rpms/sqlite
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import sqlite-3.26.0-11.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-11-03 06:43:27 -05:00 committed by Andrew Lukoshko
parent 6d172b2394
commit 65da0f44ad
9 changed files with 878 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
SOURCES/sqlite-3.26.0-CVE-2019-16168.patch Normal file
View File

@ -0,0 +1,65 @@
From ab17169870e985b062e520ecf95e6c79ad784f38 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Thu, 23 Apr 2020 11:25:13 +0200
Subject: [PATCH] fixed CVE-2019-16168 (rhbz#1826897)
---
src/analyze.c | 4 +++-
src/where.c | 1 +
test/analyzeC.test | 13 +++++++++++++
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/analyze.c b/src/analyze.c
index 5075b57..e47c0f5 100644
--- a/src/analyze.c
+++ b/src/analyze.c
@@ -1497,7 +1497,9 @@ static void decodeIntArray(
if( sqlite3_strglob("unordered*", z)==0 ){
pIndex->bUnordered = 1;
}else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
+ int sz = sqlite3Atoi(z+3);
+ if( sz<2 ) sz = 2;
+ pIndex->szIdxRow = sqlite3LogEst(sz);
}else if( sqlite3_strglob("noskipscan*", z)==0 ){
pIndex->noSkipScan = 1;
}
diff --git a/src/where.c b/src/where.c
index 8e01660..1a4fa51 100644
--- a/src/where.c
+++ b/src/where.c
@@ -2655,6 +2655,7 @@ static int whereLoopAddBtreeIndex(
** it to pNew->rRun, which is currently set to the cost of the index
** seek only. Then, if this is a non-covering index, add the cost of
** visiting the rows in the main table. */
+ assert( pSrc->pTab->szTabRow>0 );
rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
diff --git a/test/analyzeC.test b/test/analyzeC.test
index 02faa9c..3595c9d 100644
--- a/test/analyzeC.test
+++ b/test/analyzeC.test
@@ -132,6 +132,19 @@ do_execsql_test 4.3 {
SELECT count(a) FROM t1;
} {/.*INDEX t1ca.*/}
+# 2019-08-15.
+# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
+# The sz=N parameter in the sqlite_stat1 table needs to have a value of
+# 2 or more to avoid a division by zero in the query planner.
+#
+do_execsql_test 4.4 {
+ DROP TABLE IF EXISTS t44;
+ CREATE TABLE t44(a PRIMARY KEY);
+ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
+ ANALYZE sqlite_master;
+ SELECT 0 FROM t44 WHERE a IN(1,2,3);
+} {}
+
# The sz=NNN parameter works even if there is other extraneous text
# in the sqlite_stat1.stat column.
--
2.24.1

102
SOURCES/sqlite-3.26.0-CVE-2019-20218.patch Normal file
View File

@ -0,0 +1,102 @@
From ff5f246e41239cc4dd33ffa73883fa07f78674e1 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Fri, 7 Aug 2020 07:00:29 +0200
Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
following an error.
---
src/select.c | 5 ++++-
src/util.c | 1 +
test/altertab2.test | 20 ++++++++++++++++++++
test/with3.test | 10 +++++++++-
4 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/src/select.c b/src/select.c
index c46f177..a6d1757 100644
--- a/src/select.c
+++ b/src/select.c
@@ -4639,6 +4639,9 @@ static int withExpand(
With *pWith; /* WITH clause that pCte belongs to */
assert( pFrom->pTab==0 );
+ if( pParse->nErr ){
+ return SQLITE_ERROR;
+ }
pCte = searchWith(pParse->pWith, pFrom, &pWith);
if( pCte ){
@@ -4908,7 +4911,7 @@ static int selectExpander(Walker *pWalker, Select *p){
/* Process NATURAL keywords, and ON and USING clauses of joins.
*/
- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
return WRC_Abort;
}
diff --git a/src/util.c b/src/util.c
index 54f9b93..96b0b14 100644
--- a/src/util.c
+++ b/src/util.c
@@ -222,6 +222,7 @@ void sqlite3ErrorMsg(Parse *pParse, const char *zFormat, ...){
sqlite3DbFree(db, pParse->zErrMsg);
pParse->zErrMsg = zMsg;
pParse->rc = SQLITE_ERROR;
+ pParse->pWith = 0;
}
}
diff --git a/test/altertab2.test b/test/altertab2.test
index 2e4212c..2102e02 100644
--- a/test/altertab2.test
+++ b/test/altertab2.test
@@ -85,5 +85,25 @@ do_execsql_test 2.3 {
{CREATE TABLE c3(x, FOREIGN KEY (x) REFERENCES "p3"(a))}
}
+#------------------------------------------------------------------------
+#
+reset_db
+do_execsql_test 3.0 {
+ CREATE TABLE v0 (a);
+ CREATE VIEW v2 (v3) AS
+ WITH x1 AS (SELECT * FROM v2)
+ SELECT v3 AS x, v3 AS y FROM v2;
+}
+
+do_catchsql_test 3.1 {
+ SELECT * FROM v2
+} {1 {view v2 is circularly defined}}
+
+db close
+sqlite3 db test.db
+
+do_catchsql_test 3.2 {
+ ALTER TABLE v0 RENAME TO t3 ;
+} {1 {error in view v2: view v2 is circularly defined}}
finish_test
diff --git a/test/with3.test b/test/with3.test
index de150b1..4a3a5a7 100644
--- a/test/with3.test
+++ b/test/with3.test
@@ -30,7 +30,15 @@ do_catchsql_test 1.0 {
SELECT 5 FROM t0 UNION SELECT 8 FROM m
)
SELECT * FROM i;
-} {1 {no such table: m}}
+} {1 {no such table: t0}}
+
+# 2019-11-09 dbfuzzcheck find
+do_catchsql_test 1.1 {
+ CREATE VIEW v1(x,y) AS
+ WITH t1(a,b) AS (VALUES(1,2))
+ SELECT * FROM nosuchtable JOIN t1;
+ SELECT * FROM v1;
+} {1 {no such table: main.nosuchtable}}
# Additional test cases that came out of the work to
# fix for Kostya's problem.
--
2.26.0

281
SOURCES/sqlite-3.26.0-CVE-2019-5018.patch Normal file
View File

@ -0,0 +1,281 @@
Subject: [PATCH] Prevent aliases of window functions expressions from being
used as arguments to aggregate or other window functions.
---
src/resolve.c | 21 ++++++---
src/sqliteInt.h | 2 +
test/windowerr.tcl | 59 ++++++++++++++++++++++++++
test/windowerr.test | 99 ++++++++++++++++++++++++++++++++++++++++++
4 files changed, 176 insertions(+), 5 deletions(-)
create mode 100644 test/windowerr.tcl
create mode 100644 test/windowerr.test
diff --git a/src/resolve.c b/src/resolve.c
index 0c7dfc0..cdcf4d9 100644
--- a/src/resolve.c
+++ b/src/resolve.c
@@ -436,6 +436,10 @@ static int lookupName(
sqlite3ErrorMsg(pParse, "misuse of aliased aggregate %s", zAs);
return WRC_Abort;
}
+ if( (pNC->ncFlags&NC_AllowWin)==0 && ExprHasProperty(pOrig, EP_Win) ){
+ sqlite3ErrorMsg(pParse, "misuse of aliased window function %s",zAs);
+ return WRC_Abort;
+ }
if( sqlite3ExprVectorSize(pOrig)!=1 ){
sqlite3ErrorMsg(pParse, "row value misused");
return WRC_Abort;
@@ -707,6 +711,7 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
const char *zId; /* The function name. */
FuncDef *pDef; /* Information about the function */
u8 enc = ENC(pParse->db); /* The database encoding */
+ int savedAllowFlags = (pNC->ncFlags & (NC_AllowAgg | NC_AllowWin));
assert( !ExprHasProperty(pExpr, EP_xIsSelect) );
zId = pExpr->u.zToken;
@@ -828,8 +833,11 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
pNC->nErr++;
}
if( is_agg ){
+ /* Window functions may not be arguments of aggregate functions.
+ ** Or arguments of other window functions. But aggregate functions
+ ** may be arguments for window functions. */
#ifndef SQLITE_OMIT_WINDOWFUNC
- pNC->ncFlags &= ~(pExpr->y.pWin ? NC_AllowWin : NC_AllowAgg);
+ pNC->ncFlags &= ~(NC_AllowWin | (!pExpr->y.pWin ? NC_AllowAgg : 0));
#else
pNC->ncFlags &= ~NC_AllowAgg;
#endif
@@ -850,7 +858,7 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
pExpr->y.pWin->pNextWin = pSel->pWin;
pSel->pWin = pExpr->y.pWin;
}
- pNC->ncFlags |= NC_AllowWin;
+ pNC->ncFlags |= NC_HasWin;
}else
#endif /* SQLITE_OMIT_WINDOWFUNC */
{
@@ -868,8 +876,8 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
pNC2->ncFlags |= NC_HasAgg | (pDef->funcFlags & SQLITE_FUNC_MINMAX);
}
- pNC->ncFlags |= NC_AllowAgg;
}
+ pNC->ncFlags |= savedAllowFlags;
}
/* FIX ME: Compute pExpr->affinity based on the expected return
** type of the function
@@ -1573,8 +1581,8 @@ int sqlite3ResolveExprNames(
Walker w;
if( pExpr==0 ) return SQLITE_OK;
- savedHasAgg = pNC->ncFlags & (NC_HasAgg|NC_MinMaxAgg);
- pNC->ncFlags &= ~(NC_HasAgg|NC_MinMaxAgg);
+ savedHasAgg = pNC->ncFlags & (NC_HasAgg|NC_MinMaxAgg|NC_HasWin);
+ pNC->ncFlags &= ~(NC_HasAgg|NC_MinMaxAgg|NC_HasWin);
w.pParse = pNC->pParse;
w.xExprCallback = resolveExprStep;
w.xSelectCallback = resolveSelectStep;
@@ -1593,6 +1601,9 @@ int sqlite3ResolveExprNames(
if( pNC->ncFlags & NC_HasAgg ){
ExprSetProperty(pExpr, EP_Agg);
}
+ if( pNC->ncFlags & NC_HasWin ){
+ ExprSetProperty(pExpr, EP_Win);
+ }
pNC->ncFlags |= savedHasAgg;
return pNC->nErr>0 || w.pParse->nErr>0;
}
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 5f5f3cc..b7d3571 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -2517,6 +2517,7 @@ struct Expr {
#define EP_Alias 0x400000 /* Is an alias for a result set column */
#define EP_Leaf 0x800000 /* Expr.pLeft, .pRight, .u.pSelect all NULL */
#define EP_WinFunc 0x1000000 /* TK_FUNCTION with Expr.y.pWin set */
+#define EP_Win 0x8000000 /* Contains window functions */
/*
** The EP_Propagate mask is a set of properties that automatically propagate
@@ -2773,6 +2774,7 @@ struct NameContext {
#define NC_MinMaxAgg 0x1000 /* min/max aggregates seen. See note above */
#define NC_Complex 0x2000 /* True if a function or subquery seen */
#define NC_AllowWin 0x4000 /* Window functions are allowed here */
+#define NC_HasWin 0x8000 /* One or more window functions seen */
/*
** An instance of the following object describes a single ON CONFLICT
diff --git a/test/windowerr.tcl b/test/windowerr.tcl
new file mode 100644
index 0000000..80f464d
--- /dev/null
+++ b/test/windowerr.tcl
@@ -0,0 +1,59 @@
+# 2018 May 19
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+#
+
+source [file join [file dirname $argv0] pg_common.tcl]
+
+#=========================================================================
+
+start_test windowerr "2019 March 01"
+ifcapable !windowfunc
+
+execsql_test 1.0 {
+ DROP TABLE IF EXISTS t1;
+ CREATE TABLE t1(a INTEGER, b INTEGER);
+ INSERT INTO t1 VALUES(1, 1);
+ INSERT INTO t1 VALUES(2, 2);
+ INSERT INTO t1 VALUES(3, 3);
+ INSERT INTO t1 VALUES(4, 4);
+ INSERT INTO t1 VALUES(5, 5);
+}
+
+foreach {tn frame} {
+ 1 "ORDER BY a ROWS BETWEEN -1 PRECEDING AND 1 FOLLOWING"
+ 2 "ORDER BY a ROWS BETWEEN 1 PRECEDING AND -1 FOLLOWING"
+
+ 3 "ORDER BY a RANGE BETWEEN -1 PRECEDING AND 1 FOLLOWING"
+ 4 "ORDER BY a RANGE BETWEEN 1 PRECEDING AND -1 FOLLOWING"
+
+ 5 "ORDER BY a GROUPS BETWEEN -1 PRECEDING AND 1 FOLLOWING"
+ 6 "ORDER BY a GROUPS BETWEEN 1 PRECEDING AND -1 FOLLOWING"
+
+ 7 "ORDER BY a,b RANGE BETWEEN 1 PRECEDING AND 1 FOLLOWING"
+
+ 8 "PARTITION BY a RANGE BETWEEN 1 PRECEDING AND 1 FOLLOWING"
+} {
+ errorsql_test 1.$tn "
+ SELECT a, sum(b) OVER (
+ $frame
+ ) FROM t1 ORDER BY 1
+ "
+}
+errorsql_test 2.1 {
+ SELECT sum( sum(a) OVER () ) FROM t1;
+}
+
+errorsql_test 2.2 {
+ SELECT sum(a) OVER () AS xyz FROM t1 ORDER BY sum(xyz);
+}
+
+
+finish_test
diff --git a/test/windowerr.test b/test/windowerr.test
new file mode 100644
index 0000000..97dae64
--- /dev/null
+++ b/test/windowerr.test
@@ -0,0 +1,99 @@
+# 2019 March 01
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+# This file implements regression tests for SQLite library.
+#
+
+####################################################
+# DO NOT EDIT! THIS FILE IS AUTOMATICALLY GENERATED!
+####################################################
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix windowerr
+
+ifcapable !windowfunc { finish_test ; return }
+do_execsql_test 1.0 {
+ DROP TABLE IF EXISTS t1;
+ CREATE TABLE t1(a INTEGER, b INTEGER);
+ INSERT INTO t1 VALUES(1, 1);
+ INSERT INTO t1 VALUES(2, 2);
+ INSERT INTO t1 VALUES(3, 3);
+ INSERT INTO t1 VALUES(4, 4);
+ INSERT INTO t1 VALUES(5, 5);
+} {}
+
+# PG says ERROR: frame starting offset must not be negative
+do_test 1.1 { catch { execsql {
+ SELECT a, sum(b) OVER (
+ ORDER BY a ROWS BETWEEN -1 PRECEDING AND 1 FOLLOWING
+ ) FROM t1 ORDER BY 1
+} } } 1
+
+# PG says ERROR: frame ending offset must not be negative
+do_test 1.2 { catch { execsql {
+ SELECT a, sum(b) OVER (
+ ORDER BY a ROWS BETWEEN 1 PRECEDING AND -1 FOLLOWING
+ ) FROM t1 ORDER BY 1
+} } } 1
+
+# PG says ERROR: invalid preceding or following size in window function
+do_test 1.3 { catch { execsql {
+ SELECT a, sum(b) OVER (
+ ORDER BY a RANGE BETWEEN -1 PRECEDING AND 1 FOLLOWING
+ ) FROM t1 ORDER BY 1
+} } } 1
+
+# PG says ERROR: invalid preceding or following size in window function
+do_test 1.4 { catch { execsql {
+ SELECT a, sum(b) OVER (
+ ORDER BY a RANGE BETWEEN 1 PRECEDING AND -1 FOLLOWING
+ ) FROM t1 ORDER BY 1
+} } } 1
+
+# PG says ERROR: frame starting offset must not be negative
+do_test 1.5 { catch { execsql {
+ SELECT a, sum(b) OVER (
+ ORDER BY a GROUPS BETWEEN -1 PRECEDING AND 1 FOLLOWING
+ ) FROM t1 ORDER BY 1
+} } } 1
+
+# PG says ERROR: frame ending offset must not be negative
+do_test 1.6 { catch { execsql {
+ SELECT a, sum(b) OVER (
+ ORDER BY a GROUPS BETWEEN 1 PRECEDING AND -1 FOLLOWING
+ ) FROM t1 ORDER BY 1
+} } } 1
+
+# PG says ERROR: RANGE with offset PRECEDING/FOLLOWING requires exactly one ORDER BY column
+do_test 1.7 { catch { execsql {
+ SELECT a, sum(b) OVER (
+ ORDER BY a,b RANGE BETWEEN 1 PRECEDING AND 1 FOLLOWING
+ ) FROM t1 ORDER BY 1
+} } } 1
+
+# PG says ERROR: RANGE with offset PRECEDING/FOLLOWING requires exactly one ORDER BY column
+do_test 1.8 { catch { execsql {
+ SELECT a, sum(b) OVER (
+ PARTITION BY a RANGE BETWEEN 1 PRECEDING AND 1 FOLLOWING
+ ) FROM t1 ORDER BY 1
+} } } 1
+
+# PG says ERROR: aggregate function calls cannot contain window function calls
+do_test 2.1 { catch { execsql {
+ SELECT sum( sum(a) OVER () ) FROM t1;
+} } } 1
+
+# PG says ERROR: column "xyz" does not exist
+do_test 2.2 { catch { execsql {
+ SELECT sum(a) OVER () AS xyz FROM t1 ORDER BY sum(xyz);
+} } } 1
+
+finish_test
--
2.24.1

88
SOURCES/sqlite-3.26.0-CVE-2020-13630.patch Normal file
View File

@ -0,0 +1,88 @@
Subject: [PATCH] Fix a use-after-free bug in the fts3 snippet() function.
---
ext/fts3/fts3.c | 1 +
test/fts3snippet2.test | 59 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 60 insertions(+)
create mode 100644 test/fts3snippet2.test
diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
index 84fc8a5..9ddd201 100644
--- a/ext/fts3/fts3.c
+++ b/ext/fts3/fts3.c
@@ -5213,6 +5213,7 @@ static void fts3EvalNextRow(
fts3EvalNextRow(pCsr, pLeft, pRc);
}
}
+ pRight->bEof = pLeft->bEof = 1;
}
}
break;
diff --git a/test/fts3snippet2.test b/test/fts3snippet2.test
new file mode 100644
index 0000000..607b01e
--- /dev/null
+++ b/test/fts3snippet2.test
@@ -0,0 +1,59 @@
+# 2020-05-14
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#*************************************************************************
+#
+# The tests in this file test the FTS3 auxillary functions offsets(),
+# snippet() and matchinfo() work. At time of writing, running this file
+# provides full coverage of fts3_snippet.c.
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix fts3snippet
+
+# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
+ifcapable !fts3 { finish_test ; return }
+source $testdir/fts3_common.tcl
+
+set sqlite_fts3_enable_parentheses 1
+#-------------------------------------------------------------------------
+# Request a snippet from a query with more than 64 phrases.
+#
+reset_db
+do_execsql_test 1.0 {
+ CREATE VIRTUAL TABLE f USING fts3(b);
+ INSERT INTO f VALUES ( x'746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218');
+}
+
+do_execsql_test 1.1 {
+ SELECT length(snippet(f))>0 FROM f WHERE b MATCH x'1065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a010f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c2a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e0f42';
+} {1}
+
+reset_db
+do_execsql_test 2.0 {
+ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
+ INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
+ SELECT snippet(t0) FROM t0 WHERE t0 MATCH x'0a4d4d4d4d320a4f52d70a310a310a4e4541520a0a31f6ce0a4f520a0a310a310a310a4f520a75fc2a242424' ;
+} {<b>1</b>}
+
+reset_db
+do_execsql_test 2.1 {
+ CREATE VIRTUAL TABLE t0 USING fts3(
+ col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY
+ );
+ INSERT INTO t0 VALUES ('one', '1234','aaaa','bbbb');
+}
+do_execsql_test 2.2 {
+ SELECT snippet(t0) FROM t0 WHERE t0 MATCH
+ '(def AND (one NEAR abc)) OR one'
+} {<b>one</b>}
+
+set sqlite_fts3_enable_parentheses 0
+finish_test
--
2.24.1

97
SOURCES/sqlite-3.26.0-CVE-2020-13631.patch Normal file
View File

@ -0,0 +1,97 @@
Subject: [PATCH] Do not allow a virtual table to be renamed into the name of
one of its shadows.
---
src/alter.c | 5 ++++-
src/build.c | 28 ++++++++++++++++++++++------
src/sqliteInt.h | 5 +++++
3 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/src/alter.c b/src/alter.c
index 1280e90..0fa24c0 100644
--- a/src/alter.c
+++ b/src/alter.c
@@ -117,7 +117,10 @@ void sqlite3AlterRenameTable(
/* Check that a table or index named 'zName' does not already exist
** in database iDb. If so, this is an error.
*/
- if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){
+ if( sqlite3FindTable(db, zName, zDb)
+ || sqlite3FindIndex(db, zName, zDb)
+ || sqlite3IsShadowTableOf(db, pTab, zName)
+ ){
sqlite3ErrorMsg(pParse,
"there is already another table or index with this name: %s", zName);
goto exit_rename_table;
diff --git a/src/build.c b/src/build.c
index e0fed8a..426428b 100644
--- a/src/build.c
+++ b/src/build.c
@@ -1899,6 +1899,27 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
recomputeColumnsNotIndexed(pPk);
}
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/*
+** Return true if pTab is a virtual table and zName is a shadow table name
+** for that virtual table.
+*/
+int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){
+ int nName; /* Length of zName */
+
+ if( !IsVirtual(pTab) ) return 0;
+ nName = sqlite3Strlen30(pTab->zName);
+ if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
+ if( zName[nName]!='_' ) return 0;
+ Module *pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
+ if( pMod==0 ) return 0;
+ if( pMod->pModule->iVersion<3 ) return 0;
+ if( pMod->pModule->xShadowName==0 ) return 0;
+ return pMod->pModule->xShadowName(zName+nName+1);
+}
+#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
+
#ifndef SQLITE_OMIT_VIRTUALTABLE
/*
** Return true if zName is a shadow table name in the current database
@@ -1910,7 +1931,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
static int isShadowTableName(sqlite3 *db, char *zName){
char *zTail; /* Pointer to the last "_" in zName */
Table *pTab; /* Table that zName is a shadow of */
- Module *pMod; /* Module for the virtual table */
zTail = strrchr(zName, '_');
if( zTail==0 ) return 0;
@@ -1919,11 +1939,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){
*zTail = '_';
if( pTab==0 ) return 0;
if( !IsVirtual(pTab) ) return 0;
- pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
- if( pMod==0 ) return 0;
- if( pMod->pModule->iVersion<3 ) return 0;
- if( pMod->pModule->xShadowName==0 ) return 0;
- return pMod->pModule->xShadowName(zTail+1);
+ return sqlite3IsShadowTableOf(db, pTab, zName);
}
#else
# define isShadowTableName(x,y) 0
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index b7d3571..76337f7 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -4407,6 +4407,11 @@ void sqlite3AutoLoadExtensions(sqlite3*);
);
# define sqlite3VtabInSync(db) ((db)->nVTrans>0 && (db)->aVTrans==0)
#endif
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+ int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*);
+#else
+# define sqlite3IsShadowTableOf(A,B,C) 0
+#endif
int sqlite3VtabEponymousTableInit(Parse*,Module*);
void sqlite3VtabEponymousTableClear(sqlite3*,Module*);
void sqlite3VtabMakeWritable(Parse*,Table*);
--
2.24.1

67
SOURCES/sqlite-3.26.0-CVE-2020-13632.patch Normal file
View File

@ -0,0 +1,67 @@
Subject: [PATCH] Fix a null pointer deference that can occur on a strange
matchinfo() query.
---
ext/fts3/fts3_snippet.c | 2 +-
test/fts3matchinfo2.test | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 test/fts3matchinfo2.test
diff --git a/ext/fts3/fts3_snippet.c b/ext/fts3/fts3_snippet.c
index a0771c0..5778620 100644
--- a/ext/fts3/fts3_snippet.c
+++ b/ext/fts3/fts3_snippet.c
@@ -869,7 +869,7 @@ static void fts3ExprLHits(
iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
}
- while( 1 ){
+ if( pIter ) while( 1 ){
int nHit = fts3ColumnlistCount(&pIter);
if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
if( p->flag==FTS3_MATCHINFO_LHITS ){
diff --git a/test/fts3matchinfo2.test b/test/fts3matchinfo2.test
new file mode 100644
index 0000000..d6b3ad0
--- /dev/null
+++ b/test/fts3matchinfo2.test
@@ -0,0 +1,35 @@
+# 2020-05-14
+#
+# The author disclaims copyright to this source code. In place of
+# a legal notice, here is a blessing:
+#
+# May you do good and not evil.
+# May you find forgiveness for yourself and forgive others.
+# May you share freely, never taking more than you give.
+#
+#***********************************************************************
+# This file implements regression tests for the FTS3 module. The focus
+# of this file is tables created with the "matchinfo=fts3" option.
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+
+# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
+ifcapable !fts3 { finish_test ; return }
+
+set sqlite_fts3_enable_parentheses 1
+
+# Crash case found by cyg0810 at gmail.com 2020-05-14. Reported to
+# chromium (which is not vulnerable) who kindly referred it to us.
+#
+do_execsql_test 1.0 {
+ CREATE TABLE t_content(col0 INTEGER);
+ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
+ INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
+ SELECT hex(matchinfo(t0,'yxy')) FROM t0 WHERE t0 MATCH x'2b0a312b0a312a312a2a0b5d0a0b0b0a312a0a0b0b0a312a0b310a392a0b0a27312a2a0b5d0a312a0b310a31315d0b310a312a316d2a0b313b15bceaa50a312a0b0a27312a2a0b5d0a312a0b310a312b0b2a310a312a0b2a0b2a0b2e5d0a0bff313336e34a2a312a0b0a3c310b0a0b4b4b0b4b2a4bec40322b2a0b310a0a312a0a0a0a0a0a0a0a0a0b310a312a2a2a0b5d0a0b0b0a312a0b310a312a0b0a4e4541530b310a5df5ced70a0a0a0a0a4f520a0a0a0a0a0a0a312a0b0a4e4541520b310a5d616161610a0a0a0a4f520a0a0a0a0a0a312b0a312a312a0a0a0a0a0a0a004a0b0a310b220a0b0a310a4a22310a0b0a7e6fe0e0e030e0e0e0e0e01176e02000e0e0e0e0e01131320226310a0b0a310a4a22310a0b0a310a766f8b8b4ee0e0300ae0090909090909090909090909090909090909090909090909090909090909090947aaaa540b09090909090909090909090909090909090909090909090909090909090909fae0e0f2f22164e0e0f273e07fefefef7d6dfafafafa6d6d6d6d';
+} {/000000.*0000000/}
+
+
+set sqlite_fts3_enable_parentheses 0
+finish_test
\ No newline at end of file
--
2.24.1

27
SOURCES/sqlite-3.26.0-CVE-2020-6405.patch Normal file
View File

@ -0,0 +1,27 @@
From 1668926bc3c7da0b2870a60382b179a0e3edb5de Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Thu, 26 Mar 2020 08:14:29 +0100
Subject: [PATCH] Do not allow the constant-propagation optimization to apple
to ON/USING clause terms as it does not help and it might cause downstream
problems.
---
src/select.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/select.c b/src/select.c
index bbd13a4..88a43df 100644
--- a/src/select.c
+++ b/src/select.c
@@ -4171,7 +4171,7 @@ static int propagateConstantExprRewrite(Walker *pWalker, Expr *pExpr){
int i;
WhereConst *pConst;
if( pExpr->op!=TK_COLUMN ) return WRC_Continue;
- if( ExprHasProperty(pExpr, EP_FixedCol) ) return WRC_Continue;
+ if( ExprHasProperty(pExpr, EP_FixedCol|EP_FromJoin) ) return WRC_Continue;
pConst = pWalker->u.pConst;
for(i=0; i<pConst->nConst; i++){
Expr *pColumn = pConst->apExpr[i*2];
--
2.24.1

106
SOURCES/sqlite-3.26.0-CVE-2020-9327.patch Normal file
View File

@ -0,0 +1,106 @@
From 2d788539b0018d34d3cabb328387ba6bec41ec42 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Thu, 26 Mar 2020 09:43:43 +0100
Subject: [PATCH] NULL pointer dereference and segmentation fault because of
generated column optimizations
Take care when checking the table of a TK_COLUMN expression node to
see if the table is a virtual table to first ensure that the
Expr.y.pTab pointer is not null due to generated column optimizations.
---
src/expr.c | 13 ++++++++++---
src/sqliteInt.h | 3 +++
src/whereexpr.c | 12 ++++++++----
3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/src/expr.c b/src/expr.c
index b081ca2..5f98f76 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -4901,18 +4901,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
case TK_LT:
case TK_LE:
case TK_GT:
- case TK_GE:
+ case TK_GE: {
+ Expr *pLeft = pExpr->pLeft;
+ Expr *pRight = pExpr->pRight;
testcase( pExpr->op==TK_EQ );
testcase( pExpr->op==TK_NE );
testcase( pExpr->op==TK_LT );
testcase( pExpr->op==TK_LE );
testcase( pExpr->op==TK_GT );
testcase( pExpr->op==TK_GE );
- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab))
- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab))
+ /* The y.pTab=0 assignment in wherecode.c always happens after the
+ ** impliesNotNullRow() test */
+ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0)
+ && IsVirtual(pLeft->y.pTab))
+ || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0)
+ && IsVirtual(pRight->y.pTab))
){
return WRC_Prune;
}
+ }
default:
return WRC_Continue;
}
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 051aa40..5f5f3cc 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -2014,8 +2014,11 @@ struct Table {
*/
#ifndef SQLITE_OMIT_VIRTUALTABLE
# define IsVirtual(X) ((X)->nModuleArg)
+# define ExprIsVtab(X) \
+ ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg)
#else
# define IsVirtual(X) 0
+# define ExprIsVtab(X) 0
#endif
/*
diff --git a/src/whereexpr.c b/src/whereexpr.c
index dbb7f0d..9d2813a 100644
--- a/src/whereexpr.c
+++ b/src/whereexpr.c
@@ -382,7 +382,8 @@ static int isAuxiliaryVtabOperator(
** MATCH(expression,vtab_column)
*/
pCol = pList->a[1].pExpr;
- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
+ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
+ if( ExprIsVtab(pCol) ){
for(i=0; i<ArraySize(aOp); i++){
if( sqlite3StrICmp(pExpr->u.zToken, aOp[i].zOp)==0 ){
*peOp2 = aOp[i].eOp2;
@@ -404,7 +405,8 @@ static int isAuxiliaryVtabOperator(
** with function names in an arbitrary case.
*/
pCol = pList->a[0].pExpr;
- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
+ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
+ if( ExprIsVtab(pCol) ){
sqlite3_vtab *pVtab;
sqlite3_module *pMod;
void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**);
@@ -427,10 +429,12 @@ static int isAuxiliaryVtabOperator(
int res = 0;
Expr *pLeft = pExpr->pLeft;
Expr *pRight = pExpr->pRight;
- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){
+ testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 );
+ if( ExprIsVtab(pLeft) ){
res++;
}
- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){
+ testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 );
+ if( pRight && ExprIsVtab(pRight) ){
res++;
SWAP(Expr*, pLeft, pRight);
}
--
2.24.1

47
SPECS/sqlite.spec
View File

@ -10,7 +10,7 @@
Summary: Library that implements an embeddable SQL database engine
Name: sqlite
Version: %{rpmver}
Release: 6%{?dist}
Release: 11%{?dist}
License: Public Domain
Group: Applications/Databases
URL: http://www.sqlite.org/
@ -51,8 +51,24 @@ Patch14: sqlite-3.26.0-CVE-2019-19923.patch
Patch15: sqlite-3.26.0-CVE-2019-19925.patch
# Fix for CVE-2019-19959
Patch16: sqlite-3.26.0-CVE-2019-19959.patch
# Fix fr issues found by covscan
# Fix for issues found by covscan
Patch17: sqlite-3.26.0-zPath-covscan.patch
# Fix for CVE-2019-20218
Patch18: sqlite-3.26.0-CVE-2019-20218.patch
# Fix for CVE-2020-6405
Patch19: sqlite-3.26.0-CVE-2020-6405.patch
# Fix for CVE-2020-9327
Patch20: sqlite-3.26.0-CVE-2020-9327.patch
# Fix for CVE-2019-16168
Patch21: sqlite-3.26.0-CVE-2019-16168.patch
# Fix for CVE-2019-5018
Patch22: sqlite-3.26.0-CVE-2019-5018.patch
# Fix for CVE-2020-13632
Patch23: sqlite-3.26.0-CVE-2020-13632.patch
# Fix for CVE-2020-13631
Patch24: sqlite-3.26.0-CVE-2020-13631.patch
# Fix for CVE-2020-13630
Patch25: sqlite-3.26.0-CVE-2020-13630.patch
BuildRequires: ncurses-devel readline-devel glibc-devel
BuildRequires: autoconf
@ -167,6 +183,14 @@ This package contains the analysis program for %{name}.
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
# Remove backup-file
rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@ -271,6 +295,25 @@ make test
%endif
%changelog
* Fri Aug 07 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-11
- Fixed bug in CVE-2019-20218 (#1791592)
* Wed Jun 10 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-10
- Fixed CVE-2020-13632 (#1845572)
- Fixed CVE-2020-13631 (#1845474)
- Fixed CVE-2020-13630 (#1845153)
* Tue Jun 02 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-9
- Fixed CVE-2019-5018 (#1721509)
* Thu Apr 23 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-8
- Fixed CVE-2019-16168 (#1826897)
* Tue Mar 24 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-7
- Fixed CVE-2019-20218 (#1791592)
- Fixed CVE-2020-6405 (#1804823)
- Fixed CVE-2020-0327 (#1816572)
* Thu Jan 23 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-6
- Fixed issues found by covscan