51 lines
1.7 KiB
Diff
51 lines
1.7 KiB
Diff
From 8654186b0236d556aa85528c2573ee0b6ab71be3 Mon Sep 17 00:00:00 2001
|
|
From: drh <drh@noemail.net>
|
|
Date: Thu, 19 Dec 2019 20:37:32 +0000
|
|
Subject: [PATCH] Fix CVE-2019-19924
|
|
When an error occurs while rewriting the parser tree for
|
|
window functions in the sqlite3WindowRewrite() routine, make sure that
|
|
pParse->nErr is set, and make sure that this shuts down any subsequent code
|
|
generation that might depend on the transformations that were implemented.
|
|
This fixes a problem discovered by the Yongheng and Rui fuzzer.
|
|
|
|
FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f
|
|
|
|
Change by Weifeng <suweifeng1@huawei.com>:
|
|
Fit for version 3.24.0
|
|
---
|
|
src/expr.c | 2 ++
|
|
src/vdbeaux.c | 3 ++-
|
|
2 files changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/expr.c b/src/expr.c
|
|
index 36ca515..8fd8af9 100644
|
|
--- a/src/expr.c
|
|
+++ b/src/expr.c
|
|
@@ -344,6 +344,8 @@ static int codeCompare(
|
|
int addr;
|
|
CollSeq *p4;
|
|
|
|
+ if( pParse->nErr ) return 0;
|
|
+
|
|
p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
|
|
p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
|
|
addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
|
|
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
|
|
index ba2396c..df8bcc2 100644
|
|
--- a/src/vdbeaux.c
|
|
+++ b/src/vdbeaux.c
|
|
@@ -1171,7 +1171,8 @@ void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
|
|
*/
|
|
static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
|
|
assert( p->nOp>0 || p->aOp==0 );
|
|
- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
|
|
+ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
|
|
+ || p->pParse->nErr>0 );
|
|
if( p->nOp ){
|
|
assert( p->aOp );
|
|
sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
|
|
--
|
|
2.19.1
|
|
|
|
|