From 2e53f76822f1955b58f8335dd349d622dc5317ea Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 9 Nov 2021 04:53:57 -0500 Subject: [PATCH] import sqlite-3.26.0-15.el8 --- SOURCES/sqlite-3.26.0-CVE-2019-13750.patch | 158 ++++++++ SOURCES/sqlite-3.26.0-CVE-2019-13751.patch | 22 + SOURCES/sqlite-3.26.0-CVE-2019-19603.patch | 124 ++++++ SOURCES/sqlite-3.26.0-CVE-2019-5827.patch | 442 +++++++++++++++++++++ SOURCES/sqlite-3.26.0-CVE-2020-13435.patch | 144 +++++++ SPECS/sqlite.spec | 35 +- 6 files changed, 924 insertions(+), 1 deletion(-) create mode 100644 SOURCES/sqlite-3.26.0-CVE-2019-13750.patch create mode 100644 SOURCES/sqlite-3.26.0-CVE-2019-13751.patch create mode 100644 SOURCES/sqlite-3.26.0-CVE-2019-19603.patch create mode 100644 SOURCES/sqlite-3.26.0-CVE-2019-5827.patch create mode 100644 SOURCES/sqlite-3.26.0-CVE-2020-13435.patch diff --git a/SOURCES/sqlite-3.26.0-CVE-2019-13750.patch b/SOURCES/sqlite-3.26.0-CVE-2019-13750.patch new file mode 100644 index 0000000..7b2adab --- /dev/null +++ b/SOURCES/sqlite-3.26.0-CVE-2019-13750.patch @@ -0,0 +1,158 @@ +Subject: [PATCH] In defensive mode, do not allow shadow tables to be renamed + using ALTER TABLE and do not allow shadow tables to be dropped. + +diff --git a/src/alter.c b/src/alter.c +index 0fa24c0..707472a 100644 +--- a/src/alter.c ++++ b/src/alter.c +@@ -28,9 +28,16 @@ + ** + ** Or, if zName is not a system table, zero is returned. + */ +-static int isSystemTable(Parse *pParse, const char *zName){ +- if( 0==sqlite3StrNICmp(zName, "sqlite_", 7) ){ +- sqlite3ErrorMsg(pParse, "table %s may not be altered", zName); ++static int isAlterableTable(Parse *pParse, Table *pTab){ ++ if( 0==sqlite3StrNICmp(pTab->zName, "sqlite_", 7) ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++ || ( (pTab->tabFlags & TF_Shadow) ++ && (pParse->db->flags & SQLITE_Defensive) ++ && pParse->db->nVdbeExec==0 ++ ) ++#endif ++ ){ ++ sqlite3ErrorMsg(pParse, "table %s may not be altered", pTab->zName); + return 1; + } + return 0; +@@ -129,7 +136,7 @@ void sqlite3AlterRenameTable( + /* Make sure it is not a system table being altered, or a reserved name + ** that the table is being renamed to. + */ +- if( SQLITE_OK!=isSystemTable(pParse, pTab->zName) ){ ++ if( SQLITE_OK!=isAlterableTable(pParse, pTab) ){ + goto exit_rename_table; + } + if( SQLITE_OK!=sqlite3CheckObjectName(pParse, zName) ){ goto +@@ -427,7 +434,7 @@ void sqlite3AlterBeginAddColumn(Parse *pParse, SrcList *pSrc){ + sqlite3ErrorMsg(pParse, "Cannot add a column to a view"); + goto exit_begin_add_column; + } +- if( SQLITE_OK!=isSystemTable(pParse, pTab->zName) ){ ++ if( SQLITE_OK!=isAlterableTable(pParse, pTab) ){ + goto exit_begin_add_column; + } + +@@ -529,7 +536,7 @@ void sqlite3AlterRenameColumn( + if( !pTab ) goto exit_rename_column; + + /* Cannot alter a system table */ +- if( SQLITE_OK!=isSystemTable(pParse, pTab->zName) ) goto exit_rename_column; ++ if( SQLITE_OK!=isAlterableTable(pParse, pTab) ) goto exit_rename_column; + if( SQLITE_OK!=isRealTable(pParse, pTab) ) goto exit_rename_column; + + /* Which schema holds the table to be altered */ +diff --git a/src/build.c b/src/build.c +index 1dc2614..3412670 100644 +--- a/src/build.c ++++ b/src/build.c +@@ -2661,6 +2661,22 @@ void sqlite3CodeDropTable(Parse *pParse, Table *pTab, int iDb, int isView){ + sqliteViewResetAll(db, iDb); + } + ++/* ++** Return true if it is not allowed to drop the given table ++*/ ++static int tableMayNotBeDropped(Parse *pParse, Table *pTab){ ++ if( sqlite3StrNICmp(pTab->zName, "sqlite_", 7)==0 ){ ++ if( sqlite3StrNICmp(pTab->zName+7, "stat", 4)==0 ) return 0; ++ if( sqlite3StrNICmp(pTab->zName+7, "parameters", 10)==0 ) return 0; ++ return 1; ++ } ++ if( pTab->tabFlags & TF_Shadow ){ ++ sqlite3 *db = pParse->db; ++ if( (db->flags & SQLITE_Defensive)!=0 && db->nVdbeExec==0 ) return 1; ++ } ++ return 0; ++} ++ + /* + ** This routine is called to do the work of a DROP TABLE statement. + ** pName is the name of the table to be dropped. +@@ -2730,8 +2746,7 @@ void sqlite3DropTable(Parse *pParse, SrcList *pName, int isView, int noErr){ + } + } + #endif +- if( sqlite3StrNICmp(pTab->zName, "sqlite_", 7)==0 +- && sqlite3StrNICmp(pTab->zName, "sqlite_stat", 11)!=0 ){ ++ if( tableMayNotBeDropped(pParse, pTab) ){ + sqlite3ErrorMsg(pParse, "table %s may not be dropped", pTab->zName); + goto exit_drop_table; + } +diff --git a/test/altertab.test b/test/altertab.test +index a364207..891b081 100644 +--- a/test/altertab.test ++++ b/test/altertab.test +@@ -505,5 +505,62 @@ do_execsql_test 15.5 { + SELECT sql FROM sqlite_master WHERE name = 'y'; + } {{CREATE VIEW y AS SELECT f2 AS f1 FROM x}} + ++#------------------------------------------------------------------------- ++# Test that it is not possible to rename a shadow table in DEFENSIVE mode. ++# ++ifcapable fts3 { ++ proc vtab_command {method args} { ++ switch -- $method { ++ xConnect { ++ if {[info exists ::vtab_connect_sql]} { ++ execsql $::vtab_connect_sql ++ } ++ return "CREATE TABLE t1(a, b, c)" ++ } ++ ++ xBestIndex { ++ set clist [lindex $args 0] ++ if {[llength $clist]!=1} { error "unexpected constraint list" } ++ catch { array unset C } ++ array set C [lindex $clist 0] ++ if {$C(usable)} { ++ return "omit 0 cost 0 rows 1 idxnum 555 idxstr eq!" ++ } else { ++ return "cost 1000000 rows 0 idxnum 0 idxstr scan..." ++ } ++ } ++ } ++ ++ return {} ++ } ++ ++ register_tcl_module db ++ ++ sqlite3_db_config db DEFENSIVE 1 ++ ++ do_execsql_test 16.0 { ++ CREATE VIRTUAL TABLE y1 USING fts3; ++ } ++ ++ do_catchsql_test 16.10 { ++ INSERT INTO y1_segments VALUES(1, X'1234567890'); ++ } {1 {table y1_segments may not be modified}} ++ ++ do_catchsql_test 16.20 { ++ ALTER TABLE y1_segments RENAME TO abc; ++ } {1 {table y1_segments may not be altered}} ++ ++ do_catchsql_test 16.21 { ++ DROP TABLE y1_segments; ++ } {1 {table y1_segments may not be dropped}} ++ ++ do_execsql_test 16.30 { ++ ALTER TABLE y1 RENAME TO z1; ++ } ++ ++ do_execsql_test 16.40 { ++ SELECT * FROM z1_segments; ++ } ++} + + finish_test diff --git a/SOURCES/sqlite-3.26.0-CVE-2019-13751.patch b/SOURCES/sqlite-3.26.0-CVE-2019-13751.patch new file mode 100644 index 0000000..e0e345b --- /dev/null +++ b/SOURCES/sqlite-3.26.0-CVE-2019-13751.patch @@ -0,0 +1,22 @@ +Subject: [PATCH] Further improve detection of corrupt records in fts3 + +--- + ext/fts3/fts3_write.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c +index 5330b4c..0647bd7 100644 +--- a/ext/fts3/fts3_write.c ++++ b/ext/fts3/fts3_write.c +@@ -1376,7 +1376,7 @@ static int fts3SegReaderNext( + pNext += fts3GetVarint32(pNext, &nSuffix); + if( nSuffix<=0 + || (&pReader->aNode[pReader->nNode] - pNext)pReader->nTermAlloc ++ || nPrefix>pReader->nTerm + ){ + return FTS_CORRUPT_VTAB; + } +-- +2.30.2 + diff --git a/SOURCES/sqlite-3.26.0-CVE-2019-19603.patch b/SOURCES/sqlite-3.26.0-CVE-2019-19603.patch new file mode 100644 index 0000000..23402b0 --- /dev/null +++ b/SOURCES/sqlite-3.26.0-CVE-2019-19603.patch @@ -0,0 +1,124 @@ +Subject: [PATCH] Do not allow CREATE TABLE or CREATE VIEW of an object with a name + that looks like a shadow table name. + +diff --git a/src/build.c b/src/build.c +index 3412670..f273394 100644 +--- a/src/build.c ++++ b/src/build.c +@@ -814,6 +814,22 @@ int sqlite3WritableSchema(sqlite3 *db){ + return (db->flags&(SQLITE_WriteSchema|SQLITE_Defensive))==SQLITE_WriteSchema; + } + ++/* ++** Return TRUE if shadow tables should be read-only in the current ++** context. ++*/ ++int sqlite3ReadOnlyShadowTables(sqlite3 *db){ ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++ if( (db->flags & SQLITE_Defensive)!=0 ++ && db->pVtabCtx==0 ++ && db->nVdbeExec==0 ++ ){ ++ return 1; ++ } ++#endif ++ return 0; ++} ++ + /* + ** This routine is used to check if the UTF-8 string zName is a legal + ** unqualified name for a new schema object (table, index, view or +@@ -822,9 +838,10 @@ int sqlite3WritableSchema(sqlite3 *db){ + ** is reserved for internal use. + */ + int sqlite3CheckObjectName(Parse *pParse, const char *zName){ +- if( !pParse->db->init.busy && pParse->nested==0 ++ if(( !pParse->db->init.busy && pParse->nested==0 + && sqlite3WritableSchema(pParse->db)==0 +- && 0==sqlite3StrNICmp(zName, "sqlite_", 7) ){ ++ && 0==sqlite3StrNICmp(zName, "sqlite_", 7) ) || ++ (sqlite3ReadOnlyShadowTables(pParse->db) && sqlite3ShadowTableName(pParse->db, zName))){ + sqlite3ErrorMsg(pParse, "object name reserved for internal use: %s", zName); + return SQLITE_ERROR; + } +@@ -1929,7 +1946,7 @@ int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){ + ** zName is temporarily modified while this routine is running, but is + ** restored to its original value prior to this routine returning. + */ +-static int isShadowTableName(sqlite3 *db, char *zName){ ++int sqlite3ShadowTableName(sqlite3 *db, const char *zName){ + char *zTail; /* Pointer to the last "_" in zName */ + Table *pTab; /* Table that zName is a shadow of */ + +@@ -1942,8 +1959,6 @@ static int isShadowTableName(sqlite3 *db, char *zName){ + if( !IsVirtual(pTab) ) return 0; + return sqlite3IsShadowTableOf(db, pTab, zName); + } +-#else +-# define isShadowTableName(x,y) 0 + #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */ + + /* +@@ -1985,7 +2000,7 @@ void sqlite3EndTable( + p = pParse->pNewTable; + if( p==0 ) return; + +- if( pSelect==0 && isShadowTableName(db, p->zName) ){ ++ if( pSelect==0 && sqlite3ShadowTableName(db, p->zName) ){ + p->tabFlags |= TF_Shadow; + } + +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index 60b2ebd..e5ba8a0 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -4408,6 +4408,11 @@ void sqlite3AutoLoadExtensions(sqlite3*); + ); + # define sqlite3VtabInSync(db) ((db)->nVTrans>0 && (db)->aVTrans==0) + #endif ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++ int sqlite3ShadowTableName(sqlite3 *db, const char *zName); ++#else ++# define sqlite3ShadowTableName(A,B) 0 ++#endif + #ifndef SQLITE_OMIT_VIRTUALTABLE + int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*); + #else +diff --git a/test/altertab.test b/test/altertab.test +index 891b081..0705abc 100644 +--- a/test/altertab.test ++++ b/test/altertab.test +@@ -547,13 +547,29 @@ ifcapable fts3 { + } {1 {table y1_segments may not be modified}} + + do_catchsql_test 16.20 { +- ALTER TABLE y1_segments RENAME TO abc; +- } {1 {table y1_segments may not be altered}} +- +- do_catchsql_test 16.21 { + DROP TABLE y1_segments; + } {1 {table y1_segments may not be dropped}} + ++ do_catchsql_test 16.20 { ++ ALTER TABLE y1_segments RENAME TO abc; ++ } {1 {table y1_segments may not be altered}} ++ sqlite3_db_config db DEFENSIVE 0 ++ do_catchsql_test 16.22 { ++ ALTER TABLE y1_segments RENAME TO abc; ++ } {0 {}} ++ sqlite3_db_config db DEFENSIVE 1 ++ do_catchsql_test 16.23 { ++ CREATE TABLE y1_segments AS SELECT * FROM abc; ++ } {1 {object name reserved for internal use: y1_segments}} ++ do_catchsql_test 16.24 { ++ CREATE VIEW y1_segments AS SELECT * FROM abc; ++ } {1 {object name reserved for internal use: y1_segments}} ++ sqlite3_db_config db DEFENSIVE 0 ++ do_catchsql_test 16.25 { ++ ALTER TABLE abc RENAME TO y1_segments; ++ } {0 {}} ++ sqlite3_db_config db DEFENSIVE 1 ++ + do_execsql_test 16.30 { + ALTER TABLE y1 RENAME TO z1; + } diff --git a/SOURCES/sqlite-3.26.0-CVE-2019-5827.patch b/SOURCES/sqlite-3.26.0-CVE-2019-5827.patch new file mode 100644 index 0000000..c2a9410 --- /dev/null +++ b/SOURCES/sqlite-3.26.0-CVE-2019-5827.patch @@ -0,0 +1,442 @@ +Subject: [PATCH] Use the 64-bit memory allocator interfaces in extensions, + whenever possible and Enforce the SQLITE_LIMIT_COLUMN limit on virtual tables + +--- + ext/fts3/fts3_snippet.c | 7 ++++--- + ext/fts3/fts3_test.c | 6 +++--- + ext/fts3/fts3_tokenize_vtab.c | 2 +- + ext/fts3/fts3_tokenizer.c | 4 ++-- + ext/fts3/fts3_write.c | 19 ++++++++++--------- + ext/fts5/fts5_tokenize.c | 2 +- + ext/rtree/geopoly.c | 20 ++++++++++---------- + src/build.c | 8 ++++---- + src/expr.c | 2 +- + src/main.c | 2 +- + src/test_fs.c | 2 +- + src/util.c | 2 +- + src/vdbeaux.c | 8 +++++--- + src/vdbesort.c | 4 ++-- + src/vtab.c | 25 +++++++++++++++---------- + 15 files changed, 61 insertions(+), 52 deletions(-) + +diff --git a/ext/fts3/fts3_snippet.c b/ext/fts3/fts3_snippet.c +index 5778620..efffff3 100644 +--- a/ext/fts3/fts3_snippet.c ++++ b/ext/fts3/fts3_snippet.c +@@ -130,10 +130,11 @@ struct StrBuffer { + */ + static MatchinfoBuffer *fts3MIBufferNew(int nElem, const char *zMatchinfo){ + MatchinfoBuffer *pRet; +- int nByte = sizeof(u32) * (2*nElem + 1) + sizeof(MatchinfoBuffer); +- int nStr = (int)strlen(zMatchinfo); ++ sqlite3_int64 nByte = sizeof(u32) * (2*(sqlite3_int64)nElem + 1) ++ + sizeof(MatchinfoBuffer); ++ sqlite3_int64 nStr = strlen(zMatchinfo); + +- pRet = sqlite3_malloc(nByte + nStr+1); ++ pRet = sqlite3_malloc64(nByte + nStr+1); + if( pRet ){ + memset(pRet, 0, nByte); + pRet->aMatchinfo[0] = (u8*)(&pRet->aMatchinfo[1]) - (u8*)pRet; +diff --git a/ext/fts3/fts3_test.c b/ext/fts3/fts3_test.c +index a48a556..0b4edcc 100644 +--- a/ext/fts3/fts3_test.c ++++ b/ext/fts3/fts3_test.c +@@ -448,14 +448,14 @@ static int testTokenizerNext( + }else{ + /* Advance to the end of the token */ + const char *pToken = p; +- int nToken; ++ sqlite3_int64 nToken; + while( ppCsr->nBuffer ){ + sqlite3_free(pCsr->aBuffer); +- pCsr->aBuffer = sqlite3_malloc(nToken); ++ pCsr->aBuffer = sqlite3_malloc64(nToken); + } + if( pCsr->aBuffer==0 ){ + rc = SQLITE_NOMEM; +diff --git a/ext/fts3/fts3_tokenize_vtab.c b/ext/fts3/fts3_tokenize_vtab.c +index a3d24bc..5b4085b 100644 +--- a/ext/fts3/fts3_tokenize_vtab.c ++++ b/ext/fts3/fts3_tokenize_vtab.c +@@ -346,7 +346,7 @@ static int fts3tokFilterMethod( + if( idxNum==1 ){ + const char *zByte = (const char *)sqlite3_value_text(apVal[0]); + int nByte = sqlite3_value_bytes(apVal[0]); +- pCsr->zInput = sqlite3_malloc(nByte+1); ++ pCsr->zInput = sqlite3_malloc64(nByte+1); + if( pCsr->zInput==0 ){ + rc = SQLITE_NOMEM; + }else{ +diff --git a/ext/fts3/fts3_tokenizer.c b/ext/fts3/fts3_tokenizer.c +index bfc36af..fe2003e 100644 +--- a/ext/fts3/fts3_tokenizer.c ++++ b/ext/fts3/fts3_tokenizer.c +@@ -194,8 +194,8 @@ int sqlite3Fts3InitTokenizer( + int iArg = 0; + z = &z[n+1]; + while( z0 ){ +- int nByte = sizeof(Fts3SegReader) + (nElem+1)*sizeof(Fts3HashElem *); +- pReader = (Fts3SegReader *)sqlite3_malloc(nByte); ++ sqlite3_int64 nByte; ++ nByte = sizeof(Fts3SegReader) + (nElem+1)*sizeof(Fts3HashElem *); ++ pReader = (Fts3SegReader *)sqlite3_malloc64(nByte); + if( !pReader ){ + rc = SQLITE_NOMEM; + }else{ +@@ -3357,7 +3358,7 @@ static void fts3InsertDocsize( + int rc; /* Result code from subfunctions */ + + if( *pRC ) return; +- pBlob = sqlite3_malloc( 10*p->nColumn ); ++ pBlob = sqlite3_malloc64( 10*(sqlite3_int64)p->nColumn ); + if( pBlob==0 ){ + *pRC = SQLITE_NOMEM; + return; +@@ -3407,7 +3408,7 @@ static void fts3UpdateDocTotals( + const int nStat = p->nColumn+2; + + if( *pRC ) return; +- a = sqlite3_malloc( (sizeof(u32)+10)*nStat ); ++ a = sqlite3_malloc64( (sizeof(u32)+10)*(sqlite3_int64)nStat ); + if( a==0 ){ + *pRC = SQLITE_NOMEM; + return; +@@ -3528,8 +3529,8 @@ static int fts3DoRebuild(Fts3Table *p){ + } + + if( rc==SQLITE_OK ){ +- int nByte = sizeof(u32) * (p->nColumn+1)*3; +- aSz = (u32 *)sqlite3_malloc(nByte); ++ sqlite3_int64 nByte = sizeof(u32) * ((sqlite3_int64)p->nColumn+1)*3; ++ aSz = (u32 *)sqlite3_malloc64(nByte); + if( aSz==0 ){ + rc = SQLITE_NOMEM; + }else{ +@@ -3595,12 +3596,12 @@ static int fts3IncrmergeCsr( + ){ + int rc; /* Return Code */ + sqlite3_stmt *pStmt = 0; /* Statement used to read %_segdir entry */ +- int nByte; /* Bytes allocated at pCsr->apSegment[] */ ++ sqlite3_int64 nByte; /* Bytes allocated at pCsr->apSegment[] */ + + /* Allocate space for the Fts3MultiSegReader.aCsr[] array */ + memset(pCsr, 0, sizeof(*pCsr)); + nByte = sizeof(Fts3SegReader *) * nSeg; +- pCsr->apSegment = (Fts3SegReader **)sqlite3_malloc(nByte); ++ pCsr->apSegment = (Fts3SegReader **)sqlite3_malloc64(nByte); + + if( pCsr->apSegment==0 ){ + rc = SQLITE_NOMEM; +@@ -5591,7 +5592,7 @@ int sqlite3Fts3UpdateMethod( + } + + /* Allocate space to hold the change in document sizes */ +- aSzDel = sqlite3_malloc( sizeof(aSzDel[0])*(p->nColumn+1)*2 ); ++ aSzDel = sqlite3_malloc64(sizeof(aSzDel[0])*((sqlite3_int64)p->nColumn+1)*2); + if( aSzDel==0 ){ + rc = SQLITE_NOMEM; + goto update_out; +diff --git a/ext/fts5/fts5_tokenize.c b/ext/fts5/fts5_tokenize.c +index af2bc22..029efc5 100644 +--- a/ext/fts5/fts5_tokenize.c ++++ b/ext/fts5/fts5_tokenize.c +@@ -363,7 +363,7 @@ static int fts5UnicodeCreate( + + p->bRemoveDiacritic = 1; + p->nFold = 64; +- p->aFold = sqlite3_malloc(p->nFold * sizeof(char)); ++ p->aFold = sqlite3_malloc64(p->nFold * sizeof(char)); + if( p->aFold==0 ){ + rc = SQLITE_NOMEM; + } +diff --git a/ext/rtree/geopoly.c b/ext/rtree/geopoly.c +index f6a31f5..7b97f9b 100644 +--- a/ext/rtree/geopoly.c ++++ b/ext/rtree/geopoly.c +@@ -261,7 +261,7 @@ static GeoPoly *geopolyParseJson(const unsigned char *z, int *pRc){ + GeoPoly *pOut; + int x = 1; + s.nVertex--; /* Remove the redundant vertex at the end */ +- pOut = sqlite3_malloc64( GEOPOLY_SZ(s.nVertex) ); ++ pOut = sqlite3_malloc64( GEOPOLY_SZ((sqlite3_int64)s.nVertex) ); + x = 1; + if( pOut==0 ) goto parse_json_err; + pOut->nVertex = s.nVertex; +@@ -644,7 +644,7 @@ static GeoPoly *geopolyBBox( + if( pRc ) *pRc = SQLITE_OK; + if( aCoord==0 ){ + geopolyBboxFill: +- pOut = sqlite3_realloc(p, GEOPOLY_SZ(4)); ++ pOut = sqlite3_realloc64(p, GEOPOLY_SZ(4)); + if( pOut==0 ){ + sqlite3_free(p); + if( context ) sqlite3_result_error_nomem(context); +@@ -1040,9 +1040,9 @@ static GeoSegment *geopolySortSegmentsByYAndC(GeoSegment *pList){ + ** Determine the overlap between two polygons + */ + static int geopolyOverlap(GeoPoly *p1, GeoPoly *p2){ +- int nVertex = p1->nVertex + p2->nVertex + 2; ++ sqlite3_int64 nVertex = p1->nVertex + p2->nVertex + 2; + GeoOverlap *p; +- int nByte; ++ sqlite3_int64 nByte; + GeoEvent *pThisEvent; + double rX; + int rc = 0; +@@ -1054,7 +1054,7 @@ static int geopolyOverlap(GeoPoly *p1, GeoPoly *p2){ + nByte = sizeof(GeoEvent)*nVertex*2 + + sizeof(GeoSegment)*nVertex + + sizeof(GeoOverlap); +- p = sqlite3_malloc( nByte ); ++ p = sqlite3_malloc64( nByte ); + if( p==0 ) return -1; + p->aEvent = (GeoEvent*)&p[1]; + p->aSegment = (GeoSegment*)&p->aEvent[nVertex*2]; +@@ -1213,8 +1213,8 @@ static int geopolyInit( + ){ + int rc = SQLITE_OK; + Rtree *pRtree; +- int nDb; /* Length of string argv[1] */ +- int nName; /* Length of string argv[2] */ ++ sqlite3_int64 nDb; /* Length of string argv[1] */ ++ sqlite3_int64 nName; /* Length of string argv[2] */ + sqlite3_str *pSql; + char *zSql; + int ii; +@@ -1222,9 +1222,9 @@ static int geopolyInit( + sqlite3_vtab_config(db, SQLITE_VTAB_CONSTRAINT_SUPPORT, 1); + + /* Allocate the sqlite3_vtab structure */ +- nDb = (int)strlen(argv[1]); +- nName = (int)strlen(argv[2]); +- pRtree = (Rtree *)sqlite3_malloc(sizeof(Rtree)+nDb+nName+2); ++ nDb = strlen(argv[1]); ++ nName = strlen(argv[2]); ++ pRtree = (Rtree *)sqlite3_malloc64(sizeof(Rtree)+nDb+nName+2); + if( !pRtree ){ + return SQLITE_NOMEM; + } +diff --git a/src/build.c b/src/build.c +index afe4171..1dc2614 100644 +--- a/src/build.c ++++ b/src/build.c +@@ -3760,9 +3760,9 @@ void *sqlite3ArrayAllocate( + int *pIdx /* Write the index of a new slot here */ + ){ + char *z; +- int n = *pnEntry; ++ sqlite3_int64 n = *pnEntry; + if( (n & (n-1))==0 ){ +- int sz = (n==0) ? 1 : 2*n; ++ sqlite3_int64 sz = (n==0) ? 1 : 2*n; + void *pNew = sqlite3DbRealloc(db, pArray, sz*szEntry); + if( pNew==0 ){ + *pIdx = -1; +@@ -3870,7 +3870,7 @@ SrcList *sqlite3SrcListEnlarge( + /* Allocate additional space if needed */ + if( (u32)pSrc->nSrc+nExtra>pSrc->nAlloc ){ + SrcList *pNew; +- int nAlloc = pSrc->nSrc*2+nExtra; ++ sqlite3_int64 nAlloc = 2*(sqlite3_int64)pSrc->nSrc+nExtra; + int nGot; + pNew = sqlite3DbRealloc(db, pSrc, + sizeof(*pSrc) + (nAlloc-1)*sizeof(pSrc->a[0]) ); +@@ -4612,7 +4612,7 @@ With *sqlite3WithAdd( + } + + if( pWith ){ +- int nByte = sizeof(*pWith) + (sizeof(pWith->a[1]) * pWith->nCte); ++ sqlite3_int64 nByte = sizeof(*pWith) + (sizeof(pWith->a[1]) * pWith->nCte); + pNew = sqlite3DbRealloc(db, pWith, nByte); + }else{ + pNew = sqlite3DbMallocZero(db, sizeof(*pWith)); +diff --git a/src/expr.c b/src/expr.c +index 5f98f76..d64b8eb 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -1547,7 +1547,7 @@ ExprList *sqlite3ExprListAppend( + }else if( (pList->nExpr & (pList->nExpr-1))==0 ){ + ExprList *pNew; + pNew = sqlite3DbRealloc(db, pList, +- sizeof(*pList)+(2*pList->nExpr - 1)*sizeof(pList->a[0])); ++ sizeof(*pList)+(2*(sqlite3_int64)pList->nExpr-1)*sizeof(pList->a[0])); + if( pNew==0 ){ + goto no_mem; + } +diff --git a/src/main.c b/src/main.c +index 46c8346..434b898 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -698,7 +698,7 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){ + pStart = 0; + }else if( pBuf==0 ){ + sqlite3BeginBenignMalloc(); +- pStart = sqlite3Malloc( sz*cnt ); /* IMP: R-61949-35727 */ ++ pStart = sqlite3Malloc( sz*(sqlite3_int64)cnt ); /* IMP: R-61949-35727 */ + sqlite3EndBenignMalloc(); + if( pStart ) cnt = sqlite3MallocSize(pStart)/sz; + }else{ +diff --git a/src/test_fs.c b/src/test_fs.c +index 8192beb..1feea46 100644 +--- a/src/test_fs.c ++++ b/src/test_fs.c +@@ -744,7 +744,7 @@ static int fsColumn(sqlite3_vtab_cursor *cur, sqlite3_context *ctx, int i){ + fstat(fd, &sbuf); + + if( sbuf.st_size>=pCur->nAlloc ){ +- int nNew = sbuf.st_size*2; ++ sqlite3_int64 nNew = sbuf.st_size*2; + char *zNew; + if( nNew<1024 ) nNew = 1024; + +diff --git a/src/util.c b/src/util.c +index 96b0b14..7f2b977 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -1572,7 +1572,7 @@ VList *sqlite3VListAdd( + assert( pIn==0 || pIn[0]>=3 ); /* Verify ok to add new elements */ + if( pIn==0 || pIn[1]+nInt > pIn[0] ){ + /* Enlarge the allocation */ +- int nAlloc = (pIn ? pIn[0]*2 : 10) + nInt; ++ sqlite3_int64 nAlloc = (pIn ? 2*(sqlite3_int64)pIn[0] : 10) + nInt; + VList *pOut = sqlite3DbRealloc(db, pIn, nAlloc*sizeof(int)); + if( pOut==0 ) return pIn; + if( pIn==0 ) pOut[1] = 2; +diff --git a/src/vdbeaux.c b/src/vdbeaux.c +index b74141b..ffc5d0b 100644 +--- a/src/vdbeaux.c ++++ b/src/vdbeaux.c +@@ -125,9 +125,11 @@ static int growOpArray(Vdbe *v, int nOp){ + ** operation (without SQLITE_TEST_REALLOC_STRESS) is to double the current + ** size of the op array or add 1KB of space, whichever is smaller. */ + #ifdef SQLITE_TEST_REALLOC_STRESS +- int nNew = (p->nOpAlloc>=512 ? p->nOpAlloc*2 : p->nOpAlloc+nOp); ++ sqlite3_int64 nNew = (p->nOpAlloc>=512 ? 2*(sqlite3_int64)p->nOpAlloc ++ : (sqlite3_int64)p->nOpAlloc+nOp); + #else +- int nNew = (p->nOpAlloc ? p->nOpAlloc*2 : (int)(1024/sizeof(Op))); ++ sqlite3_int64 nNew = (p->nOpAlloc ? 2*(sqlite3_int64)p->nOpAlloc ++ : (sqlite3_int64)1024/sizeof(Op)); + UNUSED_PARAMETER(nOp); + #endif + +@@ -875,7 +877,7 @@ void sqlite3VdbeScanStatus( + LogEst nEst, /* Estimated number of output rows */ + const char *zName /* Name of table or index being scanned */ + ){ +- int nByte = (p->nScan+1) * sizeof(ScanStatus); ++ sqlite3_int64 nByte = (p->nScan+1) * sizeof(ScanStatus); + ScanStatus *aNew; + aNew = (ScanStatus*)sqlite3DbRealloc(p->db, p->aScan, nByte); + if( aNew ){ +diff --git a/src/vdbesort.c b/src/vdbesort.c +index b30bc4e..d84a411 100644 +--- a/src/vdbesort.c ++++ b/src/vdbesort.c +@@ -537,7 +537,7 @@ static int vdbePmaReadBlob( + /* Extend the p->aAlloc[] allocation if required. */ + if( p->nAllocnAlloc*2); ++ sqlite3_int64 nNew = MAX(128, 2*(sqlite3_int64)p->nAlloc); + while( nByte>nNew ) nNew = nNew*2; + aNew = sqlite3Realloc(p->aAlloc, nNew); + if( !aNew ) return SQLITE_NOMEM_BKPT; +@@ -1829,7 +1829,7 @@ int sqlite3VdbeSorterWrite( + if( nMin>pSorter->nMemory ){ + u8 *aNew; + int iListOff = (u8*)pSorter->list.pList - pSorter->list.aMemory; +- int nNew = pSorter->nMemory * 2; ++ sqlite3_int64 nNew = 2 * (sqlite3_int64)pSorter->nMemory; + while( nNew < nMin ) nNew = nNew*2; + if( nNew > pSorter->mxPmaSize ) nNew = pSorter->mxPmaSize; + if( nNew < nMin ) nNew = nMin; +diff --git a/src/vtab.c b/src/vtab.c +index 1b8d283..41c6093 100644 +--- a/src/vtab.c ++++ b/src/vtab.c +@@ -302,9 +302,13 @@ void sqlite3VtabClear(sqlite3 *db, Table *p){ + ** string will be freed automatically when the table is + ** deleted. + */ +-static void addModuleArgument(sqlite3 *db, Table *pTable, char *zArg){ +- int nBytes = sizeof(char *)*(2+pTable->nModuleArg); ++static void addModuleArgument(Parse *pParse, Table *pTable, char *zArg){ ++ sqlite3_int64 nBytes = sizeof(char *)*(2+pTable->nModuleArg); + char **azModuleArg; ++ sqlite3 *db = pParse->db; ++ if( pTable->nModuleArg+3>=db->aLimit[SQLITE_LIMIT_COLUMN] ){ ++ sqlite3ErrorMsg(pParse, "too many columns on %s", pTable->zName); ++ } + azModuleArg = sqlite3DbRealloc(db, pTable->azModuleArg, nBytes); + if( azModuleArg==0 ){ + sqlite3DbFree(db, zArg); +@@ -339,9 +343,9 @@ void sqlite3VtabBeginParse( + db = pParse->db; + + assert( pTable->nModuleArg==0 ); +- addModuleArgument(db, pTable, sqlite3NameFromToken(db, pModuleName)); +- addModuleArgument(db, pTable, 0); +- addModuleArgument(db, pTable, sqlite3DbStrDup(db, pTable->zName)); ++ addModuleArgument(pParse, pTable, sqlite3NameFromToken(db, pModuleName)); ++ addModuleArgument(pParse, pTable, 0); ++ addModuleArgument(pParse, pTable, sqlite3DbStrDup(db, pTable->zName)); + assert( (pParse->sNameToken.z==pName2->z && pName2->z!=0) + || (pParse->sNameToken.z==pName1->z && pName2->z==0) + ); +@@ -374,7 +378,7 @@ static void addArgumentToVtab(Parse *pParse){ + const char *z = (const char*)pParse->sArg.z; + int n = pParse->sArg.n; + sqlite3 *db = pParse->db; +- addModuleArgument(db, pParse->pNewTable, sqlite3DbStrNDup(db, z, n)); ++ addModuleArgument(pParse, pParse->pNewTable, sqlite3DbStrNDup(db, z, n)); + } + } + +@@ -663,7 +667,8 @@ static int growVTrans(sqlite3 *db){ + /* Grow the sqlite3.aVTrans array if required */ + if( (db->nVTrans%ARRAY_INCR)==0 ){ + VTable **aVTrans; +- int nBytes = sizeof(sqlite3_vtab *) * (db->nVTrans + ARRAY_INCR); ++ sqlite3_int64 nBytes = sizeof(sqlite3_vtab*)* ++ ((sqlite3_int64)db->nVTrans + ARRAY_INCR); + aVTrans = sqlite3DbRealloc(db, (void *)db->aVTrans, nBytes); + if( !aVTrans ){ + return SQLITE_NOMEM_BKPT; +@@ -1157,9 +1162,9 @@ int sqlite3VtabEponymousTableInit(Parse *pParse, Module *pMod){ + pTab->pSchema = db->aDb[0].pSchema; + assert( pTab->nModuleArg==0 ); + pTab->iPKey = -1; +- addModuleArgument(db, pTab, sqlite3DbStrDup(db, pTab->zName)); +- addModuleArgument(db, pTab, 0); +- addModuleArgument(db, pTab, sqlite3DbStrDup(db, pTab->zName)); ++ addModuleArgument(pParse, pTab, sqlite3DbStrDup(db, pTab->zName)); ++ addModuleArgument(pParse, pTab, 0); ++ addModuleArgument(pParse, pTab, sqlite3DbStrDup(db, pTab->zName)); + rc = vtabCallConstructor(db, pTab, pMod, pModule->xConnect, &zErr); + if( rc ){ + sqlite3ErrorMsg(pParse, "%s", zErr); +-- +2.30.2 + diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13435.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13435.patch new file mode 100644 index 0000000..8a88771 --- /dev/null +++ b/SOURCES/sqlite-3.26.0-CVE-2020-13435.patch @@ -0,0 +1,144 @@ +Subject: [PATCH] When rewriting a query for window functions, if the rewrite +changes the depth of TK_AGG_FUNCTION nodes, be sure to adjust the Expr.op2 +field appropriately. + +diff --git a/src/resolve.c b/src/resolve.c +index cdcf4d9..c47f6bb 100644 +--- a/src/resolve.c ++++ b/src/resolve.c +@@ -24,6 +24,8 @@ + ** + ** incrAggFunctionDepth(pExpr,n) is the main routine. incrAggDepth(..) + ** is a helper function - a callback for the tree walker. ++** ++** See also the sqlite3WindowExtraAggFuncDepth() routine in window.c + */ + static int incrAggDepth(Walker *pWalker, Expr *pExpr){ + if( pExpr->op==TK_AGG_FUNCTION ) pExpr->op2 += pWalker->u.n; +diff --git a/src/select.c b/src/select.c +index a6d1757..6f5570c 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -1961,7 +1961,7 @@ int sqlite3ColumnsFromExprList( + assert( pColExpr!=0 ); + } + assert( pColExpr->op!=TK_AGG_COLUMN ); +- if( pColExpr->op==TK_COLUMN ){ ++ if( pColExpr->op==TK_COLUMN && pColExpr->y.pTab ){ + /* For columns use the column name name */ + int iCol = pColExpr->iColumn; + Table *pTab = pColExpr->y.pTab; +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index 1cf6937..ea9a7ae 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -3579,6 +3579,8 @@ void sqlite3WindowUpdate(Parse*, Window*, Window*, FuncDef*); + Window *sqlite3WindowDup(sqlite3 *db, Expr *pOwner, Window *p); + Window *sqlite3WindowListDup(sqlite3 *db, Window *p); + void sqlite3WindowFunctions(void); ++int sqlite3WalkerDepthIncrease(Walker*,Select*); ++void sqlite3WalkerDepthDecrease(Walker*,Select*); + #else + # define sqlite3WindowDelete(a,b) + # define sqlite3WindowFunctions() +diff --git a/src/walker.c b/src/walker.c +index c31d94f..8cd3b65 100644 +--- a/src/walker.c ++++ b/src/walker.c +@@ -165,3 +165,16 @@ int sqlite3WalkSelect(Walker *pWalker, Select *p){ + }while( p!=0 ); + return WRC_Continue; + } ++ ++/* Increase the walkerDepth when entering a subquery, and ++** descrease when leaving the subquery. ++*/ ++int sqlite3WalkerDepthIncrease(Walker *pWalker, Select *pSelect){ ++ UNUSED_PARAMETER(pSelect); ++ pWalker->walkerDepth++; ++ return WRC_Continue; ++} ++void sqlite3WalkerDepthDecrease(Walker *pWalker, Select *pSelect){ ++ UNUSED_PARAMETER(pSelect); ++ pWalker->walkerDepth--; ++} +\ No newline at end of file +diff --git a/src/window.c b/src/window.c +index c65eadd..48d8090 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -738,6 +738,23 @@ static ExprList *exprListAppendList( + return pList; + } + ++/* ++** When rewriting a query, if the new subquery in the FROM clause ++** contains TK_AGG_FUNCTION nodes that refer to an outer query, ++** then we have to increase the Expr->op2 values of those nodes ++** due to the extra subquery layer that was added. ++** ++** See also the incrAggDepth() routine in resolve.c ++*/ ++static int sqlite3WindowExtraAggFuncDepth(Walker *pWalker, Expr *pExpr){ ++ if( pExpr->op==TK_AGG_FUNCTION ++ && pExpr->op2>=pWalker->walkerDepth ++ ){ ++ pExpr->op2++; ++ } ++ return WRC_Continue; ++} ++ + /* + ** If the SELECT statement passed as the second argument does not invoke + ** any SQL window functions, this function is a no-op. Otherwise, it +@@ -827,14 +844,24 @@ int sqlite3WindowRewrite(Parse *pParse, Select *p){ + p->pSrc = sqlite3SrcListAppend(db, 0, 0, 0); + assert( p->pSrc || db->mallocFailed ); + if( p->pSrc ){ ++ Table *pTab2; ++ Walker w; + p->pSrc->a[0].pSelect = pSub; + sqlite3SrcListAssignCursors(pParse, p->pSrc); +- if( sqlite3ExpandSubquery(pParse, &p->pSrc->a[0]) ){ ++ pTab2 = sqlite3ResultSetOfSelect(pParse, pSub); ++ if( pTab2==0 ){ + rc = SQLITE_NOMEM; + }else{ + pSub->selFlags |= SF_Expanded; + p->selFlags &= ~SF_Aggregate; + sqlite3SelectPrep(pParse, pSub, 0); ++ pTab2->tabFlags |= TF_Ephemeral; ++ p->pSrc->a[0].pTab = pTab2; ++ memset(&w, 0, sizeof(w)); ++ w.xExprCallback = sqlite3WindowExtraAggFuncDepth; ++ w.xSelectCallback = sqlite3WalkerDepthIncrease; ++ w.xSelectCallback2 = sqlite3WalkerDepthDecrease; ++ sqlite3WalkSelect(&w, pSub); + } + + sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pMWin->iEphCsr, pSublist->nExpr); +diff --git a/test/window1.test b/test/window1.test +index a8399a8..13ecc32 100644 +--- a/test/window1.test ++++ b/test/window1.test +@@ -594,4 +594,20 @@ do_execsql_test 13.5 { + } { + } + ++# 2020-05-23 ++# ticket 7a5279a25c57adf1 ++# ++reset_db ++do_execsql_test 53.0 { ++ CREATE TABLE a(c UNIQUE); ++ INSERT INTO a VALUES(4),(0),(9),(-9); ++ SELECT a.c ++ FROM a ++ JOIN a AS b ON a.c=4 ++ JOIN a AS e ON a.c=e.c ++ WHERE a.c=(SELECT (SELECT coalesce(lead(2) OVER(),0) + sum(d.c)) ++ FROM a AS d ++ WHERE a.c); ++} {4 4 4 4} ++ + finish_test diff --git a/SPECS/sqlite.spec b/SPECS/sqlite.spec index 75f8760..a5d61eb 100644 --- a/SPECS/sqlite.spec +++ b/SPECS/sqlite.spec @@ -10,7 +10,7 @@ Summary: Library that implements an embeddable SQL database engine Name: sqlite Version: %{rpmver} -Release: 13%{?dist} +Release: 15%{?dist} License: Public Domain Group: Applications/Databases URL: http://www.sqlite.org/ @@ -75,6 +75,23 @@ Patch26: sqlite-3.26.0-CVE-2020-13434.patch # Fix for CVE-2020-15358 # upstream commit: https://www.sqlite.org/src/info/10fa79d00f8091e5 Patch27: sqlite-3.26.0-CVE-2020-15358.patch +# Fix for CVE-2019-5827 +# https://www.sqlite.org/src/info/0b6ae032c28e7fe3 +# https://www.sqlite.org/src/info/07ee06fd390bfebe +Patch28: sqlite-3.26.0-CVE-2019-5827.patch +# Fix for CVE-2019-13750 +# https://github.com/sqlite/sqlite/commit/397a78d4a1864111f488a51d296810e7ef037893 +# https://www.sqlite.org/src/info/70390bbca49e7066 +Patch29: sqlite-3.26.0-CVE-2019-13750.patch +# Fix for CVE-2019-13751 +# https://github.com/sqlite/sqlite/commit/70d1a1a3ed64d7bd82fd90268e4c9cf208ca1be0 +Patch30: sqlite-3.26.0-CVE-2019-13751.patch +# Fix for CVE-2019-19603 +# https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13 +Patch31: sqlite-3.26.0-CVE-2019-19603.patch +# Fix for CVE-2020-13435 +# https://www.sqlite.org/src/info/ad7bb70af9bb68d1 +Patch34: sqlite-3.26.0-CVE-2020-13435.patch BuildRequires: ncurses-devel readline-devel glibc-devel BuildRequires: autoconf @@ -199,6 +216,11 @@ This package contains the analysis program for %{name}. %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch34 -p1 # Remove backup-file @@ -300,6 +322,17 @@ make test %endif %changelog +* Tue May 18 2021 Petr Kubat - 3.26.0-15 +- Removing fix for CVE-2019-19645 (unaffected) +- Removing fix for CVE-2019-19880 (unaffected) + +* Thu Apr 15 2021 Ondrej Dubaj - 3.26.0-14 +- Fixed CVE-2019-5827 (#1710184) +- Fixed CVE-2019-13750 (#1786510) +- Fixed CVE-2019-13751 (#1786522) +- Fixed CVE-2019-19603 (#1792013) +- Fixed CVE-2020-13435 (#1841233) + * Tue Dec 01 2020 Ondrej Dubaj - 3.26.0-13 - enabled fts3conf.test on s390x and ppc64 architectures