commit 81a5c3e4716e82e33d385171412ee5801e2657a0 Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 11:17:27 2019 -0400 Package init diff --git a/0000-sqlite-3.6.23-lemon-system-template.patch b/0000-sqlite-3.6.23-lemon-system-template.patch new file mode 100644 index 0000000..3d3b0aa --- /dev/null +++ b/0000-sqlite-3.6.23-lemon-system-template.patch @@ -0,0 +1,21 @@ +diff -up sqlite-3.6.23/tool/lemon.c.system-template sqlite-3.6.23/tool/lemon.c +--- sqlite-3.6.23/tool/lemon.c.system-template 2010-03-10 16:40:35.000000000 +0200 ++++ sqlite-3.6.23/tool/lemon.c 2010-03-10 16:40:39.000000000 +0200 +@@ -3363,6 +3363,8 @@ PRIVATE FILE *tplt_open(struct lemon *le + tpltname = buf; + }else if( access(templatename,004)==0 ){ + tpltname = templatename; ++ }else if( access("/usr/share/lemon/lempar.c", R_OK)==0){ ++ tpltname = "/usr/share/lemon/lempar.c"; + }else{ + tpltname = pathsearch(lemp->argv0,templatename,0); + } +@@ -3374,7 +3376,7 @@ PRIVATE FILE *tplt_open(struct lemon *le + } + in = fopen(tpltname,"rb"); + if( in==0 ){ +- fprintf(stderr,"Can't open the template file \"%s\".\n",templatename); ++ fprintf(stderr,"Can't open the template file \"%s\".\n",tpltname); + lemp->errorcnt++; + return 0; + } diff --git a/0001-sqlite-3.7.7.1-stupid-openfiles-test.patch b/0001-sqlite-3.7.7.1-stupid-openfiles-test.patch new file mode 100644 index 0000000..101f0d4 --- /dev/null +++ b/0001-sqlite-3.7.7.1-stupid-openfiles-test.patch 
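Review bot: The new `access("/usr/share/lemon/lempar.c", R_OK)` branch is tested before `tpltname = pathsearch(lemp->argv0,templatename,0)`, so a system-wide template now takes precedence over a `lempar.c` found next to the lemon binary, which reverses the lookup order someone building from a source tree may rely on; if the system path is meant as a last resort, place the new check after the pathsearch branch instead. The added line spells the mode as `R_OK` while the existing line above uses the octal `004`; pick one, `R_OK` is the clearer form. The `access()` probe only chooses a candidate and the real failure is still reported by the `fopen()` check further down, which this patch correctly changes to print `tpltname` instead of `templatename`. tplt_open's body continues outside the hunk.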
@@ -0,0 +1,37 @@ +--- sqlite-src-3240000/test/oserror.test.old 2018-06-05 08:40:35.656122573 +0200 ++++ sqlite-src-3240000/test/oserror.test 2018-06-05 08:40:45.614935197 +0200 +@@ -51,20 +51,20 @@ + # a call to getcwd() may fail if there are no free file descriptors. So + # an error may be reported for either open() or getcwd() here. + # +-if {![clang_sanitize_address]} { +- do_test 1.1.1 { +- set ::log [list] +- list [catch { +- for {set i 0} {$i < 20000} {incr i} { sqlite3 dbh_$i test.db -readonly 1 } +- } msg] $msg +- } {1 {unable to open database file}} +- do_test 1.1.2 { +- catch { for {set i 0} {$i < 20000} {incr i} { dbh_$i close } } +- } {1} +- do_re_test 1.1.3 { +- lindex $::log 0 +- } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - } +-} ++#if {![clang_sanitize_address]} { ++# do_test 1.1.1 { ++# set ::log [list] ++# list [catch { ++# for {set i 0} {$i < 20000} {incr i} { sqlite3 dbh_$i test.db -readonly 1 } ++# } msg] $msg ++# } {1 {unable to open database file}} ++# do_test 1.1.2 { ++# catch { for {set i 0} {$i < 20000} {incr i} { dbh_$i close } } ++# } {1} ++# do_re_test 1.1.3 { ++# lindex $::log 0 ++# } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - } ++#} + + + # Test a failure in open() due to the path being a directory. diff --git a/0002-sqlite-3.12.2-no-malloc-usable-size.patch b/0002-sqlite-3.12.2-no-malloc-usable-size.patch new file mode 100644 index 0000000..b983bd3 --- /dev/null +++ b/0002-sqlite-3.12.2-no-malloc-usable-size.patch 
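Review bot: The patch gives no reason for disabling the fd-exhaustion test, unlike 0003 and 0004 in this same commit, which open with a comment stating what fails and when the workaround can be dropped; 0005-sqlite-3.16-datetest-2.2c.patch has the same gap, deleting the 1000-iteration `strftime('%%H:%%M:%%f', ...)` loop without a word. Add a header line before the first `---` line, e.g. `# Disabled in the distro build because <reason>; drop once <condition>.` with the real values filled in. Commenting the block out line by line also makes every future rebase noisy; wrapping the original `if {![clang_sanitize_address]} { ... }` block in `if 0 { ... }` keeps it intact and is a one-line change at each end.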
@@ -0,0 +1,24 @@ +diff -up sqlite-src-3120200/configure.ac.malloc_usable_size sqlite-src-3120200/configure.ac +--- sqlite-src-3120200/configure.ac.malloc_usable_size 2016-04-25 09:46:48.134690570 +0200 ++++ sqlite-src-3120200/configure.ac 2016-04-25 09:48:41.622637181 +0200 +@@ -108,7 +108,7 @@ AC_CHECK_HEADERS([sys/types.h stdlib.h s + ######### + # Figure out whether or not we have these functions + # +-AC_CHECK_FUNCS([fdatasync gmtime_r isnan localtime_r localtime_s malloc_usable_size strchrnul usleep utime pread pread64 pwrite pwrite64]) ++AC_CHECK_FUNCS([fdatasync gmtime_r isnan localtime_r localtime_s strchrnul usleep utime pread pread64 pwrite pwrite64]) + + ######### + # By default, we use the amalgamation (this may be changed below...) +diff -up sqlite-src-3120200/configure.malloc_usable_size sqlite-src-3120200/configure +--- sqlite-src-3120200/configure.malloc_usable_size 2016-04-25 09:47:12.594679063 +0200 ++++ sqlite-src-3120200/configure 2016-04-25 09:49:28.684615042 +0200 +@@ -10275,7 +10275,7 @@ done + ######### + # Figure out whether or not we have these functions + # +-for ac_func in fdatasync gmtime_r isnan localtime_r localtime_s malloc_usable_size strchrnul usleep utime pread pread64 pwrite pwrite64 ++for ac_func in fdatasync gmtime_r isnan localtime_r localtime_s strchrnul usleep utime pread pread64 pwrite pwrite64 + do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" diff --git a/0003-sqlite-3.8.0-percentile-test.patch b/0003-sqlite-3.8.0-percentile-test.patch new file mode 100644 index 0000000..f828fa5 --- /dev/null +++ b/0003-sqlite-3.8.0-percentile-test.patch 
@@ -0,0 +1,15 @@ +# On i686 arch the removed test fails with result 2749999.50004681 instead of expected +# 2749999.5. This patch is temporary workaround and should be dropped as soon as a valid +# fix is found. + +diff -up sqlite-src-3080002/test/percentile.test.broken sqlite-src-3080002/test/percentile.test +--- sqlite-src-3080002/test/percentile.test.broken 2013-09-16 13:19:53.406004041 +0200 ++++ sqlite-src-3080002/test/percentile.test 2013-09-16 13:20:00.079024945 +0200 +@@ -195,7 +195,6 @@ ifcapable vtab { + foreach {in out} { + 0 0.0 + 100 9999990.0 +- 50 2749999.5 + 10 99999.9 + } { + do_test percentile-2.1.$in { diff --git a/0004-sqlite-3.8.10.1-tcl-regress-tests.patch b/0004-sqlite-3.8.10.1-tcl-regress-tests.patch new file mode 100644 index 0000000..bdeb6da --- /dev/null +++ b/0004-sqlite-3.8.10.1-tcl-regress-tests.patch 
@@ -0,0 +1,137 @@ +This patch disables a test which caused failed assertion in tcl 8.6.3. +According to sqlite upstream[1], this should be fixed in tcl 8.6.5. + +[1] http://mailinglists.sqlite.org/cgi-bin/mailman/private/sqlite-users/2015-May/059518.html + +diff -up sqlite-src-3130000/test/shell1.test.orig sqlite-src-3130000/test/shell1.test +--- sqlite-src-3140100/test/shell1.test.orig 2016-08-12 02:17:02.000000000 +0200 ++++ sqlite-src-3140100/test/shell1.test 2016-08-15 15:00:59.869664051 +0200 +@@ -855,67 +855,67 @@ do_test shell1-4.6 { + + # Test using arbitrary byte data with the shell via standard input/output. + # +-do_test shell1-5.0 { +- # +- # NOTE: Skip NUL byte because it appears to be incompatible with command +- # shell argument parsing. +- # +- for {set i 1} {$i < 256} {incr i} { +- # +- # NOTE: Due to how the Tcl [exec] command works (i.e. where it treats +- # command channels opened for it as textual ones), the carriage +- # return character (and on Windows, the end-of-file character) +- # cannot be used here. +- # +- if {$i==0x0D || ($tcl_platform(platform)=="windows" && $i==0x1A)} { +- continue +- } +- if {$i>=0xE0 && $tcl_platform(os)=="OpenBSD"} continue +- if {$i>=0xE0 && $i<=0xEF && $tcl_platform(os)=="Linux"} continue +- set hex [format %02X $i] +- set char [subst \\x$hex]; set oldChar $char +- set escapes [list] +- if {$tcl_platform(platform)=="windows"} { +- # +- # NOTE: On Windows, we need to escape all the whitespace characters, +- # the alarm (\a) character, and those with special meaning to +- # the SQLite shell itself. +- # +- set escapes [list \ +- \a \\a \b \\b \t \\t \n \\n \v \\v \f \\f \r \\r \ +- " " "\" \"" \" \\\" ' \"'\" \\ \\\\] +- } else { +- # +- # NOTE: On Unix, we need to escape most of the whitespace characters +- # and those with special meaning to the SQLite shell itself. +- # The alarm (\a), backspace (\b), and carriage-return (\r) +- # characters do not appear to require escaping on Unix. 
For +- # the alarm and backspace characters, this is probably due to +- # differences in the command shell. For the carriage-return, +- # it is probably due to differences in how Tcl handles command +- # channel end-of-line translations. +- # +- set escapes [list \ +- \t \\t \n \\n \v \\v \f \\f \ +- " " "\" \"" \" \\\" ' \"'\" \\ \\\\] +- } +- set char [string map $escapes $char] +- set x [catchcmdex test.db ".print $char\n"] +- set code [lindex $x 0] +- set res [lindex $x 1] +- if {$code ne "0"} { +- error "failed with error: $res" +- } +- if {$res ne "$oldChar\n"} { +- if {[llength $res] > 0} { +- set got [format %02X [scan $res %c]] +- } else { +- set got +- } +- error "failed with byte $hex mismatch, got $got" +- } +- } +-} {} ++#do_test shell1-5.0 { ++# # ++# # NOTE: Skip NUL byte because it appears to be incompatible with command ++# # shell argument parsing. ++# # ++# for {set i 1} {$i < 256} {incr i} { ++# # ++# # NOTE: Due to how the Tcl [exec] command works (i.e. where it treats ++# # command channels opened for it as textual ones), the carriage ++# # return character (and on Windows, the end-of-file character) ++# # cannot be used here. ++# # ++# if {$i==0x0D || ($tcl_platform(platform)=="windows" && $i==0x1A)} { ++# continue ++# } ++# if {$i>=0xE0 && $tcl_platform(os)=="OpenBSD"} continue ++# if {$i>=0xE0 && $i<=0xEF && $tcl_platform(os)=="Linux"} continue ++# set hex [format %02X $i] ++# set char [subst \\x$hex]; set oldChar $char ++# set escapes [list] ++# if {$tcl_platform(platform)=="windows"} { ++# # ++# # NOTE: On Windows, we need to escape all the whitespace characters, ++# # the alarm (\a) character, and those with special meaning to ++# # the SQLite shell itself. ++# # ++# set escapes [list \ ++# \a \\a \b \\b \t \\t \n \\n \v \\v \f \\f \r \\r \ ++# " " "\" \"" \" \\\" ' \"'\" \\ \\\\] ++# } else { ++# # ++# # NOTE: On Unix, we need to escape most of the whitespace characters ++# # and those with special meaning to the SQLite shell itself. 
++# # The alarm (\a), backspace (\b), and carriage-return (\r) ++# # characters do not appear to require escaping on Unix. For ++# # the alarm and backspace characters, this is probably due to ++# # differences in the command shell. For the carriage-return, ++# # it is probably due to differences in how Tcl handles command ++# # channel end-of-line translations. ++# # ++# set escapes [list \ ++# \t \\t \n \\n \v \\v \f \\f \ ++# " " "\" \"" \" \\\" ' \"'\" \\ \\\\] ++# } ++# set char [string map $escapes $char] ++# set x [catchcmdex test.db ".print $char\n"] ++# set code [lindex $x 0] ++# set res [lindex $x 1] ++# if {$code ne "0"} { ++# error "failed with error: $res" ++# } ++# if {$res ne "$oldChar\n"} { ++# if {[llength $res] > 0} { ++# set got [format %02X [scan $res %c]] ++# } else { ++# set got ++# } ++# error "failed with byte $hex mismatch, got $got" ++# } ++# } ++#} {} + + # These test cases do not work on MinGW + if 0 { diff --git a/0005-sqlite-3.16-datetest-2.2c.patch b/0005-sqlite-3.16-datetest-2.2c.patch new file mode 100644 index 0000000..63857db --- /dev/null +++ b/0005-sqlite-3.16-datetest-2.2c.patch @@ -0,0 +1,14 @@ +--- sqlite-src-3160100/test/date.test.orig 2017-01-04 14:48:46.113737093 +0100 ++++ sqlite-src-3160100/test/date.test 2017-01-04 14:49:11.144833563 +0100 +@@ -76,11 +76,6 @@ datetest 2.1c datetime(0,'unixepochx') N + datetest 2.1d datetime('2003-10-22','unixepoch') NULL + datetest 2.2 datetime(946684800,'unixepoch') {2000-01-01 00:00:00} + datetest 2.2b datetime('946684800','unixepoch') {2000-01-01 00:00:00} +-for {set i 0} {$i<1000} {incr i} { +- set sql [format {strftime('%%H:%%M:%%f',1237962480.%03d,'unixepoch')} $i] +- set res [format {06:28:00.%03d} $i] +- datetest 2.2c-$i $sql $res +-} + datetest 2.3 {date('2003-10-22','weekday 0')} 2003-10-26 + datetest 2.4 {date('2003-10-22','weekday 1')} 2003-10-27 + datetest 2.4a {date('2003-10-22','weekday 1')} 2003-10-27 
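Review bot: The patch's own header says the tcl assertion is fixed in 8.6.5, yet shell1-5.0 is disabled unconditionally, so the shell's byte round-trip coverage stays off even on a fixed tcl; guarding it with a version check, e.g. `if {[package vcompare [info patchlevel] 8.6.5] >= 0} {` around the original `do_test shell1-5.0` block, keeps the test alive where it is safe to run. The `diff -up` line names `sqlite-src-3130000/test/shell1.test` while the `---`/`+++` lines name `sqlite-src-3140100`; `patch` ignores the `diff` line so this is harmless, but it suggests a stale header that should be regenerated so the paths agree.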
diff --git a/0006-sqlite-3.18.0-sync2-dirsync.patch b/0006-sqlite-3.18.0-sync2-dirsync.patch
new file mode 100644
index 0000000..0c7d0a5
--- /dev/null
+++ b/0006-sqlite-3.18.0-sync2-dirsync.patch
@@ -0,0 +1,90 @@ +--- sqlite-src-3180000/test/sync2.test.sync2-dirsync 2017-03-30 21:26:42.000000000 +0200 ++++ sqlite-src-3180000/test/sync2.test 2017-04-03 13:16:14.422329691 +0200 +@@ -44,6 +44,15 @@ + uplevel [list do_test $tn [list execsql_sync $sql] [list {*}$res]] + } + ++# Wrapper over the expected sync count, takes DIRSYNC into consideration ++proc expected_sync_count {sync_count} { ++ ifcapable dirsync { ++ return $sync_count ++ } else { ++ return [ incr sync_count -1 ] ++ } ++} ++ + #----------------------------------------------------------------------- + # Tests for journal mode. + # +@@ -53,13 +62,13 @@ + INSERT INTO t1 VALUES(1, 2); + } + +-do_execsql_sync_test 1.1 { INSERT INTO t1 VALUES(3, 4) } 4 ++do_execsql_sync_test 1.1 { INSERT INTO t1 VALUES(3, 4) } [ expected_sync_count 4 ] + + # synchronous=normal. So, 1 sync on the directory, 1 on the journal, 1 + # on the db file. 3 in total. + do_execsql_test 1.2.1 { PRAGMA main.synchronous = NORMAL } + do_execsql_test 1.2.2 { PRAGMA main.synchronous } 1 +-do_execsql_sync_test 1.2.3 { INSERT INTO t1 VALUES(5, 6) } 3 ++do_execsql_sync_test 1.2.3 { INSERT INTO t1 VALUES(5, 6) } [ expected_sync_count 3 ] + + # synchronous=off. No syncs. + do_execsql_test 1.3.1 { PRAGMA main.synchronous = OFF } +@@ -70,7 +79,7 @@ + # 2 on the journal, 1 on the db file. 4 in total. + do_execsql_test 1.4.1 { PRAGMA main.synchronous = FULL } + do_execsql_test 1.4.2 { PRAGMA main.synchronous } 2 +-do_execsql_sync_test 1.4.3 { INSERT INTO t1 VALUES(9, 10) } 4 ++do_execsql_sync_test 1.4.3 { INSERT INTO t1 VALUES(9, 10) } [ expected_sync_count 4 ] + + #----------------------------------------------------------------------- + # Tests for wal mode. +@@ -79,7 +88,7 @@ + + # sync=full, journal_mode=wal. One sync on the directory, two on the + # wal file. +-do_execsql_sync_test 1.6 { INSERT INTO t1 VALUES(11, 12) } 3 ++do_execsql_sync_test 1.6 { INSERT INTO t1 VALUES(11, 12) } [ expected_sync_count 3 ] + + # One sync on the wal file. 
+ do_execsql_sync_test 1.7 { INSERT INTO t1 VALUES(13, 14) } 1 +@@ -112,7 +121,7 @@ + + # Wal mode, sync=normal. The first transaction does one sync on directory, + # one on the wal file. The second does no syncs. +- do_execsql_sync_test 1.11.1 { INSERT INTO t1 VALUES(19, 20) } 2 ++ do_execsql_sync_test 1.11.1 { INSERT INTO t1 VALUES(19, 20) } [ expected_sync_count 2 ] + do_execsql_sync_test 1.11.2 { INSERT INTO t1 VALUES(21, 22) } 0 + do_execsql_test 1.11.3 { PRAGMA main.synchronous } 1 + +@@ -129,14 +138,14 @@ + # Delete mode, sync=full. The first transaction does one sync on + # directory, two on the journal file, one on the db. The second does + # the same. +- do_execsql_sync_test 1.15.1 { INSERT INTO t1 VALUES(26, 27) } 4 +- do_execsql_sync_test 1.15.2 { INSERT INTO t1 VALUES(28, 29) } 4 ++ do_execsql_sync_test 1.15.1 { INSERT INTO t1 VALUES(26, 27) } [ expected_sync_count 4 ] ++ do_execsql_sync_test 1.15.2 { INSERT INTO t1 VALUES(28, 29) } [ expected_sync_count 4 ] + do_execsql_test 1.15.3 { PRAGMA main.synchronous } 2 + + # Switch back to wal mode. + do_execsql_test 1.16 { PRAGMA journal_mode = wal } {wal} + +- do_execsql_sync_test 1.17.1 { INSERT INTO t1 VALUES(30, 31) } 2 ++ do_execsql_sync_test 1.17.1 { INSERT INTO t1 VALUES(30, 31) } [ expected_sync_count 2 ] + do_execsql_sync_test 1.17.2 { INSERT INTO t1 VALUES(32, 33) } 0 + do_execsql_test 1.17.3 { PRAGMA main.synchronous } 1 + +@@ -152,8 +161,8 @@ + # Close and reopen the db. Back to synchronous=normal. + db close + sqlite3 db test.db +- do_execsql_sync_test 1.20.1 { INSERT INTO t1 VALUES(38, 39) } 4 +- do_execsql_sync_test 1.20.2 { INSERT INTO t1 VALUES(40, 41) } 4 ++ do_execsql_sync_test 1.20.1 { INSERT INTO t1 VALUES(38, 39) } [ expected_sync_count 4 ] ++ do_execsql_sync_test 1.20.2 { INSERT INTO t1 VALUES(40, 41) } [ expected_sync_count 4 ] + do_execsql_test 1.20.3 { PRAGMA main.synchronous } 2 + } + 
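Review bot: `expected_sync_count` silently subtracts one when the `dirsync` capability is absent, which encodes the assumption that every adjusted test expects exactly one directory fsync; that holds for the lines patched here (each preceding comment counts one directory sync), but the proc does not say so. Add above the proc: `# Each caller's count includes exactly one directory sync; without DIRSYNC that sync never happens, so expect one fewer.` The `[ incr sync_count -1 ]` form reads as a mutation of the parameter and its bracket spacing differs from the rest of the file; `[expr {$sync_count - 1}]` states the arithmetic directly.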
diff --git a/0007-sqlite-CVE-2018-20346.patch b/0007-sqlite-CVE-2018-20346.patch
new file mode 100644
index 0000000..1fdbecc
--- /dev/null
+++ b/0007-sqlite-CVE-2018-20346.patch
@@ -0,0 +1,291 @@ +Index: ext/fts3/fts3.c +================================================================== +--- ext/fts3/fts3.c ++++ ext/fts3/fts3.c +@@ -1819,11 +1819,11 @@ + ){ + int rc = SQLITE_OK; /* Return code */ + const char *zCsr = zNode; /* Cursor to iterate through node */ + const char *zEnd = &zCsr[nNode];/* End of interior node buffer */ + char *zBuffer = 0; /* Buffer to load terms into */ +- int nAlloc = 0; /* Size of allocated buffer */ ++ i64 nAlloc = 0; /* Size of allocated buffer */ + int isFirstTerm = 1; /* True when processing first term on page */ + sqlite3_int64 iChild; /* Block id of child node to descend to */ + + /* Skip over the 'height' varint that occurs at the start of every + ** interior node. Then load the blockid of the left-child of the b-tree +@@ -1857,18 +1857,18 @@ + } + isFirstTerm = 0; + zCsr += fts3GetVarint32(zCsr, &nSuffix); + + assert( nPrefix>=0 && nSuffix>=0 ); +- if( &zCsr[nSuffix]>zEnd ){ ++ if( nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){ + rc = FTS_CORRUPT_VTAB; + goto finish_scan; + } +- if( nPrefix+nSuffix>nAlloc ){ ++ if( (i64)nPrefix+nSuffix>nAlloc ){ + char *zNew; +- nAlloc = (nPrefix+nSuffix) * 2; +- zNew = (char *)sqlite3_realloc(zBuffer, nAlloc); ++ nAlloc = ((i64)nPrefix+nSuffix) * 2; ++ zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc); + if( !zNew ){ + rc = SQLITE_NOMEM; + goto finish_scan; + } + zBuffer = zNew; + +Index: ext/fts3/fts3_write.c +================================================================== +--- ext/fts3/fts3_write.c ++++ ext/fts3/fts3_write.c +@@ -1372,19 +1372,23 @@ + + /* Because of the FTS3_NODE_PADDING bytes of padding, the following is + ** safe (no risk of overread) even if the node data is corrupted. 
*/ + pNext += fts3GetVarint32(pNext, &nPrefix); + pNext += fts3GetVarint32(pNext, &nSuffix); +- if( nPrefix<0 || nSuffix<=0 +- || &pNext[nSuffix]>&pReader->aNode[pReader->nNode] ++ if( nSuffix<=0 ++ || (&pReader->aNode[pReader->nNode] - pNext)pReader->nTermAlloc + ){ + return FTS_CORRUPT_VTAB; + } + +- if( nPrefix+nSuffix>pReader->nTermAlloc ){ +- int nNew = (nPrefix+nSuffix)*2; +- char *zNew = sqlite3_realloc(pReader->zTerm, nNew); ++ /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are ++ ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer ++ ** overflow - hence the (i64) casts. */ ++ if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){ ++ i64 nNew = ((i64)nPrefix+nSuffix)*2; ++ char *zNew = sqlite3_realloc64(pReader->zTerm, nNew); + if( !zNew ){ + return SQLITE_NOMEM; + } + pReader->zTerm = zNew; + pReader->nTermAlloc = nNew; +@@ -1402,11 +1406,11 @@ + + /* Check that the doclist does not appear to extend past the end of the + ** b-tree node. And that the final byte of the doclist is 0x00. If either + ** of these statements is untrue, then the data structure is corrupt. 
+ */ +- if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode] ++ if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)nDoclist + || (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1]) + ){ + return FTS_CORRUPT_VTAB; + } + return SQLITE_OK; +@@ -3728,25 +3732,30 @@ + if( bFirst==0 ){ + p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nPrefix); + } + p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix); + ++ if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){ ++ return SQLITE_CORRUPT_VTAB; ++ } + blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc); + if( rc==SQLITE_OK ){ + memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix); + p->term.n = nPrefix+nSuffix; + p->iOff += nSuffix; + if( p->iChild==0 ){ + p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist); ++ if( (p->nNode-p->iOff)nDoclist ){ ++ return SQLITE_CORRUPT_VTAB; ++ } + p->aDoclist = &p->aNode[p->iOff]; + p->iOff += p->nDoclist; + } + } + } + + assert( p->iOff<=p->nNode ); +- + return rc; + } + + /* + ** Release all dynamic resources held by node-reader object *p. + +ADDED test/fts3corrupt4.test +Index: test/fts3corrupt4.test +================================================================== +--- test/fts3corrupt4.test ++++ test/fts3corrupt4.test +@@ -0,0 +1,147 @@ ++# 2006 September 9 ++# ++# The author disclaims copyright to this source code. In place of ++# a legal notice, here is a blessing: ++# ++# May you do good and not evil. ++# May you find forgiveness for yourself and forgive others. ++# May you share freely, never taking more than you give. ++# ++#************************************************************************* ++# This file implements regression tests for SQLite library. The ++# focus of this script is testing the FTS3 module. 
++# ++# $Id: fts3aa.test,v 1.1 2007/08/20 17:38:42 shess Exp $ ++# ++ ++set testdir [file dirname $argv0] ++source $testdir/tester.tcl ++set testprefix fts3corrupt4 ++ ++# If SQLITE_ENABLE_FTS3 is defined, omit this file. ++ifcapable !fts3 { ++ finish_test ++ return ++} ++ ++do_execsql_test 1.0 { ++ BEGIN; ++ CREATE VIRTUAL TABLE ft USING fts3; ++ INSERT INTO ft VALUES('aback'); ++ INSERT INTO ft VALUES('abaft'); ++ INSERT INTO ft VALUES('abandon'); ++ COMMIT; ++} ++ ++proc blob {a} { binary decode hex $a } ++db func blob blob ++ ++do_execsql_test 1.1 { ++ SELECT quote(root) FROM ft_segdir; ++} {X'0005616261636B03010200030266740302020003046E646F6E03030200'} ++ ++do_execsql_test 1.2 { ++ UPDATE ft_segdir SET root = blob( ++ '0005616261636B03010200 FFFFFFFF0702 66740302020003046E646F6E03030200' ++ ); ++} ++ ++do_catchsql_test 1.3 { ++ SELECT * FROM ft WHERE ft MATCH 'abandon'; ++} {1 {database disk image is malformed}} ++ ++#------------------------------------------------------------------------- ++reset_db ++do_execsql_test 2.0.0 { ++ CREATE VIRTUAL TABLE ft USING fts3; ++ INSERT INTO ft(ft) VALUES('nodesize=32'); ++} ++do_test 2.0.1 { ++ for {set i 0} {$i < 12} {incr i} { ++ execsql { ++ BEGIN; ++ INSERT INTO ft VALUES('abc' || $i); ++ INSERT INTO ft VALUES('abc' || $i || 'x' ); ++ INSERT INTO ft VALUES('abc' || $i || 'xx' ); ++ COMMIT ++ } ++ } ++ execsql { ++ SELECT count(*) FROM ft_segdir; ++ SELECT count(*) FROM ft_segments; ++ } ++} {12 0} ++ ++do_execsql_test 2.1 { ++ INSERT INTO ft(ft) VALUES('merge=1,4'); ++ SELECT count(*) FROM ft_segdir; ++ SELECT count(*) FROM ft_segments; ++} {12 3} ++ ++do_execsql_test 2.2 { ++ SELECT quote(block) FROM ft_segments WHERE blockid=2 ++} {X'00056162633130031F0200'} ++ ++db func blob blob ++do_execsql_test 2.3.1 { ++ UPDATE ft_segments SET block = ++ blob('00056162633130031F0200 FFFFFFFF07FF55 66740302020003046E646F6E03030200') ++ WHERE blockid=2; ++} {} ++do_catchsql_test 2.3.2 { ++ INSERT INTO ft(ft) VALUES('merge=1,4'); 
++} {1 {database disk image is malformed}} ++ ++do_execsql_test 2.4.1 { ++ UPDATE ft_segments SET block = ++ blob('00056162633130031F0200 02FFFFFFFF07 66740302020003046E646F6E03030200') ++ WHERE blockid=2; ++} {} ++do_catchsql_test 2.4.2 { ++ INSERT INTO ft(ft) VALUES('merge=1,4'); ++} {1 {database disk image is malformed}} ++ ++do_execsql_test 2.5.1 { ++ UPDATE ft_segments SET block = ++ blob('00056162633130031F0200 0202 6674 FFFFFF070302020003046E646F6E030200') ++ WHERE blockid=2; ++} {} ++do_catchsql_test 2.5.2 { ++ INSERT INTO ft(ft) VALUES('merge=1,4'); ++} {1 {database disk image is malformed}} ++ ++#------------------------------------------------------------------------- ++reset_db ++do_execsql_test 3.0.0 { ++ CREATE VIRTUAL TABLE ft USING fts3; ++ INSERT INTO ft(ft) VALUES('nodesize=32'); ++} ++do_test 3.0.1 { ++ execsql BEGIN ++ for {set i 0} {$i < 20} {incr i} { ++ execsql { INSERT INTO ft VALUES('abc' || $i) } ++ } ++ execsql { ++ COMMIT; ++ SELECT count(*) FROM ft_segdir; ++ SELECT count(*) FROM ft_segments; ++ } ++} {1 5} ++ ++do_execsql_test 3.1 { ++ SELECT quote(root) FROM ft_segdir ++} {X'0101056162633132040136030132030136'} ++ ++db func blob blob ++do_execsql_test 3.2 { ++ UPDATE ft_segdir ++ SET root = blob('0101056162633132FFFFFFFF070236030132030136'); ++} ++ ++do_catchsql_test 3.1 { ++ SELECT * FROM ft WHERE ft MATCH 'abc20' ++} {1 {database disk image is malformed}} ++ ++finish_test ++ ++ + +Index: test/permutations.test +================================================================== +--- test/permutations.test ++++ test/permutations.test +@@ -253,10 +253,11 @@ + fts3ae.test fts3af.test fts3ag.test fts3ah.test + fts3ai.test fts3aj.test fts3ak.test fts3al.test + fts3am.test fts3an.test fts3ao.test fts3atoken.test + fts3auto.test fts3aux1.test fts3aux2.test fts3b.test + fts3comp1.test fts3conf.test fts3corrupt2.test fts3corrupt.test ++ fts3corrupt4.test + fts3cov.test fts3c.test fts3defer2.test fts3defer3.test + fts3defer.test fts3drop.test 
fts3d.test fts3e.test + fts3expr2.test fts3expr3.test fts3expr4.test fts3expr5.test + fts3expr.test fts3fault2.test fts3fault.test fts3first.test + fts3join.test fts3malloc.test fts3matchinfo.test fts3near.test + diff --git a/6000-Fix-the-sqlite3BeginTrans-calls-within-the-snapshot-.patch b/6000-Fix-the-sqlite3BeginTrans-calls-within-the-snapshot-.patch new file mode 100644 index 0000000..b74c6ea --- /dev/null +++ b/6000-Fix-the-sqlite3BeginTrans-calls-within-the-snapshot-.patch 
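Review bot: Several new-side lines in the fts3_write.c hunks are not valid C as shown: `(&pReader->aNode[pReader->nNode] - pNext)pReader->nTermAlloc`, `(&pReader->aNode[pReader->nNode] - pReader->aDoclist)nDoclist` and `(p->nNode-p->iOff)nDoclist` each look as if the text between a `<` and the next `>` was stripped (an HTML-tag filter would do exactly this), and the same pattern appears in 6005-Quick-patch-to-the-Lemon-parser-template-to-avoid-an.patch, where the lempar.c condition collapses to `j0`. If that is how the files are stored, neither patch applies as a compilable fix and the CVE-2018-20346 bounds checks are lost; if it is only a display artifact, confirm the checked-in bytes against the upstream check-in before shipping. From the surviving fragments the intended comparisons are presumably the remaining node bytes against `nSuffix`, `nPrefix` against `pReader->nTermAlloc`, and the remaining bytes against `nDoclist`, each returning `FTS_CORRUPT_VTAB` / `SQLITE_CORRUPT_VTAB` as the context shows. The fts3.c hunk (`nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr`) is intact.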
@@ -0,0 +1,46 @@ +From 8b729f3011e608c73624ce823a3f8d811f4684cb Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Wed, 6 Jun 2018 18:50:50 +0000 +Subject: [PATCH 0037/1009] Fix the sqlite3BeginTrans() calls within the + snapshot extension. + +From https://github.com/mackyle/sqlite/commit/8b729f3011e608c73624ce823a3f8d811f4684cb + +--- + src/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/main.c b/src/main.c +index 8e89cc5..a2b994f 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -4115,7 +4115,7 @@ int sqlite3_snapshot_get( + if( iDb==0 || iDb>1 ){ + Btree *pBt = db->aDb[iDb].pBt; + if( 0==sqlite3BtreeIsInTrans(pBt) ){ +- rc = sqlite3BtreeBeginTrans(pBt, 0); ++ rc = sqlite3BtreeBeginTrans(pBt, 0, 0); + if( rc==SQLITE_OK ){ + rc = sqlite3PagerSnapshotGet(sqlite3BtreePager(pBt), ppSnapshot); + } +@@ -4153,7 +4153,7 @@ int sqlite3_snapshot_open( + if( 0==sqlite3BtreeIsInReadTrans(pBt) ){ + rc = sqlite3PagerSnapshotOpen(sqlite3BtreePager(pBt), pSnapshot); + if( rc==SQLITE_OK ){ +- rc = sqlite3BtreeBeginTrans(pBt, 0); ++ rc = sqlite3BtreeBeginTrans(pBt, 0, 0); + sqlite3PagerSnapshotOpen(sqlite3BtreePager(pBt), 0); + } + } +@@ -4185,7 +4185,7 @@ int sqlite3_snapshot_recover(sqlite3 *db, const char *zDb){ + if( iDb==0 || iDb>1 ){ + Btree *pBt = db->aDb[iDb].pBt; + if( 0==sqlite3BtreeIsInReadTrans(pBt) ){ +- rc = sqlite3BtreeBeginTrans(pBt, 0); ++ rc = sqlite3BtreeBeginTrans(pBt, 0, 0); + if( rc==SQLITE_OK ){ + rc = sqlite3PagerSnapshotRecover(sqlite3BtreePager(pBt)); + sqlite3BtreeCommit(pBt); +-- +1.8.3.1 + diff --git a/6001-Change-a-comma-into-a-logically-equivalent-but-seman.patch b/6001-Change-a-comma-into-a-logically-equivalent-but-seman.patch new file mode 100644 index 0000000..b848e55 --- /dev/null +++ b/6001-Change-a-comma-into-a-logically-equivalent-but-seman.patch 
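Review bot: The three hunks only add a third `0` argument to `sqlite3BtreeBeginTrans()`, so this patch compiles only against a source tree whose btree.c/btree.h already declare the three-parameter form; if the tarball this package builds predates that signature change, main.c fails to compile and the patch has to be dropped or carried together with the btree change. The `[PATCH 0037/1009]` subject suggests a cherry-pick from a long series, so record the dependency in the patch header, e.g. `# Requires the upstream btree change that added the third sqlite3BtreeBeginTrans() argument (<upstream check-in id>)` with the real identifier filled in; the meaning of the new argument is not visible here.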
@@ -0,0 +1,28 @@ +From 06a87a928ee3f272e1a25f15a8a55ad55da636f3 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Wed, 6 Jun 2018 23:31:26 +0000 +Subject: [PATCH 0042/1009] Change a comma into a logically equivalent but + semantically clearer semicolon. + +From https://github.com/mackyle/sqlite/commit/06a87a928ee3f272e1a25f15a8a55ad55da636f3 + +--- + src/alter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/alter.c b/src/alter.c +index 51d4a40..f338e8b 100644 +--- a/src/alter.c ++++ b/src/alter.c +@@ -142,7 +142,7 @@ static void renameParentFunc( + } + } + +- zResult = sqlite3MPrintf(db, "%s%s", (zOutput?zOutput:""), zInput), ++ zResult = sqlite3MPrintf(db, "%s%s", (zOutput?zOutput:""), zInput); + sqlite3_result_text(context, zResult, -1, SQLITE_DYNAMIC); + sqlite3DbFree(db, zOutput); + } +-- +1.8.3.1 + diff --git a/6002-Fix-a-typo-in-the-amalgamation-autoconf-file.patch b/6002-Fix-a-typo-in-the-amalgamation-autoconf-file.patch new file mode 100644 index 0000000..341dc22 --- /dev/null +++ b/6002-Fix-a-typo-in-the-amalgamation-autoconf-file.patch 
@@ -0,0 +1,27 @@ +From 41e8f704c9afd4b9601ac3da2c5c1d6387346806 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Sat, 9 Jun 2018 20:52:45 +0000 +Subject: [PATCH 0064/1009] Fix a typo in the amalgamation autoconf file. + +From https://github.com/mackyle/sqlite/commit/41e8f704c9afd4b9601ac3da2c5c1d6387346806 + +--- + autoconf/configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/autoconf/configure.ac b/autoconf/configure.ac +index 8ba2218..76579c0 100644 +--- a/autoconf/configure.ac ++++ b/autoconf/configure.ac +@@ -153,7 +153,7 @@ AC_SUBST(SESSION_FLAGS) + # + AC_ARG_ENABLE(debug, [AS_HELP_STRING( + [--enable-debug], [build with debugging features enabled [default=no]])], +- [], [enable_session=no]) ++ [], [enable_debug=no]) + if test x"$enable_debug" = "xyes"; then + DEBUG_FLAGS="-DSQLITE_DEBUG -DSQLITE_ENABLE_SELECTTRACE -DSQLITE_ENABLE_WHERETRACE" + fi +-- +1.8.3.1 + diff --git a/6003-Fix-typo-in-the-normalize-extension.patch b/6003-Fix-typo-in-the-normalize-extension.patch new file mode 100644 index 0000000..64bc19e --- /dev/null +++ b/6003-Fix-typo-in-the-normalize-extension.patch @@ -0,0 +1,27 @@ +From c0506beeac8e92586d1dcdaa0aceeed366c8b62d Mon Sep 17 00:00:00 2001 +From: Joe Mistachkin +Date: Mon, 18 Jun 2018 19:09:30 +0000 +Subject: [PATCH 0096/1009] Fix typo in the 'normalize' extension. + +From https://github.com/mackyle/sqlite/commit/c0506beeac8e92586d1dcdaa0aceeed366c8b62d + +--- + ext/misc/normalize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/misc/normalize.c b/ext/misc/normalize.c +index fd656f1..5997ec1 100644 +--- a/ext/misc/normalize.c ++++ b/ext/misc/normalize.c +@@ -593,7 +593,7 @@ char *sqlite3_normalize(const char *zSql){ + } + } + while( j>0 && z[j-1]==' ' ){ j--; } +- if( i>0 && z[j-1]!=';' ){ z[j++] = ';'; } ++ if( j>0 && z[j-1]!=';' ){ z[j++] = ';'; } + z[j] = 0; + + /* Make a second pass converting "in(...)" where the "..." is not a +-- +1.8.3.1 + 
diff --git a/6004-Fix-a-minor-problem-in-the-code-for-determining-whet.patch b/6004-Fix-a-minor-problem-in-the-code-for-determining-whet.patch
new file mode 100644
index 0000000..433368f
--- /dev/null
+++ b/6004-Fix-a-minor-problem-in-the-code-for-determining-whet.patch
@@ -0,0 +1,67 @@ +From 9627c47a03bfa5aa59fa59b1ef37d8fa524fd9f2 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Sat, 30 Jun 2018 20:00:35 +0000 +Subject: [PATCH 0121/1009] Fix a minor problem in the code for determining + whether or not an SQL statement is SQLITE_TOOBIG. + +From https://github.com/mackyle/sqlite/commit/9627c47a03bfa5aa59fa59b1ef37d8fa524fd9f2 + +--- + src/alter.c | 4 ++-- + src/tokenize.c | 7 ++++++- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/alter.c b/src/alter.c +index f338e8b..2d7a5d6 100644 +--- a/src/alter.c ++++ b/src/alter.c +@@ -74,7 +74,7 @@ static void renameTableFunc( + zCsr += len; + len = sqlite3GetToken(zCsr, &token); + } while( token==TK_SPACE ); +- assert( len>0 ); ++ assert( len>0 || !*zCsr ); + } while( token!=TK_LP && token!=TK_USING ); + + zRet = sqlite3MPrintf(db, "%.*s\"%w\"%s", (int)(((u8*)tname.z) - zSql), +@@ -198,7 +198,7 @@ static void renameTriggerFunc( + zCsr += len; + len = sqlite3GetToken(zCsr, &token); + }while( token==TK_SPACE ); +- assert( len>0 ); ++ assert( len>0 || !*zCsr ); + + /* Variable 'dist' stores the number of tokens read since the most + ** recent TK_DOT or TK_ON. This means that when a WHEN, FOR or BEGIN +diff --git a/src/tokenize.c b/src/tokenize.c +index 15678ed..fc5989c 100644 +--- a/src/tokenize.c ++++ b/src/tokenize.c +@@ -54,11 +54,12 @@ + #define CC_TILDA 25 /* '~' */ + #define CC_DOT 26 /* '.' 
*/ + #define CC_ILLEGAL 27 /* Illegal character */ ++#define CC_NUL 28 /* 0x00 */ + + static const unsigned char aiClass[] = { + #ifdef SQLITE_ASCII + /* x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xa xb xc xd xe xf */ +-/* 0x */ 27, 27, 27, 27, 27, 27, 27, 27, 27, 7, 7, 27, 7, 7, 27, 27, ++/* 0x */ 28, 27, 27, 27, 27, 27, 27, 27, 27, 7, 7, 27, 7, 7, 27, 27, + /* 1x */ 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, + /* 2x */ 7, 15, 8, 5, 4, 22, 24, 8, 17, 18, 21, 20, 23, 11, 26, 16, + /* 3x */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 19, 12, 14, 13, 6, +@@ -532,6 +533,10 @@ int sqlite3GetToken(const unsigned char *z, int *tokenType){ + i = 1; + break; + } ++ case CC_NUL: { ++ *tokenType = TK_ILLEGAL; ++ return 0; ++ } + default: { + *tokenType = TK_ILLEGAL; + return 1; +-- +1.8.3.1 + diff --git a/6005-Quick-patch-to-the-Lemon-parser-template-to-avoid-an.patch b/6005-Quick-patch-to-the-Lemon-parser-template-to-avoid-an.patch new file mode 100644 index 0000000..779378f --- /dev/null +++ b/6005-Quick-patch-to-the-Lemon-parser-template-to-avoid-an.patch @@ -0,0 +1,29 @@ +From 7173baee93fed1c0a20bb02350c22ab219e4654b Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Sun, 1 Jul 2018 16:05:40 +0000 +Subject: [PATCH 0123/1009] Quick patch to the Lemon parser template to avoid + an array overread reported by OSSFuzz. A proper fix involves enhancements to + the table generators in Lemon to make the overread impossible. That fix will + take longer to implement. The current check-in is a stop-gap. + +From https://github.com/mackyle/sqlite/commit/7173baee93fed1c0a20bb02350c22ab219e4654b + +--- + tool/lempar.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tool/lempar.c b/tool/lempar.c +index 450dcde..e19aba4 100644 +--- a/tool/lempar.c ++++ b/tool/lempar.c +@@ -550,6 +550,7 @@ static YYACTIONTYPE yy_find_shift_action( + #if YY_SHIFT_MAX+YYWILDCARD>=YY_ACTTAB_COUNT + j0 + ){ + #ifndef NDEBUG +-- +1.8.3.1 + 
diff --git a/6006-Fix-typo-in-the-Win32-specific-code-for-the-fileio-e.patch b/6006-Fix-typo-in-the-Win32-specific-code-for-the-fileio-e.patch new file mode 100644 index 0000000..0fe6742 --- /dev/null +++ b/6006-Fix-typo-in-the-Win32-specific-code-for-the-fileio-e.patch @@ -0,0 +1,28 @@ +From 8a6d814cd2574e878ab45c8bbf209212bd705e47 Mon Sep 17 00:00:00 2001 +From: Joe Mistachkin +Date: Sat, 8 Sep 2018 16:53:47 +0000 +Subject: [PATCH 0352/1009] Fix typo in the Win32-specific code for the fileio + extension. + +https://github.com/mackyle/sqlite/commit/8a6d814cd2574e878ab45c8bbf209212bd705e47 + +--- + ext/misc/fileio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/misc/fileio.c b/ext/misc/fileio.c +index b734ca0..816a353 100644 +--- a/ext/misc/fileio.c ++++ b/ext/misc/fileio.c +@@ -204,7 +204,7 @@ static void statTimesToUtc( + extern LPWSTR sqlite3_win32_utf8_to_unicode(const char*); + zUnicodeName = sqlite3_win32_utf8_to_unicode(zPath); + if( zUnicodeName ){ +- memset(&fd, 0, sizeof(WIN32_FIND_DATA)); ++ memset(&fd, 0, sizeof(WIN32_FIND_DATAW)); + hFindFile = FindFirstFileW(zUnicodeName, &fd); + if( hFindFile!=NULL ){ + pStatBuf->st_ctime = (time_t)fileTimeToUnixTime(&fd.ftCreationTime); +-- +1.8.3.1 + diff --git a/6007-Fix-a-problem-causing-ENABLE_CURSOR_HINTS-builds-to-.patch b/6007-Fix-a-problem-causing-ENABLE_CURSOR_HINTS-builds-to-.patch new file mode 100644 index 0000000..fdbc4e2 --- /dev/null +++ b/6007-Fix-a-problem-causing-ENABLE_CURSOR_HINTS-builds-to-.patch 
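Review bot: The fix aligns the `memset` size with the buffer `FindFirstFileW` fills, but the new line still spells the type name rather than the object; `memset(&fd, 0, sizeof(fd));` cannot drift again if `fd`'s declared type changes and is the idiomatic form. Under a non-UNICODE build `WIN32_FIND_DATA` resolves to the narrower `WIN32_FIND_DATAA`, so the old line left the tail of `fd` uninitialised before the wide-character call; the patch header could say so, since "typo" understates the effect. The declaration of `fd` is outside the hunk.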
@@ -0,0 +1,55 @@ +From 8bc9e8b38de805a0c02db12c6afe796a47b22747 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Tue, 11 Sep 2018 13:38:35 +0000 +Subject: [PATCH 0363/1009] Fix a problem causing ENABLE_CURSOR_HINTS builds to + segfault. + +https://github.com/mackyle/sqlite/commit/8bc9e8b38de805a0c02db12c6afe796a47b22747 + +--- + src/wherecode.c | 4 +--- + test/cursorhint2.test | 15 +++++++++++++++ + 2 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/src/wherecode.c b/src/wherecode.c +index 8251923..07de2c6 100644 +--- a/src/wherecode.c ++++ b/src/wherecode.c +@@ -886,9 +886,7 @@ static int codeCursorHintFixExpr(Walker *pWalker, Expr *pExpr){ + if( pExpr->iTable!=pHint->iTabCur ){ + Vdbe *v = pWalker->pParse->pVdbe; + int reg = ++pWalker->pParse->nMem; /* Register for column value */ +- sqlite3ExprCodeGetColumnOfTable( +- v, pExpr->pTab, pExpr->iTable, pExpr->iColumn, reg +- ); ++ sqlite3ExprCode(pWalker->pParse, pExpr, reg); + pExpr->op = TK_REGISTER; + pExpr->iTable = reg; + }else if( pHint->pIdx!=0 ){ +diff --git a/test/cursorhint2.test b/test/cursorhint2.test +index 0175568..a78d151 100644 +--- a/test/cursorhint2.test ++++ b/test/cursorhint2.test +@@ -186,4 +186,19 @@ do_extract_hints_test 2.12 { + x2 {EQ(c0,r[2])} + } + ++reset_db ++do_execsql_test 3.0 { ++ CREATE TABLE t1 (i1 TEXT); ++ CREATE TABLE t2 (i2 TEXT UNIQUE); ++ INSERT INTO t1 VALUES('0'); ++ INSERT INTO t2 VALUES('0'); ++} ++ ++do_extract_hints_test 3.1 { ++ SELECT * FROM t1 CROSS JOIN t2 WHERE (t1.i1 = t2.i2) AND t2.i2 = 1; ++} { ++ t1 {EQ(c0,r[1])} t2 EQ(c0,1) ++} ++ ++ + finish_test +-- +1.8.3.1 + diff --git a/6008-Fix-a-potential-crash-that-can-occur-while-reading-a.patch b/6008-Fix-a-potential-crash-that-can-occur-while-reading-a.patch new file mode 100644 index 0000000..be0ced2 --- /dev/null +++ b/6008-Fix-a-potential-crash-that-can-occur-while-reading-a.patch 
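Review bot: In codeCursorHintFixExpr the context line `Vdbe *v = pWalker->pParse->pVdbe;` survives, but the only visible use of `v` was the removed sqlite3ExprCodeGetColumnOfTable call; unless the `else if( pHint->pIdx!=0 )` branch that continues outside the hunk still reads it, `v` is now an unused local and will warn. The replacement `sqlite3ExprCode(pWalker->pParse, pExpr, reg);` also carries no comment saying why the column-specific coder crashed; the new cursorhint2.test case (a transitive `t1.i1 = t2.i2 AND t2.i2 = 1` constraint) suggests the expression reaching this point is not always a bare table column, but that is inferred, so a hedged why-comment such as `/* Use the general coder: pExpr is not guaranteed to be a plain TK_COLUMN with pTab set here */` should be confirmed before being added. codeCursorHintFixExpr begins and ends outside the hunk.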
@@ -0,0 +1,33 @@ +From 2b256aaaae3c32e69a5a4c24d7bb22bbc7232f88 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Mon, 1 Oct 2018 13:54:30 +0000 +Subject: [PATCH 0435/1009] Fix a potential crash that can occur while reading + an index from a corrupt database file. The corruption is a + record-header-size that is larger than 0x7fffffff. Problem detected by + OSSFuzz against GDAL and reported to us (with a suggested fix) by Even + Rouault. The test case is in TH3. + +https://github.com/mackyle/sqlite/commit/2b256aaaae3c32e69a5a4c24d7bb22bbc7232f88 + +--- + src/vdbeaux.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/vdbeaux.c b/src/vdbeaux.c +index 5ec3d13..99df435 100644 +--- a/src/vdbeaux.c ++++ b/src/vdbeaux.c +@@ -4557,7 +4557,9 @@ int sqlite3VdbeIdxRowid(sqlite3 *db, BtCursor *pCur, i64 *rowid){ + (void)getVarint32((u8*)m.z, szHdr); + testcase( szHdr==3 ); + testcase( szHdr==m.n ); +- if( unlikely(szHdr<3 || (int)szHdr>m.n) ){ ++ testcase( szHdr>0x7fffffff ); ++ assert( m.n>=0 ); ++ if( unlikely(szHdr<3 || szHdr>(unsigned)m.n) ){ + goto idx_rowid_corruption; + } + +-- +1.8.3.1 + diff --git a/6009-In-the-CLI-fix-a-file-descriptor-leak-following-OOM-.patch b/6009-In-the-CLI-fix-a-file-descriptor-leak-following-OOM-.patch new file mode 100644 index 0000000..b8dc403 --- /dev/null +++ b/6009-In-the-CLI-fix-a-file-descriptor-leak-following-OOM-.patch 
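Review bot: The new bound `szHdr>(unsigned)m.n` in sqlite3VdbeIdxRowid is only safe given `m.n>=0`, and that is enforced by an `assert()`, which disappears in release builds; if a corrupt record could ever leave m.n negative, the cast turns it into a huge bound and the corruption check passes. A release-safe form folds the sign test into the condition: `if( unlikely(szHdr<3 || m.n<0 || szHdr>(unsigned)m.n) ){`. Whether m.n can actually be negative on this path depends on how `m` is populated earlier in the function, which is outside the hunk.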
@@ -0,0 +1,34 @@ +From c0ead185cc44359ecb406e9f7e21b964393f96d8 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Thu, 11 Oct 2018 10:37:24 +0000 +Subject: [PATCH 0453/1009] In the CLI, fix a file descriptor leak following + OOM and a missing va_end() call. + +--- + src/shell.c.in | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/shell.c.in b/src/shell.c.in +index a5ab143..c1db72c 100644 +--- a/src/shell.c.in ++++ b/src/shell.c.in +@@ -3592,7 +3592,7 @@ static char *readFile(const char *zName, int *pnByte){ + nIn = ftell(in); + rewind(in); + pBuf = sqlite3_malloc64( nIn+1 ); +- if( pBuf==0 ) return 0; ++ if( pBuf==0 ){ fclose(in); return 0; } + nRead = fread(pBuf, nIn, 1, in); + fclose(in); + if( nRead!=1 ){ +@@ -4976,6 +4976,7 @@ static void shellPreparePrintf( + char *z; + va_start(ap, zFmt); + z = sqlite3_vmprintf(zFmt, ap); ++ va_end(ap); + if( z==0 ){ + *pRc = SQLITE_NOMEM; + }else{ +-- +1.8.3.1 + diff --git a/6010-Take-steps-to-avoid-a-potential-integer-overflow-in-.patch b/6010-Take-steps-to-avoid-a-potential-integer-overflow-in-.patch new file mode 100644 index 0000000..62331c2 --- /dev/null +++ b/6010-Take-steps-to-avoid-a-potential-integer-overflow-in-.patch 
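Review bot: In readFile the result of `nIn = ftell(in);` is never checked, so on a failing or non-seekable stream nIn is -1, `sqlite3_malloc64( nIn+1 )` requests zero bytes and `fread(pBuf, nIn, 1, in)` is handed a (size_t)-1 item size; the new `fclose(in)` on the OOM path does not cover that case. Add `if( nIn<0 ){ fclose(in); return 0; }` directly after the ftell (assuming nIn is a signed type, as the `nIn+1` arithmetic suggests; its declaration is outside the hunk). readFile begins and ends outside the hunk; the second hunk, the added `va_end(ap)` in shellPreparePrintf, raises nothing.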
@@ -0,0 +1,35 @@ +From 8dba5edb332d9bdf8b856c26404c8043bdfd4192 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Thu, 18 Oct 2018 15:17:18 +0000 +Subject: [PATCH 0460/1009] Take steps to avoid a potential integer overflow in + sessionBufferGrow(). + +https://github.com/mackyle/sqlite/commit/8dba5edb332d9bdf8b856c26404c8043bdfd4192 + +--- + ext/session/sqlite3session.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c +index 20810ee..a1ca9a7 100644 +--- a/ext/session/sqlite3session.c ++++ b/ext/session/sqlite3session.c +@@ -1794,12 +1794,12 @@ int sqlite3session_attach( + static int sessionBufferGrow(SessionBuffer *p, int nByte, int *pRc){ + if( *pRc==SQLITE_OK && p->nAlloc-p->nBufnAlloc ? p->nAlloc : 128; ++ i64 nNew = p->nAlloc ? p->nAlloc : 128; + do { + nNew = nNew*2; +- }while( nNew<(p->nBuf+nByte) ); ++ }while( (nNew-p->nBuf)aBuf, nNew); ++ aNew = (u8 *)sqlite3_realloc64(p->aBuf, nNew); + if( 0==aNew ){ + *pRc = SQLITE_NOMEM; + }else{ +-- +1.8.3.1 + diff --git a/6011-Fix-minor-memory-leak-in-the-dbstat-extension-that-c.patch b/6011-Fix-minor-memory-leak-in-the-dbstat-extension-that-c.patch new file mode 100644 index 0000000..72d760d --- /dev/null +++ b/6011-Fix-minor-memory-leak-in-the-dbstat-extension-that-c.patch 
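Review bot: sessionBufferGrow now grows `nNew` as an i64, but the hunk does not show where the value lands after the realloc; if it is stored back into `p->nAlloc` (presumably an int, declared outside the hunk) a size above INT_MAX is truncated even though sqlite3_realloc64 accepted it. Consider failing the grow explicitly before the realloc, e.g. `if( nNew>0x7fffffff ){ *pRc = SQLITE_NOMEM; }else{ ... }`, or asserting the range where nNew is stored. As rendered here the hunk has lost text around `<` characters (the `while` condition and the realloc line read as one), and the same appears in the 6014 and 6021 patch files, so it is worth confirming the committed files apply cleanly with `git apply --check`.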
@@ -0,0 +1,40 @@ +From 259c8907624a568bd0faa10687f659c9321f9a05 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Mon, 29 Oct 2018 18:33:42 +0000 +Subject: [PATCH 0473/1009] Fix minor memory leak in the dbstat extension that + can occur following an attempt to analyze a corrupt database file. + +From https://github.com/mackyle/sqlite/commit/259c8907624a568bd0faa10687f659c9321f9a05 + +--- + src/dbstat.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/dbstat.c b/src/dbstat.c +index 432cfae..b746fa0 100644 +--- a/src/dbstat.c ++++ b/src/dbstat.c +@@ -254,7 +254,7 @@ static int statOpen(sqlite3_vtab *pVTab, sqlite3_vtab_cursor **ppCursor){ + return SQLITE_OK; + } + +-static void statClearPage(StatPage *p){ ++static void statClearCells(StatPage *p){ + int i; + if( p->aCell ){ + for(i=0; inCell; i++){ +@@ -262,6 +262,11 @@ static void statClearPage(StatPage *p){ + } + sqlite3_free(p->aCell); + } ++ p->nCell = 0; ++ p->aCell = 0; ++} ++static void statClearPage(StatPage *p){ ++ statClearCells(p); + sqlite3PagerUnref(p->pPg); + sqlite3_free(p->zPath); + memset(p, 0, sizeof(StatPage)); +-- +1.8.3.1 + diff --git a/6012-Fix-a-failing-assert-in-sqlite3ResetAllSchemasOfConn.patch b/6012-Fix-a-failing-assert-in-sqlite3ResetAllSchemasOfConn.patch new file mode 100644 index 0000000..abd469b --- /dev/null +++ b/6012-Fix-a-failing-assert-in-sqlite3ResetAllSchemasOfConn.patch 
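Review bot: The new `statClearCells` helper has no header comment, and after the split `statClearPage` calls it and then `memset(p, 0, sizeof(StatPage))`, so the added `p->nCell = 0; p->aCell = 0;` reset only matters for the other caller, which the hunk does not show. A one-line comment would make the division of labour explicit: `/* Release p->aCell[] and its contents; the page itself stays referenced. */` above statClearCells, plus a blank line between the two definitions, matching the spacing used before statClearPage. statClearPage's body continues outside the hunk.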
@@ -0,0 +1,85 @@ +From 54e058c2c503364cd316bf9c73e253dffa5285a4 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Tue, 27 Nov 2018 19:47:55 +0000 +Subject: [PATCH 0548/1009] Fix a failing assert() in + sqlite3ResetAllSchemasOfConnection(). + +https://github.com/mackyle/sqlite/commit/54e058c2c503364cd316bf9c73e253dffa5285a4 + +--- + src/build.c | 11 ++++++++--- + test/vtab_err.test | 23 ++++++++++++++++++++++- + 2 files changed, 30 insertions(+), 4 deletions(-) + +diff --git a/src/build.c b/src/build.c +index fca5a92..bed8295 100644 +--- a/src/build.c ++++ b/src/build.c +@@ -544,17 +544,22 @@ void sqlite3ResetOneSchema(sqlite3 *db, int iDb){ + void sqlite3ResetAllSchemasOfConnection(sqlite3 *db){ + int i; + sqlite3BtreeEnterAll(db); +- assert( db->nSchemaLock==0 ); + for(i=0; inDb; i++){ + Db *pDb = &db->aDb[i]; + if( pDb->pSchema ){ +- sqlite3SchemaClear(pDb->pSchema); ++ if( db->nSchemaLock==0 ){ ++ sqlite3SchemaClear(pDb->pSchema); ++ }else{ ++ DbSetProperty(db, i, DB_ResetWanted); ++ } + } + } + db->mDbFlags &= ~(DBFLAG_SchemaChange|DBFLAG_SchemaKnownOk); + sqlite3VtabUnlockList(db); + sqlite3BtreeLeaveAll(db); +- sqlite3CollapseDatabaseArray(db); ++ if( db->nSchemaLock==0 ){ ++ sqlite3CollapseDatabaseArray(db); ++ } + } + + /* +diff --git a/test/vtab_err.test b/test/vtab_err.test +index cb40acd..cfc5fc3 100644 +--- a/test/vtab_err.test ++++ b/test/vtab_err.test +@@ -20,7 +20,6 @@ ifcapable !vtab { + } + + +- + unset -nocomplain echo_module_begin_fail + do_ioerr_test vtab_err-1 -tclprep { + register_echo_module [sqlite3_connection_pointer db] +@@ -63,4 +62,26 @@ do_malloc_test vtab_err-2 -tclprep { + + sqlite3_memdebug_fail -1 + ++reset_db ++register_echo_module [sqlite3_connection_pointer db] ++do_execsql_test vtab_err-3.0 { ++ CREATE TABLE r(a PRIMARY KEY, b, c); ++ CREATE VIRTUAL TABLE e USING echo(r); ++} ++faultsim_save_and_close ++ ++do_faultsim_test vtab_err-3 -faults oom-t* -prep { ++ faultsim_restore_and_reopen ++ register_echo_module 
[sqlite3_connection_pointer db] ++} -body { ++ execsql { ++ BEGIN; ++ CREATE TABLE xyz(x); ++ SELECT a FROM e; ++ COMMIT; ++ } ++} -test { ++ faultsim_test_result {0 {}} ++} ++ + finish_test +-- +1.8.3.1 + diff --git a/6013-Fix-a-parser-bug-in-the-use-of-parentheses-around-ta.patch b/6013-Fix-a-parser-bug-in-the-use-of-parentheses-around-ta.patch new file mode 100644 index 0000000..db380a2 --- /dev/null +++ b/6013-Fix-a-parser-bug-in-the-use-of-parentheses-around-ta.patch @@ -0,0 +1,32 @@ +From f75ff65c0027041b95647acdb86abf0dc1158f55 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Mon, 3 Dec 2018 01:47:41 +0000 +Subject: [PATCH 0562/1009] Fix a parser bug in the use of parentheses around + table-valued functions. + +https://github.com/mackyle/sqlite/commit/f75ff65c0027041b95647acdb86abf0dc1158f55 + +--- + src/parse.y | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletion(-) + +diff --git a/src/parse.y b/src/parse.y +index b150c73..3bb28ab 100644 +--- a/src/parse.y ++++ b/src/parse.y +@@ -664,6 +664,12 @@ seltablist(A) ::= stl_prefix(A) nm(Y) dbnm(D) LP exprlist(E) RP as(Z) + pNew->zName = pOld->zName; + pNew->zDatabase = pOld->zDatabase; + pNew->pSelect = pOld->pSelect; ++ if( pOld->fg.isTabFunc ){ ++ pNew->u1.pFuncArg = pOld->u1.pFuncArg; ++ pOld->u1.pFuncArg = 0; ++ pOld->fg.isTabFunc = 0; ++ pNew->fg.isTabFunc = 1; ++ } + pOld->zName = pOld->zDatabase = 0; + pOld->pSelect = 0; + } +-- +1.8.3.1 + diff --git a/6014-Fix-possible-integer-overflow-while-running-PRAGMA-i.patch b/6014-Fix-possible-integer-overflow-while-running-PRAGMA-i.patch new file mode 100644 index 0000000..1376701 --- /dev/null +++ b/6014-Fix-possible-integer-overflow-while-running-PRAGMA-i.patch 
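Review bot: The deferred branch in sqlite3ResetAllSchemasOfConnection, `DbSetProperty(db, i, DB_ResetWanted)` when `db->nSchemaLock!=0`, has no comment stating the contract: who later observes DB_ResetWanted and performs the clear, and why clearing under a schema lock was unsafe (the removed `assert( db->nSchemaLock==0 )` was the only hint). I would add above the inner `if`: `/* The schema may not be cleared while it is locked; mark it so the reset happens once the lock is released. */`, hedged, since the consumer of DB_ResetWanted is not in this hunk. The `db->nSchemaLock==0` test is also repeated twice and appears loop-invariant; a local `int bClear = (db->nSchemaLock==0);` before the `for` reads more clearly.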
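Review bot: The new block in the seltablist action moves `u1.pFuncArg` from pOld to pNew by hand, next to the zName/zDatabase/pSelect transfers, without noting that this is an ownership move guarded by `isTabFunc` because `u1` is presumably a union whose other member is live when the entry is not a table-valued function. A short comment would spare the next reader the flag dance: `/* Move the table-function arguments to pNew; clearing isTabFunc on pOld keeps its destructor from freeing them. */`. The enclosing grammar action begins and ends outside the hunk.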
@@ -0,0 +1,41 @@ +From 3bb789ba44d04e5c7d02abdfce6ff2e51f566db2 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Fri, 14 Dec 2018 17:57:01 +0000 +Subject: [PATCH 0626/1009] Fix possible integer overflow while running PRAGMA + integrity_check on a database file with a badly corrupted freelist. + +https://github.com/mackyle/sqlite/commit/3bb789ba44d04e5c7d02abdfce6ff2e51f566db2 + +--- + src/btree.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/btree.c b/src/btree.c +index 8b3375e..24a274c 100644 +--- a/src/btree.c ++++ b/src/btree.c +@@ -9414,18 +9414,18 @@ static void checkList( + } + pOvflData = (unsigned char *)sqlite3PagerGetData(pOvflPage); + if( isFreeList ){ +- int n = get4byte(&pOvflData[4]); ++ u32 n = (u32)get4byte(&pOvflData[4]); + #ifndef SQLITE_OMIT_AUTOVACUUM + if( pCheck->pBt->autoVacuum ){ + checkPtrmap(pCheck, iPage, PTRMAP_FREEPAGE, 0); + } + #endif +- if( n>(int)pCheck->pBt->usableSize/4-2 ){ ++ if( n>pCheck->pBt->usableSize/4-2 ){ + checkAppendMsg(pCheck, + "freelist leaf count too big on page %d", iPage); + N--; + }else{ +- for(i=0; ipBt->autoVacuum ){ +-- +1.8.3.1 + diff --git a/6015-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch b/6015-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch new file mode 100644 index 0000000..992ac56 --- /dev/null +++ b/6015-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch 
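Review bot: In checkList the freelist count `n` is now a u32, but the loop variable `i` in the `for(i=0; ...)` that iterates to it is declared outside the hunk; if it stays an `int` the comparison is signed/unsigned mixed (flagged by -Wsign-compare) and should become `u32 i` to match the new type. The bound `n>pCheck->pBt->usableSize/4-2` is correct as unsigned arithmetic only because usableSize cannot drop below 8; a comment saying so would make the non-underflow explicit. As rendered here the `for` line has lost its condition (`for(i=0; ipBt->autoVacuum`), so the committed patch file should be checked for the same truncation.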
@@ -0,0 +1,54 @@ +From af72ceaf22e73fd78e32ef439c1869292b94aaa1 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Thu, 20 Dec 2018 15:04:38 +0000 +Subject: [PATCH 0631/1009] Fix a segfault caused by using the RAISE function + incorrectly (library now returns an error instead of crashing). + +https://github.com/mackyle/sqlite/commit/af72ceaf22e73fd78e32ef439c1869292b94aaa1 + +--- + src/expr.c | 2 +- + test/triggerC.test | 16 ++++++++++++++++ + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/expr.c b/src/expr.c +index 5d36502..b1a06bd 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -4745,7 +4745,7 @@ int sqlite3ExprCompare(Parse *pParse, Expr *pA, Expr *pB, int iTab){ + } + return 2; + } +- if( pA->op!=pB->op ){ ++ if( pA->op!=pB->op || pA->op==TK_RAISE ){ + if( pA->op==TK_COLLATE && sqlite3ExprCompare(pParse, pA->pLeft,pB,iTab)<2 ){ + return 1; + } +diff --git a/test/triggerC.test b/test/triggerC.test +index 3e47521..49d4eca 100644 +--- a/test/triggerC.test ++++ b/test/triggerC.test +@@ -1042,4 +1042,20 @@ do_execsql_test 15.2.1 { + do_execsql_test 15.2.2 { SELECT * FROM x2; } {1 2 3 4} + do_execsql_test 15.2.3 { SELECT * FROM """x2"""; } {3 11 x y} + ++#------------------------------------------------------------------------- ++# At one point queries such as the following were causing segfaults. ++# ++do_catchsql_test 16.1 { ++ SELECT raise(ABORT, 'msg') FROM sqlite_master ++ UNION SELECT 1 ++ ORDER BY raise(IGNORE); ++} {1 {1st ORDER BY term does not match any column in the result set}} ++ ++do_catchsql_test 16.2 { ++ SELECT count(*) FROM sqlite_master ++ GROUP BY raise(IGNORE) ++ HAVING raise(ABORT, 'msg'); ++} {1 {RAISE() may only be used within a trigger-program}} ++ + finish_test ++ +-- +1.8.3.1 + diff --git a/6016-Fix-another-problem-with-corrupt-database-handling-i.patch b/6016-Fix-another-problem-with-corrupt-database-handling-i.patch new file mode 100644 index 0000000..5fc3fce --- /dev/null 
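Review bot: The added `pA->op==TK_RAISE` clause in sqlite3ExprCompare makes every RAISE() expression compare unequal to everything, itself included, but nothing at the site says why — the rationale lives only in the triggerC.test comment. Put it next to the code: `/* RAISE() expressions never match anything; see triggerC.test 16.x */`. The test hunk also adds a trailing blank line after `finish_test`, which changes the file's ending for no reason and can be dropped. sqlite3ExprCompare begins and ends outside the hunk.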
+++ b/6016-Fix-another-problem-with-corrupt-database-handling-i.patch @@ -0,0 +1,34 @@ +From 16f6aeb0a017f8406ca9de7224f8c8fe6d5ee30e Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Thu, 27 Dec 2018 20:12:02 +0000 +Subject: [PATCH 0684/1009] Fix another problem with corrupt database handling + in fts5. + +https://github.com/mackyle/sqlite/commit/16f6aeb0a017f8406ca9de7224f8c8fe6d5ee30e + +--- + ext/fts5/fts5_index.c | 3 +- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c +index acf2db2..c5fe01b 100644 +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -1649,12 +1649,13 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){ + int nNew; /* Bytes of new data */ + + iOff += fts5GetVarint32(&a[iOff], nNew); +- if( iOff+nNew>pIter->pLeaf->nn ){ ++ if( iOff+nNew>pIter->pLeaf->nn || nKeep>pIter->term.n ){ + p->rc = FTS5_CORRUPT; + return; + } + pIter->term.n = nKeep; + fts5BufferAppendBlob(&p->rc, &pIter->term, nNew, &a[iOff]); ++ assert( pIter->term.n<=pIter->term.nSpace ); + iOff += nNew; + pIter->iTermLeafOffset = iOff; + pIter->iTermLeafPgno = pIter->iLeafPgno; +-- +1.8.3.1 + diff --git a/6017-Fix-a-buffer-overwrite-in-fts5-triggered-by-a-corrup.patch b/6017-Fix-a-buffer-overwrite-in-fts5-triggered-by-a-corrup.patch new file mode 100644 index 0000000..5f9711a --- /dev/null +++ b/6017-Fix-a-buffer-overwrite-in-fts5-triggered-by-a-corrup.patch 
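Review bot: In fts5SegIterLoadTerm, `nNew` is decoded from the page by fts5GetVarint32 into an int, and the new guard `iOff+nNew>pIter->pLeaf->nn || nKeep>pIter->term.n` adds it to iOff before comparing; if the decoder can return a value that makes `iOff+nNew` wrap negative on a corrupt page, the check passes and `fts5BufferAppendBlob(..., nNew, ...)` runs with a bad length. A defensive form is `if( nNew<0 || iOff+nNew>pIter->pLeaf->nn || nKeep>pIter->term.n ){`, or doing the sum in i64. The same line is revised again by the 6029 patch (nn → szLeaf) and the remark applies there too. Whether fts5GetVarint32 can yield a negative int depends on its implementation, which is outside this hunk.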
@@ -0,0 +1,43 @@ +From 1d41f8f6d718cd93b0bd55e72f0a919b1c6e1388 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Fri, 28 Dec 2018 13:57:30 +0000 +Subject: [PATCH 0686/1009] Fix a buffer overwrite in fts5 triggered by a + corrupt database. + +https://github.com/mackyle/sqlite/commit/1d41f8f6d718cd93b0bd55e72f0a919b1c6e1388 + +--- + ext/fts5/fts5_index.c | 5 +- + 1 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c +index 6bd18c5..3361b19 100644 +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -3902,6 +3902,7 @@ static void fts5WriteAppendTerm( + int nPrefix; /* Bytes of prefix compression for term */ + Fts5PageWriter *pPage = &pWriter->writer; + Fts5Buffer *pPgidx = &pWriter->writer.pgidx; ++ int nMin = MIN(pPage->term.n, nTerm); + + assert( p->rc==SQLITE_OK ); + assert( pPage->buf.n>=4 ); +@@ -3943,13 +3944,13 @@ static void fts5WriteAppendTerm( + ** inefficient, but still correct. */ + int n = nTerm; + if( pPage->term.n ){ +- n = 1 + fts5PrefixCompress(pPage->term.n, pPage->term.p, pTerm); ++ n = 1 + fts5PrefixCompress(nMin, pPage->term.p, pTerm); + } + fts5WriteBtreeTerm(p, pWriter, n, pTerm); + pPage = &pWriter->writer; + } + }else{ +- nPrefix = fts5PrefixCompress(pPage->term.n, pPage->term.p, pTerm); ++ nPrefix = fts5PrefixCompress(nMin, pPage->term.p, pTerm); + fts5BufferAppendVarint(&p->rc, &pPage->buf, nPrefix); + } + +-- +1.8.3.1 + diff --git a/6018-Fix-another-case-in-fts5-where-a-corrupt-database-co.patch b/6018-Fix-another-case-in-fts5-where-a-corrupt-database-co.patch new file mode 100644 index 0000000..512afea --- /dev/null +++ b/6018-Fix-another-case-in-fts5-where-a-corrupt-database-co.patch 
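Review bot: fts5WriteAppendTerm computes `int nMin = MIN(pPage->term.n, nTerm);` once at function entry, but both uses are some forty lines later and the hunk shows `pPage = &pWriter->writer;` being reassigned in between; if anything in the elided lines (a leaf flush, say) changes `pPage->term.n`, nMin is stale and the prefix compression runs against the wrong length. Either recompute at the point of use, `fts5PrefixCompress(MIN(pPage->term.n, nTerm), pPage->term.p, pTerm)`, or assert that term.n is unchanged there. The body between the two hunks is not visible, so this is a question rather than a confirmed defect.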
@@ -0,0 +1,40 @@ +From 3af43610d9406dfc859f7aca5a3c6441c852911b Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Tue, 1 Jan 2019 13:59:34 +0000 +Subject: [PATCH 0698/1009] Fix another case in fts5 where a corrupt database + could cause a buffer overread. + +https://github.com/mackyle/sqlite/commit/3af43610d9406dfc859f7aca5a3c6441c852911b + +--- + ext/fts5/fts5_index.c | 6 +- + 1 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c +index f786e8d..6ce9844 100644 +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -2311,6 +2311,7 @@ static void fts5LeafSeek( + iPgidx += fts5GetVarint32(&pIter->pLeaf->p[iPgidx], iOff); + if( iOff<4 || iOff>=pIter->pLeaf->szLeaf ){ + p->rc = FTS5_CORRUPT; ++ return; + }else{ + nKeep = 0; + iTermOff = iOff; +@@ -2323,8 +2324,11 @@ static void fts5LeafSeek( + } + + search_success: +- + pIter->iLeafOffset = iOff + nNew; ++ if( pIter->iLeafOffset>n ){ ++ p->rc = FTS5_CORRUPT; ++ return; ++ } + pIter->iTermLeafOffset = pIter->iLeafOffset; + pIter->iTermLeafPgno = pIter->iLeafPgno; + +-- +1.8.3.1 + diff --git a/6019-Fix-another-potential-buffer-overread-in-fts5.patch b/6019-Fix-another-potential-buffer-overread-in-fts5.patch new file mode 100644 index 0000000..14dc128 --- /dev/null +++ b/6019-Fix-another-potential-buffer-overread-in-fts5.patch 
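Review bot: The added `return;` in fts5LeafSeek's first corruption branch leaves the following `}else{` redundant; the else body (`nKeep = 0; iTermOff = iOff; ...`) can be dedented so the normal path is not nested under an error check, which is the flat style the new check at `search_success` already uses. That second check compares `pIter->iLeafOffset` against `n`, whose meaning is fixed outside the hunk; a comment such as `/* the term must end within the leaf */` would say what is being enforced. fts5LeafSeek begins and ends outside the hunk.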
@@ -0,0 +1,28 @@ +From 3ad151ae6c0d1c8158c2df9fd11fab0cd0075d6f Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Mon, 7 Jan 2019 16:52:00 +0000 +Subject: [PATCH 0721/1009] Fix another potential buffer overread in fts5. + +https://github.com/mackyle/sqlite/commit/3ad151ae6c0d1c8158c2df9fd11fab0cd0075d6f + +--- + ext/fts5/fts5_hash.c | 3 +- + 1 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/fts5/fts5_hash.c b/ext/fts5/fts5_hash.c +index 1757061..7e404a8 100644 +--- a/ext/fts5/fts5_hash.c ++++ b/ext/fts5/fts5_hash.c +@@ -483,7 +483,8 @@ int sqlite3Fts5HashQuery( + + for(p=pHash->aSlot[iHash]; p; p=p->pHashNext){ + zKey = fts5EntryKey(p); +- if( memcmp(zKey, pTerm, nTerm)==0 && zKey[nTerm]==0 ) break; ++ assert( p->nKey+1==(int)strlen(zKey) ); ++ if( nTerm==p->nKey+1 && memcmp(zKey, pTerm, nTerm)==0 ) break; + } + + if( p ){ +-- +1.8.3.1 + diff --git a/6020-Fix-a-possible-memory-leak-when-trying-to-UPDATE-a-c.patch b/6020-Fix-a-possible-memory-leak-when-trying-to-UPDATE-a-c.patch new file mode 100644 index 0000000..fb5f19f --- /dev/null +++ b/6020-Fix-a-possible-memory-leak-when-trying-to-UPDATE-a-c.patch 
@@ -0,0 +1,35 @@ +From dc9d6ce103251a827eacde12399418b8dd55ca47 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Tue, 8 Jan 2019 14:28:02 +0000 +Subject: [PATCH 0723/1009] Fix a possible memory leak when trying to UPDATE a + corrupt RTREE index. + +https://github.com/mackyle/sqlite/commit/dc9d6ce103251a827eacde12399418b8dd55ca47 + +--- + ext/rtree/rtree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c +index ea44ffe..83d1b82 100644 +--- a/ext/rtree/rtree.c ++++ b/ext/rtree/rtree.c +@@ -717,7 +717,6 @@ static int nodeAcquire( + pNode->pNext = 0; + rc = sqlite3_blob_read(pRtree->pNodeBlob, pNode->zData, + pRtree->iNodeSize, 0); +- nodeReference(pParent); + } + } + +@@ -748,6 +747,7 @@ static int nodeAcquire( + + if( rc==SQLITE_OK ){ + if( pNode!=0 ){ ++ nodeReference(pParent); + nodeHashInsert(pRtree, pNode); + }else{ + rc = SQLITE_CORRUPT_VTAB; +-- +1.8.3.1 + diff --git a/6021-Fix-an-out-of-bounds-read-in-SQL-function-fts5_decod.patch b/6021-Fix-an-out-of-bounds-read-in-SQL-function-fts5_decod.patch new file mode 100644 index 0000000..1fa115c --- /dev/null +++ b/6021-Fix-an-out-of-bounds-read-in-SQL-function-fts5_decod.patch 
@@ -0,0 +1,39 @@ +From 525fdb146b15ef6c42886fccf1b892388c2011d6 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Wed, 9 Jan 2019 21:12:23 +0000 +Subject: [PATCH 0730/1009] Fix an out-of-bounds read in SQL function + fts5_decode() that could occur if it was passed a corrupt record. + +https://github.com/mackyle/sqlite/commit/525fdb146b15ef6c42886fccf1b892388c2011d6 + +--- + ext/fts5/fts5_index.c | 6 +- + 1 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c +index 268af5e..90dc0a5 100644 +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -6409,7 +6409,7 @@ static void fts5DecodeFunction( + nDoclist = (iTermOff ? iTermOff : szLeaf) - iOff; + fts5DecodeDoclist(&rc, &s, &a[iOff], nDoclist); + +- while( iPgidxOffterm.n ){ ++ rc = FTS5_CORRUPT; ++ goto decode_out; ++ } + term.n = nByte; + } + iOff += fts5GetVarint32(&a[iOff], nByte); +-- +1.8.3.1 + diff --git a/6022-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch b/6022-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch new file mode 100644 index 0000000..cd4fade --- /dev/null +++ b/6022-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch 
@@ -0,0 +1,28 @@ +From 2fbabe31a19e10c68357884846454753ee2b4cc3 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Fri, 11 Jan 2019 21:34:25 +0000 +Subject: [PATCH 0748/1009] Fix a segfault in fts3 prompted by a corrupted + database. + +https://github.com/mackyle/sqlite/commit/2fbabe31a19e10c68357884846454753ee2b4cc3 + +--- + ext/fts3/fts3.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c +index e168fae..5266749 100644 +--- a/ext/fts3/fts3.c ++++ b/ext/fts3/fts3.c +@@ -2899,7 +2899,7 @@ static int fts3SegReaderCursor( + + /* If zTerm is not NULL, and this segment is not stored entirely on its + ** root node, the range of leaves scanned can be reduced. Do this. */ +- if( iStartBlock && zTerm ){ ++ if( iStartBlock && zTerm && zRoot ){ + sqlite3_int64 *pi = (isPrefix ? &iLeavesEndBlock : 0); + rc = fts3SelectLeaf(p, zTerm, nTerm, zRoot, nRoot, &iStartBlock, pi); + if( rc!=SQLITE_OK ) goto finished; +-- +1.8.3.1 + diff --git a/6023-Prevent-unsigned-32-bit-integer-overflow-from-leadin.patch b/6023-Prevent-unsigned-32-bit-integer-overflow-from-leadin.patch new file mode 100644 index 0000000..4aa1b52 --- /dev/null +++ b/6023-Prevent-unsigned-32-bit-integer-overflow-from-leadin.patch 
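Review bot: The widened condition `if( iStartBlock && zTerm && zRoot )` in fts3SegReaderCursor avoids the NULL dereference but the block comment above it still explains only the zTerm case, so a reader cannot tell why `zRoot` may be NULL when `iStartBlock` is set, nor whether skipping fts3SelectLeaf is the intended outcome for such a segment or whether it should be reported as corruption. Extend the comment, hedged until confirmed: `** zRoot may be NULL for a corrupt segment record; in that case the leaf range is not narrowed.` fts3SegReaderCursor begins and ends outside the hunk.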
@@ -0,0 +1,31 @@ +From 95a3db8dcf8622a8db12059abe1befca418d9440 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Sat, 12 Jan 2019 21:30:26 +0000 +Subject: [PATCH 0756/1009] Prevent unsigned 32-bit integer overflow from + leading to a buffer overread inside of an assert(). The problem fixed here + is no reachable in production code. + +https://github.com/mackyle/sqlite/commit/95a3db8dcf8622a8db12059abe1befca418d9440 + +--- + src/vdbeaux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/vdbeaux.c b/src/vdbeaux.c +index 1125cfd..1af8a6f 100644 +--- a/src/vdbeaux.c ++++ b/src/vdbeaux.c +@@ -3883,8 +3883,8 @@ static int vdbeRecordCompareDebug( + ** Use that approximation to avoid the more expensive call to + ** sqlite3VdbeSerialTypeLen() in the common case. + */ +- if( d1+serial_type1+2>(u32)nKey1 +- && d1+sqlite3VdbeSerialTypeLen(serial_type1)>(u32)nKey1 ++ if( d1+(u64)serial_type1+2>(u64)nKey1 ++ && d1+(u64)sqlite3VdbeSerialTypeLen(serial_type1)>(u64)nKey1 + ){ + break; + } +-- +1.8.3.1 + diff --git a/6024-Fix-a-problem-causing-a-crash-if-an-fts5vocab-table-.patch b/6024-Fix-a-problem-causing-a-crash-if-an-fts5vocab-table-.patch new file mode 100644 index 0000000..d07898f --- /dev/null +++ b/6024-Fix-a-problem-causing-a-crash-if-an-fts5vocab-table-.patch 
@@ -0,0 +1,39 @@ +From 5b01e4f591862a943728f1abe1cf44ac0844dbf1 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Mon, 14 Jan 2019 15:35:15 +0000 +Subject: [PATCH 0765/1009] Fix a problem causing a crash if an fts5vocab table + was created to query an fts3/4 FTS index. + +https://github.com/mackyle/sqlite/commit/5b01e4f591862a943728f1abe1cf44ac0844dbf1 + +--- + ext/fts5/fts5_main.c | 12 ++++++------ + 1 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/ext/fts5/fts5_main.c b/ext/fts5/fts5_main.c +index 6fc5a90..07934eb 100644 +--- a/ext/fts5/fts5_main.c ++++ b/ext/fts5/fts5_main.c +@@ -2244,13 +2244,13 @@ Fts5Index *sqlite3Fts5IndexFromCsrid( + Fts5Config **ppConfig /* OUT: Configuration object */ + ){ + Fts5Cursor *pCsr; +- Fts5Table *pTab; +- + pCsr = fts5CursorFromCsrid(pGlobal, iCsrId); +- pTab = (Fts5Table*)pCsr->base.pVtab; +- *ppConfig = pTab->pConfig; +- +- return pTab->pIndex; ++ if( pCsr ){ ++ Fts5Table *pTab = (Fts5Table*)pCsr->base.pVtab; ++ *ppConfig = pTab->pConfig; ++ return pTab->pIndex; ++ } ++ return 0; + } + + /* +-- +1.8.3.1 + diff --git a/6025-Fix-a-harmless-memory-leak-in-the-Lemon-parser-gener.patch b/6025-Fix-a-harmless-memory-leak-in-the-Lemon-parser-gener.patch new file mode 100644 index 0000000..14fb5c5 --- /dev/null +++ b/6025-Fix-a-harmless-memory-leak-in-the-Lemon-parser-gener.patch 
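Review bot: sqlite3Fts5IndexFromCsrid now returns 0 when fts5CursorFromCsrid finds no cursor, but `*ppConfig` is left unassigned on that path; a caller that tests the returned pointer first is fine, one that reads the config first gets an uninitialised out-parameter. Set it explicitly on the failure path, `*ppConfig = 0;` before `return 0;`, or initialise it at the top of the function. The callers are outside this hunk, so which pattern they follow cannot be confirmed from here.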
@@ -0,0 +1,27 @@ +From 5dfe84921758b84e698b4f3429e56f3f292f8de5 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Tue, 15 Jan 2019 14:44:23 +0000 +Subject: [PATCH 0770/1009] Fix a harmless memory leak in the Lemon parser + generator utility program. + +https://github.com/mackyle/sqlite/commit/5dfe84921758b84e698b4f3429e56f3f292f8de5 + +--- + tool/lemon.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tool/lemon.c b/tool/lemon.c +index 7f0e557..7ef99fd 100644 +--- a/tool/lemon.c ++++ b/tool/lemon.c +@@ -4674,6 +4674,7 @@ void ReportTable( + /* Append any addition code the user desires */ + tplt_print(out,lemp,lemp->extracode,&lineno); + ++ acttab_free(pActtab); + fclose(in); + fclose(out); + return; +-- +1.8.3.1 + diff --git a/6026-Handle-SQL-NULL-values-without-crashing-in-the-fts5-.patch b/6026-Handle-SQL-NULL-values-without-crashing-in-the-fts5-.patch new file mode 100644 index 0000000..4e87b02 --- /dev/null +++ b/6026-Handle-SQL-NULL-values-without-crashing-in-the-fts5-.patch 
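Review bot: The added `acttab_free(pActtab);` in ReportTable sits directly before `fclose(in); fclose(out);`, and `out` is the generated parser being written; its `fclose` return is unchecked, so a failed final flush (disk full, I/O error) leaves a truncated parser behind with a clean exit status. Check it and route the failure through the generator's usual error reporting: `if( fclose(out)!=0 ){ /* report write failure on the output file */ }`. ReportTable begins outside the hunk, so the variables available for that report are not visible here.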
@@ -0,0 +1,48 @@ +From 88ea6ea1ee2b7c93120857c65c882144c9f4ce71 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Tue, 15 Jan 2019 18:14:27 +0000 +Subject: [PATCH 0773/1009] Handle SQL NULL values without crashing in the fts5 + snippet() and highlight() functions. + +https://github.com/mackyle/sqlite/commit/88ea6ea1ee2b7c93120857c65c882144c9f4ce71 + +--- + ext/fts5/fts5_aux.c | 2 +- + ext/fts5/test/fts5ak.test | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/ext/fts5/fts5_aux.c b/ext/fts5/fts5_aux.c +index f884ddb..7d4f3e6 100644 +--- a/ext/fts5/fts5_aux.c ++++ b/ext/fts5/fts5_aux.c +@@ -136,7 +136,7 @@ static void fts5HighlightAppend( + HighlightContext *p, + const char *z, int n + ){ +- if( *pRc==SQLITE_OK ){ ++ if( *pRc==SQLITE_OK && z ){ + if( n<0 ) n = (int)strlen(z); + p->zOut = sqlite3_mprintf("%z%.*s", p->zOut, n, z); + if( p->zOut==0 ) *pRc = SQLITE_NOMEM; +diff --git a/ext/fts5/test/fts5ak.test b/ext/fts5/test/fts5ak.test +index cab0ae2..0a3cd6a78 100644 +--- a/ext/fts5/test/fts5ak.test ++++ b/ext/fts5/test/fts5ak.test +@@ -144,6 +144,14 @@ do_execsql_test 3.1 { + {[a b c d e]} + } + ++do_execsql_test 3.2 { ++ SELECT highlight(ft, 0, NULL, NULL) FROM ft WHERE ft MATCH 'a+b+c AND c+d+e'; ++} { ++ {a b c x c d e} ++ {a b c c d e} ++ {a b c d e} ++} ++ + } + + finish_test +-- +1.8.3.1 + diff --git a/6027-Fix-a-memory-leak-that-could-occur-in-fts3-when-hand.patch b/6027-Fix-a-memory-leak-that-could-occur-in-fts3-when-hand.patch new file mode 100644 index 0000000..2b959a3 --- /dev/null +++ b/6027-Fix-a-memory-leak-that-could-occur-in-fts3-when-hand.patch 
@@ -0,0 +1,27 @@ +From 5dc52d357ad41bcbd945f360df2d49a7701f8776 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Wed, 16 Jan 2019 11:38:06 +0000 +Subject: [PATCH 0775/1009] Fix a memory leak that could occur in fts3 when + handling a corrupt database. + +https://github.com/mackyle/sqlite/commit/5dc52d357ad41bcbd945f360df2d49a7701f8776 + +--- + ext/fts3/fts3_write.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c +index 0baf82b..096eafc 100644 +--- a/ext/fts3/fts3_write.c ++++ b/ext/fts3/fts3_write.c +@@ -1606,6 +1606,7 @@ int sqlite3Fts3SegReaderNew( + + assert( iStartLeaf<=iEndLeaf ); + if( iStartLeaf==0 ){ ++ if( iEndLeaf!=0 ) return FTS_CORRUPT_VTAB; + nExtra = nRoot + FTS3_NODE_PADDING; + } + +-- +1.8.3.1 + diff --git a/6028-Fix-a-buffer-overwrite-that-could-occur-when-running.patch b/6028-Fix-a-buffer-overwrite-that-could-occur-when-running.patch new file mode 100644 index 0000000..6be027c --- /dev/null +++ b/6028-Fix-a-buffer-overwrite-that-could-occur-when-running.patch 
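Review bot: The new early `return FTS_CORRUPT_VTAB;` in sqlite3Fts3SegReaderNew runs before `nExtra` is computed, which is only leak-free if nothing has been allocated earlier in the function; that part is outside the hunk, so if the reader struct or a buffer is already allocated there, a leak fix would itself leak on the corrupt path — worth confirming. A one-line comment on the condition would also help: `/* A root-only segment (iStartLeaf==0) must have iEndLeaf==0 too; anything else is corruption */`, hedged, since the segment layout is inferred from the `nExtra = nRoot + ...` line that follows.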
@@ -0,0 +1,47 @@ +From 1634068a27a93898908802f514ae41c1a3aa3bf9 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Thu, 17 Jan 2019 19:11:10 +0000 +Subject: [PATCH 0787/1009] Fix a buffer overwrite that could occur when + running an fts5 prefix query against a corrupt database. + +https://github.com/mackyle/sqlite/commit/1634068a27a93898908802f514ae41c1a3aa3bf9 + +--- + ext/fts5/fts5_index.c | 11 +- + 1 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c +index 426cf61..259ae35 100644 +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -4959,6 +4959,8 @@ static void fts5MergePrefixLists( + int iOff2 = 0; + u8 *a1 = &i1.aPoslist[i1.nSize]; + u8 *a2 = &i2.aPoslist[i2.nSize]; ++ int nCopy; ++ u8 *aCopy; + + i64 iPrev = 0; + Fts5PoslistWriter writer; +@@ -5002,11 +5004,16 @@ static void fts5MergePrefixLists( + if( iPos1!=iPrev ){ + sqlite3Fts5PoslistSafeAppend(&tmp, &iPrev, iPos1); + } +- fts5BufferSafeAppendBlob(&tmp, &a1[iOff1], i1.nPoslist-iOff1); ++ aCopy = &a1[iOff1]; ++ nCopy = i1.nPoslist - iOff1; + }else{ + assert( iPos2>=0 && iPos2!=iPrev ); + sqlite3Fts5PoslistSafeAppend(&tmp, &iPrev, iPos2); +- fts5BufferSafeAppendBlob(&tmp, &a2[iOff2], i2.nPoslist-iOff2); ++ aCopy = &a2[iOff2]; ++ nCopy = i2.nPoslist - iOff2; ++ } ++ if( nCopy>0 ){ ++ fts5BufferSafeAppendBlob(&tmp, aCopy, nCopy); + } + + /* WRITEPOSLISTSIZE */ +-- +1.8.3.1 + diff --git a/6029-Fix-another-corruption-related-crash-in-fts5.patch b/6029-Fix-another-corruption-related-crash-in-fts5.patch new file mode 100644 index 0000000..d989145 --- /dev/null +++ b/6029-Fix-another-corruption-related-crash-in-fts5.patch 
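Review bot: The new guard `if( nCopy>0 )` in fts5MergePrefixLists silently skips the append when `i1.nPoslist - iOff1` (or the i2 counterpart) comes out negative, which for a corrupt database is exactly the condition that produced the overwrite; swallowing it leaves the merged poslist truncated with no error reported. Consider flagging it: `if( nCopy<0 ){ p->rc = FTS5_CORRUPT; }else if( nCopy>0 ){ fts5BufferSafeAppendBlob(&tmp, aCopy, nCopy); }`, assuming `p` (the Fts5Index whose `rc` the file sets elsewhere) is in scope in this function, which the hunk does not show. fts5MergePrefixLists begins and ends outside the hunk.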
@@ -0,0 +1,27 @@ +From 80b709ea4c758f5f8fcb125082a17ceb5b9f5c76 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Thu, 17 Jan 2019 20:06:56 +0000 +Subject: [PATCH 0789/1009] Fix another corruption related crash in fts5. + +https://github.com/mackyle/sqlite/commit/80b709ea4c758f5f8fcb125082a17ceb5b9f5c76 + +--- + ext/fts5/fts5_index.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c +index 259ae35..66ab9be 100644 +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -1652,7 +1652,7 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){ + int nNew; /* Bytes of new data */ + + iOff += fts5GetVarint32(&a[iOff], nNew); +- if( iOff+nNew>pIter->pLeaf->nn || nKeep>pIter->term.n ){ ++ if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n ){ + p->rc = FTS5_CORRUPT; + return; + } +-- +1.8.3.1 + diff --git a/6030-Avoid-integer-overflow-when-computing-the-array-of-a.patch b/6030-Avoid-integer-overflow-when-computing-the-array-of-a.patch new file mode 100644 index 0000000..a8412a5 --- /dev/null +++ b/6030-Avoid-integer-overflow-when-computing-the-array-of-a.patch 
@@ -0,0 +1,36 @@
+From a47d7130bcbf6dbf2c3d0cb33555a68e288cc407 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp"
+Date: Fri, 18 Jan 2019 18:52:17 +0000
+Subject: [PATCH 0794/1009] Avoid integer overflow when computing the array of
+ a bounding box with the rtree_i32 virtual table.
+
+https://github.com/mackyle/sqlite/commit/a47d7130bcbf6dbf2c3d0cb33555a68e288cc407
+
+---
+ ext/rtree/rtree.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c
+index c998d95..73d0661 100644
+--- a/ext/rtree/rtree.c
++++ b/ext/rtree/rtree.c
+@@ -1999,11 +1999,11 @@ static RtreeDValue cellArea(Rtree *pRtree, RtreeCell *p){
+ #endif
+ {
+ switch( pRtree->nDim ){
+- case 5: area = p->aCoord[9].i - p->aCoord[8].i;
+- case 4: area *= p->aCoord[7].i - p->aCoord[6].i;
+- case 3: area *= p->aCoord[5].i - p->aCoord[4].i;
+- case 2: area *= p->aCoord[3].i - p->aCoord[2].i;
+- default: area *= p->aCoord[1].i - p->aCoord[0].i;
++ case 5: area = (i64)p->aCoord[9].i - (i64)p->aCoord[8].i;
++ case 4: area *= (i64)p->aCoord[7].i - (i64)p->aCoord[6].i;
++ case 3: area *= (i64)p->aCoord[5].i - (i64)p->aCoord[4].i;
++ case 2: area *= (i64)p->aCoord[3].i - (i64)p->aCoord[2].i;
++ default: area *= (i64)p->aCoord[1].i - (i64)p->aCoord[0].i;
+ }
+ }
+ return area;
+--
+1.8.3.1
+
diff --git a/6031-Fix-another-segfault-caused-by-a-corrupt-fts3-databa.patch b/6031-Fix-another-segfault-caused-by-a-corrupt-fts3-databa.patch
new file mode 100644
index 0000000..6f6d8f9
--- /dev/null
+++ b/6031-Fix-another-segfault-caused-by-a-corrupt-fts3-databa.patch
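Review bot: The `(i64)` casts remove the 32-bit subtraction overflow, but each `case` still falls through to the next with no `/* fallthrough */` marker, which `-Wimplicit-fallthrough` reports and which a reader of a corruption fix will otherwise question; the fallthrough is intentional here because each case multiplies in one more dimension, so say so on each line. Separately, if `RtreeDValue` is an integer type in some build configuration (its definition is not on this page), the running product `area *=` over up to five 64-bit differences can still overflow for extreme coordinates; the cast only guarantees the individual differences, so the int-only configuration would need either a wider accumulator or a saturating check. cellArea begins before and ends after the hunk.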
@@ -0,0 +1,31 @@
+From 7c66bd37c346c0bbf92502edec140b488e4af6e2 Mon Sep 17 00:00:00 2001
+From: Dan Kennedy
+Date: Tue, 22 Jan 2019 12:21:28 +0000
+Subject: [PATCH 0813/1009] Fix another segfault caused by a corrupt fts3
+ database.
+
+https://github.com/mackyle/sqlite/commit/7c66bd37c346c0bbf92502edec140b488e4af6e2
+
+---
+ ext/fts3/fts3_write.c | 5 ++
+ 1 files changed, 5 insertions(+), 0 deletion(-)
+
+diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
+index df3c07e..3e195c3 100644
+--- a/ext/fts3/fts3_write.c
++++ b/ext/fts3/fts3_write.c
+@@ -2255,6 +2255,11 @@ static int fts3SegWriterAdd(
+ nPrefix = fts3PrefixCompress(pWriter->zTerm, pWriter->nTerm, zTerm, nTerm);
+ nSuffix = nTerm-nPrefix;
+
++ /* If nSuffix is zero or less, then zTerm/nTerm must be a prefix of
++ ** pWriter->zTerm/pWriter->nTerm. i.e. must be equal to or less than when
++ ** compared with BINARY collation. This indicates corruption. */
++ if( nSuffix<=0 ) return FTS_CORRUPT_VTAB;
++
+ /* Figure out how many bytes are required by this new entry */
+ nReq = sqlite3Fts3VarintLen(nPrefix) + /* varint containing prefix size */
+ sqlite3Fts3VarintLen(nSuffix) + /* varint containing suffix size */
+--
+1.8.3.1
+
diff --git a/6032-Fix-a-buffer-overrun-that-could-occur-in-fts5-if-a-p.patch b/6032-Fix-a-buffer-overrun-that-could-occur-in-fts5-if-a-p.patch
new file mode 100644
index 0000000..c6307c8
--- /dev/null
+++ b/6032-Fix-a-buffer-overrun-that-could-occur-in-fts5-if-a-p.patch
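Review bot: The new comment's phrase `must be equal to or less than when compared with BINARY collation` omits what is being compared and why that is invalid; the condition `nSuffix<=0` means `zTerm` is a prefix of (or equal to) the term already in the writer, so it does not sort strictly after it. Suggested wording: `/* nSuffix<=0 means zTerm is a prefix of (or equal to) pWriter->zTerm, i.e. it does not sort strictly after the previous term in BINARY order. Terms within a segment must be strictly increasing, so this is corruption. */`. The early `return FTS_CORRUPT_VTAB` happens before `nReq` is computed, so nothing allocated in this function is leaked at that point; the remainder of fts3SegWriterAdd lies outside the hunk.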
@@ -0,0 +1,87 @@ +From ec2409b34e42389034ecf6ae616a85de97c0fd8c Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Tue, 22 Jan 2019 21:17:40 +0000 +Subject: [PATCH 0820/1009] Fix a buffer overrun that could occur in fts5 if a + prefix query is made on a corrupt database. + +https://github.com/mackyle/sqlite/commit/ec2409b34e42389034ecf6ae616a85de97c0fd8c + +--- + ext/fts5/fts5.h | 8 +- + ext/fts5/fts5Int.h | 2 +- + ext/fts5/fts5_index.c | 2 +- + ext/fts5/fts5_main.c | 5 + + ext/fts5/test/fts5corrupt3.test | 217 ++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 226 insertions(+), 8 deletions(-) + +diff --git a/ext/fts5/fts5.h b/ext/fts5/fts5.h +index 8273785..f0b7d55 100644 +--- a/ext/fts5/fts5.h ++++ b/ext/fts5/fts5.h +@@ -120,12 +120,8 @@ struct Fts5PhraseIter { + ** + ** Usually, output parameter *piPhrase is set to the phrase number, *piCol + ** to the column in which it occurs and *piOff the token offset of the +-** first token of the phrase. The exception is if the table was created +-** with the offsets=0 option specified. In this case *piOff is always +-** set to -1. +-** +-** Returns SQLITE_OK if successful, or an error code (i.e. SQLITE_NOMEM) +-** if an error occurs. ++** first token of the phrase. Returns SQLITE_OK if successful, or an error ++** code (i.e. SQLITE_NOMEM) if an error occurs. + ** + ** This API can be quite slow if used with an FTS5 table created with the + ** "detail=none" or "detail=column" option. 
+diff --git a/ext/fts5/fts5Int.h b/ext/fts5/fts5Int.h +index 4855abe..629bcf0 100644 +--- a/ext/fts5/fts5Int.h ++++ b/ext/fts5/fts5Int.h +@@ -274,7 +274,7 @@ void sqlite3Fts5Put32(u8*, int); + int sqlite3Fts5Get32(const u8*); + + #define FTS5_POS2COLUMN(iPos) (int)(iPos >> 32) +-#define FTS5_POS2OFFSET(iPos) (int)(iPos & 0xFFFFFFFF) ++#define FTS5_POS2OFFSET(iPos) (int)(iPos & 0x7FFFFFFF) + + typedef struct Fts5PoslistReader Fts5PoslistReader; + struct Fts5PoslistReader { +diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c +index 66ab9be..165d094 100644 +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -5122,7 +5122,7 @@ static void fts5SetupPrefixIter( + } + fts5MultiIterFree(p1); + +- pData = fts5IdxMalloc(p, sizeof(Fts5Data) + doclist.n); ++ pData = fts5IdxMalloc(p, sizeof(Fts5Data)+doclist.n+FTS5_DATA_ZERO_PADDING); + if( pData ){ + pData->p = (u8*)&pData[1]; + pData->nn = pData->szLeaf = doclist.n; +diff --git a/ext/fts5/fts5_main.c b/ext/fts5/fts5_main.c +index bb34234..c98df4f 100644 +--- a/ext/fts5/fts5_main.c ++++ b/ext/fts5/fts5_main.c +@@ -1777,6 +1777,7 @@ static int fts5CacheInstArray(Fts5Cursor *pCsr){ + int rc = SQLITE_OK; + Fts5PoslistReader *aIter; /* One iterator for each phrase */ + int nIter; /* Number of iterators/phrases */ ++ int nCol = ((Fts5Table*)pCsr->base.pVtab)->pConfig->nCol; + + nIter = sqlite3Fts5ExprPhraseCount(pCsr->pExpr); + if( pCsr->aInstIter==0 ){ +@@ -1830,6 +1831,10 @@ static int fts5CacheInstArray(Fts5Cursor *pCsr){ + aInst[0] = iBest; + aInst[1] = FTS5_POS2COLUMN(aIter[iBest].iPos); + aInst[2] = FTS5_POS2OFFSET(aIter[iBest].iPos); ++ if( aInst[1]<0 || aInst[1]>=nCol ){ ++ rc = FTS5_CORRUPT; ++ break; ++ } + sqlite3Fts5PoslistReaderNext(&aIter[iBest]); + } + } +-- +1.8.3.1 + diff --git a/6033-Fix-another-fts5-crash-that-can-occur-if-the-databas.patch b/6033-Fix-another-fts5-crash-that-can-occur-if-the-databas.patch new file mode 100644 index 0000000..752d2ba --- /dev/null 
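Review bot: The patch's own diffstat lists `ext/fts5/test/fts5corrupt3.test | 217 ++++` and `5 files changed, 226 insertions(+), 8 deletions(-)`, but only four file diffs follow (fts5.h, fts5Int.h, fts5_index.c, fts5_main.c), so the test file was dropped from the backport while the header still claims it. Either restore the test hunk or regenerate the header so the stat matches what the patch applies; as it stands the `FTS5_POS2OFFSET` mask change and the new `aInst[1]<0 || aInst[1]>=nCol` rejection in fts5CacheInstArray have no regression coverage in this package. The fts5.h hunk also deletes the note that `*piOff` is -1 for tables created with offsets=0; if that behaviour still exists, a one-line mention should stay in the API comment. fts5CacheInstArray's enclosing loop begins before and ends after its hunk.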
+++ b/6033-Fix-another-fts5-crash-that-can-occur-if-the-databas.patch 
@@ -0,0 +1,94 @@ +From 64a2e3704ddeecff5abcf7729345e1e0bd2f6dbd Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Wed, 23 Jan 2019 19:17:05 +0000 +Subject: [PATCH 0823/1009] Fix another fts5 crash that can occur if the + database is corrupted. + +https://github.com/mackyle/sqlite/commit/64a2e3704ddeecff5abcf7729345e1e0bd2f6dbd + +--- + ext/fts5/fts5_index.c | 58 ++++++----- + 1 files changed, 23 insertions(+), 25 deletions(-) + +diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c +index 57fce0a..eced245 100644 +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -4127,7 +4127,7 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){ + int i; + Fts5Buffer buf; + memset(&buf, 0, sizeof(Fts5Buffer)); +- for(i=0; inSeg; i++){ ++ for(i=0; inSeg && p->rc==SQLITE_OK; i++){ + Fts5SegIter *pSeg = &pIter->aSeg[i]; + if( pSeg->pSeg==0 ){ + /* no-op */ +@@ -4147,33 +4147,41 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){ + iLeafRowid = FTS5_SEGMENT_ROWID(iId, pSeg->iTermLeafPgno); + pData = fts5DataRead(p, iLeafRowid); + if( pData ){ +- fts5BufferZero(&buf); +- fts5BufferGrow(&p->rc, &buf, pData->nn); +- fts5BufferAppendBlob(&p->rc, &buf, sizeof(aHdr), aHdr); +- fts5BufferAppendVarint(&p->rc, &buf, pSeg->term.n); +- fts5BufferAppendBlob(&p->rc, &buf, pSeg->term.n, pSeg->term.p); +- fts5BufferAppendBlob(&p->rc, &buf, pData->szLeaf-iOff, &pData->p[iOff]); +- if( p->rc==SQLITE_OK ){ +- /* Set the szLeaf field */ +- fts5PutU16(&buf.p[2], (u16)buf.n); +- } ++ if( iOff>pData->szLeaf ){ ++ /* This can occur if the pages that the segments occupy overlap - if ++ ** a single page has been assigned to more than one segment. In ++ ** this case a prior iteration of this loop may have corrupted the ++ ** segment currently being trimmed. 
*/ ++ p->rc = FTS5_CORRUPT; ++ }else{ ++ fts5BufferZero(&buf); ++ fts5BufferGrow(&p->rc, &buf, pData->nn); ++ fts5BufferAppendBlob(&p->rc, &buf, sizeof(aHdr), aHdr); ++ fts5BufferAppendVarint(&p->rc, &buf, pSeg->term.n); ++ fts5BufferAppendBlob(&p->rc, &buf, pSeg->term.n, pSeg->term.p); ++ fts5BufferAppendBlob(&p->rc, &buf, pData->szLeaf-iOff,&pData->p[iOff]); ++ if( p->rc==SQLITE_OK ){ ++ /* Set the szLeaf field */ ++ fts5PutU16(&buf.p[2], (u16)buf.n); ++ } + +- /* Set up the new page-index array */ +- fts5BufferAppendVarint(&p->rc, &buf, 4); +- if( pSeg->iLeafPgno==pSeg->iTermLeafPgno +- && pSeg->iEndofDoclistszLeaf +- ){ +- int nDiff = pData->szLeaf - pSeg->iEndofDoclist; +- fts5BufferAppendVarint(&p->rc, &buf, buf.n - 1 - nDiff - 4); +- fts5BufferAppendBlob(&p->rc, &buf, +- pData->nn - pSeg->iPgidxOff, &pData->p[pSeg->iPgidxOff] +- ); +- } ++ /* Set up the new page-index array */ ++ fts5BufferAppendVarint(&p->rc, &buf, 4); ++ if( pSeg->iLeafPgno==pSeg->iTermLeafPgno ++ && pSeg->iEndofDoclistszLeaf ++ ){ ++ int nDiff = pData->szLeaf - pSeg->iEndofDoclist; ++ fts5BufferAppendVarint(&p->rc, &buf, buf.n - 1 - nDiff - 4); ++ fts5BufferAppendBlob(&p->rc, &buf, ++ pData->nn - pSeg->iPgidxOff, &pData->p[pSeg->iPgidxOff] ++ ); ++ } + ++ pSeg->pSeg->pgnoFirst = pSeg->iTermLeafPgno; ++ fts5DataDelete(p, FTS5_SEGMENT_ROWID(iId, 1), iLeafRowid); ++ fts5DataWrite(p, iLeafRowid, buf.p, buf.n); ++ } + fts5DataRelease(pData); +- pSeg->pSeg->pgnoFirst = pSeg->iTermLeafPgno; +- fts5DataDelete(p, FTS5_SEGMENT_ROWID(iId, 1), iLeafRowid); +- fts5DataWrite(p, iLeafRowid, buf.p, buf.n); + } + } + } +-- +1.8.3.1 + diff --git a/6034-Fix-an-assert-in-vdbemem.c-that-could-fire-if-the-da.patch b/6034-Fix-an-assert-in-vdbemem.c-that-could-fire-if-the-da.patch new file mode 100644 index 0000000..cebdcf7 --- /dev/null +++ b/6034-Fix-an-assert-in-vdbemem.c-that-could-fire-if-the-da.patch 
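Review bot: The new `iOff>pData->szLeaf` guard bounds `iOff` only from above; `iOff` is set earlier in fts5TrimSegments (outside the hunk), and if it can be negative there the length `pData->szLeaf-iOff` handed to `fts5BufferAppendBlob` exceeds the page, so the check should be `iOff<0 || iOff>pData->szLeaf` unless the earlier code already guarantees the sign. The `pSeg->iPgidxOff` bound on the page-index copy is still missing in this revision; patch 6041 in this same commit adds it, so the two could be folded into one backport to keep the intermediate state out of the package. In this view the loop header appears as `inSeg` and the condition as `iEndofDoclistszLeaf`, which looks like lost `<...>` comparison text; confirm the stored patch file is intact before relying on it.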
@@ -0,0 +1,28 @@ +From ebf0e4dbbdbc5e35f0febe9e6d3bbceffde814c6 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Wed, 23 Jan 2019 20:31:56 +0000 +Subject: [PATCH 0826/1009] Fix an assert() in vdbemem.c that could fire if the + database was corrupt. + +https://github.com/mackyle/sqlite/commit/ebf0e4dbbdbc5e35f0febe9e6d3bbceffde814c6 + +--- + src/vdbemem.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/src/vdbemem.c b/src/vdbemem.c +index db8fedd..8493df7 100644 +--- a/src/vdbemem.c ++++ b/src/vdbemem.c +@@ -243,7 +243,7 @@ SQLITE_NOINLINE int sqlite3VdbeMemGrow(Mem *pMem, int n, int bPreserve){ + ** if unable to complete the resizing. + */ + int sqlite3VdbeMemClearAndResize(Mem *pMem, int szNew){ +- assert( szNew>0 ); ++ assert( CORRUPT_DB || szNew>0 ); + assert( (pMem->flags & MEM_Dyn)==0 || pMem->szMalloc==0 ); + if( pMem->szMalloc +Date: Thu, 24 Jan 2019 15:16:17 +0000 +Subject: [PATCH 0830/1009] Fix a potential problem with "INSERT INTO ... + SELECT * FROM" (or VACUUM) statements on a corrupted database. + +https://github.com/mackyle/sqlite/commit/b9338e8475463b29b7f05fb28c78c3f35a7ce814 + +--- + src/btree.c | 7 +-- + 1 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/btree.c b/src/btree.c +index b68bca1..401f02e 100644 +--- a/src/btree.c ++++ b/src/btree.c +@@ -804,11 +804,12 @@ static int btreeMoveto( + UnpackedRecord *pIdxKey; /* Unpacked index key */ + + if( pKey ){ ++ KeyInfo *pKeyInfo = pCur->pKeyInfo; + assert( nKey==(i64)(int)nKey ); +- pIdxKey = sqlite3VdbeAllocUnpackedRecord(pCur->pKeyInfo); ++ pIdxKey = sqlite3VdbeAllocUnpackedRecord(pKeyInfo); + if( pIdxKey==0 ) return SQLITE_NOMEM_BKPT; +- sqlite3VdbeRecordUnpack(pCur->pKeyInfo, (int)nKey, pKey, pIdxKey); +- if( pIdxKey->nField==0 ){ ++ sqlite3VdbeRecordUnpack(pKeyInfo, (int)nKey, pKey, pIdxKey); ++ if( pIdxKey->nField==0 || pIdxKey->nField>pKeyInfo->nAllField ){ + rc = SQLITE_CORRUPT_BKPT; + goto moveto_done; + } +-- +1.8.3.1 + 
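Review bot: Changing the assertion to `assert( CORRUPT_DB || szNew>0 )` only affects debug builds; in a release build the assert is compiled out, so what matters is whether the code below, which sizes the allocation from `szNew`, tolerates a zero or negative value coming from a corrupt record. If sqlite3VdbeMemGrow already clamps or rejects `n<=0` (its body is not on this page), a comment on the assert saying so, e.g. `/* szNew<=0 is possible on corrupt input; sqlite3VdbeMemGrow() handles it */`, saves the next reader the same check; if it does not, a runtime guard is needed rather than a relaxed assert. The remainder of sqlite3VdbeMemClearAndResize is outside the hunk, and the text that follows on this line is truncated in this view.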
diff --git a/6036-Fix-a-segfault-that-could-follow-an-OOM-when-queryin.patch b/6036-Fix-a-segfault-that-could-follow-an-OOM-when-queryin.patch new file mode 100644 index 0000000..e315cad --- /dev/null +++ b/6036-Fix-a-segfault-that-could-follow-an-OOM-when-queryin.patch 
@@ -0,0 +1,79 @@ +From 2084a9dcdb6fa7cd335dca7fef7328ebee65a5d1 Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Fri, 25 Jan 2019 17:26:59 +0000 +Subject: [PATCH 0842/1009] Fix a segfault that could follow an OOM when + querying a table that has one or more columns with default values "true" or + "false". + +https://github.com/mackyle/sqlite/commit/2084a9dcdb6fa7cd335dca7fef7328ebee65a5d1 + +--- + src/vdbemem.c | 8 +++++--- + test/insertfault.test | 36 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 3 deletions(-) + create mode 100644 test/insertfault.test + +diff --git a/src/vdbemem.c b/src/vdbemem.c +index 8493df7..8d9e44b 100644 +--- a/src/vdbemem.c ++++ b/src/vdbemem.c +@@ -1530,9 +1530,11 @@ static int valueFromExpr( + } + #endif + else if( op==TK_TRUEFALSE ){ +- pVal = valueNew(db, pCtx); +- pVal->flags = MEM_Int; +- pVal->u.i = pExpr->u.zToken[4]==0; ++ pVal = valueNew(db, pCtx); ++ if( pVal ){ ++ pVal->flags = MEM_Int; ++ pVal->u.i = pExpr->u.zToken[4]==0; ++ } + } + + *ppVal = pVal; +diff --git a/test/insertfault.test b/test/insertfault.test +new file mode 100644 +index 0000000..53849a1 +--- /dev/null ++++ b/test/insertfault.test +@@ -0,0 +1,36 @@ ++# 2019-01-26 ++# ++# The author disclaims copyright to this source code. In place of ++# a legal notice, here is a blessing: ++# ++# May you do good and not evil. ++# May you find forgiveness for yourself and forgive others. ++# May you share freely, never taking more than you give. 
++# ++#*********************************************************************** ++# ++# Test cases for INSERT ++ ++set testdir [file dirname $argv0] ++source $testdir/tester.tcl ++set testprefix insertfault ++ ++do_execsql_test 1.0 { ++ CREATE TABLE t1(a INTEGER PRIMARY KEY, b, c, d DEFAULT true); ++ INSERT INTO t1 DEFAULT VALUES; ++ SELECT * FROM t1; ++} {1 {} {} 1} ++faultsim_save_and_close ++ ++breakpoint ++do_faultsim_test 1 -faults oom* -prep { ++ faultsim_restore_and_reopen ++ db eval { SELECT * FROM sqlite_master } ++} -body { ++ execsql { SELECT * FROM t1 } ++} -test { ++ faultsim_test_result {0 {1 {} {} 1}} ++} ++ ++ ++finish_test +-- +1.8.3.1 + diff --git a/6037-Fix-a-buffer-overread-in-fts3-that-could-occur-when-.patch b/6037-Fix-a-buffer-overread-in-fts3-that-could-occur-when-.patch new file mode 100644 index 0000000..ad2915f --- /dev/null +++ b/6037-Fix-a-buffer-overread-in-fts3-that-could-occur-when-.patch @@ -0,0 +1,27 @@ +From 896da092c4debe2e865ccfbc94939aae2feda5fc Mon Sep 17 00:00:00 2001 +From: Dan Kennedy +Date: Mon, 28 Jan 2019 16:50:42 +0000 +Subject: [PATCH 0858/1009] Fix a buffer overread in fts3 that could occur when + accessing a corrupt database. + +https://github.com/mackyle/sqlite/commit/896da092c4debe2e865ccfbc94939aae2feda5fc + +--- + ext/fts3/fts3.c | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c +index 36e41d2..bd0003d 100644 +--- a/ext/fts3/fts3.c ++++ b/ext/fts3/fts3.c +@@ -2810,6 +2810,7 @@ static int fts3TermSelectMerge( + pTS->anOutput[0] = nDoclist; + if( pTS->aaOutput[0] ){ + memcpy(pTS->aaOutput[0], aDoclist, nDoclist); ++ memset(&pTS->aaOutput[0][nDoclist], 0, FTS3_VARINT_MAX); + }else{ + return SQLITE_NOMEM; + } +-- +1.8.3.1 + diff --git a/6038-Fix-a-buffer-overrun-triggered-by-a-merge-operation-.patch b/6038-Fix-a-buffer-overrun-triggered-by-a-merge-operation-.patch new file mode 100644 index 0000000..e6a0c4f --- /dev/null 
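Review bot: The new `test/insertfault.test` carries a bare `breakpoint` line before `do_faultsim_test`; in this test harness that is a debugging hook, not part of the test, and it should be dropped before the patch is carried in a distribution package. The `if( pVal )` guard in valueFromExpr is the right fix for the OOM path, but the contract that a NULL `pVal` is handed back through `*ppVal = pVal` and handled by the caller is implicit; a comment such as `/* valueNew() returns 0 on OOM; leave pVal NULL for the caller to report */` would make it explicit. The rest of valueFromExpr lies outside the hunk.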
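Review bot: `memset(&pTS->aaOutput[0][nDoclist], 0, FTS3_VARINT_MAX)` writes `FTS3_VARINT_MAX` bytes past the copied doclist, so it is correct only if the allocation of `pTS->aaOutput[0]` just above (outside the hunk) reserves `nDoclist+FTS3_VARINT_MAX` bytes; if that allocation is exactly `nDoclist`, the fix for the over-read becomes an over-write. Tie the two together with a comment at the allocation, e.g. `/* +FTS3_VARINT_MAX: zero padding so a varint read cannot run past the end; see memset below */`, and verify the size when applying the patch. fts3TermSelectMerge continues beyond the hunk in both directions.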
+++ b/6038-Fix-a-buffer-overrun-triggered-by-a-merge-operation-.patch
@@ -0,0 +1,28 @@
+From 850b66a5848d73428951382ca909c3663b905a9e Mon Sep 17 00:00:00 2001
+From: Dan Kennedy
+Date: Tue, 29 Jan 2019 11:42:43 +0000
+Subject: [PATCH 0862/1009] Fix a buffer overrun triggered by a merge operation
+ on a corrupt fts5 database.
+
+https://github.com/mackyle/sqlite/commit/850b66a5848d73428951382ca909c3663b905a9e
+
+---
+ ext/fts5/fts5_index.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
+index cec4415..e1bb8d4 100644
+--- a/ext/fts5/fts5_index.c
++++ b/ext/fts5/fts5_index.c
+@@ -4145,7 +4145,7 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){
+ u8 aHdr[4] = {0x00, 0x00, 0x00, 0x00};
+
+ iLeafRowid = FTS5_SEGMENT_ROWID(iId, pSeg->iTermLeafPgno);
+- pData = fts5DataRead(p, iLeafRowid);
++ pData = fts5LeafRead(p, iLeafRowid);
+ if( pData ){
+ if( iOff>pData->szLeaf ){
+ /* This can occur if the pages that the segments occupy overlap - if
+--
+1.8.3.1
+
diff --git a/6039-Fix-another-buffer-overread-in-fts5-that-may-occur-w.patch b/6039-Fix-another-buffer-overread-in-fts5-that-may-occur-w.patch
new file mode 100644
index 0000000..def467b
--- /dev/null
+++ b/6039-Fix-another-buffer-overread-in-fts5-that-may-occur-w.patch
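Review bot: Swapping `fts5DataRead` for `fts5LeafRead` is presumably there so the leaf header (`szLeaf` against `nn`) is validated before `iOff>pData->szLeaf` is trusted, but nothing in the hunk says so, and a future cleanup could revert it without noticing; a short comment, `/* fts5LeafRead() validates the szLeaf header field; fts5DataRead() does not */`, would pin the intent. If fts5LeafRead reports a bad header by setting `p->rc` but still returns a page (its body is not on this page), the `if( pData )` branch would proceed to rewrite the page, so confirm it returns NULL on a rejected header. fts5TrimSegments extends outside the hunk on both sides.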
@@ -0,0 +1,29 @@
+From 06895c18a8afdfd7b46c09bb5623f1d68e82a955 Mon Sep 17 00:00:00 2001
+From: Dan Kennedy
+Date: Wed, 30 Jan 2019 12:15:27 +0000
+Subject: [PATCH 0868/1009] Fix another buffer overread in fts5 that may occur
+ when accessing a corrupt database.
+
+https://github.com/mackyle/sqlite/commit/06895c18a8afdfd7b46c09bb5623f1d68e82a955
+
+---
+ ext/fts5/fts5_index.c | 3 +-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
+index e1bb8d4..32732b9 100644
+--- a/ext/fts5/fts5_index.c
++++ b/ext/fts5/fts5_index.c
+@@ -3104,7 +3104,8 @@ static void fts5SegiterPoslist(
+ Fts5Colset *pColset,
+ Fts5Buffer *pBuf
+ ){
+- if( 0==fts5BufferGrow(&p->rc, pBuf, pSeg->nPos) ){
++ if( 0==fts5BufferGrow(&p->rc, pBuf, pSeg->nPos+FTS5_DATA_ZERO_PADDING) ){
++ memset(&pBuf->p[pBuf->n+pSeg->nPos], 0, FTS5_DATA_ZERO_PADDING);
+ if( pColset==0 ){
+ fts5ChunkIterate(p, pSeg, (void*)pBuf, fts5PoslistCallback);
+ }else{
+--
+1.8.3.1
+
diff --git a/6040-Fix-another-buffer-overrun-that-could-occur-when-que.patch b/6040-Fix-another-buffer-overrun-that-could-occur-when-que.patch
new file mode 100644
index 0000000..75bb5ac
--- /dev/null
+++ b/6040-Fix-another-buffer-overrun-that-could-occur-when-que.patch
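Review bot: The padding write at `&pBuf->p[pBuf->n+pSeg->nPos]` assumes `pSeg->nPos` is non-negative and that the callbacks run by fts5ChunkIterate append exactly `nPos` bytes; `nPos` is decoded from the leaf elsewhere (outside the hunk), and a negative value would both under-size the grow and place the memset before `pBuf->p`. Unless the decode already rejects negative sizes, guard it ahead of the grow: `if( pSeg->nPos<0 ){ p->rc = FTS5_CORRUPT; return; }`. The zeroes are also written before the position data is appended, which only works because the region lies past everything the callbacks append; a one-line comment stating that ordering would keep a later reorder from breaking it.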
@@ -0,0 +1,41 @@
+From 536bdac3ff692d5ebf13d6b7ff129721444f281b Mon Sep 17 00:00:00 2001
+From: Dan Kennedy
+Date: Thu, 31 Jan 2019 14:37:18 +0000
+Subject: [PATCH 0878/1009] Fix another buffer overrun that could occur when
+ quering a corrupt database using an fts5vocab table.
+
+https://github.com/mackyle/sqlite/commit/536bdac3ff692d5ebf13d6b7ff129721444f281b
+
+---
+ ext/fts5/fts5_index.c | 2 +-
+ ext/fts5/fts5_vocab.c | 1 +
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
+index 32732b9..bb87714 100644
+--- a/ext/fts5/fts5_index.c
++++ b/ext/fts5/fts5_index.c
+@@ -1652,7 +1652,7 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){
+ int nNew; /* Bytes of new data */
+
+ iOff += fts5GetVarint32(&a[iOff], nNew);
+- if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n ){
++ if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n || nNew==0 ){
+ p->rc = FTS5_CORRUPT;
+ return;
+ }
+diff --git a/ext/fts5/fts5_vocab.c b/ext/fts5/fts5_vocab.c
+index bfb6821..2550c9d 100644
+--- a/ext/fts5/fts5_vocab.c
++++ b/ext/fts5/fts5_vocab.c
+@@ -484,6 +484,7 @@ static int fts5VocabNextMethod(sqlite3_vtab_cursor *pCursor){
+ int nTerm;
+
+ zTerm = sqlite3Fts5IterTerm(pCsr->pIter, &nTerm);
++ assert( nTerm>=0 );
+ if( pCsr->nLeTerm>=0 ){
+ int nCmp = MIN(nTerm, pCsr->nLeTerm);
+ int bCmp = memcmp(pCsr->zLeTerm, zTerm, nCmp);
+--
+1.8.3.1
+
diff --git a/6041-Fix-another-segfault-that-could-occur-in-fts5-with-a.patch b/6041-Fix-another-segfault-that-could-occur-in-fts5-with-a.patch
new file mode 100644
index 0000000..57d3eb9
--- /dev/null
+++ b/6041-Fix-another-segfault-that-could-occur-in-fts5-with-a.patch
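Review bot: `assert( nTerm>=0 )` in fts5VocabNextMethod is compiled out in release builds, so it gives `memcmp(pCsr->zLeTerm, zTerm, nCmp)` no runtime protection; the actual guard is meant to be the `nNew==0` rejection added to fts5SegIterLoadTerm in the first hunk, and the assert should say so, e.g. `/* fts5SegIterLoadTerm() flags nNew==0 as FTS5_CORRUPT, which keeps nTerm non-negative here */`, so that the two sites are not decoupled by a later change. The patch header's diffstat says `1 files changed` while two files are modified; regenerate it when the patch is refreshed. Both enclosing functions begin and end outside their hunks.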
@@ -0,0 +1,37 @@
+From 032f34b06b09b35542a7dd6242e2032cbed59b6e Mon Sep 17 00:00:00 2001
+From: Dan Kennedy
+Date: Mon, 11 Feb 2019 16:12:09 +0000
+Subject: [PATCH 0939/1009] Fix another segfault that could occur in fts5 with
+ a corrupted database.
+
+https://github.com/mackyle/sqlite/commit/032f34b06b09b35542a7dd6242e2032cbed59b6e
+
+---
+ ext/fts5/fts5_index.c | 7 +-
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
+index 5ce75bd..741e579 100644
+--- a/ext/fts5/fts5_index.c
++++ b/ext/fts5/fts5_index.c
+@@ -4169,13 +4169,14 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){
+ /* Set up the new page-index array */
+ fts5BufferAppendVarint(&p->rc, &buf, 4);
+ if( pSeg->iLeafPgno==pSeg->iTermLeafPgno
+- && pSeg->iEndofDoclistszLeaf
+- ){
++ && pSeg->iEndofDoclistszLeaf
++ && pSeg->iPgidxOff<=pData->nn
++ ){
+ int nDiff = pData->szLeaf - pSeg->iEndofDoclist;
+ fts5BufferAppendVarint(&p->rc, &buf, buf.n - 1 - nDiff - 4);
+ fts5BufferAppendBlob(&p->rc, &buf,
+ pData->nn - pSeg->iPgidxOff, &pData->p[pSeg->iPgidxOff]
+- );
++ );
+ }
+
+ pSeg->pSeg->pgnoFirst = pSeg->iTermLeafPgno;
+--
+1.8.3.1
+
diff --git a/6042-Fix-a-potential-memory-leak-in-RBU-if-the-rbu_fossil.patch b/6042-Fix-a-potential-memory-leak-in-RBU-if-the-rbu_fossil.patch
new file mode 100644
index 0000000..c52ec72
--- /dev/null
+++ b/6042-Fix-a-potential-memory-leak-in-RBU-if-the-rbu_fossil.patch
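Review bot: When `pSeg->iPgidxOff<=pData->nn` is false the new condition silently skips the page-index copy, so the rewritten leaf is written out with only the `4` varint as its pgidx, whereas the `iOff>pData->szLeaf` path earlier in this function (outside the hunk) reports FTS5_CORRUPT. An `iPgidxOff` beyond `nn` can only come from a damaged page, so either add `else if( pSeg->iPgidxOff>pData->nn ){ p->rc = FTS5_CORRUPT; }` after the block to make the two corruption paths consistent, or add a comment stating that emitting a minimal page-index is the intended recovery. The `);` change is whitespace only. fts5TrimSegments extends outside the hunk in both directions, and the condition text in this view appears to have lost its comparison operator.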
@@ -0,0 +1,28 @@
+From d651ad3b3d42dfe3fc26023ae2c61d04802cd721 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp"
+Date: Tue, 19 Feb 2019 17:45:31 +0000
+Subject: [PATCH 0956/1009] Fix a potential memory leak in RBU if the
+ rbu_fossil_delta() SQL function is misused. Misuse never happens in a
+ working RBU system, so this is not a particularly important fix.
+
+https://github.com/mackyle/sqlite/commit/d651ad3b3d42dfe3fc26023ae2c61d04802cd721
+
+---
+ ext/rbu/sqlite3rbu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ext/rbu/sqlite3rbu.c b/ext/rbu/sqlite3rbu.c
+index e86606b..1a78adc 100644
+--- a/ext/rbu/sqlite3rbu.c
++++ b/ext/rbu/sqlite3rbu.c
+@@ -684,6 +684,7 @@ static void rbuFossilDeltaFunc(
+ }else{
+ nOut2 = rbuDeltaApply(aOrig, nOrig, aDelta, nDelta, aOut);
+ if( nOut2!=nOut ){
++ sqlite3_free(aOut);
+ sqlite3_result_error(context, "corrupt fossil delta", -1);
+ }else{
+ sqlite3_result_blob(context, aOut, nOut, sqlite3_free);
+--
+1.8.3.1
+
diff --git a/6043-Fix-a-potential-32-bit-integer-overflow-in-the-showd.patch b/6043-Fix-a-potential-32-bit-integer-overflow-in-the-showd.patch
new file mode 100644
index 0000000..9ce2fc1
--- /dev/null
+++ b/6043-Fix-a-potential-32-bit-integer-overflow-in-the-showd.patch
@@ -0,0 +1,29 @@ +From 7003b1922263ee4b6131fd458537808ccae22f41 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" +Date: Tue, 5 Mar 2019 23:49:17 +0000 +Subject: [PATCH 1002/1009] Fix a potential 32-bit integer overflow in the + "showdb" utility program when it is trying to interpret a corrupt database + file. + +https://github.com/mackyle/sqlite/commit/7003b1922263ee4b6131fd458537808ccae22f41 + +--- + tool/showdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tool/showdb.c b/tool/showdb.c +index ba7a362..cb6ddab 100644 +--- a/tool/showdb.c ++++ b/tool/showdb.c +@@ -828,7 +828,7 @@ static void page_usage_cell( + while( ovfl && (cnt++)*2 coordinates. + */ + static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){ +- char *zText = 0; + RtreeNode node; + Rtree tree; + int ii; ++ int nData; ++ int errCode; ++ sqlite3_str *pOut; + + UNUSED_PARAMETER(nArg); + memset(&node, 0, sizeof(RtreeNode)); + memset(&tree, 0, sizeof(Rtree)); + tree.nDim = (u8)sqlite3_value_int(apArg[0]); ++ if( tree.nDim<1 || tree.nDim>5 ) return; + tree.nDim2 = tree.nDim*2; + tree.nBytesPerCell = 8 + 8 * tree.nDim; + node.zData = (u8 *)sqlite3_value_blob(apArg[1]); ++ nData = sqlite3_value_bytes(apArg[1]); ++ if( nData<4 ) return; ++ if( nData0 ) sqlite3_str_append(pOut, " ", 1); ++ sqlite3_str_appendf(pOut, "{%lld", cell.iRowid); + for(jj=0; jj - 3.24.0-4 +- Type:enhancemnet +- ID:NA +- SUG:NA +- DESC:remove debuginfo + +* Wed Aug 28 2019 openEuler Buildteam - 3.24.0-3 +- Type:enhancemnet +- ID:NA +- SUG:restart +- DESC:openEuler Debranding + +* Tue Aug 20 2019 wubo - 3.24.0-2.h4 +- Type: +- ID: +- SUG:NA +- DESC:rename patch + +* Thu Aug 15 2019 wubo - 3.24.0-2.h3 +- Type:bugfix +- ID:CVE-2019-8457 +- SUG:NA +- DESC:heap out-of-bound read in function rtreenode() + +* Sat Mar 23 2019 Xiaoqi Guo - 3.24.0-2.h2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:backport patch from community + +* Sat Mar 23 2019 luochunsheng - 3.24.0-2.h1 +- Type:cves +- 
ID:CVE-2018-20346 +- SUG:NA +- DESC:CVE-2018-20346 +- Package init