diff options
Diffstat (limited to 'meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch')
-rw-r--r-- | meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch new file mode 100644 index 0000000000..80d5edbb0c --- /dev/null +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch @@ -0,0 +1,65 @@ +CVE: CVE-2019-19924 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From 854fe21e8a987f84da81f6bb9e90abc5355c6621 Mon Sep 17 00:00:00 2001 +From: "D. Richard Hipp" <drh@hwaci.com> +Date: Thu, 19 Dec 2019 20:37:32 +0000 +Subject: [PATCH] When an error occurs while rewriting the parser tree for + window functions in the sqlite3WindowRewrite() routine, make sure that + pParse->nErr is set, and make sure that this shuts down any subsequent code + generation that might depend on the transformations that were implemented. + This fixes a problem discovered by the Yongheng and Rui fuzzer. + +Amalgamation format of backported patch +FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f +--- + sqlite3.c | 16 +++++++++++----- + sqlite3.h | 2 +- + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 408ec4c..857c28e 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -77798,7 +77798,8 @@ SQLITE_PRIVATE void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){ + */ + static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){ + assert( p->nOp>0 || p->aOp==0 ); +- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed ); ++ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed ++ || p->pParse->nErr>0 ); + if( p->nOp ){ + assert( p->aOp ); + sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment); +@@ -97872,6 +97873,7 @@ static int codeCompare( + int addr; + CollSeq *p4; + ++ if( pParse->nErr ) return 0; + p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight); + p5 = binaryCompareP5(pLeft, pRight, jumpIfNull); + addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1, +@@ -147627,7 +147629,7 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){ + + pTab = sqlite3DbMallocZero(db, sizeof(Table)); + if( pTab==0 ){ +- return SQLITE_NOMEM; ++ return sqlite3ErrorToParser(db, SQLITE_NOMEM); + } + + p->pSrc = 0; +@@ -147731,6 +147733,10 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){ + sqlite3DbFree(db, pTab); + } + ++ if( rc && pParse->nErr==0 ){ ++ assert( pParse->db->mallocFailed ); ++ return sqlite3ErrorToParser(pParse->db, SQLITE_NOMEM); ++ } + return rc; + } + +-- +2.24.1 + |