!14 修复cve

Merge pull request !14 from steven/master

6055-Fix-CVE-2018-20505.patch

@@ -0,0 +1,41 @@
+Index: src/wherecode.c
+==================================================================
+--- a/src/wherecode.c
++++ b/src/wherecode.c
+@@ -424,11 +424,11 @@
+     Select *pSelect;            /* Pointer to the SELECT on the RHS */
+ 
+     for(i=iEq; i<pLoop->nLTerm; i++){
+       if( pLoop->aLTerm[i]->pExpr==pX ){
+         int iField = pLoop->aLTerm[i]->iField - 1;
+-        assert( pOrigRhs->a[iField].pExpr!=0 );
++        if( pOrigRhs->a[iField].pExpr==0 ) continue; /* Duplicate PK column */
+         pRhs = sqlite3ExprListAppend(pParse, pRhs, pOrigRhs->a[iField].pExpr);
+         pOrigRhs->a[iField].pExpr = 0;
+         assert( pOrigLhs->a[iField].pExpr!=0 );
+         pLhs = sqlite3ExprListAppend(pParse, pLhs, pOrigLhs->a[iField].pExpr);
+         pOrigLhs->a[iField].pExpr = 0;
+
+Index: test/rowvalue.test
+==================================================================
+--- a/test/rowvalue.test
++++ b/test/rowvalue.test
+@@ -543,7 +543,18 @@
+ # 2018-02-18: Memory leak nexted row-value.  Detected by OSSFuzz.
+ #
+ do_catchsql_test 20.1 {
+   SELECT 1 WHERE (2,(2,0)) IS (2,(2,0));
+ } {0 1}
++
++# 2018-11-03: Ticket https://www.sqlite.org/src/info/1a84668dcfdebaf1
++# Assertion fault when doing row-value operations on a primary key
++# containing duplicate columns.
++#
++do_execsql_test 21.0 {
++  DROP TABLE IF EXISTS t1;
++  CREATE TABLE t1(a,b,PRIMARY KEY(b,b));
++  INSERT INTO t1 VALUES(1,2),(3,4),(5,6);
++  SELECT * FROM t1 WHERE (a,b) IN (VALUES(1,2));
++} {1 2}
+ 
+ finish_test

6056-Fix-CVE-2020-9327.patch

@@ -0,0 +1,97 @@
+From 6db07ba0e6e7e7ea4a8c3de9734437a87c2fd8c0 Mon Sep 17 00:00:00 2001
+From: guiyao <guiyao@huawei.com>
+Date: Thu, 8 Apr 2021 14:19:51 -0400
+Subject: [PATCH] fix CVE-2020-9327
+
+Description: this patch is used to fix CVE-2020-9327, and it was rewritten base on
+ commit 78d1d225d87af40f5bdca57fa72f00b6ffaffa21 and bf48ce49f7c25e5d4524de9fdc5c0d505218d06d
+ to fit the current version.
+
+---
+ src/expr.c      | 15 +++++++++++----
+ src/sqliteInt.h |  3 +++
+ src/whereexpr.c |  9 ++++++---
+ 3 files changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/src/expr.c b/src/expr.c
+index 8fd8af9..73a8187 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -5055,18 +5055,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
+     case TK_LT:
+     case TK_LE:
+     case TK_GT:
+-    case TK_GE:
++    case TK_GE: {
++      Expr *pLeft = pExpr->pLeft;
++      Expr *pRight = pExpr->pRight;
+       testcase( pExpr->op==TK_EQ );
+       testcase( pExpr->op==TK_NE );
+       testcase( pExpr->op==TK_LT );
+       testcase( pExpr->op==TK_LE );
+       testcase( pExpr->op==TK_GT );
+       testcase( pExpr->op==TK_GE );
+-      if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->pTab))
+-       || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->pTab))
++      /* The pTab=0 assignment in wherecode.c always happens after the
++      ** impliesNotNullRow() test */
++      if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->pTab!=0)
++                               && IsVirtual(pLeft->pTab))
++       || (pRight->op==TK_COLUMN && ALWAYS(pRight->pTab!=0)
++                               && IsVirtual(pRight->pTab))
+       ){
+-       return WRC_Prune;
++        return WRC_Prune;
+       }
++    }
+     default:
+       return WRC_Continue;
+   }
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 91fde72..d79ab28 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -1955,8 +1955,11 @@ struct Table {
+ */
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ #  define IsVirtual(X)      ((X)->nModuleArg)
++#  define ExprIsVtab(X)  \
++              ((X)->op==TK_COLUMN && (X)->pTab!=0 && (X)->pTab->nModuleArg)
+ #else
+ #  define IsVirtual(X)      0
++#  define ExprIsVtab(X)     0
+ #endif
+ 
+ /*
+diff --git a/src/whereexpr.c b/src/whereexpr.c
+index 2975008..e61dfff 100644
+--- a/src/whereexpr.c
++++ b/src/whereexpr.c
+@@ -362,7 +362,8 @@ static int isAuxiliaryVtabOperator(
+       return 0;
+     }
+     pCol = pList->a[1].pExpr;
+-    if( pCol->op!=TK_COLUMN || !IsVirtual(pCol->pTab) ){
++    testcase( pCol->op==TK_COLUMN && pCol->pTab==0 );
++    if( !ExprIsVtab(pCol) ){
+       return 0;
+     }
+     for(i=0; i<ArraySize(aOp); i++){
+@@ -377,10 +378,12 @@ static int isAuxiliaryVtabOperator(
+     int res = 0;
+     Expr *pLeft = pExpr->pLeft;
+     Expr *pRight = pExpr->pRight;
+-    if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->pTab) ){
++    testcase( pLeft->op==TK_COLUMN && pLeft->pTab==0 );
++    if( ExprIsVtab(pLeft) ){
+       res++;
+     }
+-    if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->pTab) ){
++    testcase( pRight && pRight->op==TK_COLUMN && pRight->pTab==0 );
++    if( pRight && ExprIsVtab(pRight) ){
+       res++;
+       SWAP(Expr*, pLeft, pRight);
+     }
+-- 
+1.8.3.1
+

sqlite.spec

@@ -6,7 +6,7 @@
 
 Name:    sqlite
 Version: 3.24.0
-Release: 8
+Release: 9
 Summary: Embeded SQL database
 License: Public Domain
 URL:     http://www.sqlite.org/
@@ -74,6 +74,8 @@ Patch6051: 6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-work
 Patch6052: 6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch
 Patch6053: 6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch
 Patch6054: 6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch
+Patch6055: 6055-Fix-CVE-2018-20505.patch
+Patch6056: 6056-Fix-CVE-2020-9327.patch
 
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -174,6 +176,8 @@ This contains man files and HTML files for the using of sqlite.
 %patch6052 -p1
 %patch6053 -p1
 %patch6054 -p1
+%patch6055 -p1
+%patch6056 -p1
 
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
 
@@ -244,6 +248,12 @@ make test
 %{_mandir}/man*/*
 
 %changelog
+* Tue Mar 10 2020 steven <steven_ygui@163.com> - 3.24.0-9
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:CVE-2018-20505, CVE-2020-9327 fixed
+
 * Wed Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.24.0-8
 - Type:enhancement
 - ID:NA