meta/recipes-support/sqlite/sqlite3/CVE-2019-9936.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

Running fts5 prefix queries inside a transaction could trigger a heap-based
buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an
information leak.

CVE: CVE-2019-9936
Upstream-Status: Backport [https://sqlite.org/src/vpatch?from=45c73deb440496e8&to=b3fa58dd7403dbd4]
Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 sqlite3.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sqlite3.c b/sqlite3.c
index 4729f45..65527d8 100644
--- a/sqlite3.c
+++ b/sqlite3.c
@@ -207759,7 +207759,9 @@ static int fts5HashEntrySort(
   for(iSlot=0; iSlot<pHash->nSlot; iSlot++){
     Fts5HashEntry *pIter;
     for(pIter=pHash->aSlot[iSlot]; pIter; pIter=pIter->pHashNext){
-      if( pTerm==0 || 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm) ){
+      if( pTerm==0
+       || (pIter->nKey+1>=nTerm && 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm))
+      ){
         Fts5HashEntry *pEntry = pIter;
         pEntry->pScanNext = 0;
         for(i=0; ap[i]; i++){
-- 
2.20.1