From 6db07ba0e6e7e7ea4a8c3de9734437a87c2fd8c0 Mon Sep 17 00:00:00 2001
|
|
From: guiyao <guiyao@huawei.com>
|
|
Date: Thu, 8 Apr 2021 14:19:51 -0400
|
|
Subject: [PATCH] fix CVE-2020-9327
|
|
|
|
Description: this patch is used to fix CVE-2020-9327, and it was rewritten based on
|
|
commit 78d1d225d87af40f5bdca57fa72f00b6ffaffa21 and bf48ce49f7c25e5d4524de9fdc5c0d505218d06d
|
|
to fit the current version.
|
|
|
|
---
|
|
src/expr.c | 15 +++++++++++----
|
|
src/sqliteInt.h | 3 +++
|
|
src/whereexpr.c | 9 ++++++---
|
|
3 files changed, 20 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/src/expr.c b/src/expr.c
|
|
index 8fd8af9..73a8187 100644
|
|
--- a/src/expr.c
|
|
+++ b/src/expr.c
|
|
@@ -5055,18 +5055,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
|
|
case TK_LT:
|
|
case TK_LE:
|
|
case TK_GT:
|
|
- case TK_GE:
|
|
+ case TK_GE: {
|
|
+ Expr *pLeft = pExpr->pLeft;
|
|
+ Expr *pRight = pExpr->pRight;
|
|
testcase( pExpr->op==TK_EQ );
|
|
testcase( pExpr->op==TK_NE );
|
|
testcase( pExpr->op==TK_LT );
|
|
testcase( pExpr->op==TK_LE );
|
|
testcase( pExpr->op==TK_GT );
|
|
testcase( pExpr->op==TK_GE );
|
|
- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->pTab))
|
|
- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->pTab))
|
|
+ /* The pTab=0 assignment in wherecode.c always happens after the
|
|
+ ** impliesNotNullRow() test */
|
|
+ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->pTab!=0)
|
|
+ && IsVirtual(pLeft->pTab))
|
|
+ || (pRight->op==TK_COLUMN && ALWAYS(pRight->pTab!=0)
|
|
+ && IsVirtual(pRight->pTab))
|
|
){
|
|
- return WRC_Prune;
|
|
+ return WRC_Prune;
|
|
}
|
|
+ }
|
|
default:
|
|
return WRC_Continue;
|
|
}
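Review bot: The NULL guard added to the `if` in the `TK_GE` case is wrapped in `ALWAYS()`, so it is only as strong as the invariant stated in the comment above it: in SQLite's coverage-test builds `ALWAYS(X)` compiles to a constant 1, and `IsVirtual(pLeft->pTab)` then dereferences `pTab` unchecked. wherecode.c is not touched by this patch, and the description says the fix was rewritten to fit the current version, so it is worth confirming that the `pTab=0` assignment the comment refers to exists in this tree and really runs after `impliesNotNullRow()`; if that cannot be shown, use the macro this patch adds to sqliteInt.h instead, `if( ExprIsVtab(pLeft) || ExprIsVtab(pRight) ){`. The new braced block also drops into `default:` when the test fails, as the old code did, so I would add `/* fall through */` before its closing `}`. `impliesNotNullRow()` starts above the hunk.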
|
|
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
|
|
index 91fde72..d79ab28 100644
|
|
--- a/src/sqliteInt.h
|
|
+++ b/src/sqliteInt.h
|
|
@@ -1955,8 +1955,11 @@ struct Table {
|
|
*/
|
|
#ifndef SQLITE_OMIT_VIRTUALTABLE
|
|
# define IsVirtual(X) ((X)->nModuleArg)
|
|
+# define ExprIsVtab(X) \
|
|
+ ((X)->op==TK_COLUMN && (X)->pTab!=0 && (X)->pTab->nModuleArg)
|
|
#else
|
|
# define IsVirtual(X) 0
|
|
+# define ExprIsVtab(X) 0
|
|
#endif
|
|
|
|
/*
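Review bot: `ExprIsVtab(X)` is added without a comment, and it expands `X` three times, which callers need to know. Every use in this patch passes a plain pointer variable, so nothing is wrong today; I would record the contract above the definition, e.g. `/* ExprIsVtab(X): true if X is a TK_COLUMN whose pTab is non-NULL and virtual. X is evaluated more than once. */`. Any other `IsVirtual(p->pTab)` test on an `Expr` elsewhere in this tree is outside the patch and worth a grep, since the same NULL `pTab` would reach it. The comment block that ends on the hunk's first line starts above the hunk, so whether it already describes `IsVirtual()` cannot be seen from here.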
|
|
diff --git a/src/whereexpr.c b/src/whereexpr.c
|
|
index 2975008..e61dfff 100644
|
|
--- a/src/whereexpr.c
|
|
+++ b/src/whereexpr.c
|
|
@@ -362,7 +362,8 @@ static int isAuxiliaryVtabOperator(
|
|
return 0;
|
|
}
|
|
pCol = pList->a[1].pExpr;
|
|
- if( pCol->op!=TK_COLUMN || !IsVirtual(pCol->pTab) ){
|
|
+ testcase( pCol->op==TK_COLUMN && pCol->pTab==0 );
|
|
+ if( !ExprIsVtab(pCol) ){
|
|
return 0;
|
|
}
|
|
for(i=0; i<ArraySize(aOp); i++){
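Review bot: The `testcase( pCol->op==TK_COLUMN && pCol->pTab==0 )` marker here, and the two in the next hunk, only record coverage; the diffstat lists three files under src/ and no test script, so nothing in the patch exercises the NULL `pTab` path that the CVE fix is about. If a query that reaches this path can be constructed on this version (the upstream commits named in the description may carry one), I would add it to the package's test run so a later rebase cannot silently drop the `ExprIsVtab()` checks. `isAuxiliaryVtabOperator()` begins above this hunk and continues past the next one.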
|
|
@@ -377,10 +378,12 @@ static int isAuxiliaryVtabOperator(
|
|
int res = 0;
|
|
Expr *pLeft = pExpr->pLeft;
|
|
Expr *pRight = pExpr->pRight;
|
|
- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->pTab) ){
|
|
+ testcase( pLeft->op==TK_COLUMN && pLeft->pTab==0 );
|
|
+ if( ExprIsVtab(pLeft) ){
|
|
res++;
|
|
}
|
|
- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->pTab) ){
|
|
+ testcase( pRight && pRight->op==TK_COLUMN && pRight->pTab==0 );
|
|
+ if( pRight && ExprIsVtab(pRight) ){
|
|
res++;
|
|
SWAP(Expr*, pLeft, pRight);
|
|
}
|
|
--
|
|
1.8.3.1
|
|
|