quite slow if used with an FTS5 table created with the
** "detail=none" or "detail=column" option.
diff --git a/ext/fts5/fts5Int.h b/ext/fts5/fts5Int.h
index 4855abe..629bcf0 100644
--- a/ext/fts5/fts5Int.h
+++ b/ext/fts5/fts5Int.h
@@ -274,7 +274,7 @@ void sqlite3Fts5Put32(u8*, int);
int sqlite3Fts5Get32(const u8*);
#define FTS5_POS2COLUMN(iPos) (int)(iPos >> 32)
-#define FTS5_POS2OFFSET(iPos) (int)(iPos & 0xFFFFFFFF)
+#define FTS5_POS2OFFSET(iPos) (int)(iPos & 0x7FFFFFFF)
typedef struct Fts5PoslistReader Fts5PoslistReader;
struct Fts5PoslistReader {
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 66ab9be..165d094 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -5122,7 +5122,7 @@ static void fts5SetupPrefixIter(
}
fts5MultiIterFree(p1);
- pData = fts5IdxMalloc(p, sizeof(Fts5Data) + doclist.n);
+ pData = fts5IdxMalloc(p, sizeof(Fts5Data)+doclist.n+FTS5_DATA_ZERO_PADDING);
if( pData ){
pData->p = (u8*)&pData[1];
pData->nn = pData->szLeaf = doclist.n;
diff --git a/ext/fts5/fts5_main.c b/ext/fts5/fts5_main.c
index bb34234..c98df4f 100644
--- a/ext/fts5/fts5_main.c
+++ b/ext/fts5/fts5_main.c
@@ -1777,6 +1777,7 @@ static int fts5CacheInstArray(Fts5Cursor *pCsr){
int rc = SQLITE_OK;
Fts5PoslistReader *aIter; /* One iterator for each phrase */
int nIter; /* Number of iterators/phrases */
+ int nCol = ((Fts5Table*)pCsr->base.pVtab)->pConfig->nCol;
nIter = sqlite3Fts5ExprPhraseCount(pCsr->pExpr);
if( pCsr->aInstIter==0 ){
@@ -1830,6 +1831,10 @@ static int fts5CacheInstArray(Fts5Cursor *pCsr){
aInst[0] = iBest;
aInst[1] = FTS5_POS2COLUMN(aIter[iBest].iPos);
aInst[2] = FTS5_POS2OFFSET(aIter[iBest].iPos);
+ if( aInst[1]<0 || aInst[1]>=nCol ){
+ rc = FTS5_CORRUPT;
+ break;
+ }
sqlite3Fts5PoslistReaderNext(&aIter[iBest]);
}
}
--
1.8.3.1


@ -1,94 +0,0 @@
From 64a2e3704ddeecff5abcf7729345e1e0bd2f6dbd Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Wed, 23 Jan 2019 19:17:05 +0000
Subject: [PATCH 0823/1009] Fix another fts5 crash that can occur if the
database is corrupted.
https://github.com/mackyle/sqlite/commit/64a2e3704ddeecff5abcf7729345e1e0bd2f6dbd
---
ext/fts5/fts5_index.c | 58 ++++++-----
1 files changed, 23 insertions(+), 25 deletions(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 57fce0a..eced245 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -4127,7 +4127,7 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){
int i;
Fts5Buffer buf;
memset(&buf, 0, sizeof(Fts5Buffer));
- for(i=0; i<pIter->nSeg; i++){
+ for(i=0; i<pIter->nSeg && p->rc==SQLITE_OK; i++){
Fts5SegIter *pSeg = &pIter->aSeg[i];
if( pSeg->pSeg==0 ){
/* no-op */
@@ -4147,33 +4147,41 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){
iLeafRowid = FTS5_SEGMENT_ROWID(iId, pSeg->iTermLeafPgno);
pData = fts5DataRead(p, iLeafRowid);
if( pData ){
- fts5BufferZero(&buf);
- fts5BufferGrow(&p->rc, &buf, pData->nn);
- fts5BufferAppendBlob(&p->rc, &buf, sizeof(aHdr), aHdr);
- fts5BufferAppendVarint(&p->rc, &buf, pSeg->term.n);
- fts5BufferAppendBlob(&p->rc, &buf, pSeg->term.n, pSeg->term.p);
- fts5BufferAppendBlob(&p->rc, &buf, pData->szLeaf-iOff, &pData->p[iOff]);
- if( p->rc==SQLITE_OK ){
- /* Set the szLeaf field */
- fts5PutU16(&buf.p[2], (u16)buf.n);
- }
+ if( iOff>pData->szLeaf ){
+ /* This can occur if the pages that the segments occupy overlap - if
+ ** a single page has been assigned to more than one segment. In
+ ** this case a prior iteration of this loop may have corrupted the
+ ** segment currently being trimmed. */
+ p->rc = FTS5_CORRUPT;
+ }else{
+ fts5BufferZero(&buf);
+ fts5BufferGrow(&p->rc, &buf, pData->nn);
+ fts5BufferAppendBlob(&p->rc, &buf, sizeof(aHdr), aHdr);
+ fts5BufferAppendVarint(&p->rc, &buf, pSeg->term.n);
+ fts5BufferAppendBlob(&p->rc, &buf, pSeg->term.n, pSeg->term.p);
+ fts5BufferAppendBlob(&p->rc, &buf, pData->szLeaf-iOff,&pData->p[iOff]);
+ if( p->rc==SQLITE_OK ){
+ /* Set the szLeaf field */
+ fts5PutU16(&buf.p[2], (u16)buf.n);
+ }
- /* Set up the new page-index array */
- fts5BufferAppendVarint(&p->rc, &buf, 4);
- if( pSeg->iLeafPgno==pSeg->iTermLeafPgno
- && pSeg->iEndofDoclist<pData->szLeaf
- ){
- int nDiff = pData->szLeaf - pSeg->iEndofDoclist;
- fts5BufferAppendVarint(&p->rc, &buf, buf.n - 1 - nDiff - 4);
- fts5BufferAppendBlob(&p->rc, &buf,
- pData->nn - pSeg->iPgidxOff, &pData->p[pSeg->iPgidxOff]
- );
- }
+ /* Set up the new page-index array */
+ fts5BufferAppendVarint(&p->rc, &buf, 4);
+ if( pSeg->iLeafPgno==pSeg->iTermLeafPgno
+ && pSeg->iEndofDoclist<pData->szLeaf
+ ){
+ int nDiff = pData->szLeaf - pSeg->iEndofDoclist;
+ fts5BufferAppendVarint(&p->rc, &buf, buf.n - 1 - nDiff - 4);
+ fts5BufferAppendBlob(&p->rc, &buf,
+ pData->nn - pSeg->iPgidxOff, &pData->p[pSeg->iPgidxOff]
+ );
+ }
+ pSeg->pSeg->pgnoFirst = pSeg->iTermLeafPgno;
+ fts5DataDelete(p, FTS5_SEGMENT_ROWID(iId, 1), iLeafRowid);
+ fts5DataWrite(p, iLeafRowid, buf.p, buf.n);
+ }
fts5DataRelease(pData);
- pSeg->pSeg->pgnoFirst = pSeg->iTermLeafPgno;
- fts5DataDelete(p, FTS5_SEGMENT_ROWID(iId, 1), iLeafRowid);
- fts5DataWrite(p, iLeafRowid, buf.p, buf.n);
}
}
}
--
1.8.3.1


@ -1,28 +0,0 @@
From ebf0e4dbbdbc5e35f0febe9e6d3bbceffde814c6 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Wed, 23 Jan 2019 20:31:56 +0000
Subject: [PATCH 0826/1009] Fix an assert() in vdbemem.c that could fire if the
database was corrupt.
https://github.com/mackyle/sqlite/commit/ebf0e4dbbdbc5e35f0febe9e6d3bbceffde814c6
---
src/vdbemem.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/src/vdbemem.c b/src/vdbemem.c
index db8fedd..8493df7 100644
--- a/src/vdbemem.c
+++ b/src/vdbemem.c
@@ -243,7 +243,7 @@ SQLITE_NOINLINE int sqlite3VdbeMemGrow(Mem *pMem, int n, int bPreserve){
** if unable to complete the resizing.
*/
int sqlite3VdbeMemClearAndResize(Mem *pMem, int szNew){
- assert( szNew>0 );
+ assert( CORRUPT_DB || szNew>0 );
assert( (pMem->flags & MEM_Dyn)==0 || pMem->szMalloc==0 );
if( pMem->szMalloc<szNew ){
return sqlite3VdbeMemGrow(pMem, szNew, 0);
--
1.8.3.1


@ -1,35 +0,0 @@
From b9338e8475463b29b7f05fb28c78c3f35a7ce814 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Thu, 24 Jan 2019 15:16:17 +0000
Subject: [PATCH 0830/1009] Fix a potential problem with "INSERT INTO ...
SELECT * FROM" (or VACUUM) statements on a corrupted database.
https://github.com/mackyle/sqlite/commit/b9338e8475463b29b7f05fb28c78c3f35a7ce814
---
src/btree.c | 7 +--
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/btree.c b/src/btree.c
index b68bca1..401f02e 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -804,11 +804,12 @@ static int btreeMoveto(
UnpackedRecord *pIdxKey; /* Unpacked index key */
if( pKey ){
+ KeyInfo *pKeyInfo = pCur->pKeyInfo;
assert( nKey==(i64)(int)nKey );
- pIdxKey = sqlite3VdbeAllocUnpackedRecord(pCur->pKeyInfo);
+ pIdxKey = sqlite3VdbeAllocUnpackedRecord(pKeyInfo);
if( pIdxKey==0 ) return SQLITE_NOMEM_BKPT;
- sqlite3VdbeRecordUnpack(pCur->pKeyInfo, (int)nKey, pKey, pIdxKey);
- if( pIdxKey->nField==0 ){
+ sqlite3VdbeRecordUnpack(pKeyInfo, (int)nKey, pKey, pIdxKey);
+ if( pIdxKey->nField==0 || pIdxKey->nField>pKeyInfo->nAllField ){
rc = SQLITE_CORRUPT_BKPT;
goto moveto_done;
}
--
1.8.3.1


@ -1,79 +0,0 @@
From 2084a9dcdb6fa7cd335dca7fef7328ebee65a5d1 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Fri, 25 Jan 2019 17:26:59 +0000
Subject: [PATCH 0842/1009] Fix a segfault that could follow an OOM when
querying a table that has one or more columns with default values "true" or
"false".
https://github.com/mackyle/sqlite/commit/2084a9dcdb6fa7cd335dca7fef7328ebee65a5d1
---
src/vdbemem.c | 8 +++++---
test/insertfault.test | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 3 deletions(-)
create mode 100644 test/insertfault.test
diff --git a/src/vdbemem.c b/src/vdbemem.c
index 8493df7..8d9e44b 100644
--- a/src/vdbemem.c
+++ b/src/vdbemem.c
@@ -1530,9 +1530,11 @@ static int valueFromExpr(
}
#endif
else if( op==TK_TRUEFALSE ){
- pVal = valueNew(db, pCtx);
- pVal->flags = MEM_Int;
- pVal->u.i = pExpr->u.zToken[4]==0;
+ pVal = valueNew(db, pCtx);
+ if( pVal ){
+ pVal->flags = MEM_Int;
+ pVal->u.i = pExpr->u.zToken[4]==0;
+ }
}
*ppVal = pVal;
diff --git a/test/insertfault.test b/test/insertfault.test
new file mode 100644
index 0000000..53849a1
--- /dev/null
+++ b/test/insertfault.test
@@ -0,0 +1,36 @@
+# 2019-01-26
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+#
+# Test cases for INSERT
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix insertfault
+
+do_execsql_test 1.0 {
+ CREATE TABLE t1(a INTEGER PRIMARY KEY, b, c, d DEFAULT true);
+ INSERT INTO t1 DEFAULT VALUES;
+ SELECT * FROM t1;
+} {1 {} {} 1}
+faultsim_save_and_close
+
+breakpoint
+do_faultsim_test 1 -faults oom* -prep {
+ faultsim_restore_and_reopen
+ db eval { SELECT * FROM sqlite_master }
+} -body {
+ execsql { SELECT * FROM t1 }
+} -test {
+ faultsim_test_result {0 {1 {} {} 1}}
+}
+
+
+finish_test
--
1.8.3.1


@ -1,27 +0,0 @@
From 896da092c4debe2e865ccfbc94939aae2feda5fc Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Mon, 28 Jan 2019 16:50:42 +0000
Subject: [PATCH 0858/1009] Fix a buffer overread in fts3 that could occur when
accessing a corrupt database.
https://github.com/mackyle/sqlite/commit/896da092c4debe2e865ccfbc94939aae2feda5fc
---
ext/fts3/fts3.c | 1 +
1 files changed, 1 insertions(+)
diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
index 36e41d2..bd0003d 100644
--- a/ext/fts3/fts3.c
+++ b/ext/fts3/fts3.c
@@ -2810,6 +2810,7 @@ static int fts3TermSelectMerge(
pTS->anOutput[0] = nDoclist;
if( pTS->aaOutput[0] ){
memcpy(pTS->aaOutput[0], aDoclist, nDoclist);
+ memset(&pTS->aaOutput[0][nDoclist], 0, FTS3_VARINT_MAX);
}else{
return SQLITE_NOMEM;
}
--
1.8.3.1


@ -1,28 +0,0 @@
From 850b66a5848d73428951382ca909c3663b905a9e Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Tue, 29 Jan 2019 11:42:43 +0000
Subject: [PATCH 0862/1009] Fix a buffer overrun triggered by a merge operation
on a corrupt fts5 database.
https://github.com/mackyle/sqlite/commit/850b66a5848d73428951382ca909c3663b905a9e
---
ext/fts5/fts5_index.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index cec4415..e1bb8d4 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -4145,7 +4145,7 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){
u8 aHdr[4] = {0x00, 0x00, 0x00, 0x00};
iLeafRowid = FTS5_SEGMENT_ROWID(iId, pSeg->iTermLeafPgno);
- pData = fts5DataRead(p, iLeafRowid);
+ pData = fts5LeafRead(p, iLeafRowid);
if( pData ){
if( iOff>pData->szLeaf ){
/* This can occur if the pages that the segments occupy overlap - if
--
1.8.3.1


@ -1,29 +0,0 @@
From 06895c18a8afdfd7b46c09bb5623f1d68e82a955 Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Wed, 30 Jan 2019 12:15:27 +0000
Subject: [PATCH 0868/1009] Fix another buffer overread in fts5 that may occur
when accessing a corrupt database.
https://github.com/mackyle/sqlite/commit/06895c18a8afdfd7b46c09bb5623f1d68e82a955
---
ext/fts5/fts5_index.c | 3 +-
1 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index e1bb8d4..32732b9 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -3104,7 +3104,8 @@ static void fts5SegiterPoslist(
Fts5Colset *pColset,
Fts5Buffer *pBuf
){
- if( 0==fts5BufferGrow(&p->rc, pBuf, pSeg->nPos) ){
+ if( 0==fts5BufferGrow(&p->rc, pBuf, pSeg->nPos+FTS5_DATA_ZERO_PADDING) ){
+ memset(&pBuf->p[pBuf->n+pSeg->nPos], 0, FTS5_DATA_ZERO_PADDING);
if( pColset==0 ){
fts5ChunkIterate(p, pSeg, (void*)pBuf, fts5PoslistCallback);
}else{
--
1.8.3.1


@ -1,41 +0,0 @@
From 536bdac3ff692d5ebf13d6b7ff129721444f281b Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Thu, 31 Jan 2019 14:37:18 +0000
Subject: [PATCH 0878/1009] Fix another buffer overrun that could occur when
quering a corrupt database using an fts5vocab table.
https://github.com/mackyle/sqlite/commit/536bdac3ff692d5ebf13d6b7ff129721444f281b
---
ext/fts5/fts5_index.c | 2 +-
ext/fts5/fts5_vocab.c | 1 +
1 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 32732b9..bb87714 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -1652,7 +1652,7 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){
int nNew; /* Bytes of new data */
iOff += fts5GetVarint32(&a[iOff], nNew);
- if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n ){
+ if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n || nNew==0 ){
p->rc = FTS5_CORRUPT;
return;
}
diff --git a/ext/fts5/fts5_vocab.c b/ext/fts5/fts5_vocab.c
index bfb6821..2550c9d 100644
--- a/ext/fts5/fts5_vocab.c
+++ b/ext/fts5/fts5_vocab.c
@@ -484,6 +484,7 @@ static int fts5VocabNextMethod(sqlite3_vtab_cursor *pCursor){
int nTerm;
zTerm = sqlite3Fts5IterTerm(pCsr->pIter, &nTerm);
+ assert( nTerm>=0 );
if( pCsr->nLeTerm>=0 ){
int nCmp = MIN(nTerm, pCsr->nLeTerm);
int bCmp = memcmp(pCsr->zLeTerm, zTerm, nCmp);
--
1.8.3.1


@ -1,37 +0,0 @@
From 032f34b06b09b35542a7dd6242e2032cbed59b6e Mon Sep 17 00:00:00 2001
From: Dan Kennedy <danielk1977@gmail.com>
Date: Mon, 11 Feb 2019 16:12:09 +0000
Subject: [PATCH 0939/1009] Fix another segfault that could occur in fts5 with
a corrupted database.
https://github.com/mackyle/sqlite/commit/032f34b06b09b35542a7dd6242e2032cbed59b6e
---
ext/fts5/fts5_index.c | 7 +-
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 5ce75bd..741e579 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -4169,13 +4169,14 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){
/* Set up the new page-index array */
fts5BufferAppendVarint(&p->rc, &buf, 4);
if( pSeg->iLeafPgno==pSeg->iTermLeafPgno
- && pSeg->iEndofDoclist<pData->szLeaf
- ){
+ && pSeg->iEndofDoclist<pData->szLeaf
+ && pSeg->iPgidxOff<=pData->nn
+ ){
int nDiff = pData->szLeaf - pSeg->iEndofDoclist;
fts5BufferAppendVarint(&p->rc, &buf, buf.n - 1 - nDiff - 4);
fts5BufferAppendBlob(&p->rc, &buf,
pData->nn - pSeg->iPgidxOff, &pData->p[pSeg->iPgidxOff]
- );
+ );
}
pSeg->pSeg->pgnoFirst = pSeg->iTermLeafPgno;
--
1.8.3.1


@ -1,28 +0,0 @@
From d651ad3b3d42dfe3fc26023ae2c61d04802cd721 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Tue, 19 Feb 2019 17:45:31 +0000
Subject: [PATCH 0956/1009] Fix a potential memory leak in RBU if the
rbu_fossil_delta() SQL function is misused. Misuse never happens in a
working RBU system, so this is not a particularly important fix.
https://github.com/mackyle/sqlite/commit/d651ad3b3d42dfe3fc26023ae2c61d04802cd721
---
ext/rbu/sqlite3rbu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ext/rbu/sqlite3rbu.c b/ext/rbu/sqlite3rbu.c
index e86606b..1a78adc 100644
--- a/ext/rbu/sqlite3rbu.c
+++ b/ext/rbu/sqlite3rbu.c
@@ -684,6 +684,7 @@ static void rbuFossilDeltaFunc(
}else{
nOut2 = rbuDeltaApply(aOrig, nOrig, aDelta, nDelta, aOut);
if( nOut2!=nOut ){
+ sqlite3_free(aOut);
sqlite3_result_error(context, "corrupt fossil delta", -1);
}else{
sqlite3_result_blob(context, aOut, nOut, sqlite3_free);
--
1.8.3.1


@ -1,29 +0,0 @@
From 7003b1922263ee4b6131fd458537808ccae22f41 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Tue, 5 Mar 2019 23:49:17 +0000
Subject: [PATCH 1002/1009] Fix a potential 32-bit integer overflow in the
"showdb" utility program when it is trying to interpret a corrupt database
file.
https://github.com/mackyle/sqlite/commit/7003b1922263ee4b6131fd458537808ccae22f41
---
tool/showdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tool/showdb.c b/tool/showdb.c
index ba7a362..cb6ddab 100644
--- a/tool/showdb.c
+++ b/tool/showdb.c
@@ -828,7 +828,7 @@ static void page_usage_cell(
while( ovfl && (cnt++)<g.mxPage ){
page_usage_msg(ovfl, "overflow %d from cell %d of page %d",
cnt, cellno, pgno);
- a = fileRead((ovfl-1)*g.pagesize, 4);
+ a = fileRead((ovfl-1)*(sqlite3_int64)g.pagesize, 4);
ovfl = decodeInt32(a);
sqlite3_free(a);
}
--
1.8.3.1


@ -1,86 +0,0 @@
From 808d7ed1f82a24f7367006e43174c0c322e24590 Mon Sep 17 00:00:00 2001
From: SQLite Maintainers
Date: Thu, 15 Aug 2019 15:08:23 +0800
Subject: [PATCH] fix out of bounds read
Enhance the rtreenode() function of rtree (used for testing)
so that it uses the newer sqlite3_str object for better performance and
improved error reporting.
---
ext/rtree/rtree.c | 35 ++++++++++++++++-------------------
1 file changed, 16 insertions(+), 19 deletions(-)
diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c
index 56bf836..53c7adf 100644
--- a/ext/rtree/rtree.c
+++ b/ext/rtree/rtree.c
@@ -3689,49 +3689,46 @@ rtreeInit_fail:
** <num-dimension>*2 coordinates.
*/
static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){
- char *zText = 0;
RtreeNode node;
Rtree tree;
int ii;
+ int nData;
+ int errCode;
+ sqlite3_str *pOut;
UNUSED_PARAMETER(nArg);
memset(&node, 0, sizeof(RtreeNode));
memset(&tree, 0, sizeof(Rtree));
tree.nDim = (u8)sqlite3_value_int(apArg[0]);
+ if( tree.nDim<1 || tree.nDim>5 ) return;
tree.nDim2 = tree.nDim*2;
tree.nBytesPerCell = 8 + 8 * tree.nDim;
node.zData = (u8 *)sqlite3_value_blob(apArg[1]);
+ nData = sqlite3_value_bytes(apArg[1]);
+ if( nData<4 ) return;
+ if( nData<NCELL(&node)*tree.nBytesPerCell ) return;
+ pOut = sqlite3_str_new(0);
for(ii=0; ii<NCELL(&node); ii++){
- char zCell[512];
- int nCell = 0;
RtreeCell cell;
int jj;
nodeGetCell(&tree, &node, ii, &cell);
- sqlite3_snprintf(512-nCell,&zCell[nCell],"%lld", cell.iRowid);
- nCell = (int)strlen(zCell);
+ if( ii>0 ) sqlite3_str_append(pOut, " ", 1);
+ sqlite3_str_appendf(pOut, "{%lld", cell.iRowid);
for(jj=0; jj<tree.nDim2; jj++){
#ifndef SQLITE_RTREE_INT_ONLY
- sqlite3_snprintf(512-nCell,&zCell[nCell], " %g",
- (double)cell.aCoord[jj].f);
+ sqlite3_str_appendf(pOut, " %g", (double)cell.aCoord[jj].f);
#else
- sqlite3_snprintf(512-nCell,&zCell[nCell], " %d",
- cell.aCoord[jj].i);
+ sqlite3_str_appendf(pOut, " %d", cell.aCoord[jj].i);
#endif
- nCell = (int)strlen(zCell);
- }
-
- if( zText ){
- char *zTextNew = sqlite3_mprintf("%s {%s}", zText, zCell);
- sqlite3_free(zText);
- zText = zTextNew;
- }else{
- zText = sqlite3_mprintf("{%s}", zCell);
}
+ sqlite3_str_append(pOut, "}", 1);
}
- sqlite3_result_text(ctx, zText, -1, sqlite3_free);
+ errCode = sqlite3_str_errcode(pOut);
+ sqlite3_result_text(ctx, sqlite3_str_finish(pOut), -1, sqlite3_free);
+ sqlite3_result_error_code(ctx, errCode);
}
/* This routine implements an SQL function that returns the "depth" parameter
--
1.8.3.1


@ -1,65 +0,0 @@
From f555312151f716b54558776bce53bef9edb69d3a Mon Sep 17 00:00:00 2001
From: guiyao <guiyao@huawei.com>
Date: Mon, 14 Oct 2019 05:23:59 -0400
Subject: [PATCH] fix CVE-2019-16168
---
src/analyze.c | 4 +++-
src/where.c | 1 +
test/analyzeC.test | 13 +++++++++++++
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/analyze.c b/src/analyze.c
index 48fd495..552330b 100644
--- a/src/analyze.c
+++ b/src/analyze.c
@@ -1497,7 +1497,9 @@ static void decodeIntArray(
if( sqlite3_strglob("unordered*", z)==0 ){
pIndex->bUnordered = 1;
}else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
+ int sz = sqlite3Atoi(z+3);
+ if( sz<2 ) sz = 2;
+ pIndex->szIdxRow = sqlite3LogEst(sz);
}else if( sqlite3_strglob("noskipscan*", z)==0 ){
pIndex->noSkipScan = 1;
}
diff --git a/src/where.c b/src/where.c
index b83915e..1df9b46 100644
--- a/src/where.c
+++ b/src/where.c
@@ -2585,6 +2585,7 @@ static int whereLoopAddBtreeIndex(
** it to pNew->rRun, which is currently set to the cost of the index
** seek only. Then, if this is a non-covering index, add the cost of
** visiting the rows in the main table. */
+ assert( pSrc->pTab->szTabRow>0 );
rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
diff --git a/test/analyzeC.test b/test/analyzeC.test
index 02faa9c..246da89 100644
--- a/test/analyzeC.test
+++ b/test/analyzeC.test
@@ -132,6 +132,19 @@ do_execsql_test 4.3 {
SELECT count(a) FROM t1;
} {/.*INDEX t1ca.*/}
+# 2019-08-15.
+# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
+# The sz=N parameter in the sqlite_stat1 table needs to have a value of
+# 2 or more to avoid a division by zero in the query planner.
+#
+do_execsql_test 4.4 {
+ DROP TABLE IF EXISTS t44;
+ CREATE TABLE t44(a PRIMARY KEY);
+ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
+ ANALYZE sqlite_master;
+ SELECT 0 FROM t44 WHERE a IN(1,2,3);
+} {}
+
# The sz=NNN parameter works even if there is other extraneous text
# in the sqlite_stat1.stat column.
--
1.8.3.1


@ -1,27 +0,0 @@
From b097449afefa53e05637aaa43197c66cece575c7 Mon Sep 17 00:00:00 2001
From: guiyao <guiyao@huawei.com>
Date: Tue, 17 Dec 2019 10:53:58 -0500
Subject: [PATCH] Backport Fix CVE-2019-19646
---
src/pragma.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/pragma.c b/src/pragma.c
index 4699c96..eda1a16 100644
--- a/src/pragma.c
+++ b/src/pragma.c
@@ -1571,7 +1571,9 @@ void sqlite3Pragma(
if( j==pTab->iPKey ) continue;
if( pTab->aCol[j].notNull==0 ) continue;
sqlite3ExprCodeGetColumnOfTable(v, pTab, iDataCur, j, 3);
- sqlite3VdbeChangeP5(v, OPFLAG_TYPEOFARG);
+ if( sqlite3VdbeGetOp(v,-1)->opcode==OP_Column ){
+ sqlite3VdbeChangeP5(v, OPFLAG_TYPEOFARG);
+ }
jmp2 = sqlite3VdbeAddOp1(v, OP_NotNull, 3); VdbeCoverage(v);
zErr = sqlite3MPrintf(db, "NULL value in %s.%s", pTab->zName,
pTab->aCol[j].zName);
--
1.8.3.1


@ -1,50 +0,0 @@
From abaf16dea291800e0f450c0b60d9da9f2149d6a9 Mon Sep 17 00:00:00 2001
From: openEuler Buildteam <buildteam@openeuler.org>
Date: Mon, 30 Dec 2019 16:17:34 -0500
Subject: [PATCH] fix CVE-2019-9936
---
ext/fts5/fts5_hash.c | 3 ++-
ext/fts5/test/fts5aa.test | 12 ++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/ext/fts5/fts5_hash.c b/ext/fts5/fts5_hash.c
index 7e404a8..c35b5d5 100644
--- a/ext/fts5/fts5_hash.c
+++ b/ext/fts5/fts5_hash.c
@@ -445,7 +445,8 @@ static int fts5HashEntrySort(
for(iSlot=0; iSlot<pHash->nSlot; iSlot++){
Fts5HashEntry *pIter;
for(pIter=pHash->aSlot[iSlot]; pIter; pIter=pIter->pHashNext){
- if( pTerm==0 || 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm) ){
+ if( pTerm==0
+ || (pIter->nKey+1>=nTerm && 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm)) ){
Fts5HashEntry *pEntry = pIter;
pEntry->pScanNext = 0;
for(i=0; ap[i]; i++){
diff --git a/ext/fts5/test/fts5aa.test b/ext/fts5/test/fts5aa.test
index 6fa3ad8..5c9b894 100644
--- a/ext/fts5/test/fts5aa.test
+++ b/ext/fts5/test/fts5aa.test
@@ -603,6 +603,18 @@ do_execsql_test 23.2 {
SELECT * FROM t11, t10 WHERE t10.rowid IS NULL;
}
+#-------------------------------------------------------------------------
+do_execsql_test 25.0 {
+ CREATE VIRTUAL TABLE t13 USING fts5(x, detail=%DETAIL%);
+}
+do_execsql_test 25.1 {
+ BEGIN;
+ INSERT INTO t13 VALUES('AAAA');
+SELECT * FROM t13('BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB*');
+
+ END;
+}
+
}
expand_all_sql db
--
1.8.3.1


@ -1,236 +0,0 @@
From cc12b9c512451199cacf89a999977886ba4f183e Mon Sep 17 00:00:00 2001
From: openEuler Buildteam <buildteam@openeuler.org>
Date: Tue, 31 Dec 2019 21:45:30 -0500
Subject: [PATCH] backport-fix-CVE-2019-9937
---
ext/fts5/fts5Int.h | 3 ++-
ext/fts5/fts5_hash.c | 55 ++++++++++++++++++++++++++++++++---------------
ext/fts5/fts5_index.c | 25 ++++++++++++++-------
ext/fts5/test/fts5aa.test | 21 +++++++++++++++++-
4 files changed, 77 insertions(+), 27 deletions(-)
diff --git a/ext/fts5/fts5Int.h b/ext/fts5/fts5Int.h
index 1f8a297..984d625 100644
--- a/ext/fts5/fts5Int.h
+++ b/ext/fts5/fts5Int.h
@@ -565,8 +565,9 @@ void sqlite3Fts5HashClear(Fts5Hash*);
int sqlite3Fts5HashQuery(
Fts5Hash*, /* Hash table to query */
+ int nPre,
const char *pTerm, int nTerm, /* Query term */
- const u8 **ppDoclist, /* OUT: Pointer to doclist for pTerm */
+ void **ppObj, /* OUT: Pointer to doclist for pTerm */
int *pnDoclist /* OUT: Size of doclist in bytes */
);
diff --git a/ext/fts5/fts5_hash.c b/ext/fts5/fts5_hash.c
index c35b5d5..eae785a 100644
--- a/ext/fts5/fts5_hash.c
+++ b/ext/fts5/fts5_hash.c
@@ -187,19 +187,25 @@ static int fts5HashResize(Fts5Hash *pHash){
return SQLITE_OK;
}
-static void fts5HashAddPoslistSize(Fts5Hash *pHash, Fts5HashEntry *p){
+static int fts5HashAddPoslistSize(
+ Fts5Hash *pHash,
+ Fts5HashEntry *p,
+ Fts5HashEntry *p2
+){
+ int nRet = 0;
if( p->iSzPoslist ){
- u8 *pPtr = (u8*)p;
+ u8 *pPtr = p2 ? (u8*)p2 : (u8*)p;
+ int nData = p->nData;
if( pHash->eDetail==FTS5_DETAIL_NONE ){
- assert( p->nData==p->iSzPoslist );
+ assert( nData==p->iSzPoslist );
if( p->bDel ){
- pPtr[p->nData++] = 0x00;
+ pPtr[nData++] = 0x00;
if( p->bContent ){
- pPtr[p->nData++] = 0x00;
+ pPtr[nData++] = 0x00;
}
}
}else{
- int nSz = (p->nData - p->iSzPoslist - 1); /* Size in bytes */
+ int nSz = (nData - p->iSzPoslist - 1); /* Size in bytes */
int nPos = nSz*2 + p->bDel; /* Value of nPos field */
assert( p->bDel==0 || p->bDel==1 );
@@ -209,14 +215,19 @@ static void fts5HashAddPoslistSize(Fts5Hash *pHash, Fts5HashEntry *p){
int nByte = sqlite3Fts5GetVarintLen((u32)nPos);
memmove(&pPtr[p->iSzPoslist + nByte], &pPtr[p->iSzPoslist + 1], nSz);
sqlite3Fts5PutVarint(&pPtr[p->iSzPoslist], nPos);
- p->nData += (nByte-1);
+ nData += (nByte-1);
}
}
- p->iSzPoslist = 0;
- p->bDel = 0;
- p->bContent = 0;
+ nRet = nData - p->nData;
+ if( p2==0 ){
+ p->iSzPoslist = 0;
+ p->bDel = 0;
+ p->bContent = 0;
+ p->nData = nData;
+ }
}
+ return nRet;
}
/*
@@ -328,7 +339,7 @@ int sqlite3Fts5HashWrite(
/* If this is a new rowid, append the 4-byte size field for the previous
** entry, and the new rowid for this entry. */
if( iRowid!=p->iRowid ){
- fts5HashAddPoslistSize(pHash, p);
+ fts5HashAddPoslistSize(pHash, p, 0);
p->nData += sqlite3Fts5PutVarint(&pPtr[p->nData], iRowid - p->iRowid);
p->iRowid = iRowid;
bNew = 1;
@@ -474,8 +485,9 @@ static int fts5HashEntrySort(
*/
int sqlite3Fts5HashQuery(
Fts5Hash *pHash, /* Hash table to query */
+ int nPre,
const char *pTerm, int nTerm, /* Query term */
- const u8 **ppDoclist, /* OUT: Pointer to doclist for pTerm */
+ void **ppOut, /* OUT: Pointer to new object */
int *pnDoclist /* OUT: Size of doclist in bytes */
){
unsigned int iHash = fts5HashKey(pHash->nSlot, (const u8*)pTerm, nTerm);
@@ -489,11 +501,20 @@ int sqlite3Fts5HashQuery(
}
if( p ){
- fts5HashAddPoslistSize(pHash, p);
- *ppDoclist = (const u8*)&zKey[nTerm+1];
- *pnDoclist = p->nData - (sizeof(Fts5HashEntry) + nTerm + 1);
+ int nHashPre = sizeof(Fts5HashEntry) + nTerm + 1;
+ int nList = p->nData - nHashPre;
+ u8 *pRet = (u8*)(*ppOut = sqlite3_malloc64(nPre + nList + 10));
+ if( pRet ){
+ Fts5HashEntry *pFaux = (Fts5HashEntry*)&pRet[nPre-nHashPre];
+ memcpy(&pRet[nPre], &((u8*)p)[nHashPre], nList);
+ nList += fts5HashAddPoslistSize(pHash, p, pFaux);
+ *pnDoclist = nList;
+ }else{
+ *pnDoclist = 0;
+ return SQLITE_NOMEM;
+ }
}else{
- *ppDoclist = 0;
+ *ppOut = 0;
*pnDoclist = 0;
}
@@ -526,7 +547,7 @@ void sqlite3Fts5HashScanEntry(
if( (p = pHash->pScan) ){
char *zKey = fts5EntryKey(p);
int nTerm = (int)strlen(zKey);
- fts5HashAddPoslistSize(pHash, p);
+ fts5HashAddPoslistSize(pHash, p, 0);
*pzTerm = zKey;
*ppDoclist = (const u8*)&zKey[nTerm+1];
*pnDoclist = p->nData - (sizeof(Fts5HashEntry) + nTerm + 1);
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index ddad6c8..37ef61d 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -2452,31 +2452,40 @@ static void fts5SegIterHashInit(
int flags, /* Mask of FTS5INDEX_XXX flags */
Fts5SegIter *pIter /* Object to populate */
){
- const u8 *pList = 0;
int nList = 0;
const u8 *z = 0;
int n = 0;
+ Fts5Data *pLeaf = 0;
assert( p->pHash );
assert( p->rc==SQLITE_OK );
if( pTerm==0 || (flags & FTS5INDEX_QUERY_SCAN) ){
+ const u8 *pList = 0;
+
p->rc = sqlite3Fts5HashScanInit(p->pHash, (const char*)pTerm, nTerm);
sqlite3Fts5HashScanEntry(p->pHash, (const char**)&z, &pList, &nList);
n = (z ? (int)strlen((const char*)z) : 0);
+ if( pList ){
+ pLeaf = fts5IdxMalloc(p, sizeof(Fts5Data));
+ if( pLeaf ){
+ pLeaf->p = pList;
+ }
+ }
}else{
- pIter->flags |= FTS5_SEGITER_ONETERM;
- sqlite3Fts5HashQuery(p->pHash, (const char*)pTerm, nTerm, &pList, &nList);
+ p->rc = sqlite3Fts5HashQuery(p->pHash, sizeof(Fts5Data),
+ (const char*)pTerm, nTerm, (void**)&pLeaf, &nList
+ );
+ if( pLeaf ){
+ pLeaf->p = (u8*)&pLeaf[1];
+ }
z = pTerm;
n = nTerm;
+ pIter->flags |= FTS5_SEGITER_ONETERM;
}
- if( pList ){
- Fts5Data *pLeaf;
+ if( pLeaf ){
sqlite3Fts5BufferSet(&p->rc, &pIter->term, n, z);
- pLeaf = fts5IdxMalloc(p, sizeof(Fts5Data));
- if( pLeaf==0 ) return;
- pLeaf->p = (u8*)pList;
pLeaf->nn = pLeaf->szLeaf = nList;
pIter->pLeaf = pLeaf;
pIter->iLeafOffset = fts5GetVarint(pLeaf->p, (u64*)&pIter->iRowid);
diff --git a/ext/fts5/test/fts5aa.test b/ext/fts5/test/fts5aa.test
index 5c9b894..b76a7f6 100644
--- a/ext/fts5/test/fts5aa.test
+++ b/ext/fts5/test/fts5aa.test
@@ -427,7 +427,7 @@ proc funk {} {
db eval { UPDATE n1_config SET v=50 WHERE k='version' }
set fd [db incrblob main n1_data block 10]
fconfigure $fd -encoding binary -translation binary
- puts -nonewline $fd "\x44\x45"
+# puts -nonewline $fd "\x44\x45"
close $fd
}
db func funk funk
@@ -604,6 +604,25 @@ do_execsql_test 23.2 {
}
#-------------------------------------------------------------------------
+do_execsql_test 24.0 {
+ CREATE VIRTUAL TABLE t12 USING fts5(x, detail=%DETAIL%);
+ INSERT INTO t12 VALUES('aaaa');
+}
+do_execsql_test 24.1 {
+ BEGIN;
+ DELETE FROM t12 WHERE rowid=1;
+ SELECT * FROM t12('aaaa');
+ INSERT INTO t12 VALUES('aaaa');
+ END;
+}
+do_execsql_test 24.2 {
+ INSERT INTO t12(t12) VALUES('integrity-check');
+}
+do_execsql_test 24.3 {
+ SELECT * FROM t12('aaaa');
+} {aaaa}
+
+#-------------------------------------------------------------------------
do_execsql_test 25.0 {
CREATE VIRTUAL TABLE t13 USING fts5(x, detail=%DETAIL%);
}
--
1.8.3.1


@ -1,72 +0,0 @@
From 396afe6f6aa90a31303c183e11b2b2d4b7956b35 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Wed, 18 Dec 2019 20:51:58 +0000
Subject: [PATCH] Fix CVE-2019-19923
Continue to back away from the LEFT JOIN optimization of
check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
query is DISTINCT. Without this fix, if an index scan is run on the table
within the view on the right-hand side of the LEFT JOIN, stale result
registers might be accessed yielding incorrect results, and/or an
OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
NULL-pointer dereference. This problem was found by the Yongheng and Rui
fuzzer.
FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
Change by Weifeng <suweifeng1@huawei.com>:
Fit for version 3.24.0
---
src/select.c | 8 ++++++--
test/join.test | 13 +++++++++++++
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/select.c b/src/select.c
index 529df0f..4510b77 100644
--- a/src/select.c
+++ b/src/select.c
@@ -3582,6 +3582,7 @@ static void substSelect(
** (3b) the FROM clause of the subquery may not contain a virtual
** table and
** (3c) the outer query may not be an aggregate.
+** (3d) the outer query may not be DISTINCT.
**
** (4) The subquery can not be DISTINCT.
**
@@ -3770,8 +3771,11 @@ static int flattenSubquery(
*/
if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){
isLeftJoin = 1;
- if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){
- /* (3a) (3c) (3b) */
+ if( pSubSrc->nSrc>1 /* (3a) */
+ || isAgg /* (3b) */
+ || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */
+ || (p->selFlags & SF_Distinct)!=0 /* (3d) */
+ ){
return 0;
}
}
diff --git a/test/join.test b/test/join.test
index 8c6f463..8c6a53d 100644
--- a/test/join.test
+++ b/test/join.test
@@ -844,4 +844,17 @@ do_execsql_test join-15.110 {
ORDER BY a1, a2, a3, a4, a5;
} {1 {} {} {} {} 1 11 {} {} {} 1 12 {} {} {} 1 12 121 {} {} 1 13 {} {} {}}
+# 2019-12-18 problem with a LEFT JOIN where the RHS is a view.
+# Detected by Yongheng and Rui.
+# Follows from the optimization attempt of check-in 41c27bc0ff1d3135
+# on 2017-04-18
+#
+reset_db
+do_execsql_test join-22.10 {
+ CREATE TABLE t0(a, b);
+ CREATE INDEX t0a ON t0(a);
+ INSERT INTO t0 VALUES(10,10),(10,11),(10,12);
+ SELECT DISTINCT c FROM t0 LEFT JOIN (SELECT a+1 AS c FROM t0) ORDER BY c ;
+} {11}
+
finish_test
--
2.19.1


@ -1,50 +0,0 @@
From 8654186b0236d556aa85528c2573ee0b6ab71be3 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Thu, 19 Dec 2019 20:37:32 +0000
Subject: [PATCH] Fix CVE-2019-19924
When an error occurs while rewriting the parser tree for
window functions in the sqlite3WindowRewrite() routine, make sure that
pParse->nErr is set, and make sure that this shuts down any subsequent code
generation that might depend on the transformations that were implemented.
This fixes a problem discovered by the Yongheng and Rui fuzzer.
FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f
Change by Weifeng <suweifeng1@huawei.com>:
Fit for version 3.24.0
---
src/expr.c | 2 ++
src/vdbeaux.c | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/expr.c b/src/expr.c
index 36ca515..8fd8af9 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -344,6 +344,8 @@ static int codeCompare(
int addr;
CollSeq *p4;
+ if( pParse->nErr ) return 0;
+
p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index ba2396c..df8bcc2 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -1171,7 +1171,8 @@ void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
*/
static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
assert( p->nOp>0 || p->aOp==0 );
- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
+ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
+ || p->pParse->nErr>0 );
if( p->nOp ){
assert( p->aOp );
sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
--
2.19.1


@ -1,55 +0,0 @@
From 54d501092d88c0cf89bec4279951f548fb0b8618 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Thu, 19 Dec 2019 15:15:40 +0000
Subject: [PATCH] Fix CVE-2019-19925
Fix the zipfile extension so that INSERT works even if the
pathname of the file being inserted is a NULL. Bug discovered by the
Yongheng and Rui fuzzer.
FossilOrigin-Name: a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06
Change by Weifeng <suweifeng1@huawei.com>:
Fit for version 3.24.0
---
ext/misc/zipfile.c | 1 +
test/zipfile.test | 13 +++++++++++++
2 files changed, 14 insertions(+)
diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c
index 9f2258e..01cd0ca 100644
--- a/ext/misc/zipfile.c
+++ b/ext/misc/zipfile.c
@@ -1617,6 +1617,7 @@ static int zipfileUpdate(
if( rc==SQLITE_OK ){
zPath = (const char*)sqlite3_value_text(apVal[2]);
+ if( zPath==0 ) zPath = "";
nPath = (int)strlen(zPath);
mTime = zipfileGetTime(apVal[4]);
}
diff --git a/test/zipfile.test b/test/zipfile.test
index ebc4977..abf432c 100644
--- a/test/zipfile.test
+++ b/test/zipfile.test
@@ -761,4 +761,17 @@ do_execsql_test 11.11 {
SELECT name, data FROM z ORDER BY name;
} {b0suffix two b2suffix one}
+# 2019-12-18 Yongheng and Rui fuzzer
+#
+do_execsql_test 13.10 {
+ DROP TABLE IF EXISTS t0;
+ DROP TABLE IF EXISTS t1;
+ CREATE TABLE t0(a,b,c,d,e,f,g);
+ REPLACE INTO t0(c,b,f) VALUES(10,10,10);
+ CREATE VIRTUAL TABLE t1 USING zipfile('h.zip');
+ REPLACE INTO t1 SELECT * FROM t0;
+ SELECT quote(name),quote(mode),quote(mtime),quote(sz),quote(rawdata),
+ quote(data),quote(method) FROM t1;
+} {'' 10 10 2 X'3130' X'3130' 0}
+
finish_test
--
2.19.1


@ -1,39 +0,0 @@
From 396afe6f6aa90a31303c183e11b2b2d4b7956b35 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Wed, 18 Dec 2019 20:51:58 +0000
Subject: [PATCH] Fix CVE-2019-19926
Continue to back away from the LEFT JOIN optimization of
check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
query is DISTINCT. Without this fix, if an index scan is run on the table
within the view on the right-hand side of the LEFT JOIN, stale result
registers might be accessed yielding incorrect results, and/or an
OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
NULL-pointer dereference. This problem was found by the Yongheng and Rui
fuzzer.
FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
Change by Weifeng <suweifeng1@huawei.com>:
Fit for version 3.24.0
---
src/select.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/select.c b/src/select.c
index 4510b77..f78c8a5 100644
--- a/src/select.c
+++ b/src/select.c
@@ -2813,7 +2813,8 @@ static int multiSelect(
}
#endif
}
-
+ if( pParse->nErr ) goto multi_select_end;
+
/* Compute collating sequences used by
** temporary tables needed to implement the compound select.
** Attach the KeyInfo structure to all temporary tables.
--
2.19.1


@ -1,32 +0,0 @@
From a6c1a71cde082e09750465d5675699062922e387 Mon Sep 17 00:00:00 2001
From: dan <dan@noemail.net>
Date: Fri, 27 Dec 2019 20:54:42 +0000
Subject: [PATCH] Fix CVE-2019-20218
Do not attempt to unwind the WITH stack in the Parse object
following an error. This fixes a separate case to [de6e6d68].
FossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92
Change by Weifeng <suweifeng1@huawei.com>:
Fit for version 3.24.0
---
src/select.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/select.c b/src/select.c
index f78c8a5..3bb98ad 100644
--- a/src/select.c
+++ b/src/select.c
@@ -4717,7 +4717,7 @@ static int selectExpander(Walker *pWalker, Select *p){
/* Process NATURAL keywords, and ON and USING clauses of joins.
*/
- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
return WRC_Abort;
}
--
2.19.1


@ -1,43 +0,0 @@
From d8f2d46cbc9925e034a68aaaf60aad788d9373c1 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Mon, 23 Dec 2019 21:04:33 +0000
Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that
it is able to deal with goofy filenames that contain embedded zeros.
Code for CVE-2019-19959 fixing
Modified by openEuler build team
Removed manifest changes and adapt to old code.
FossilOrigin-Name: cc0fb00a128fd0773db5ff7891f7aa577a3671d570166d2cbb30df922344adcf
---
ext/misc/zipfile.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c
index 9f2258e..3a87ec2 100644
--- a/ext/misc/zipfile.c
+++ b/ext/misc/zipfile.c
@@ -1631,7 +1631,7 @@ static int zipfileUpdate(
zFree = sqlite3_mprintf("%s/", zPath);
if( zFree==0 ){ rc = SQLITE_NOMEM; }
zPath = (const char*)zFree;
- nPath++;
+ nPath = (int)strlen(zPath);
}
}
@@ -2032,11 +2032,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){
}else{
if( zName[nName-1]!='/' ){
zName = zFree = sqlite3_mprintf("%s/", zName);
- nName++;
if( zName==0 ){
rc = SQLITE_NOMEM;
goto zipfile_step_out;
}
+ nName = (int)strlen(zName);
}else{
while( nName>1 && zName[nName-2]=='/' ) nName--;
}
--
1.8.3.1


@ -1,41 +0,0 @@
Index: src/wherecode.c
==================================================================
--- a/src/wherecode.c
+++ b/src/wherecode.c
@@ -424,11 +424,11 @@
Select *pSelect; /* Pointer to the SELECT on the RHS */
for(i=iEq; i<pLoop->nLTerm; i++){
if( pLoop->aLTerm[i]->pExpr==pX ){
int iField = pLoop->aLTerm[i]->iField - 1;
- assert( pOrigRhs->a[iField].pExpr!=0 );
+ if( pOrigRhs->a[iField].pExpr==0 ) continue; /* Duplicate PK column */
pRhs = sqlite3ExprListAppend(pParse, pRhs, pOrigRhs->a[iField].pExpr);
pOrigRhs->a[iField].pExpr = 0;
assert( pOrigLhs->a[iField].pExpr!=0 );
pLhs = sqlite3ExprListAppend(pParse, pLhs, pOrigLhs->a[iField].pExpr);
pOrigLhs->a[iField].pExpr = 0;
Index: test/rowvalue.test
==================================================================
--- a/test/rowvalue.test
+++ b/test/rowvalue.test
@@ -543,7 +543,18 @@
# 2018-02-18: Memory leak nexted row-value. Detected by OSSFuzz.
#
do_catchsql_test 20.1 {
SELECT 1 WHERE (2,(2,0)) IS (2,(2,0));
} {0 1}
+
+# 2018-11-03: Ticket https://www.sqlite.org/src/info/1a84668dcfdebaf1
+# Assertion fault when doing row-value operations on a primary key
+# containing duplicate columns.
+#
+do_execsql_test 21.0 {
+ DROP TABLE IF EXISTS t1;
+ CREATE TABLE t1(a,b,PRIMARY KEY(b,b));
+ INSERT INTO t1 VALUES(1,2),(3,4),(5,6);
+ SELECT * FROM t1 WHERE (a,b) IN (VALUES(1,2));
+} {1 2}
finish_test


@ -1,97 +0,0 @@
From 6db07ba0e6e7e7ea4a8c3de9734437a87c2fd8c0 Mon Sep 17 00:00:00 2001
From: guiyao <guiyao@huawei.com>
Date: Thu, 8 Apr 2021 14:19:51 -0400
Subject: [PATCH] fix CVE-2020-9327
Description: this patch is used to fix CVE-2020-9327, and it was rewritten base on
commit 78d1d225d87af40f5bdca57fa72f00b6ffaffa21 and bf48ce49f7c25e5d4524de9fdc5c0d505218d06d
to fit the current version.
---
src/expr.c | 15 +++++++++++----
src/sqliteInt.h | 3 +++
src/whereexpr.c | 9 ++++++---
3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/expr.c b/src/expr.c
index 8fd8af9..73a8187 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -5055,18 +5055,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
case TK_LT:
case TK_LE:
case TK_GT:
- case TK_GE:
+ case TK_GE: {
+ Expr *pLeft = pExpr->pLeft;
+ Expr *pRight = pExpr->pRight;
testcase( pExpr->op==TK_EQ );
testcase( pExpr->op==TK_NE );
testcase( pExpr->op==TK_LT );
testcase( pExpr->op==TK_LE );
testcase( pExpr->op==TK_GT );
testcase( pExpr->op==TK_GE );
- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->pTab))
- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->pTab))
+ /* The pTab=0 assignment in wherecode.c always happens after the
+ ** impliesNotNullRow() test */
+ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->pTab!=0)
+ && IsVirtual(pLeft->pTab))
+ || (pRight->op==TK_COLUMN && ALWAYS(pRight->pTab!=0)
+ && IsVirtual(pRight->pTab))
){
- return WRC_Prune;
+ return WRC_Prune;
}
+ }
default:
return WRC_Continue;
}
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 91fde72..d79ab28 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -1955,8 +1955,11 @@ struct Table {
*/
#ifndef SQLITE_OMIT_VIRTUALTABLE
# define IsVirtual(X) ((X)->nModuleArg)
+# define ExprIsVtab(X) \
+ ((X)->op==TK_COLUMN && (X)->pTab!=0 && (X)->pTab->nModuleArg)
#else
# define IsVirtual(X) 0
+# define ExprIsVtab(X) 0
#endif
/*
diff --git a/src/whereexpr.c b/src/whereexpr.c
index 2975008..e61dfff 100644
--- a/src/whereexpr.c
+++ b/src/whereexpr.c
@@ -362,7 +362,8 @@ static int isAuxiliaryVtabOperator(
return 0;
}
pCol = pList->a[1].pExpr;
- if( pCol->op!=TK_COLUMN || !IsVirtual(pCol->pTab) ){
+ testcase( pCol->op==TK_COLUMN && pCol->pTab==0 );
+ if( !ExprIsVtab(pCol) ){
return 0;
}
for(i=0; i<ArraySize(aOp); i++){
@@ -377,10 +378,12 @@ static int isAuxiliaryVtabOperator(
int res = 0;
Expr *pLeft = pExpr->pLeft;
Expr *pRight = pExpr->pRight;
- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->pTab) ){
+ testcase( pLeft->op==TK_COLUMN && pLeft->pTab==0 );
+ if( ExprIsVtab(pLeft) ){
res++;
}
- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->pTab) ){
+ testcase( pRight && pRight->op==TK_COLUMN && pRight->pTab==0 );
+ if( pRight && ExprIsVtab(pRight) ){
res++;
SWAP(Expr*, pLeft, pRight);
}
--
1.8.3.1


@ -1,31 +0,0 @@
From fc24a3a984c373d94612dcb3ec1e75b4f8a3ab6c Mon Sep 17 00:00:00 2001
From: luoshijie1 <luoshijie1@huawei.com>
Date: Tue, 14 Apr 2020 16:21:35 +0000
Subject: [PATCH] sqlite: fix CVE-2020-11655
In the event of a semantic error in an aggregate query, early-out
the resetAccumulator() function to prevent problems due to incomplete
or incorrect initialization of the AggInfo object.
Fix for ticket [af4556bb5c285c08].
https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11
Signed-off-by: drh <drh@noemail.net>
Signed-off-by: luoshiji1 <luoshijie1@huawei.com>
---
src/select.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/select.c b/src/select.c
index 3bb98ad..270075a 100644
--- a/src/select.c
+++ b/src/select.c
@@ -5058,6 +5058,7 @@ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){
struct AggInfo_func *pFunc;
int nReg = pAggInfo->nFunc + pAggInfo->nColumn;
if( nReg==0 ) return;
+ if( pParse->nErr ) return;
#ifdef SQLITE_DEBUG
/* Verify that all AggInfo registers are within the range specified by
** AggInfo.mnReg..AggInfo.mxReg */
--
1.8.3.1


@ -1,65 +0,0 @@
From 4f0a1ae44243b92d7e20ff1b263f39ef8e183b50 Mon Sep 17 00:00:00 2001
From: Peibao Liu <peibao.liu@windriver.com>
Date: Fri, 29 May 2020 01:34:28 -0400
Subject: [PATCH] Limit the "precision" of floating-point to text conversions
in the printf() function to 100,000,000.
port from:
https://www.sqlite.org/src/info/d08d3405878d394e
1. The printf() func was introduced in sqlite v3.8(6db7052eeefafdbf)
and in the current version this func is still not introduced, which
caused the test case printf-16.1 could not execute. So remove the test
case part of the upstream patch.
2. The modification of sqlite3VXPrintf() in this patch could cause the
printf-2.1.2.10 test case failure as this test case has already modified
in e7144ffd21294d7a commit. Just modify this test case to latest but do
not port the relevant patch.
Signed-off-by: Peibao Liu <peibao.liu@windriver.com>
---
src/printf.c | 12 ++++++++++++
test/printf.test | 2 +-
2 files changed, 13 insertions(+), 1 deletion(-)
diff -Naur a/src/printf.c b/src/printf.c
--- a/src/printf.c 2020-06-23 03:01:16.783000000 +0000
+++ b/src/printf.c 2020-06-23 03:51:18.644000000 +0000
@@ -166,6 +166,13 @@
#define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */
/*
+ * ** Hard limit on the precision of floating-point conversions.
+ * */
+#ifndef SQLITE_PRINTF_PRECISION_LIMIT
+# define SQLITE_FP_PRECISION_LIMIT 100000000
+#endif
+
+/*
** Render a string given by "fmt" into the StrAccum object.
*/
void sqlite3_str_vappendf(
@@ -471,6 +478,11 @@
length = 0;
#else
if( precision<0 ) precision = 6; /* Set default precision */
+#ifdef SQLITE_FP_PRECISION_LIMIT
+ if( precision>SQLITE_FP_PRECISION_LIMIT ){
+ precision = SQLITE_FP_PRECISION_LIMIT;
+ }
+#endif
if( realvalue<0.0 ){
realvalue = -realvalue;
prefix = '-';
diff -Naur a/test/printf.test b/test/printf.test
--- a/test/printf.test 2020-06-23 03:01:16.963000000 +0000
+++ b/test/printf.test 2020-06-23 03:52:25.410000000 +0000
@@ -540,7 +540,7 @@
} {abc: 1 1 (1e-20) :xyz}
do_test printf-2.1.2.10 {
sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
-} {abc: }
+} {}
do_test printf-2.1.3.1 {
sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
} {abc: (1.0) :xyz}


@ -1,41 +0,0 @@
From 6412131325fb2266c3faf0faea93c1d5a4e479a9 Mon Sep 17 00:00:00 2001
From: Peibao Liu <peibao.liu@windriver.com>
Date: Fri, 29 May 2020 02:04:15 -0400
Subject: [PATCH] Defensive code that tries to prevent a recurrence of
problems.
port from:
https://www.sqlite.org/src/info/572105de1d44bca4
Signed-off-by: Peibao Liu <peibao.liu@windriver.com>
---
src/expr.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff -Naur c/src/expr.c d/src/expr.c
--- c/src/expr.c 2020-06-23 03:05:10.871000000 +0000
+++ d/src/expr.c 2020-06-23 03:15:14.426000000 +0000
@@ -3542,7 +3542,10 @@
switch( op ){
case TK_AGG_COLUMN: {
AggInfo *pAggInfo = pExpr->pAggInfo;
- struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
+ struct AggInfo_col *pCol;
+ assert( pAggInfo!=0 );
+ assert( pExpr->iAgg>=0 && pExpr->iAgg<pAggInfo->nColumn );
+ pCol = &pAggInfo->aCol[pExpr->iAgg];
if( !pAggInfo->directMode ){
assert( pCol->iMem>0 );
return pCol->iMem;
@@ -3761,7 +3764,10 @@
}
case TK_AGG_FUNCTION: {
AggInfo *pInfo = pExpr->pAggInfo;
- if( pInfo==0 ){
+ if( pInfo==0
+ || NEVER(pExpr->iAgg<0)
+ || NEVER(pExpr->iAgg>=pInfo->nFunc)
+ ){
assert( !ExprHasProperty(pExpr, EP_IntValue) );
sqlite3ErrorMsg(pParse, "misuse of aggregate: %s()", pExpr->u.zToken);
}else{


@ -1,25 +0,0 @@
From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
From: yanglongkang <yanglongkang@huawei.com>
Date: Thu, 11 Jun 2020 19:21:35 +0000
Subject: [PATCH] sqlite: fix CVE-2020-13630
Fix a use-after-free bug in the fts3 snippet() function.
https://sqlite.org/src/info/0d69f76f0865f962
Signed-off-by: dan <dan@noemail.net>
Signed-off-by: yanglongkang <yanglongkang@huawei.com>
---
ext/fts3/fts3.c | 1 +
1 file changed, 1 insertion(+)
diff -Naur e/ext/fts3/fts3.c f/ext/fts3/fts3.c
--- e/ext/fts3/fts3.c 2020-06-23 03:05:29.962000000 +0000
+++ f/ext/fts3/fts3.c 2020-06-23 03:25:15.587000000 +0000
@@ -5192,6 +5192,7 @@
fts3EvalNextRow(pCsr, pLeft, pRc);
}
}
+ pRight->bEof = pLeft->bEof = 1;
}
}
break;


@ -1,26 +0,0 @@
From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
From: yanglongkang <yanglongkang@huawei.com>
Date: Thu, 11 Jun 2020 19:21:35 +0000
Subject: [PATCH] sqlite: fix CVE-2020-13632
Fix a null pointer deference that can occur on a strange matchinfo() query.
https://sqlite.org/src/info/a4dd148928ea65bd
Signed-off-by: drh <drh@noemail.net>
Signed-off-by: yanglongkang <yanglongkang@huawei.com>
---
ext/fts3/fts3_snippet.c | 1 +
1 file changed, 1 insertion(+)
diff -Naur 1/ext/fts3/fts3_snippet.c 2/ext/fts3/fts3_snippet.c
--- 1/ext/fts3/fts3_snippet.c 2020-06-23 03:05:55.432000000 +0000
+++ 2/ext/fts3/fts3_snippet.c 2020-06-23 03:32:44.272000000 +0000
@@ -869,7 +869,7 @@
iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
}
- while( 1 ){
+ if( pIter ) while( 1 ){
int nHit = fts3ColumnlistCount(&pIter);
if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
if( p->flag==FTS3_MATCHINFO_LHITS ){


@ -1,85 +1,22 @@
%bcond_without check
%global extver 3240000
%global extver 3320300
%global tcl_version 8.6
%global tcl_sitearch %{_libdir}/tcl%{tcl_version}
Name: sqlite
Version: 3.24.0
Release: 12
Version: 3.32.3
Release: 1
Summary: Embeded SQL database
License: Public Domain
URL: http://www.sqlite.org/
Source0: http://www.sqlite.org/2018/sqlite-src-%{extver}.zip
Source1: http://www.sqlite.org/2018/sqlite-doc-%{extver}.zip
Source2: https://www.sqlite.org/2018/sqlite-autoconf-%{extver}.tar.gz
Source0: http://www.sqlite.org/2020/sqlite-src-%{extver}.zip
Source1: http://www.sqlite.org/2020/sqlite-doc-%{extver}.zip
Source2: https://www.sqlite.org/2020/sqlite-autoconf-%{extver}.tar.gz
Patch0: 0000-sqlite-no-malloc-usable-size.patch
Patch1: 0001-sqlite-CVE-2018-20346.patch
Patch1: 0001-sqlite-no-malloc-usable-size.patch
Patch2: 0002-remove-fail-testcase-in-no-free-fd-situation.patch
Patch3: 0003-Fix-the-sqlite3BeginTrans-calls-within-the-snapshot-.patch
Patch4: 0004-Change-a-comma-into-a-logically-equivalent-but-seman.patch
Patch5: 0005-Fix-a-typo-in-the-amalgamation-autoconf-file.patch
Patch6: 0006-Fix-typo-in-the-normalize-extension.patch
Patch7: 0007-Fix-a-minor-problem-in-the-code-for-determining-whet.patch
Patch8: 0008-Quick-patch-to-the-Lemon-parser-template-to-avoid-an.patch
Patch9: 0009-Fix-typo-in-the-Win32-specific-code-for-the-fileio-e.patch
Patch10: 0010-Fix-a-problem-causing-ENABLE_CURSOR_HINTS-builds-to-.patch
Patch11: 0011-Fix-a-potential-crash-that-can-occur-while-reading-a.patch
Patch12: 0012-In-the-CLI-fix-a-file-descriptor-leak-following-OOM-.patch
Patch13: 0013-Take-steps-to-avoid-a-potential-integer-overflow-in-.patch
Patch14: 0014-Fix-minor-memory-leak-in-the-dbstat-extension-that-c.patch
Patch15: 0015-Fix-a-failing-assert-in-sqlite3ResetAllSchemasOfConn.patch
Patch16: 0016-Fix-a-parser-bug-in-the-use-of-parentheses-around-ta.patch
Patch17: 0017-Fix-possible-integer-overflow-while-running-PRAGMA-i.patch
Patch18: 0018-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
Patch19: 0019-Fix-another-problem-with-corrupt-database-handling-i.patch
Patch20: 0020-Fix-a-buffer-overwrite-in-fts5-triggered-by-a-corrup.patch
Patch21: 0021-Fix-another-case-in-fts5-where-a-corrupt-database-co.patch
Patch22: 0022-Fix-another-potential-buffer-overread-in-fts5.patch
Patch23: 0023-Fix-a-possible-memory-leak-when-trying-to-UPDATE-a-c.patch
Patch24: 0024-Fix-an-out-of-bounds-read-in-SQL-function-fts5_decod.patch
Patch25: 0025-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch
Patch26: 0026-Prevent-unsigned-32-bit-integer-overflow-from-leadin.patch
Patch27: 0027-Fix-a-problem-causing-a-crash-if-an-fts5vocab-table-.patch
Patch28: 0028-Fix-a-harmless-memory-leak-in-the-Lemon-parser-gener.patch
Patch29: 0029-Handle-SQL-NULL-values-without-crashing-in-the-fts5-.patch
Patch30: 0030-Fix-a-memory-leak-that-could-occur-in-fts3-when-hand.patch
Patch31: 0031-Fix-a-buffer-overwrite-that-could-occur-when-running.patch
Patch32: 0032-Fix-another-corruption-related-crash-in-fts5.patch
Patch33: 0033-Avoid-integer-overflow-when-computing-the-array-of-a.patch
Patch34: 0034-Fix-another-segfault-caused-by-a-corrupt-fts3-databa.patch
Patch35: 0035-Fix-a-buffer-overrun-that-could-occur-in-fts5-if-a-p.patch
Patch36: 0036-Fix-another-fts5-crash-that-can-occur-if-the-databas.patch
Patch37: 0037-Fix-an-assert-in-vdbemem.c-that-could-fire-if-the-da.patch
Patch38: 0038-Fix-a-potential-problem-with-INSERT-INTO-.-SELECT-FR.patch
Patch39: 0039-Fix-a-segfault-that-could-follow-an-OOM-when-queryin.patch
Patch40: 0040-Fix-a-buffer-overread-in-fts3-that-could-occur-when-.patch
Patch41: 0041-Fix-a-buffer-overrun-triggered-by-a-merge-operation-.patch
Patch42: 0042-Fix-another-buffer-overread-in-fts5-that-may-occur-w.patch
Patch43: 0043-Fix-another-buffer-overrun-that-could-occur-when-que.patch
Patch44: 0044-Fix-another-segfault-that-could-occur-in-fts5-with-a.patch
Patch45: 0045-Fix-a-potential-memory-leak-in-RBU-if-the-rbu_fossil.patch
Patch46: 0046-Fix-a-potential-32-bit-integer-overflow-in-the-showd.patch
Patch47: 0047-sqlite-CVE-2019-8457-out-of-bounds-read.patch
Patch48: 0048-sqlite-CVE-2019-16168.patch
Patch49: 0049-Fix-CVE-2019-19646.patch
Patch50: 0050-Fix-CVE-2019-9936.patch
Patch51: 0051-Fix-CVE-2019-9937.patch
Patch52: 0052-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch
Patch53: 0053-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch
Patch54: 0054-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch
Patch55: 0055-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch
Patch56: 0056-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch
Patch57: 0057-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch
Patch58: 0058-Fix-CVE-2018-20505.patch
Patch59: 0059-Fix-CVE-2020-9327.patch
Patch60: 0060-Fix-CVE-2020-11655.patch
Patch61: 0061-Fix-CVE-2020-13434.patch
Patch62: 0062-Fix-CVE-2020-13435.patch
Patch63: 0063-Fix-CVE-2020-13630.patch
Patch64: 0064-Fix-CVE-2020-13632.patch
BuildRequires: gcc autoconf tcl tcl-devel
BuildRequires: ncurses-devel readline-devel glibc-devel
@ -122,71 +59,8 @@ This contains man files and HTML files for the using of sqlite.
%prep
#autosetup will fail because of 2 zip files
%setup -q -a1 -n %{name}-src-%{extver}
%patch0 -p1
%patch1 -p0
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%patch45 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
rm -f %{name}-doc-%{extver}/sqlite.css~ || :
@ -257,6 +131,9 @@ make test
%{_mandir}/man*/*
%changelog
* Tue Jul 21 2020 jixinjie <jixinjie@huawei.com> - 3.32.3-1
- update package to 3.32.3
* Tue Jun 30 2020 volcanodragon <linfeilong@huawei.com> - 3.24.0-12
- Type:enhancement
- ID:NA
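Review bot: The new `Patch1: 0001-sqlite-no-malloc-usable-size.patch` in the first hunk carries the same descriptive name as the retained `Patch0: 0000-sqlite-no-malloc-usable-size.patch`, and the %prep hunk now applies both with `-p1`; if the two files hold the same change the second `%patch1 -p1` will fail on already-applied hunks, and if they differ nothing in the spec says what the second one is for, so it should either be dropped or renamed with a comment explaining the difference. The same hunk silently drops 64 patches, including the fixes for CVE-2018-20346, CVE-2018-20505, CVE-2019-8457, CVE-2019-9936/9937, CVE-2019-16168, CVE-2019-19646, CVE-2019-19923 to 19926, CVE-2019-20218, CVE-2020-9327, CVE-2020-11655 and CVE-2020-13434/13435/13630/13632, on the implicit assumption that upstream 3.32.3 contains all of them; that is plausible for a June 2020 release but should be stated and checked, e.g. a changelog line `- drop patches 0001-0064: fixes merged upstream in 3.32.3 (CVE list verified against upstream check-ins)`. Source0 and Source1 still point at `http://www.sqlite.org/2020/...` while Source2 uses `https://`; the two should be changed to `https://` so the source and doc archives are never fetched over plaintext when these URLs are used. The new changelog entry at the end of the section also omits the Type/ID/SUG/DESC lines the previous entry carries.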