!60 修复 CVE-2022-35737

From: @liusirui91 Reviewed-by: @shikemeng, @dillon_chen Signed-off-by: @dillon_chen
2022-08-16 04:13:35 +00:00 · 2022-08-16 04:13:35 +00:00 · 538587881d
commit 538587881d
parent c135d8d9cf 419bd31973
2 changed files with 86 additions and 1 deletions
--- a/0004-CVE-2022-35737.patch
+++ b/0004-CVE-2022-35737.patch
@ -0,0 +1,80 @@
 From effc07ec9c6e08d3bd17665f8800054770f8c643 Mon Sep 17 00:00:00 2001
 From: drh <>
 Date: Fri, 15 Jul 2022 12:34:31 +0000
 Subject: [PATCH] Fix the whereKeyStats() routine (part of STAT4 processing
 only) so that it is able to cope with row-value comparisons against the
 primary key index of a WITHOUT ROWID table.
 [forum:/forumpost/3607259d3c|Forum post 3607259d3c].
 FossilOrigin-Name: 2a6f761864a462de5c2d5bc666b82fb0b7e124a03443cd1482620dde344b34bb
 ---
 src/where.c        |  4 ++--
 test/rowvalue.test | 31 +++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)
 diff --git a/src/where.c b/src/where.c
 index de6ea91e3..110eb4845 100644
 --- a/src/where.c
 +++ b/src/where.c
@@ -1433,7 +1433,7 @@ static int whereKeyStats(
 #endif
   assert( pRec!=0 );
   assert( pIdx->nSample>0 );
 -  assert( pRec->nField>0 && pRec->nField<=pIdx->nSampleCol );
 +  assert( pRec->nField>0 );
   /* Do a binary search to find the first sample greater than or equal
   ** to pRec. If pRec contains a single field, the set of samples to search
@@ -1479,7 +1479,7 @@ static int whereKeyStats(
   ** it is extended to two fields. The duplicates that this creates do not 
   ** cause any problems.
   */
 -  nField = pRec->nField;
 +  nField = MIN(pRec->nField, pIdx->nSample);
   iCol = 0;
   iSample = pIdx->nSample * nField;
   do{
 diff --git a/test/rowvalue.test b/test/rowvalue.test
 index 12fee8237..59b44d938 100644
 --- a/test/rowvalue.test
 +++ b/test/rowvalue.test
@@ -751,4 +751,35 @@ do_execsql_test 30.3 {
 +# 2022-07-15
 +# https://sqlite.org/forum/forumpost/3607259d3c
 +#
 +reset_db
 +do_execsql_test 33.1 {
 +  CREATE TABLE t1(a INT, b INT PRIMARY KEY) WITHOUT ROWID;
 +  INSERT INTO t1(a, b) VALUES (0, 1),(15,-7),(3,100);
 +  ANALYZE;
 +} {}
 +do_execsql_test 33.2 {
 +  SELECT * FROM t1 WHERE (b,a) BETWEEN (0,5) AND (99,-2);
 +} {0 1}
 +do_execsql_test 33.3 {
 +  SELECT * FROM t1 WHERE (b,a) BETWEEN (-8,5) AND (0,-2);
 +} {15 -7}
 +do_execsql_test 33.3 {
 +  SELECT * FROM t1 WHERE (b,a) BETWEEN (3,5) AND (100,4);
 +} {3 100}
 +do_execsql_test 33.3 {
 +  SELECT * FROM t1 WHERE (b,a) BETWEEN (3,5) AND (100,2);
 +} {}
 +do_execsql_test 33.3 {
 +  SELECT * FROM t1 WHERE (a,b) BETWEEN (-2,99) AND (1,0);
 +} {0 1}
 +do_execsql_test 33.3 {
 +  SELECT * FROM t1 WHERE (a,b) BETWEEN (14,99) AND (16,0);
 +} {15 -7}
 +do_execsql_test 33.3 {
 +  SELECT * FROM t1 WHERE (a,b) BETWEEN (2,99) AND (4,0);
 +} {3 100}
 +
 finish_test
 -- 
 2.25.1
--- a/sqlite.spec
+++ b/sqlite.spec
@ -6,7 +6,7 @@
 Name:    sqlite
 Version: 3.36.0
-Release: 2
+Release: 3
 Summary: Embeded SQL database
 License: Public Domain
 URL:     http://www.sqlite.org/
@ -18,6 +18,7 @@ Source2: https://www.sqlite.org/2021/sqlite-autoconf-%{extver}.tar.gz
 Patch1: 0001-sqlite-no-malloc-usable-size.patch
 Patch2: 0002-remove-fail-testcase-in-no-free-fd-situation.patch
 Patch3: 0003-CVE-2021-36690.patch
 Patch4: 0004-CVE-2022-35737.patch
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@ -63,6 +64,7 @@ This contains man files and HTML files for the using of sqlite.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
@ -133,6 +135,9 @@ make test
 %{_mandir}/man*/*
 %changelog
 * Tue Aug 16 2022 liusirui <liusirui@huawei.com> - 3.36.0-3
 - fix the CVE-2022-35737.
 * Sat Nov 27 2021 wbq_sky <wangbingquan@huawei.com> - 3.36.0-2
 - fix the CVE-2021-36690.