fix the infinite loop in the trim function while the pattern is well formed.

Signed-off-by: wbq_sky <wangbingquan@huawei.com>
2021-09-03 16:16:38 +08:00 · 2021-09-03 16:16:38 +08:00 · d81186e427
commit d81186e427
parent d0aa7d2f6e
2 changed files with 94 additions and 1 deletions
--- a/0003-infinite-loop-in-trim-function.patch
+++ b/0003-infinite-loop-in-trim-function.patch
@ -0,0 +1,88 @@
+diff -ruN origin_src/src/func.c sqlite-src-3340000/src/func.c
+--- origin_src/src/func.c	2021-09-03 10:46:50.253089516 +0800
+++ sqlite-src-3340000/src/func.c	2021-09-03 10:59:23.151415929 +0800
+@@ -1315,10 +1315,10 @@
+ ){
+   const unsigned char *zIn;         /* Input string */
+   const unsigned char *zCharSet;    /* Set of characters to trim */
+-  int nIn;                          /* Number of bytes in input */
+  unsigned int nIn;                 /* Number of bytes in input */
+   int flags;                        /* 1: trimleft  2: trimright  3: trim */
+   int i;                            /* Loop counter */
+-  unsigned char *aLen = 0;          /* Length of each character in zCharSet */
+  unsigned int *aLen = 0;           /* Length of each character in zCharSet */
+   unsigned char **azChar = 0;       /* Individual characters in zCharSet */
+   int nChar;                        /* Number of characters in zCharSet */
+ 
+@@ -1327,13 +1327,13 @@
+   }
+   zIn = sqlite3_value_text(argv[0]);
+   if( zIn==0 ) return;
+-  nIn = sqlite3_value_bytes(argv[0]);
+  nIn = (unsigned)sqlite3_value_bytes(argv[0]);
+   assert( zIn==sqlite3_value_text(argv[0]) );
+   if( argc==1 ){
+-    static const unsigned char lenOne[] = { 1 };
+    static const unsigned lenOne[] = { 1 };
+     static unsigned char * const azOne[] = { (u8*)" " };
+     nChar = 1;
+-    aLen = (u8*)lenOne;
+    aLen = (unsigned*)lenOne;
+     azChar = (unsigned char **)azOne;
+     zCharSet = 0;
+   }else if( (zCharSet = sqlite3_value_text(argv[1]))==0 ){
+@@ -1344,15 +1344,16 @@
+       SQLITE_SKIP_UTF8(z);
+     }
+     if( nChar>0 ){
+-      azChar = contextMalloc(context, ((i64)nChar)*(sizeof(char*)+1));
+      azChar = contextMalloc(context, 
+                     ((i64)nChar)*(sizeof(char*)+sizeof(unsigned)));
+       if( azChar==0 ){
+         return;
+       }
+-      aLen = (unsigned char*)&azChar[nChar];
+      aLen = (unsigned*)&azChar[nChar];
+       for(z=zCharSet, nChar=0; *z; nChar++){
+         azChar[nChar] = (unsigned char *)z;
+         SQLITE_SKIP_UTF8(z);
+-        aLen[nChar] = (u8)(z - azChar[nChar]);
+        aLen[nChar] = (unsigned)(z - azChar[nChar]);
+       }
+     }
+   }
+@@ -1360,7 +1361,7 @@
+     flags = SQLITE_PTR_TO_INT(sqlite3_user_data(context));
+     if( flags & 1 ){
+       while( nIn>0 ){
+-        int len = 0;
+        unsigned int len = 0;
+         for(i=0; i<nChar; i++){
+           len = aLen[i];
+           if( len<=nIn && memcmp(zIn, azChar[i], len)==0 ) break;
+@@ -1372,7 +1373,7 @@
+     }
+     if( flags & 2 ){
+       while( nIn>0 ){
+-        int len = 0;
+        unsigned int len = 0;
+         for(i=0; i<nChar; i++){
+           len = aLen[i];
+           if( len<=nIn && memcmp(&zIn[nIn-len],azChar[i],len)==0 ) break;
+diff -ruN origin_src/test/func.test sqlite-src-3340000/test/func.test
+--- origin_src/test/func.test	2021-09-03 10:46:50.201088526 +0800
+++ sqlite-src-3340000/test/func.test	2021-09-03 10:59:42.751788869 +0800
+@@ -1111,6 +1111,13 @@
+   execsql {SELECT typeof(trim('hello',NULL));}
+ } {null}
+ 
+# 2021-06-15 - infinite loop due to unsigned character counter
+# overflow, reported by Zimuzo Ezeozue
+#
+do_execsql_test func-22.23 {
+  SELECT trim('xyzzy',x'c0808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080');
+} {xyzzy}
+
+ # This is to test the deprecated sqlite3_aggregate_count() API.
+ #
+ ifcapable deprecated {
--- a/sqlite.spec
+++ b/sqlite.spec
@ -6,7 +6,7 @@

 Name:    sqlite
 Version: 3.34.0
-Release: 1
+Release: 2
 Summary: Embeded SQL database
 License: Public Domain
 URL:     http://www.sqlite.org/
@ -17,6 +17,7 @@ Source2: https://www.sqlite.org/2020/sqlite-autoconf-%{extver}.tar.gz

 Patch1: 0001-sqlite-no-malloc-usable-size.patch
 Patch2: 0002-remove-fail-testcase-in-no-free-fd-situation.patch
+Patch3: 0003-infinite-loop-in-trim-function.patch

 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@ -61,6 +62,7 @@ This contains man files and HTML files for the using of sqlite.
 %setup -q -a1 -n %{name}-src-%{extver}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 rm -f %{name}-doc-%{extver}/sqlite.css~ || :

@ -131,6 +133,9 @@ make test
 %{_mandir}/man*/*

 %changelog
+* Fri Sep 3 2021 wbq_sky <wangbingquan@huawei.com> - 3.34.0-2
+- fix the infinite loop problem in the trim function while the pattern is well formed.
+
 * Thu Jan 14 2021 yanglongkang <yanglongkang@huawei.com> - 3.34.0-1
 - update package to 3.34.0