sqlite/SOURCES/sqlite-3.26.0-CVE-2019-19959.patch

64 lines
1.8 KiB
Diff
Raw Normal View History

2020-04-28 09:34:15 +00:00
From 16c5290d72cb8059e9dfe545613183b850fc44e4 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Mon, 20 Jan 2020 10:26:35 +0100
Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that
it is able to
deal with goofy filenames that contain embedded zeros.
---
ext/misc/zipfile.c | 4 ++--
test/zipfile.test | 13 +++++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c
index 6f48d0f..e6141ef 100644
--- a/ext/misc/zipfile.c
+++ b/ext/misc/zipfile.c
@@ -1632,7 +1632,7 @@ static int zipfileUpdate(
zFree = sqlite3_mprintf("%s/", zPath);
if( zFree==0 ){ rc = SQLITE_NOMEM; }
zPath = (const char*)zFree;
- nPath++;
+ nPath = (int)strlen(zPath);
}
}
@@ -2033,11 +2033,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){
}else{
if( zName[nName-1]!='/' ){
zName = zFree = sqlite3_mprintf("%s/", zName);
- nName++;
if( zName==0 ){
rc = SQLITE_NOMEM;
goto zipfile_step_out;
}
+ nName = (int)strlen(zName);
}else{
while( nName>1 && zName[nName-2]=='/' ) nName--;
}
diff --git a/test/zipfile.test b/test/zipfile.test
index 5bca10b..e4b8088 100644
--- a/test/zipfile.test
+++ b/test/zipfile.test
@@ -808,4 +808,17 @@ do_execsql_test 13.10 {
quote(data),quote(method) FROM t1;
} {'' 10 10 2 X'3130' X'3130' 0}
+# 2019-12-23 Yongheng and Rui fuzzer
+# Run using valgrind to see the problem.
+#
+do_execsql_test 14.10 {
+ DROP TABLE t1;
+ CREATE TABLE t1(x char);
+ INSERT INTO t1(x) VALUES('1');
+ INSERT INTO t1(x) SELECT zipfile(x, 'xyz') FROM t1;
+ INSERT INTO t1(x) SELECT zipfile(x, 'uvw') FROM t1;
+ SELECT count(*) FROM t1;
+ PRAGMA integrity_check;
+} {3 ok}
+
finish_test
--
2.19.1