diff --git a/0001-sqlite-CVE-2018-20346.patch b/0001-sqlite-CVE-2018-20346.patch
deleted file mode 100644
index 1fdbecccac3d5e5967b67dd218027ddea588a0bf..0000000000000000000000000000000000000000
--- a/0001-sqlite-CVE-2018-20346.patch
+++ /dev/null
@@ -1,291 +0,0 @@ -Index: ext/fts3/fts3.c -================================================================== ---- ext/fts3/fts3.c -+++ ext/fts3/fts3.c -@@ -1819,11 +1819,11 @@ - ){ - int rc = SQLITE_OK; /* Return code */ - const char *zCsr = zNode; /* Cursor to iterate through node */ - const char *zEnd = &zCsr[nNode];/* End of interior node buffer */ - char *zBuffer = 0; /* Buffer to load terms into */ -- int nAlloc = 0; /* Size of allocated buffer */ -+ i64 nAlloc = 0; /* Size of allocated buffer */ - int isFirstTerm = 1; /* True when processing first term on page */ - sqlite3_int64 iChild; /* Block id of child node to descend to */ - - /* Skip over the 'height' varint that occurs at the start of every - ** interior node. Then load the blockid of the left-child of the b-tree -@@ -1857,18 +1857,18 @@ - } - isFirstTerm = 0; - zCsr += fts3GetVarint32(zCsr, &nSuffix); - - assert( nPrefix>=0 && nSuffix>=0 ); -- if( &zCsr[nSuffix]>zEnd ){ -+ if( nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){ - rc = FTS_CORRUPT_VTAB; - goto finish_scan; - } -- if( nPrefix+nSuffix>nAlloc ){ -+ if( (i64)nPrefix+nSuffix>nAlloc ){ - char *zNew; -- nAlloc = (nPrefix+nSuffix) * 2; -- zNew = (char *)sqlite3_realloc(zBuffer, nAlloc); -+ nAlloc = ((i64)nPrefix+nSuffix) * 2; -+ zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc); - if( !zNew ){ - rc = SQLITE_NOMEM; - goto finish_scan; - } - zBuffer = zNew; - -Index: ext/fts3/fts3_write.c -================================================================== ---- ext/fts3/fts3_write.c -+++ ext/fts3/fts3_write.c -@@ -1372,19 +1372,23 @@ - - /* Because of the FTS3_NODE_PADDING bytes of padding, the following is - ** safe (no risk of overread) even if the node data is corrupted. 
*/ - pNext += fts3GetVarint32(pNext, &nPrefix); - pNext += fts3GetVarint32(pNext, &nSuffix); -- if( nPrefix<0 || nSuffix<=0 -- || &pNext[nSuffix]>&pReader->aNode[pReader->nNode] -+ if( nSuffix<=0 -+ || (&pReader->aNode[pReader->nNode] - pNext)pReader->nTermAlloc - ){ - return FTS_CORRUPT_VTAB; - } - -- if( nPrefix+nSuffix>pReader->nTermAlloc ){ -- int nNew = (nPrefix+nSuffix)*2; -- char *zNew = sqlite3_realloc(pReader->zTerm, nNew); -+ /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are -+ ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer -+ ** overflow - hence the (i64) casts. */ -+ if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){ -+ i64 nNew = ((i64)nPrefix+nSuffix)*2; -+ char *zNew = sqlite3_realloc64(pReader->zTerm, nNew); - if( !zNew ){ - return SQLITE_NOMEM; - } - pReader->zTerm = zNew; - pReader->nTermAlloc = nNew; -@@ -1402,11 +1406,11 @@ - - /* Check that the doclist does not appear to extend past the end of the - ** b-tree node. And that the final byte of the doclist is 0x00. If either - ** of these statements is untrue, then the data structure is corrupt. 
- */ -- if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode] -+ if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)nDoclist - || (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1]) - ){ - return FTS_CORRUPT_VTAB; - } - return SQLITE_OK; -@@ -3728,25 +3732,30 @@ - if( bFirst==0 ){ - p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nPrefix); - } - p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix); - -+ if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){ -+ return SQLITE_CORRUPT_VTAB; -+ } - blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc); - if( rc==SQLITE_OK ){ - memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix); - p->term.n = nPrefix+nSuffix; - p->iOff += nSuffix; - if( p->iChild==0 ){ - p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist); -+ if( (p->nNode-p->iOff)nDoclist ){ -+ return SQLITE_CORRUPT_VTAB; -+ } - p->aDoclist = &p->aNode[p->iOff]; - p->iOff += p->nDoclist; - } - } - } - - assert( p->iOff<=p->nNode ); -- - return rc; - } - - /* - ** Release all dynamic resources held by node-reader object *p. - -ADDED test/fts3corrupt4.test -Index: test/fts3corrupt4.test -================================================================== ---- test/fts3corrupt4.test -+++ test/fts3corrupt4.test -@@ -0,0 +1,147 @@ -+# 2006 September 9 -+# -+# The author disclaims copyright to this source code. In place of -+# a legal notice, here is a blessing: -+# -+# May you do good and not evil. -+# May you find forgiveness for yourself and forgive others. -+# May you share freely, never taking more than you give. -+# -+#************************************************************************* -+# This file implements regression tests for SQLite library. The -+# focus of this script is testing the FTS3 module. 
-+# -+# $Id: fts3aa.test,v 1.1 2007/08/20 17:38:42 shess Exp $ -+# -+ -+set testdir [file dirname $argv0] -+source $testdir/tester.tcl -+set testprefix fts3corrupt4 -+ -+# If SQLITE_ENABLE_FTS3 is defined, omit this file. -+ifcapable !fts3 { -+ finish_test -+ return -+} -+ -+do_execsql_test 1.0 { -+ BEGIN; -+ CREATE VIRTUAL TABLE ft USING fts3; -+ INSERT INTO ft VALUES('aback'); -+ INSERT INTO ft VALUES('abaft'); -+ INSERT INTO ft VALUES('abandon'); -+ COMMIT; -+} -+ -+proc blob {a} { binary decode hex $a } -+db func blob blob -+ -+do_execsql_test 1.1 { -+ SELECT quote(root) FROM ft_segdir; -+} {X'0005616261636B03010200030266740302020003046E646F6E03030200'} -+ -+do_execsql_test 1.2 { -+ UPDATE ft_segdir SET root = blob( -+ '0005616261636B03010200 FFFFFFFF0702 66740302020003046E646F6E03030200' -+ ); -+} -+ -+do_catchsql_test 1.3 { -+ SELECT * FROM ft WHERE ft MATCH 'abandon'; -+} {1 {database disk image is malformed}} -+ -+#------------------------------------------------------------------------- -+reset_db -+do_execsql_test 2.0.0 { -+ CREATE VIRTUAL TABLE ft USING fts3; -+ INSERT INTO ft(ft) VALUES('nodesize=32'); -+} -+do_test 2.0.1 { -+ for {set i 0} {$i < 12} {incr i} { -+ execsql { -+ BEGIN; -+ INSERT INTO ft VALUES('abc' || $i); -+ INSERT INTO ft VALUES('abc' || $i || 'x' ); -+ INSERT INTO ft VALUES('abc' || $i || 'xx' ); -+ COMMIT -+ } -+ } -+ execsql { -+ SELECT count(*) FROM ft_segdir; -+ SELECT count(*) FROM ft_segments; -+ } -+} {12 0} -+ -+do_execsql_test 2.1 { -+ INSERT INTO ft(ft) VALUES('merge=1,4'); -+ SELECT count(*) FROM ft_segdir; -+ SELECT count(*) FROM ft_segments; -+} {12 3} -+ -+do_execsql_test 2.2 { -+ SELECT quote(block) FROM ft_segments WHERE blockid=2 -+} {X'00056162633130031F0200'} -+ -+db func blob blob -+do_execsql_test 2.3.1 { -+ UPDATE ft_segments SET block = -+ blob('00056162633130031F0200 FFFFFFFF07FF55 66740302020003046E646F6E03030200') -+ WHERE blockid=2; -+} {} -+do_catchsql_test 2.3.2 { -+ INSERT INTO ft(ft) VALUES('merge=1,4'); 
-+} {1 {database disk image is malformed}} -+ -+do_execsql_test 2.4.1 { -+ UPDATE ft_segments SET block = -+ blob('00056162633130031F0200 02FFFFFFFF07 66740302020003046E646F6E03030200') -+ WHERE blockid=2; -+} {} -+do_catchsql_test 2.4.2 { -+ INSERT INTO ft(ft) VALUES('merge=1,4'); -+} {1 {database disk image is malformed}} -+ -+do_execsql_test 2.5.1 { -+ UPDATE ft_segments SET block = -+ blob('00056162633130031F0200 0202 6674 FFFFFF070302020003046E646F6E030200') -+ WHERE blockid=2; -+} {} -+do_catchsql_test 2.5.2 { -+ INSERT INTO ft(ft) VALUES('merge=1,4'); -+} {1 {database disk image is malformed}} -+ -+#------------------------------------------------------------------------- -+reset_db -+do_execsql_test 3.0.0 { -+ CREATE VIRTUAL TABLE ft USING fts3; -+ INSERT INTO ft(ft) VALUES('nodesize=32'); -+} -+do_test 3.0.1 { -+ execsql BEGIN -+ for {set i 0} {$i < 20} {incr i} { -+ execsql { INSERT INTO ft VALUES('abc' || $i) } -+ } -+ execsql { -+ COMMIT; -+ SELECT count(*) FROM ft_segdir; -+ SELECT count(*) FROM ft_segments; -+ } -+} {1 5} -+ -+do_execsql_test 3.1 { -+ SELECT quote(root) FROM ft_segdir -+} {X'0101056162633132040136030132030136'} -+ -+db func blob blob -+do_execsql_test 3.2 { -+ UPDATE ft_segdir -+ SET root = blob('0101056162633132FFFFFFFF070236030132030136'); -+} -+ -+do_catchsql_test 3.1 { -+ SELECT * FROM ft WHERE ft MATCH 'abc20' -+} {1 {database disk image is malformed}} -+ -+finish_test -+ -+ - -Index: test/permutations.test -================================================================== ---- test/permutations.test -+++ test/permutations.test -@@ -253,10 +253,11 @@ - fts3ae.test fts3af.test fts3ag.test fts3ah.test - fts3ai.test fts3aj.test fts3ak.test fts3al.test - fts3am.test fts3an.test fts3ao.test fts3atoken.test - fts3auto.test fts3aux1.test fts3aux2.test fts3b.test - fts3comp1.test fts3conf.test fts3corrupt2.test fts3corrupt.test -+ fts3corrupt4.test - fts3cov.test fts3c.test fts3defer2.test fts3defer3.test - fts3defer.test fts3drop.test 
fts3d.test fts3e.test - fts3expr2.test fts3expr3.test fts3expr4.test fts3expr5.test - fts3expr.test fts3fault2.test fts3fault.test fts3first.test - fts3join.test fts3malloc.test fts3matchinfo.test fts3near.test - diff --git a/0002-remove-fail-testcase-in-no-free-fd-situation.patch b/0002-remove-fail-testcase-in-no-free-fd-situation.patch deleted file mode 100644 index 5bd8ed25e11249f277eedb665fa9ff935570e20b..0000000000000000000000000000000000000000 --- a/0002-remove-fail-testcase-in-no-free-fd-situation.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From defded46ea50037500590122d847ba6a7cb96110 Mon Sep 17 00:00:00 2001 -From: eulerstorage -Date: Sat, 11 Jan 2020 11:33:54 +0800 -Subject: [PATCH] remove fail testcase in no free fd situation - -Remove testcase 1.1.1, 1.1.2 and 1.1.3, since it can not success in -some situation if there is no enough fd resource. ---- - test/oserror.test | 27 --------------------------- - 1 file changed, 27 deletions(-) - -diff --git a/test/oserror.test b/test/oserror.test -index 271163a..d46218f 100644 ---- a/test/oserror.test -+++ b/test/oserror.test -@@ -40,33 +40,6 @@ proc do_re_test {tn script expression} { - - } - --#-------------------------------------------------------------------------- --# Tests oserror-1.* test failures in the open() system call. --# -- --# Test a failure in open() due to too many files. --# --# The xOpen() method of the unix VFS calls getcwd() as well as open(). --# Although this does not appear to be documented in the man page, on OSX --# a call to getcwd() may fail if there are no free file descriptors. So --# an error may be reported for either open() or getcwd() here. --# --if {![clang_sanitize_address]} { -- do_test 1.1.1 { -- set ::log [list] -- list [catch { -- for {set i 0} {$i < 20000} {incr i} { sqlite3 dbh_$i test.db -readonly 1 } -- } msg] $msg -- } {1 {unable to open database file}} -- do_test 1.1.2 { -- catch { for {set i 0} {$i < 20000} {incr i} { dbh_$i close } } -- } {1} -- do_re_test 1.1.3 { -- lindex $::log 0 -- } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - } --} -- -- - # Test a failure in open() due to the path being a directory. - # - do_test 1.2.1 { --- -1.8.3.1 - diff --git a/6000-0001-Fix-CVE-2020-9327.patch b/6000-0001-Fix-CVE-2020-9327.patch new file mode 100644 index 0000000000000000000000000000000000000000..4f2ff69c27bb336691f2c95c17916e997a4dee0b --- /dev/null +++ b/6000-0001-Fix-CVE-2020-9327.patch 
@@ -0,0 +1,105 @@ +Index: src/expr.c +================================================================== +--- src/expr.c ++++ src/expr.c +@@ -2241,10 +2241,19 @@ + } + default: break; + } + return rc; + } ++ ++/* ++** Return true if p is a Column node that references a virtual table. ++*/ ++int sqlite3ExprIsVtabRef(Expr *p){ ++ if( p->op!=TK_COLUMN ) return 0; ++ if( p->y.pTab==0 ) return 0; ++ return IsVirtual(p->y.pTab); ++} + + /* + ** Return FALSE if there is no chance that the expression can be NULL. + ** + ** If the expression might be NULL or if the expression is too complex +@@ -5477,12 +5486,12 @@ + testcase( pExpr->op==TK_NE ); + testcase( pExpr->op==TK_LT ); + testcase( pExpr->op==TK_LE ); + testcase( pExpr->op==TK_GT ); + testcase( pExpr->op==TK_GE ); +- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab)) +- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab)) ++ if( sqlite3ExprIsVtabRef(pExpr->pLeft) ++ || sqlite3ExprIsVtabRef(pExpr->pRight) + ){ + return WRC_Prune; + } + + default: + +Index: src/sqliteInt.h +================================================================== +--- src/sqliteInt.h ++++ src/sqliteInt.h +@@ -4276,10 +4276,11 @@ + int sqlite3ExprIsTableConstant(Expr*,int); + #ifdef SQLITE_ENABLE_CURSOR_HINTS + int sqlite3ExprContainsSubquery(Expr*); + #endif + int sqlite3ExprIsInteger(Expr*, int*); ++int sqlite3ExprIsVtabRef(Expr*); + int sqlite3ExprCanBeNull(const Expr*); + int sqlite3ExprNeedsNoAffinityChange(const Expr*, char); + int sqlite3IsRowid(const char*); + void sqlite3GenerateRowDelete( + Parse*,Table*,Trigger*,int,int,int,i16,u8,u8,u8,int); + +Index: src/whereexpr.c +================================================================== +--- src/whereexpr.c ++++ src/whereexpr.c +@@ -375,11 +375,11 @@ + ** + ** vtab_column MATCH expression + ** MATCH(expression,vtab_column) + */ + pCol = pList->a[1].pExpr; +- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ ++ if( sqlite3ExprIsVtabRef(pCol) ){ + 
for(i=0; iu.zToken, aOp[i].zOp)==0 ){ + *peOp2 = aOp[i].eOp2; + *ppRight = pList->a[0].pExpr; + *ppLeft = pCol; +@@ -397,11 +397,11 @@ + ** Historically, xFindFunction expected to see lower-case function + ** names. But for this use case, xFindFunction is expected to deal + ** with function names in an arbitrary case. + */ + pCol = pList->a[0].pExpr; +- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ ++ if( sqlite3ExprIsVtabRef(pCol) ){ + sqlite3_vtab *pVtab; + sqlite3_module *pMod; + void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**); + void *pNotUsed; + pVtab = sqlite3GetVTable(db, pCol->y.pTab)->pVtab; +@@ -420,14 +420,14 @@ + } + }else if( pExpr->op==TK_NE || pExpr->op==TK_ISNOT || pExpr->op==TK_NOTNULL ){ + int res = 0; + Expr *pLeft = pExpr->pLeft; + Expr *pRight = pExpr->pRight; +- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){ ++ if( sqlite3ExprIsVtabRef(pLeft) ){ + res++; + } +- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){ ++ if( pRight && sqlite3ExprIsVtabRef(pRight) ){ + res++; + SWAP(Expr*, pLeft, pRight); + } + *ppLeft = pLeft; + *ppRight = pRight; + diff --git a/6000-Fix-the-sqlite3BeginTrans-calls-within-the-snapshot-.patch b/6000-Fix-the-sqlite3BeginTrans-calls-within-the-snapshot-.patch deleted file mode 100644 index b74c6ea9cf2b26a9e3881f32b63d1484d178741f..0000000000000000000000000000000000000000 --- a/6000-Fix-the-sqlite3BeginTrans-calls-within-the-snapshot-.patch +++ /dev/null 
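Review bot: The new file 6000-0001-Fix-CVE-2020-9327.patch carries no header at all — it opens directly with `Index: src/expr.c` and, unlike 6002-Fix-CVE-2020-11655.patch and 6003-Fix-CVE-2020-11656.patch added by this same commit, names neither the upstream check-in nor the ticket it backports. Because the same commit also deletes 0001-sqlite-CVE-2018-20346.patch (presumably since the new base release already carries that fix), an auditor needs the provenance of each remaining CVE patch to confirm coverage, so a preamble such as `Backport of upstream check-in <UPSTREAM-CHECKIN-ID> for CVE-2020-9327: add sqlite3ExprIsVtabRef() with a NULL check on Expr.y.pTab; reworked by 6001-0002-Fix-CVE-2020-9327.patch` before the first `Index:` line would close that gap. This patch also uses Fossil-style paths without `a/`/`b/` prefixes (strip level 0) while 6002 and 6003 are git-format (strip level 1), so the %patch lines in the spec — not part of this diff — must use different strip levels per file; worth confirming. Finally, the whereexpr.c context line renders here as `for(i=0; iu.zToken, aOp[i].zOp)==0 ){`, the same line in the 6001-0002 whereexpr.c hunk renders identically, and the 6003 alter.c hunk shows `for(ii=0; iinId; ii++){` and `for(i=0; inSrc; i++){`; these look like text between `<` and `>` was lost in extraction rather than in the committed files, but if any committed file really reads that way the hunk would not apply or, for the added `iinId` loop, would not compile, so the three patches should be checked against an actual build before merge.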
@@ -1,46 +0,0 @@ -From 8b729f3011e608c73624ce823a3f8d811f4684cb Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Wed, 6 Jun 2018 18:50:50 +0000 -Subject: [PATCH 0037/1009] Fix the sqlite3BeginTrans() calls within the - snapshot extension. - -From https://github.com/mackyle/sqlite/commit/8b729f3011e608c73624ce823a3f8d811f4684cb - ---- - src/main.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/main.c b/src/main.c -index 8e89cc5..a2b994f 100644 ---- a/src/main.c -+++ b/src/main.c -@@ -4115,7 +4115,7 @@ int sqlite3_snapshot_get( - if( iDb==0 || iDb>1 ){ - Btree *pBt = db->aDb[iDb].pBt; - if( 0==sqlite3BtreeIsInTrans(pBt) ){ -- rc = sqlite3BtreeBeginTrans(pBt, 0); -+ rc = sqlite3BtreeBeginTrans(pBt, 0, 0); - if( rc==SQLITE_OK ){ - rc = sqlite3PagerSnapshotGet(sqlite3BtreePager(pBt), ppSnapshot); - } -@@ -4153,7 +4153,7 @@ int sqlite3_snapshot_open( - if( 0==sqlite3BtreeIsInReadTrans(pBt) ){ - rc = sqlite3PagerSnapshotOpen(sqlite3BtreePager(pBt), pSnapshot); - if( rc==SQLITE_OK ){ -- rc = sqlite3BtreeBeginTrans(pBt, 0); -+ rc = sqlite3BtreeBeginTrans(pBt, 0, 0); - sqlite3PagerSnapshotOpen(sqlite3BtreePager(pBt), 0); - } - } -@@ -4185,7 +4185,7 @@ int sqlite3_snapshot_recover(sqlite3 *db, const char *zDb){ - if( iDb==0 || iDb>1 ){ - Btree *pBt = db->aDb[iDb].pBt; - if( 0==sqlite3BtreeIsInReadTrans(pBt) ){ -- rc = sqlite3BtreeBeginTrans(pBt, 0); -+ rc = sqlite3BtreeBeginTrans(pBt, 0, 0); - if( rc==SQLITE_OK ){ - rc = sqlite3PagerSnapshotRecover(sqlite3BtreePager(pBt)); - sqlite3BtreeCommit(pBt); --- -1.8.3.1 - diff --git a/6001-0002-Fix-CVE-2020-9327.patch b/6001-0002-Fix-CVE-2020-9327.patch new file mode 100644 index 0000000000000000000000000000000000000000..5ed78f7c89bbcb1926b86aec454679f40e17d25d --- /dev/null +++ b/6001-0002-Fix-CVE-2020-9327.patch 
@@ -0,0 +1,145 @@ +Index: src/expr.c +================================================================== +--- src/expr.c ++++ src/expr.c +@@ -2242,19 +2242,10 @@ + default: break; + } + return rc; + } + +-/* +-** Return true if p is a Column node that references a virtual table. +-*/ +-int sqlite3ExprIsVtabRef(Expr *p){ +- if( p->op!=TK_COLUMN ) return 0; +- if( p->y.pTab==0 ) return 0; +- return IsVirtual(p->y.pTab); +-} +- + /* + ** Return FALSE if there is no chance that the expression can be NULL. + ** + ** If the expression might be NULL or if the expression is too complex + ** to tell return TRUE. +@@ -5479,23 +5470,29 @@ + case TK_EQ: + case TK_NE: + case TK_LT: + case TK_LE: + case TK_GT: +- case TK_GE: ++ case TK_GE: { ++ Expr *pLeft = pExpr->pLeft; ++ Expr *pRight = pExpr->pRight; + testcase( pExpr->op==TK_EQ ); + testcase( pExpr->op==TK_NE ); + testcase( pExpr->op==TK_LT ); + testcase( pExpr->op==TK_LE ); + testcase( pExpr->op==TK_GT ); + testcase( pExpr->op==TK_GE ); +- if( sqlite3ExprIsVtabRef(pExpr->pLeft) +- || sqlite3ExprIsVtabRef(pExpr->pRight) ++ /* The y.pTab=0 assignment in wherecode.c always happens after the ++ ** impliesNotNullRow() test */ ++ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0) ++ && IsVirtual(pLeft->y.pTab)) ++ || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0) ++ && IsVirtual(pRight->y.pTab)) + ){ +- return WRC_Prune; ++ return WRC_Prune; + } +- ++ } + default: + return WRC_Continue; + } + } + + +Index: src/sqliteInt.h +================================================================== +--- src/sqliteInt.h ++++ src/sqliteInt.h +@@ -2151,12 +2151,15 @@ + ** done as a macro so that it will be optimized out when virtual + ** table support is omitted from the build. 
+ */ + #ifndef SQLITE_OMIT_VIRTUALTABLE + # define IsVirtual(X) ((X)->nModuleArg) ++# define ExprIsVtab(X) \ ++ ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg) + #else + # define IsVirtual(X) 0 ++# define ExprIsVtab(X) 0 + #endif + + /* + ** Macros to determine if a column is hidden. IsOrdinaryHiddenColumn() + ** only works for non-virtual tables (ordinary tables and views) and is +@@ -4276,11 +4279,10 @@ + int sqlite3ExprIsTableConstant(Expr*,int); + #ifdef SQLITE_ENABLE_CURSOR_HINTS + int sqlite3ExprContainsSubquery(Expr*); + #endif + int sqlite3ExprIsInteger(Expr*, int*); +-int sqlite3ExprIsVtabRef(Expr*); + int sqlite3ExprCanBeNull(const Expr*); + int sqlite3ExprNeedsNoAffinityChange(const Expr*, char); + int sqlite3IsRowid(const char*); + void sqlite3GenerateRowDelete( + Parse*,Table*,Trigger*,int,int,int,i16,u8,u8,u8,int); + +Index: src/whereexpr.c +================================================================== +--- src/whereexpr.c ++++ src/whereexpr.c +@@ -375,11 +375,12 @@ + ** + ** vtab_column MATCH expression + ** MATCH(expression,vtab_column) + */ + pCol = pList->a[1].pExpr; +- if( sqlite3ExprIsVtabRef(pCol) ){ ++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); ++ if( ExprIsVtab(pCol) ){ + for(i=0; iu.zToken, aOp[i].zOp)==0 ){ + *peOp2 = aOp[i].eOp2; + *ppRight = pList->a[0].pExpr; + *ppLeft = pCol; +@@ -397,11 +398,12 @@ + ** Historically, xFindFunction expected to see lower-case function + ** names. But for this use case, xFindFunction is expected to deal + ** with function names in an arbitrary case. 
+ */ + pCol = pList->a[0].pExpr; +- if( sqlite3ExprIsVtabRef(pCol) ){ ++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); ++ if( ExprIsVtab(pCol) ){ + sqlite3_vtab *pVtab; + sqlite3_module *pMod; + void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**); + void *pNotUsed; + pVtab = sqlite3GetVTable(db, pCol->y.pTab)->pVtab; +@@ -420,14 +422,16 @@ + } + }else if( pExpr->op==TK_NE || pExpr->op==TK_ISNOT || pExpr->op==TK_NOTNULL ){ + int res = 0; + Expr *pLeft = pExpr->pLeft; + Expr *pRight = pExpr->pRight; +- if( sqlite3ExprIsVtabRef(pLeft) ){ ++ testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 ); ++ if( ExprIsVtab(pLeft) ){ + res++; + } +- if( pRight && sqlite3ExprIsVtabRef(pRight) ){ ++ testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 ); ++ if( pRight && ExprIsVtab(pRight) ){ + res++; + SWAP(Expr*, pLeft, pRight); + } + *ppLeft = pLeft; + *ppRight = pRight; + diff --git a/6001-Change-a-comma-into-a-logically-equivalent-but-seman.patch b/6001-Change-a-comma-into-a-logically-equivalent-but-seman.patch deleted file mode 100644 index b848e55e35430833327928a08210c010f82b836f..0000000000000000000000000000000000000000 --- a/6001-Change-a-comma-into-a-logically-equivalent-but-seman.patch +++ /dev/null 
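Review bot: 6001-0002-Fix-CVE-2020-9327.patch cannot be applied without 6000-0001 applied first — its expr.c hunk `@@ -2242,19 +2242,10 @@` deletes the `sqlite3ExprIsVtabRef()` body that 6000-0001 introduced and its sqliteInt.h hunk deletes that prototype — yet the file has no header stating this ordering or the upstream check-in it mirrors. The numeric prefixes presumably enforce the order, but that is spec-side convention; a one-line preamble such as `Backport of upstream check-in <UPSTREAM-CHECKIN-ID> (CVE-2020-9327, follow-up): replace sqlite3ExprIsVtabRef() with the ExprIsVtab() macro; requires 6000-0001-Fix-CVE-2020-9327.patch` would make the dependency explicit. Worth recording there as well: in impliesNotNullRow() the NULL guard is written as `ALWAYS(pLeft->y.pTab!=0)`, so in upstream's coverage-test build configurations (where ALWAYS() collapses to a constant, if I recall the sqliteInt.h definition correctly) that guard rests on the invariant stated in the added comment rather than on a runtime check, whereas the whereexpr.c call sites get a real runtime check through `ExprIsVtab()`. That is the upstream design rather than a defect in the backport, but the two flavours of check are easy to confuse during a later rebase.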
@@ -1,28 +0,0 @@ -From 06a87a928ee3f272e1a25f15a8a55ad55da636f3 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Wed, 6 Jun 2018 23:31:26 +0000 -Subject: [PATCH 0042/1009] Change a comma into a logically equivalent but - semantically clearer semicolon. - -From https://github.com/mackyle/sqlite/commit/06a87a928ee3f272e1a25f15a8a55ad55da636f3 - ---- - src/alter.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/alter.c b/src/alter.c -index 51d4a40..f338e8b 100644 ---- a/src/alter.c -+++ b/src/alter.c -@@ -142,7 +142,7 @@ static void renameParentFunc( - } - } - -- zResult = sqlite3MPrintf(db, "%s%s", (zOutput?zOutput:""), zInput), -+ zResult = sqlite3MPrintf(db, "%s%s", (zOutput?zOutput:""), zInput); - sqlite3_result_text(context, zResult, -1, SQLITE_DYNAMIC); - sqlite3DbFree(db, zOutput); - } --- -1.8.3.1 - diff --git a/6002-Fix-CVE-2020-11655.patch b/6002-Fix-CVE-2020-11655.patch new file mode 100644 index 0000000000000000000000000000000000000000..4c236b1f44121d342316df57b99c1d677645700d --- /dev/null +++ b/6002-Fix-CVE-2020-11655.patch 
@@ -0,0 +1,50 @@ +From 156cc9423d4c4bade28468b2232226e2cd61aa6c Mon Sep 17 00:00:00 2001 +From: shenkai8 +Date: Thu, 16 Apr 2020 17:04:17 +0000 +Subject: [PATCH] backport-Fix-CVE-2020-11655 + +In the event of a semantic error in an aggregate query, +early-out the resetAccumulator() function to prevent +problems due to incomplete or incorrect initialization +of the AggInfo object. Fix for ticket [af4556bb5c285c08]. + +Signed-off-by: drh +--- + src/select.c | 1 + + test/window1.test | 9 +++++++++ + 2 files changed, 10 insertions(+) + +diff --git a/src/select.c b/src/select.c +index 595b6eb..b5e5a75 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -5352,6 +5352,7 @@ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){ + struct AggInfo_func *pFunc; + int nReg = pAggInfo->nFunc + pAggInfo->nColumn; + if( nReg==0 ) return; ++ if( pParse->nErr ) return; + #ifdef SQLITE_DEBUG + /* Verify that all AggInfo registers are within the range specified by + ** AggInfo.mnReg..AggInfo.mxReg */ +diff --git a/test/window1.test b/test/window1.test +index 833e211..18b9bdc 100644 +--- a/test/window1.test ++++ b/test/window1.test +@@ -1593,5 +1593,14 @@ do_execsql_test 48.1 { + FROM (SELECT (SELECT sum(a) FROM t1 GROUP BY a) AS x FROM t1); + } {2 2 2} + ++# 2020-04-03 ticket af4556bb5c285c08 ++# ++reset_db ++do_catchsql_test 51.1 { ++ CREATE TABLE a(b, c); ++ SELECT c FROM a GROUP BY c ++ HAVING(SELECT(sum(b) OVER(ORDER BY b), ++ sum(b) OVER(PARTITION BY min(DISTINCT c), c ORDER BY b))); ++} {1 {row value misused}} + + finish_test +-- +1.8.3.1 + diff --git a/6002-Fix-a-typo-in-the-amalgamation-autoconf-file.patch b/6002-Fix-a-typo-in-the-amalgamation-autoconf-file.patch deleted file mode 100644 index 341dc22494a8cbcb1c3bfc76612366d817d70f76..0000000000000000000000000000000000000000 --- a/6002-Fix-a-typo-in-the-amalgamation-autoconf-file.patch +++ /dev/null 
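Review bot: The trailer of 6002-Fix-CVE-2020-11655.patch reads `Signed-off-by: drh` under a `From: shenkai8` author line, which misattributes the sign-off — the upstream author did not sign off on this backport — and the upstream check-in id that would let a reviewer diff the backport against the original is absent (only ticket af4556bb5c285c08 is cited). Replace that line with a provenance line such as `Upstream: SQLite check-in <UPSTREAM-CHECKIN-ID> (ticket af4556bb5c285c08)` and keep the backporter's own Signed-off-by if the project uses one. The code change itself, the single `if( pParse->nErr ) return;` in resetAccumulator(), matches the description, but it returns before the `#ifdef SQLITE_DEBUG` register-range check, so on the error path that assertion block no longer runs; this appears intended, since a partially initialized AggInfo is exactly what the check would trip over, and a short comment on the new line such as `/* A prior semantic error may have left pAggInfo only partially initialized */` would spare the next reader the trip to the ticket. resetAccumulator() continues beyond the hunk.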
@@ -1,27 +0,0 @@ -From 41e8f704c9afd4b9601ac3da2c5c1d6387346806 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Sat, 9 Jun 2018 20:52:45 +0000 -Subject: [PATCH 0064/1009] Fix a typo in the amalgamation autoconf file. - -From https://github.com/mackyle/sqlite/commit/41e8f704c9afd4b9601ac3da2c5c1d6387346806 - ---- - autoconf/configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/autoconf/configure.ac b/autoconf/configure.ac -index 8ba2218..76579c0 100644 ---- a/autoconf/configure.ac -+++ b/autoconf/configure.ac -@@ -153,7 +153,7 @@ AC_SUBST(SESSION_FLAGS) - # - AC_ARG_ENABLE(debug, [AS_HELP_STRING( - [--enable-debug], [build with debugging features enabled [default=no]])], -- [], [enable_session=no]) -+ [], [enable_debug=no]) - if test x"$enable_debug" = "xyes"; then - DEBUG_FLAGS="-DSQLITE_DEBUG -DSQLITE_ENABLE_SELECTTRACE -DSQLITE_ENABLE_WHERETRACE" - fi --- -1.8.3.1 - diff --git a/6003-Fix-CVE-2020-11656.patch b/6003-Fix-CVE-2020-11656.patch new file mode 100644 index 0000000000000000000000000000000000000000..2d1edecdaf797486c07dc25bf85231d66bd64160 --- /dev/null +++ b/6003-Fix-CVE-2020-11656.patch 
@@ -0,0 +1,118 @@ +From 9b063329ebbd9aafdad82ebf0b9103ce2dd1af18 Mon Sep 17 00:00:00 2001 +From: shenkai8 +Date: Thu, 16 Apr 2020 17:22:49 +0000 +Subject: [PATCH] backport Fix CVE-2020-11656 + +Fix a case when a pointer might be used after being freed in +the ALTER TABLE code. Fix for [4722bdab08cb1]. +(check-in: d09f8c36 user: dan tags: trunk) + +Do not suppress errors when resolving references in an ORDER BY + clause belonging to a compound SELECT within a view or trigger + within ALTER TABLE. Fix for ticket [a10a14e9b4ba2]. +(check-in: 68429388 user: dan tags: trunk) + +Signed-off-by: dan <> +--- + src/alter.c | 16 ++++++++++++++++ + src/resolve.c | 2 +- + test/altertab.test | 31 ++++++++++++++++++++++++++++++- + 3 files changed, 47 insertions(+), 2 deletions(-) + +diff --git a/src/alter.c b/src/alter.c +index ee193d1..918df77 100644 +--- a/src/alter.c ++++ b/src/alter.c +@@ -756,6 +756,21 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){ + } + + /* ++** Unmap all tokens in the IdList object passed as the second argument. ++*/ ++static void unmapColumnIdlistNames( ++ Parse *pParse, ++ IdList *pIdList ++){ ++ if( pIdList ){ ++ int ii; ++ for(ii=0; iinId; ii++){ ++ sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName); ++ } ++ } ++} ++ ++/* + ** Walker callback used by sqlite3RenameExprUnmap(). 
+ */ + static int renameUnmapSelectCb(Walker *pWalker, Select *p){ +@@ -776,6 +791,7 @@ static int renameUnmapSelectCb(Walker *pWalker, Select *p){ + for(i=0; inSrc; i++){ + sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName); + if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort; ++ unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing); + } + } + +diff --git a/src/resolve.c b/src/resolve.c +index 119a07f..894958c 100644 +--- a/src/resolve.c ++++ b/src/resolve.c +@@ -1177,7 +1177,7 @@ static int resolveOrderByTermToExprList( + nc.nErr = 0; + db = pParse->db; + savedSuppErr = db->suppressErr; +- db->suppressErr = 1; ++ if( IN_RENAME_OBJECT==0 ) db->suppressErr = 1; + rc = sqlite3ResolveExprNames(&nc, pE); + db->suppressErr = savedSuppErr; + if( rc ) return 0; +diff --git a/test/altertab.test b/test/altertab.test +index 7dcf8a5..01dd61a 100644 +--- a/test/altertab.test ++++ b/test/altertab.test +@@ -594,7 +594,6 @@ reset_db + do_execsql_test 18.1.0 { + CREATE TABLE t0 (c0 INTEGER, PRIMARY KEY(c0)) WITHOUT ROWID; + } +-breakpoint + do_execsql_test 18.1.1 { + ALTER TABLE t0 RENAME COLUMN c0 TO c1; + } +@@ -613,4 +612,34 @@ do_execsql_test 18.2.2 { + SELECT sql FROM sqlite_master; + } {{CREATE TABLE t0 (c1 INTEGER, PRIMARY KEY(c1))}} + ++# Ticket 4722bdab08cb14 ++reset_db ++do_execsql_test 20.0 { ++ CREATE TABLE a(a); ++ CREATE VIEW b AS SELECT(SELECT *FROM c JOIN a USING(d, a, a, a) JOIN a) IN(); ++} ++ ++do_execsql_test 20.1 { ++ ALTER TABLE a RENAME a TO e; ++} {} ++ ++reset_db ++do_execsql_test 21.0 { ++ CREATE TABLE a(b); ++ CREATE VIEW c AS ++ SELECT NULL INTERSECT ++ SELECT NULL ORDER BY ++ likelihood(NULL, (d, (SELECT c))); ++} {} ++do_catchsql_test 21.1 { ++ SELECT likelihood(NULL, (d, (SELECT c))); ++} {1 {second argument to likelihood() must be a constant between 0.0 and 1.0}} ++do_catchsql_test 21.2 { ++ SELECT * FROM c; ++} {1 {1st ORDER BY term does not match any column in the result set}} ++ ++do_catchsql_test 21.3 { ++ ALTER TABLE a 
RENAME TO e; ++} {1 {error in view c: 1st ORDER BY term does not match any column in the result set}} ++ + finish_test +-- +1.8.3.1 + diff --git a/6003-Fix-typo-in-the-normalize-extension.patch b/6003-Fix-typo-in-the-normalize-extension.patch deleted file mode 100644 index 64bc19ea230cc3206b10d0dbbcfab4ff5562b56f..0000000000000000000000000000000000000000 --- a/6003-Fix-typo-in-the-normalize-extension.patch +++ /dev/null @@ -1,27 +0,0 @@ -From c0506beeac8e92586d1dcdaa0aceeed366c8b62d Mon Sep 17 00:00:00 2001 -From: Joe Mistachkin -Date: Mon, 18 Jun 2018 19:09:30 +0000 -Subject: [PATCH 0096/1009] Fix typo in the 'normalize' extension. - -From https://github.com/mackyle/sqlite/commit/c0506beeac8e92586d1dcdaa0aceeed366c8b62d - ---- - ext/misc/normalize.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ext/misc/normalize.c b/ext/misc/normalize.c -index fd656f1..5997ec1 100644 ---- a/ext/misc/normalize.c -+++ b/ext/misc/normalize.c -@@ -593,7 +593,7 @@ char *sqlite3_normalize(const char *zSql){ - } - } - while( j>0 && z[j-1]==' ' ){ j--; } -- if( i>0 && z[j-1]!=';' ){ z[j++] = ';'; } -+ if( j>0 && z[j-1]!=';' ){ z[j++] = ';'; } - z[j] = 0; - - /* Make a second pass converting "in(...)" where the "..." is not a --- -1.8.3.1 - diff --git a/6004-Fix-a-minor-problem-in-the-code-for-determining-whet.patch b/6004-Fix-a-minor-problem-in-the-code-for-determining-whet.patch deleted file mode 100644 index 433368fb0b413ad4dd83239bb5d9ce61ad5887cf..0000000000000000000000000000000000000000 --- a/6004-Fix-a-minor-problem-in-the-code-for-determining-whet.patch +++ /dev/null 
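Review bot: 6003-Fix-CVE-2020-11656.patch ends with `Signed-off-by: dan <>`, an empty-address sign-off standing in for the upstream author while `From: shenkai8` is the backporter; the two upstream check-ins (d09f8c36 and 68429388) are already named in the body, so that line is better replaced by the backporter's own sign-off or dropped. Bundling two independent upstream fixes (tickets 4722bdab08cb1 and a10a14e9b4ba2, touching src/alter.c and src/resolve.c respectively) into one file also means neither can be reverted or bisected without the other; splitting them would mirror how 6000-0001/6001-0002 are handled in this same commit. The new `unmapColumnIdlistNames()` has a one-line comment but does not say why the remap is needed; extending it to `/* Unmap all tokens in the IdList so the rename token map no longer points into memory freed with the IdList */` would tie the helper to the use-after-free described in the header. renameUnmapSelectCb() begins and ends outside the shown hunk.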
@@ -1,67 +0,0 @@ -From 9627c47a03bfa5aa59fa59b1ef37d8fa524fd9f2 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Sat, 30 Jun 2018 20:00:35 +0000 -Subject: [PATCH 0121/1009] Fix a minor problem in the code for determining - whether or not an SQL statement is SQLITE_TOOBIG. - -From https://github.com/mackyle/sqlite/commit/9627c47a03bfa5aa59fa59b1ef37d8fa524fd9f2 - ---- - src/alter.c | 4 ++-- - src/tokenize.c | 7 ++++++- - 2 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/alter.c b/src/alter.c -index f338e8b..2d7a5d6 100644 ---- a/src/alter.c -+++ b/src/alter.c -@@ -74,7 +74,7 @@ static void renameTableFunc( - zCsr += len; - len = sqlite3GetToken(zCsr, &token); - } while( token==TK_SPACE ); -- assert( len>0 ); -+ assert( len>0 || !*zCsr ); - } while( token!=TK_LP && token!=TK_USING ); - - zRet = sqlite3MPrintf(db, "%.*s\"%w\"%s", (int)(((u8*)tname.z) - zSql), -@@ -198,7 +198,7 @@ static void renameTriggerFunc( - zCsr += len; - len = sqlite3GetToken(zCsr, &token); - }while( token==TK_SPACE ); -- assert( len>0 ); -+ assert( len>0 || !*zCsr ); - - /* Variable 'dist' stores the number of tokens read since the most - ** recent TK_DOT or TK_ON. This means that when a WHEN, FOR or BEGIN -diff --git a/src/tokenize.c b/src/tokenize.c -index 15678ed..fc5989c 100644 ---- a/src/tokenize.c -+++ b/src/tokenize.c -@@ -54,11 +54,12 @@ - #define CC_TILDA 25 /* '~' */ - #define CC_DOT 26 /* '.' 
*/ - #define CC_ILLEGAL 27 /* Illegal character */ -+#define CC_NUL 28 /* 0x00 */ - - static const unsigned char aiClass[] = { - #ifdef SQLITE_ASCII - /* x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xa xb xc xd xe xf */ --/* 0x */ 27, 27, 27, 27, 27, 27, 27, 27, 27, 7, 7, 27, 7, 7, 27, 27, -+/* 0x */ 28, 27, 27, 27, 27, 27, 27, 27, 27, 7, 7, 27, 7, 7, 27, 27, - /* 1x */ 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, - /* 2x */ 7, 15, 8, 5, 4, 22, 24, 8, 17, 18, 21, 20, 23, 11, 26, 16, - /* 3x */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 19, 12, 14, 13, 6, -@@ -532,6 +533,10 @@ int sqlite3GetToken(const unsigned char *z, int *tokenType){ - i = 1; - break; - } -+ case CC_NUL: { -+ *tokenType = TK_ILLEGAL; -+ return 0; -+ } - default: { - *tokenType = TK_ILLEGAL; - return 1; --- -1.8.3.1 - diff --git a/6005-Quick-patch-to-the-Lemon-parser-template-to-avoid-an.patch b/6005-Quick-patch-to-the-Lemon-parser-template-to-avoid-an.patch deleted file mode 100644 index 779378f7484065b4a70fb99c7ae390bb67800991..0000000000000000000000000000000000000000 --- a/6005-Quick-patch-to-the-Lemon-parser-template-to-avoid-an.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 7173baee93fed1c0a20bb02350c22ab219e4654b Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Sun, 1 Jul 2018 16:05:40 +0000 -Subject: [PATCH 0123/1009] Quick patch to the Lemon parser template to avoid - an array overread reported by OSSFuzz. A proper fix involves enhancements to - the table generators in Lemon to make the overread impossible. That fix will - take longer to implement. The current check-in is a stop-gap. - -From https://github.com/mackyle/sqlite/commit/7173baee93fed1c0a20bb02350c22ab219e4654b - ---- - tool/lempar.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tool/lempar.c b/tool/lempar.c -index 450dcde..e19aba4 100644 ---- a/tool/lempar.c -+++ b/tool/lempar.c -@@ -550,6 +550,7 @@ static YYACTIONTYPE yy_find_shift_action( - #if YY_SHIFT_MAX+YYWILDCARD>=YY_ACTTAB_COUNT - j0 - ){ - #ifndef NDEBUG --- -1.8.3.1 - diff --git a/6006-Fix-typo-in-the-Win32-specific-code-for-the-fileio-e.patch b/6006-Fix-typo-in-the-Win32-specific-code-for-the-fileio-e.patch deleted file mode 100644 index 0fe67429870de4e387cdbc25708af291fb3e11df..0000000000000000000000000000000000000000 --- a/6006-Fix-typo-in-the-Win32-specific-code-for-the-fileio-e.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 8a6d814cd2574e878ab45c8bbf209212bd705e47 Mon Sep 17 00:00:00 2001 -From: Joe Mistachkin -Date: Sat, 8 Sep 2018 16:53:47 +0000 -Subject: [PATCH 0352/1009] Fix typo in the Win32-specific code for the fileio - extension. - -https://github.com/mackyle/sqlite/commit/8a6d814cd2574e878ab45c8bbf209212bd705e47 - ---- - ext/misc/fileio.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ext/misc/fileio.c b/ext/misc/fileio.c -index b734ca0..816a353 100644 ---- a/ext/misc/fileio.c -+++ b/ext/misc/fileio.c -@@ -204,7 +204,7 @@ static void statTimesToUtc( - extern LPWSTR sqlite3_win32_utf8_to_unicode(const char*); - zUnicodeName = sqlite3_win32_utf8_to_unicode(zPath); - if( zUnicodeName ){ -- memset(&fd, 0, sizeof(WIN32_FIND_DATA)); -+ memset(&fd, 0, sizeof(WIN32_FIND_DATAW)); - hFindFile = FindFirstFileW(zUnicodeName, &fd); - if( hFindFile!=NULL ){ - pStatBuf->st_ctime = (time_t)fileTimeToUnixTime(&fd.ftCreationTime); --- -1.8.3.1 - diff --git a/6007-Fix-a-problem-causing-ENABLE_CURSOR_HINTS-builds-to-.patch b/6007-Fix-a-problem-causing-ENABLE_CURSOR_HINTS-builds-to-.patch deleted file mode 100644 index fdbc4e26e60b5d4e0999f21981cecc14812b42c0..0000000000000000000000000000000000000000 --- a/6007-Fix-a-problem-causing-ENABLE_CURSOR_HINTS-builds-to-.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 8bc9e8b38de805a0c02db12c6afe796a47b22747 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Tue, 11 Sep 2018 13:38:35 +0000 -Subject: [PATCH 0363/1009] Fix a problem causing ENABLE_CURSOR_HINTS builds to - segfault. - -https://github.com/mackyle/sqlite/commit/8bc9e8b38de805a0c02db12c6afe796a47b22747 - ---- - src/wherecode.c | 4 +--- - test/cursorhint2.test | 15 +++++++++++++++ - 2 files changed, 16 insertions(+), 3 deletions(-) - -diff --git a/src/wherecode.c b/src/wherecode.c -index 8251923..07de2c6 100644 ---- a/src/wherecode.c -+++ b/src/wherecode.c -@@ -886,9 +886,7 @@ static int codeCursorHintFixExpr(Walker *pWalker, Expr *pExpr){ - if( pExpr->iTable!=pHint->iTabCur ){ - Vdbe *v = pWalker->pParse->pVdbe; - int reg = ++pWalker->pParse->nMem; /* Register for column value */ -- sqlite3ExprCodeGetColumnOfTable( -- v, pExpr->pTab, pExpr->iTable, pExpr->iColumn, reg -- ); -+ sqlite3ExprCode(pWalker->pParse, pExpr, reg); - pExpr->op = TK_REGISTER; - pExpr->iTable = reg; - }else if( pHint->pIdx!=0 ){ -diff --git a/test/cursorhint2.test b/test/cursorhint2.test -index 0175568..a78d151 100644 ---- a/test/cursorhint2.test -+++ b/test/cursorhint2.test -@@ -186,4 +186,19 @@ do_extract_hints_test 2.12 { - x2 {EQ(c0,r[2])} - } - -+reset_db -+do_execsql_test 3.0 { -+ CREATE TABLE t1 (i1 TEXT); -+ CREATE TABLE t2 (i2 TEXT UNIQUE); -+ INSERT INTO t1 VALUES('0'); -+ INSERT INTO t2 VALUES('0'); -+} -+ -+do_extract_hints_test 3.1 { -+ SELECT * FROM t1 CROSS JOIN t2 WHERE (t1.i1 = t2.i2) AND t2.i2 = 1; -+} { -+ t1 {EQ(c0,r[1])} t2 EQ(c0,1) -+} -+ -+ - finish_test --- -1.8.3.1 - diff --git a/6008-Fix-a-potential-crash-that-can-occur-while-reading-a.patch b/6008-Fix-a-potential-crash-that-can-occur-while-reading-a.patch deleted file mode 100644 index be0ced2d396f5f2fbcf83bbdfe3b1b3f7576eae1..0000000000000000000000000000000000000000 --- a/6008-Fix-a-potential-crash-that-can-occur-while-reading-a.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 2b256aaaae3c32e69a5a4c24d7bb22bbc7232f88 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Mon, 1 Oct 2018 13:54:30 +0000 -Subject: [PATCH 0435/1009] Fix a potential crash that can occur while reading - an index from a corrupt database file. The corruption is a - record-header-size that is larger than 0x7fffffff. Problem detected by - OSSFuzz against GDAL and reported to us (with a suggested fix) by Even - Rouault. The test case is in TH3. - -https://github.com/mackyle/sqlite/commit/2b256aaaae3c32e69a5a4c24d7bb22bbc7232f88 - ---- - src/vdbeaux.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/vdbeaux.c b/src/vdbeaux.c -index 5ec3d13..99df435 100644 ---- a/src/vdbeaux.c -+++ b/src/vdbeaux.c -@@ -4557,7 +4557,9 @@ int sqlite3VdbeIdxRowid(sqlite3 *db, BtCursor *pCur, i64 *rowid){ - (void)getVarint32((u8*)m.z, szHdr); - testcase( szHdr==3 ); - testcase( szHdr==m.n ); -- if( unlikely(szHdr<3 || (int)szHdr>m.n) ){ -+ testcase( szHdr>0x7fffffff ); -+ assert( m.n>=0 ); -+ if( unlikely(szHdr<3 || szHdr>(unsigned)m.n) ){ - goto idx_rowid_corruption; - } - --- -1.8.3.1 - diff --git a/6009-In-the-CLI-fix-a-file-descriptor-leak-following-OOM-.patch b/6009-In-the-CLI-fix-a-file-descriptor-leak-following-OOM-.patch deleted file mode 100644 index b8dc4033b6a3e34d4c51421c029a15a272647f6f..0000000000000000000000000000000000000000 --- a/6009-In-the-CLI-fix-a-file-descriptor-leak-following-OOM-.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From c0ead185cc44359ecb406e9f7e21b964393f96d8 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Thu, 11 Oct 2018 10:37:24 +0000 -Subject: [PATCH 0453/1009] In the CLI, fix a file descriptor leak following - OOM and a missing va_end() call. - ---- - src/shell.c.in | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/shell.c.in b/src/shell.c.in -index a5ab143..c1db72c 100644 ---- a/src/shell.c.in -+++ b/src/shell.c.in -@@ -3592,7 +3592,7 @@ static char *readFile(const char *zName, int *pnByte){ - nIn = ftell(in); - rewind(in); - pBuf = sqlite3_malloc64( nIn+1 ); -- if( pBuf==0 ) return 0; -+ if( pBuf==0 ){ fclose(in); return 0; } - nRead = fread(pBuf, nIn, 1, in); - fclose(in); - if( nRead!=1 ){ -@@ -4976,6 +4976,7 @@ static void shellPreparePrintf( - char *z; - va_start(ap, zFmt); - z = sqlite3_vmprintf(zFmt, ap); -+ va_end(ap); - if( z==0 ){ - *pRc = SQLITE_NOMEM; - }else{ --- -1.8.3.1 - diff --git a/6010-Take-steps-to-avoid-a-potential-integer-overflow-in-.patch b/6010-Take-steps-to-avoid-a-potential-integer-overflow-in-.patch deleted file mode 100644 index 62331c25fa51b3739d3cee9808b9dc0441103e8b..0000000000000000000000000000000000000000 --- a/6010-Take-steps-to-avoid-a-potential-integer-overflow-in-.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 8dba5edb332d9bdf8b856c26404c8043bdfd4192 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Thu, 18 Oct 2018 15:17:18 +0000 -Subject: [PATCH 0460/1009] Take steps to avoid a potential integer overflow in - sessionBufferGrow(). - -https://github.com/mackyle/sqlite/commit/8dba5edb332d9bdf8b856c26404c8043bdfd4192 - ---- - ext/session/sqlite3session.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c -index 20810ee..a1ca9a7 100644 ---- a/ext/session/sqlite3session.c -+++ b/ext/session/sqlite3session.c -@@ -1794,12 +1794,12 @@ int sqlite3session_attach( - static int sessionBufferGrow(SessionBuffer *p, int nByte, int *pRc){ - if( *pRc==SQLITE_OK && p->nAlloc-p->nBufnAlloc ? p->nAlloc : 128; -+ i64 nNew = p->nAlloc ? p->nAlloc : 128; - do { - nNew = nNew*2; -- }while( nNew<(p->nBuf+nByte) ); -+ }while( (nNew-p->nBuf)aBuf, nNew); -+ aNew = (u8 *)sqlite3_realloc64(p->aBuf, nNew); - if( 0==aNew ){ - *pRc = SQLITE_NOMEM; - }else{ --- -1.8.3.1 - diff --git a/6011-Fix-minor-memory-leak-in-the-dbstat-extension-that-c.patch b/6011-Fix-minor-memory-leak-in-the-dbstat-extension-that-c.patch deleted file mode 100644 index 72d760d42753a3cf10ad88d4581d0c3a3323303c..0000000000000000000000000000000000000000 --- a/6011-Fix-minor-memory-leak-in-the-dbstat-extension-that-c.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 259c8907624a568bd0faa10687f659c9321f9a05 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Mon, 29 Oct 2018 18:33:42 +0000 -Subject: [PATCH 0473/1009] Fix minor memory leak in the dbstat extension that - can occur following an attempt to analyze a corrupt database file. - -From https://github.com/mackyle/sqlite/commit/259c8907624a568bd0faa10687f659c9321f9a05 - ---- - src/dbstat.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/dbstat.c b/src/dbstat.c -index 432cfae..b746fa0 100644 ---- a/src/dbstat.c -+++ b/src/dbstat.c -@@ -254,7 +254,7 @@ static int statOpen(sqlite3_vtab *pVTab, sqlite3_vtab_cursor **ppCursor){ - return SQLITE_OK; - } - --static void statClearPage(StatPage *p){ -+static void statClearCells(StatPage *p){ - int i; - if( p->aCell ){ - for(i=0; inCell; i++){ -@@ -262,6 +262,11 @@ static void statClearPage(StatPage *p){ - } - sqlite3_free(p->aCell); - } -+ p->nCell = 0; -+ p->aCell = 0; -+} -+static void statClearPage(StatPage *p){ -+ statClearCells(p); - sqlite3PagerUnref(p->pPg); - sqlite3_free(p->zPath); - memset(p, 0, sizeof(StatPage)); --- -1.8.3.1 - diff --git a/6012-Fix-a-failing-assert-in-sqlite3ResetAllSchemasOfConn.patch b/6012-Fix-a-failing-assert-in-sqlite3ResetAllSchemasOfConn.patch deleted file mode 100644 index abd469b55156c0701bd22a6c2aaea7ee470164fb..0000000000000000000000000000000000000000 --- a/6012-Fix-a-failing-assert-in-sqlite3ResetAllSchemasOfConn.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 54e058c2c503364cd316bf9c73e253dffa5285a4 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Tue, 27 Nov 2018 19:47:55 +0000 -Subject: [PATCH 0548/1009] Fix a failing assert() in - sqlite3ResetAllSchemasOfConnection(). - -https://github.com/mackyle/sqlite/commit/54e058c2c503364cd316bf9c73e253dffa5285a4 - ---- - src/build.c | 11 ++++++++--- - test/vtab_err.test | 23 ++++++++++++++++++++++- - 2 files changed, 30 insertions(+), 4 deletions(-) - -diff --git a/src/build.c b/src/build.c -index fca5a92..bed8295 100644 ---- a/src/build.c -+++ b/src/build.c -@@ -544,17 +544,22 @@ void sqlite3ResetOneSchema(sqlite3 *db, int iDb){ - void sqlite3ResetAllSchemasOfConnection(sqlite3 *db){ - int i; - sqlite3BtreeEnterAll(db); -- assert( db->nSchemaLock==0 ); - for(i=0; inDb; i++){ - Db *pDb = &db->aDb[i]; - if( pDb->pSchema ){ -- sqlite3SchemaClear(pDb->pSchema); -+ if( db->nSchemaLock==0 ){ -+ sqlite3SchemaClear(pDb->pSchema); -+ }else{ -+ DbSetProperty(db, i, DB_ResetWanted); -+ } - } - } - db->mDbFlags &= ~(DBFLAG_SchemaChange|DBFLAG_SchemaKnownOk); - sqlite3VtabUnlockList(db); - sqlite3BtreeLeaveAll(db); -- sqlite3CollapseDatabaseArray(db); -+ if( db->nSchemaLock==0 ){ -+ sqlite3CollapseDatabaseArray(db); -+ } - } - - /* -diff --git a/test/vtab_err.test b/test/vtab_err.test -index cb40acd..cfc5fc3 100644 ---- a/test/vtab_err.test -+++ b/test/vtab_err.test -@@ -20,7 +20,6 @@ ifcapable !vtab { - } - - -- - unset -nocomplain echo_module_begin_fail - do_ioerr_test vtab_err-1 -tclprep { - register_echo_module [sqlite3_connection_pointer db] -@@ -63,4 +62,26 @@ do_malloc_test vtab_err-2 -tclprep { - - sqlite3_memdebug_fail -1 - -+reset_db -+register_echo_module [sqlite3_connection_pointer db] -+do_execsql_test vtab_err-3.0 { -+ CREATE TABLE r(a PRIMARY KEY, b, c); -+ CREATE VIRTUAL TABLE e USING echo(r); -+} -+faultsim_save_and_close -+ -+do_faultsim_test vtab_err-3 -faults oom-t* -prep { -+ faultsim_restore_and_reopen -+ register_echo_module 
[sqlite3_connection_pointer db] -+} -body { -+ execsql { -+ BEGIN; -+ CREATE TABLE xyz(x); -+ SELECT a FROM e; -+ COMMIT; -+ } -+} -test { -+ faultsim_test_result {0 {}} -+} -+ - finish_test --- -1.8.3.1 - diff --git a/6013-Fix-a-parser-bug-in-the-use-of-parentheses-around-ta.patch b/6013-Fix-a-parser-bug-in-the-use-of-parentheses-around-ta.patch deleted file mode 100644 index db380a2b2bf547041267dfcaac0535e644157668..0000000000000000000000000000000000000000 --- a/6013-Fix-a-parser-bug-in-the-use-of-parentheses-around-ta.patch +++ /dev/null @@ -1,32 +0,0 @@ -From f75ff65c0027041b95647acdb86abf0dc1158f55 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Mon, 3 Dec 2018 01:47:41 +0000 -Subject: [PATCH 0562/1009] Fix a parser bug in the use of parentheses around - table-valued functions. - -https://github.com/mackyle/sqlite/commit/f75ff65c0027041b95647acdb86abf0dc1158f55 - ---- - src/parse.y | 6 ++++++ - 1 files changed, 6 insertions(+), 0 deletion(-) - -diff --git a/src/parse.y b/src/parse.y -index b150c73..3bb28ab 100644 ---- a/src/parse.y -+++ b/src/parse.y -@@ -664,6 +664,12 @@ seltablist(A) ::= stl_prefix(A) nm(Y) dbnm(D) LP exprlist(E) RP as(Z) - pNew->zName = pOld->zName; - pNew->zDatabase = pOld->zDatabase; - pNew->pSelect = pOld->pSelect; -+ if( pOld->fg.isTabFunc ){ -+ pNew->u1.pFuncArg = pOld->u1.pFuncArg; -+ pOld->u1.pFuncArg = 0; -+ pOld->fg.isTabFunc = 0; -+ pNew->fg.isTabFunc = 1; -+ } - pOld->zName = pOld->zDatabase = 0; - pOld->pSelect = 0; - } --- -1.8.3.1 - diff --git a/6014-Fix-possible-integer-overflow-while-running-PRAGMA-i.patch b/6014-Fix-possible-integer-overflow-while-running-PRAGMA-i.patch deleted file mode 100644 index 1376701a21acf26016f5102f0f7375eed6cd2357..0000000000000000000000000000000000000000 --- a/6014-Fix-possible-integer-overflow-while-running-PRAGMA-i.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 3bb789ba44d04e5c7d02abdfce6ff2e51f566db2 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Fri, 14 Dec 2018 17:57:01 +0000 -Subject: [PATCH 0626/1009] Fix possible integer overflow while running PRAGMA - integrity_check on a database file with a badly corrupted freelist. - -https://github.com/mackyle/sqlite/commit/3bb789ba44d04e5c7d02abdfce6ff2e51f566db2 - ---- - src/btree.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/btree.c b/src/btree.c -index 8b3375e..24a274c 100644 ---- a/src/btree.c -+++ b/src/btree.c -@@ -9414,18 +9414,18 @@ static void checkList( - } - pOvflData = (unsigned char *)sqlite3PagerGetData(pOvflPage); - if( isFreeList ){ -- int n = get4byte(&pOvflData[4]); -+ u32 n = (u32)get4byte(&pOvflData[4]); - #ifndef SQLITE_OMIT_AUTOVACUUM - if( pCheck->pBt->autoVacuum ){ - checkPtrmap(pCheck, iPage, PTRMAP_FREEPAGE, 0); - } - #endif -- if( n>(int)pCheck->pBt->usableSize/4-2 ){ -+ if( n>pCheck->pBt->usableSize/4-2 ){ - checkAppendMsg(pCheck, - "freelist leaf count too big on page %d", iPage); - N--; - }else{ -- for(i=0; ipBt->autoVacuum ){ --- -1.8.3.1 - diff --git a/6015-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch b/6015-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch deleted file mode 100644 index 992ac56a9dc6adf48dc136fd80b7b9134c632a4d..0000000000000000000000000000000000000000 --- a/6015-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From af72ceaf22e73fd78e32ef439c1869292b94aaa1 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Thu, 20 Dec 2018 15:04:38 +0000 -Subject: [PATCH 0631/1009] Fix a segfault caused by using the RAISE function - incorrectly (library now returns an error instead of crashing). - -https://github.com/mackyle/sqlite/commit/af72ceaf22e73fd78e32ef439c1869292b94aaa1 - ---- - src/expr.c | 2 +- - test/triggerC.test | 16 ++++++++++++++++ - 2 files changed, 17 insertions(+), 1 deletion(-) - -diff --git a/src/expr.c b/src/expr.c -index 5d36502..b1a06bd 100644 ---- a/src/expr.c -+++ b/src/expr.c -@@ -4745,7 +4745,7 @@ int sqlite3ExprCompare(Parse *pParse, Expr *pA, Expr *pB, int iTab){ - } - return 2; - } -- if( pA->op!=pB->op ){ -+ if( pA->op!=pB->op || pA->op==TK_RAISE ){ - if( pA->op==TK_COLLATE && sqlite3ExprCompare(pParse, pA->pLeft,pB,iTab)<2 ){ - return 1; - } -diff --git a/test/triggerC.test b/test/triggerC.test -index 3e47521..49d4eca 100644 ---- a/test/triggerC.test -+++ b/test/triggerC.test -@@ -1042,4 +1042,20 @@ do_execsql_test 15.2.1 { - do_execsql_test 15.2.2 { SELECT * FROM x2; } {1 2 3 4} - do_execsql_test 15.2.3 { SELECT * FROM """x2"""; } {3 11 x y} - -+#------------------------------------------------------------------------- -+# At one point queries such as the following were causing segfaults. -+# -+do_catchsql_test 16.1 { -+ SELECT raise(ABORT, 'msg') FROM sqlite_master -+ UNION SELECT 1 -+ ORDER BY raise(IGNORE); -+} {1 {1st ORDER BY term does not match any column in the result set}} -+ -+do_catchsql_test 16.2 { -+ SELECT count(*) FROM sqlite_master -+ GROUP BY raise(IGNORE) -+ HAVING raise(ABORT, 'msg'); -+} {1 {RAISE() may only be used within a trigger-program}} -+ - finish_test -+ --- -1.8.3.1 - 
diff --git a/6016-Fix-another-problem-with-corrupt-database-handling-i.patch b/6016-Fix-another-problem-with-corrupt-database-handling-i.patch deleted file mode 100644 index 5fc3fce535cb23f768a5fa01502aeacbf5d74700..0000000000000000000000000000000000000000 --- a/6016-Fix-another-problem-with-corrupt-database-handling-i.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 16f6aeb0a017f8406ca9de7224f8c8fe6d5ee30e Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Thu, 27 Dec 2018 20:12:02 +0000 -Subject: [PATCH 0684/1009] Fix another problem with corrupt database handling - in fts5. - -https://github.com/mackyle/sqlite/commit/16f6aeb0a017f8406ca9de7224f8c8fe6d5ee30e - ---- - ext/fts5/fts5_index.c | 3 +- - 1 files changed, 2 insertions(+), 1 deletions(-) - -diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c -index acf2db2..c5fe01b 100644 ---- a/ext/fts5/fts5_index.c -+++ b/ext/fts5/fts5_index.c -@@ -1649,12 +1649,13 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){ - int nNew; /* Bytes of new data */ - - iOff += fts5GetVarint32(&a[iOff], nNew); -- if( iOff+nNew>pIter->pLeaf->nn ){ -+ if( iOff+nNew>pIter->pLeaf->nn || nKeep>pIter->term.n ){ - p->rc = FTS5_CORRUPT; - return; - } - pIter->term.n = nKeep; - fts5BufferAppendBlob(&p->rc, &pIter->term, nNew, &a[iOff]); -+ assert( pIter->term.n<=pIter->term.nSpace ); - iOff += nNew; - pIter->iTermLeafOffset = iOff; - pIter->iTermLeafPgno = pIter->iLeafPgno; --- -1.8.3.1 - diff --git a/6017-Fix-a-buffer-overwrite-in-fts5-triggered-by-a-corrup.patch b/6017-Fix-a-buffer-overwrite-in-fts5-triggered-by-a-corrup.patch deleted file mode 100644 index 5f9711ac3d7e3281a196d23c84bb37c542f488ea..0000000000000000000000000000000000000000 --- a/6017-Fix-a-buffer-overwrite-in-fts5-triggered-by-a-corrup.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 1d41f8f6d718cd93b0bd55e72f0a919b1c6e1388 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Fri, 28 Dec 2018 13:57:30 +0000 -Subject: [PATCH 0686/1009] Fix a buffer overwrite in fts5 triggered by a - corrupt database. - -https://github.com/mackyle/sqlite/commit/1d41f8f6d718cd93b0bd55e72f0a919b1c6e1388 - ---- - ext/fts5/fts5_index.c | 5 +- - 1 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c -index 6bd18c5..3361b19 100644 ---- a/ext/fts5/fts5_index.c -+++ b/ext/fts5/fts5_index.c -@@ -3902,6 +3902,7 @@ static void fts5WriteAppendTerm( - int nPrefix; /* Bytes of prefix compression for term */ - Fts5PageWriter *pPage = &pWriter->writer; - Fts5Buffer *pPgidx = &pWriter->writer.pgidx; -+ int nMin = MIN(pPage->term.n, nTerm); - - assert( p->rc==SQLITE_OK ); - assert( pPage->buf.n>=4 ); -@@ -3943,13 +3944,13 @@ static void fts5WriteAppendTerm( - ** inefficient, but still correct. */ - int n = nTerm; - if( pPage->term.n ){ -- n = 1 + fts5PrefixCompress(pPage->term.n, pPage->term.p, pTerm); -+ n = 1 + fts5PrefixCompress(nMin, pPage->term.p, pTerm); - } - fts5WriteBtreeTerm(p, pWriter, n, pTerm); - pPage = &pWriter->writer; - } - }else{ -- nPrefix = fts5PrefixCompress(pPage->term.n, pPage->term.p, pTerm); -+ nPrefix = fts5PrefixCompress(nMin, pPage->term.p, pTerm); - fts5BufferAppendVarint(&p->rc, &pPage->buf, nPrefix); - } - --- -1.8.3.1 - diff --git a/6018-Fix-another-case-in-fts5-where-a-corrupt-database-co.patch b/6018-Fix-another-case-in-fts5-where-a-corrupt-database-co.patch deleted file mode 100644 index 512afea6717dabaed06e1ebf058d77533bad7526..0000000000000000000000000000000000000000 --- a/6018-Fix-another-case-in-fts5-where-a-corrupt-database-co.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 3af43610d9406dfc859f7aca5a3c6441c852911b Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Tue, 1 Jan 2019 13:59:34 +0000 -Subject: [PATCH 0698/1009] Fix another case in fts5 where a corrupt database - could cause a buffer overread. - -https://github.com/mackyle/sqlite/commit/3af43610d9406dfc859f7aca5a3c6441c852911b - ---- - ext/fts5/fts5_index.c | 6 +- - 1 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c -index f786e8d..6ce9844 100644 ---- a/ext/fts5/fts5_index.c -+++ b/ext/fts5/fts5_index.c -@@ -2311,6 +2311,7 @@ static void fts5LeafSeek( - iPgidx += fts5GetVarint32(&pIter->pLeaf->p[iPgidx], iOff); - if( iOff<4 || iOff>=pIter->pLeaf->szLeaf ){ - p->rc = FTS5_CORRUPT; -+ return; - }else{ - nKeep = 0; - iTermOff = iOff; -@@ -2323,8 +2324,11 @@ static void fts5LeafSeek( - } - - search_success: -- - pIter->iLeafOffset = iOff + nNew; -+ if( pIter->iLeafOffset>n ){ -+ p->rc = FTS5_CORRUPT; -+ return; -+ } - pIter->iTermLeafOffset = pIter->iLeafOffset; - pIter->iTermLeafPgno = pIter->iLeafPgno; - --- -1.8.3.1 - diff --git a/6019-Fix-another-potential-buffer-overread-in-fts5.patch b/6019-Fix-another-potential-buffer-overread-in-fts5.patch deleted file mode 100644 index 14dc128ddc8e24f24cfd5ac5b39a1d73cbe80b38..0000000000000000000000000000000000000000 --- a/6019-Fix-another-potential-buffer-overread-in-fts5.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 3ad151ae6c0d1c8158c2df9fd11fab0cd0075d6f Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Mon, 7 Jan 2019 16:52:00 +0000 -Subject: [PATCH 0721/1009] Fix another potential buffer overread in fts5. - -https://github.com/mackyle/sqlite/commit/3ad151ae6c0d1c8158c2df9fd11fab0cd0075d6f - ---- - ext/fts5/fts5_hash.c | 3 +- - 1 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ext/fts5/fts5_hash.c b/ext/fts5/fts5_hash.c -index 1757061..7e404a8 100644 ---- a/ext/fts5/fts5_hash.c -+++ b/ext/fts5/fts5_hash.c -@@ -483,7 +483,8 @@ int sqlite3Fts5HashQuery( - - for(p=pHash->aSlot[iHash]; p; p=p->pHashNext){ - zKey = fts5EntryKey(p); -- if( memcmp(zKey, pTerm, nTerm)==0 && zKey[nTerm]==0 ) break; -+ assert( p->nKey+1==(int)strlen(zKey) ); -+ if( nTerm==p->nKey+1 && memcmp(zKey, pTerm, nTerm)==0 ) break; - } - - if( p ){ --- -1.8.3.1 - diff --git a/6020-Fix-a-possible-memory-leak-when-trying-to-UPDATE-a-c.patch b/6020-Fix-a-possible-memory-leak-when-trying-to-UPDATE-a-c.patch deleted file mode 100644 index fb5f19f652e4743225bb1d9bc778d14b3ece098d..0000000000000000000000000000000000000000 --- a/6020-Fix-a-possible-memory-leak-when-trying-to-UPDATE-a-c.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From dc9d6ce103251a827eacde12399418b8dd55ca47 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Tue, 8 Jan 2019 14:28:02 +0000 -Subject: [PATCH 0723/1009] Fix a possible memory leak when trying to UPDATE a - corrupt RTREE index. - -https://github.com/mackyle/sqlite/commit/dc9d6ce103251a827eacde12399418b8dd55ca47 - ---- - ext/rtree/rtree.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c -index ea44ffe..83d1b82 100644 ---- a/ext/rtree/rtree.c -+++ b/ext/rtree/rtree.c -@@ -717,7 +717,6 @@ static int nodeAcquire( - pNode->pNext = 0; - rc = sqlite3_blob_read(pRtree->pNodeBlob, pNode->zData, - pRtree->iNodeSize, 0); -- nodeReference(pParent); - } - } - -@@ -748,6 +747,7 @@ static int nodeAcquire( - - if( rc==SQLITE_OK ){ - if( pNode!=0 ){ -+ nodeReference(pParent); - nodeHashInsert(pRtree, pNode); - }else{ - rc = SQLITE_CORRUPT_VTAB; --- -1.8.3.1 - diff --git a/6021-Fix-an-out-of-bounds-read-in-SQL-function-fts5_decod.patch b/6021-Fix-an-out-of-bounds-read-in-SQL-function-fts5_decod.patch deleted file mode 100644 index 1fa115cf98491fd0357401b8574be05922cb9ee0..0000000000000000000000000000000000000000 --- a/6021-Fix-an-out-of-bounds-read-in-SQL-function-fts5_decod.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 525fdb146b15ef6c42886fccf1b892388c2011d6 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Wed, 9 Jan 2019 21:12:23 +0000 -Subject: [PATCH 0730/1009] Fix an out-of-bounds read in SQL function - fts5_decode() that could occur if it was passed a corrupt record. - -https://github.com/mackyle/sqlite/commit/525fdb146b15ef6c42886fccf1b892388c2011d6 - ---- - ext/fts5/fts5_index.c | 6 +- - 1 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c -index 268af5e..90dc0a5 100644 ---- a/ext/fts5/fts5_index.c -+++ b/ext/fts5/fts5_index.c -@@ -6409,7 +6409,7 @@ static void fts5DecodeFunction( - nDoclist = (iTermOff ? iTermOff : szLeaf) - iOff; - fts5DecodeDoclist(&rc, &s, &a[iOff], nDoclist); - -- while( iPgidxOffterm.n ){ -+ rc = FTS5_CORRUPT; -+ goto decode_out; -+ } - term.n = nByte; - } - iOff += fts5GetVarint32(&a[iOff], nByte); --- -1.8.3.1 - diff --git a/6022-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch b/6022-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch deleted file mode 100644 index cd4fade61d4154470323772b8b431020657c784a..0000000000000000000000000000000000000000 --- a/6022-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 2fbabe31a19e10c68357884846454753ee2b4cc3 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Fri, 11 Jan 2019 21:34:25 +0000 -Subject: [PATCH 0748/1009] Fix a segfault in fts3 prompted by a corrupted - database. - -https://github.com/mackyle/sqlite/commit/2fbabe31a19e10c68357884846454753ee2b4cc3 - ---- - ext/fts3/fts3.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletion(-) - -diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c -index e168fae..5266749 100644 ---- a/ext/fts3/fts3.c -+++ b/ext/fts3/fts3.c -@@ -2899,7 +2899,7 @@ static int fts3SegReaderCursor( - - /* If zTerm is not NULL, and this segment is not stored entirely on its - ** root node, the range of leaves scanned can be reduced. Do this. */ -- if( iStartBlock && zTerm ){ -+ if( iStartBlock && zTerm && zRoot ){ - sqlite3_int64 *pi = (isPrefix ? &iLeavesEndBlock : 0); - rc = fts3SelectLeaf(p, zTerm, nTerm, zRoot, nRoot, &iStartBlock, pi); - if( rc!=SQLITE_OK ) goto finished; --- -1.8.3.1 - diff --git a/6023-Prevent-unsigned-32-bit-integer-overflow-from-leadin.patch b/6023-Prevent-unsigned-32-bit-integer-overflow-from-leadin.patch deleted file mode 100644 index 4aa1b52441b5824bd5380c169277f291362add75..0000000000000000000000000000000000000000 --- a/6023-Prevent-unsigned-32-bit-integer-overflow-from-leadin.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 95a3db8dcf8622a8db12059abe1befca418d9440 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Sat, 12 Jan 2019 21:30:26 +0000 -Subject: [PATCH 0756/1009] Prevent unsigned 32-bit integer overflow from - leading to a buffer overread inside of an assert(). The problem fixed here - is no reachable in production code. - -https://github.com/mackyle/sqlite/commit/95a3db8dcf8622a8db12059abe1befca418d9440 - ---- - src/vdbeaux.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/vdbeaux.c b/src/vdbeaux.c -index 1125cfd..1af8a6f 100644 ---- a/src/vdbeaux.c -+++ b/src/vdbeaux.c -@@ -3883,8 +3883,8 @@ static int vdbeRecordCompareDebug( - ** Use that approximation to avoid the more expensive call to - ** sqlite3VdbeSerialTypeLen() in the common case. - */ -- if( d1+serial_type1+2>(u32)nKey1 -- && d1+sqlite3VdbeSerialTypeLen(serial_type1)>(u32)nKey1 -+ if( d1+(u64)serial_type1+2>(u64)nKey1 -+ && d1+(u64)sqlite3VdbeSerialTypeLen(serial_type1)>(u64)nKey1 - ){ - break; - } --- -1.8.3.1 - diff --git a/6024-Fix-a-problem-causing-a-crash-if-an-fts5vocab-table-.patch b/6024-Fix-a-problem-causing-a-crash-if-an-fts5vocab-table-.patch deleted file mode 100644 index d07898f086874d8f77bb4a1db11492772288839d..0000000000000000000000000000000000000000 --- a/6024-Fix-a-problem-causing-a-crash-if-an-fts5vocab-table-.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 5b01e4f591862a943728f1abe1cf44ac0844dbf1 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Mon, 14 Jan 2019 15:35:15 +0000 -Subject: [PATCH 0765/1009] Fix a problem causing a crash if an fts5vocab table - was created to query an fts3/4 FTS index. - -https://github.com/mackyle/sqlite/commit/5b01e4f591862a943728f1abe1cf44ac0844dbf1 - ---- - ext/fts5/fts5_main.c | 12 ++++++------ - 1 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/ext/fts5/fts5_main.c b/ext/fts5/fts5_main.c -index 6fc5a90..07934eb 100644 ---- a/ext/fts5/fts5_main.c -+++ b/ext/fts5/fts5_main.c -@@ -2244,13 +2244,13 @@ Fts5Index *sqlite3Fts5IndexFromCsrid( - Fts5Config **ppConfig /* OUT: Configuration object */ - ){ - Fts5Cursor *pCsr; -- Fts5Table *pTab; -- - pCsr = fts5CursorFromCsrid(pGlobal, iCsrId); -- pTab = (Fts5Table*)pCsr->base.pVtab; -- *ppConfig = pTab->pConfig; -- -- return pTab->pIndex; -+ if( pCsr ){ -+ Fts5Table *pTab = (Fts5Table*)pCsr->base.pVtab; -+ *ppConfig = pTab->pConfig; -+ return pTab->pIndex; -+ } -+ return 0; - } - - /* --- -1.8.3.1 - diff --git a/6025-Fix-a-harmless-memory-leak-in-the-Lemon-parser-gener.patch b/6025-Fix-a-harmless-memory-leak-in-the-Lemon-parser-gener.patch deleted file mode 100644 index 14fb5c555dadfed4de4293713c919a90af7f902f..0000000000000000000000000000000000000000 --- a/6025-Fix-a-harmless-memory-leak-in-the-Lemon-parser-gener.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 5dfe84921758b84e698b4f3429e56f3f292f8de5 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Tue, 15 Jan 2019 14:44:23 +0000 -Subject: [PATCH 0770/1009] Fix a harmless memory leak in the Lemon parser - generator utility program. - -https://github.com/mackyle/sqlite/commit/5dfe84921758b84e698b4f3429e56f3f292f8de5 - ---- - tool/lemon.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tool/lemon.c b/tool/lemon.c -index 7f0e557..7ef99fd 100644 ---- a/tool/lemon.c -+++ b/tool/lemon.c -@@ -4674,6 +4674,7 @@ void ReportTable( - /* Append any addition code the user desires */ - tplt_print(out,lemp,lemp->extracode,&lineno); - -+ acttab_free(pActtab); - fclose(in); - fclose(out); - return; --- -1.8.3.1 - diff --git a/6026-Handle-SQL-NULL-values-without-crashing-in-the-fts5-.patch b/6026-Handle-SQL-NULL-values-without-crashing-in-the-fts5-.patch deleted file mode 100644 index 4e87b028b26f3d01deb1dbf1e946abe86b8d35c9..0000000000000000000000000000000000000000 --- a/6026-Handle-SQL-NULL-values-without-crashing-in-the-fts5-.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 88ea6ea1ee2b7c93120857c65c882144c9f4ce71 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Tue, 15 Jan 2019 18:14:27 +0000 -Subject: [PATCH 0773/1009] Handle SQL NULL values without crashing in the fts5 - snippet() and highlight() functions. - -https://github.com/mackyle/sqlite/commit/88ea6ea1ee2b7c93120857c65c882144c9f4ce71 - ---- - ext/fts5/fts5_aux.c | 2 +- - ext/fts5/test/fts5ak.test | 8 ++++++++ - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/ext/fts5/fts5_aux.c b/ext/fts5/fts5_aux.c -index f884ddb..7d4f3e6 100644 ---- a/ext/fts5/fts5_aux.c -+++ b/ext/fts5/fts5_aux.c -@@ -136,7 +136,7 @@ static void fts5HighlightAppend( - HighlightContext *p, - const char *z, int n - ){ -- if( *pRc==SQLITE_OK ){ -+ if( *pRc==SQLITE_OK && z ){ - if( n<0 ) n = (int)strlen(z); - p->zOut = sqlite3_mprintf("%z%.*s", p->zOut, n, z); - if( p->zOut==0 ) *pRc = SQLITE_NOMEM; -diff --git a/ext/fts5/test/fts5ak.test b/ext/fts5/test/fts5ak.test -index cab0ae2..0a3cd6a78 100644 ---- a/ext/fts5/test/fts5ak.test -+++ b/ext/fts5/test/fts5ak.test -@@ -144,6 +144,14 @@ do_execsql_test 3.1 { - {[a b c d e]} - } - -+do_execsql_test 3.2 { -+ SELECT highlight(ft, 0, NULL, NULL) FROM ft WHERE ft MATCH 'a+b+c AND c+d+e'; -+} { -+ {a b c x c d e} -+ {a b c c d e} -+ {a b c d e} -+} -+ - } - - finish_test --- -1.8.3.1 - diff --git a/6027-Fix-a-memory-leak-that-could-occur-in-fts3-when-hand.patch b/6027-Fix-a-memory-leak-that-could-occur-in-fts3-when-hand.patch deleted file mode 100644 index 2b959a36b937c1404cfc8714d9a3164f8856526d..0000000000000000000000000000000000000000 --- a/6027-Fix-a-memory-leak-that-could-occur-in-fts3-when-hand.patch +++ /dev/null 
@@ -1,27 +0,0 @@
-From 5dc52d357ad41bcbd945f360df2d49a7701f8776 Mon Sep 17 00:00:00 2001
-From: Dan Kennedy
-Date: Wed, 16 Jan 2019 11:38:06 +0000
-Subject: [PATCH 0775/1009] Fix a memory leak that could occur in fts3 when
- handling a corrupt database.
-
-https://github.com/mackyle/sqlite/commit/5dc52d357ad41bcbd945f360df2d49a7701f8776
-
----
- ext/fts3/fts3_write.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
-index 0baf82b..096eafc 100644
---- a/ext/fts3/fts3_write.c
-+++ b/ext/fts3/fts3_write.c
-@@ -1606,6 +1606,7 @@ int sqlite3Fts3SegReaderNew(
-
- assert( iStartLeaf<=iEndLeaf );
- if( iStartLeaf==0 ){
-+ if( iEndLeaf!=0 ) return FTS_CORRUPT_VTAB;
- nExtra = nRoot + FTS3_NODE_PADDING;
- }
-
---
-1.8.3.1
-
diff --git a/6028-Fix-a-buffer-overwrite-that-could-occur-when-running.patch b/6028-Fix-a-buffer-overwrite-that-could-occur-when-running.patch
deleted file mode 100644
index 6be027c72dccb93413892346eb94598f1a96769f..0000000000000000000000000000000000000000
--- a/6028-Fix-a-buffer-overwrite-that-could-occur-when-running.patch
+++ /dev/null
@@ -1,47 +0,0 @@ -From 1634068a27a93898908802f514ae41c1a3aa3bf9 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Thu, 17 Jan 2019 19:11:10 +0000 -Subject: [PATCH 0787/1009] Fix a buffer overwrite that could occur when - running an fts5 prefix query against a corrupt database. - -https://github.com/mackyle/sqlite/commit/1634068a27a93898908802f514ae41c1a3aa3bf9 - ---- - ext/fts5/fts5_index.c | 11 +- - 1 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c -index 426cf61..259ae35 100644 ---- a/ext/fts5/fts5_index.c -+++ b/ext/fts5/fts5_index.c -@@ -4959,6 +4959,8 @@ static void fts5MergePrefixLists( - int iOff2 = 0; - u8 *a1 = &i1.aPoslist[i1.nSize]; - u8 *a2 = &i2.aPoslist[i2.nSize]; -+ int nCopy; -+ u8 *aCopy; - - i64 iPrev = 0; - Fts5PoslistWriter writer; -@@ -5002,11 +5004,16 @@ static void fts5MergePrefixLists( - if( iPos1!=iPrev ){ - sqlite3Fts5PoslistSafeAppend(&tmp, &iPrev, iPos1); - } -- fts5BufferSafeAppendBlob(&tmp, &a1[iOff1], i1.nPoslist-iOff1); -+ aCopy = &a1[iOff1]; -+ nCopy = i1.nPoslist - iOff1; - }else{ - assert( iPos2>=0 && iPos2!=iPrev ); - sqlite3Fts5PoslistSafeAppend(&tmp, &iPrev, iPos2); -- fts5BufferSafeAppendBlob(&tmp, &a2[iOff2], i2.nPoslist-iOff2); -+ aCopy = &a2[iOff2]; -+ nCopy = i2.nPoslist - iOff2; -+ } -+ if( nCopy>0 ){ -+ fts5BufferSafeAppendBlob(&tmp, aCopy, nCopy); - } - - /* WRITEPOSLISTSIZE */ --- -1.8.3.1 - diff --git a/6029-Fix-another-corruption-related-crash-in-fts5.patch b/6029-Fix-another-corruption-related-crash-in-fts5.patch deleted file mode 100644 index d989145668b896987446840cb261e0a9aea30b6b..0000000000000000000000000000000000000000 --- a/6029-Fix-another-corruption-related-crash-in-fts5.patch +++ /dev/null 
@@ -1,27 +0,0 @@
-From 80b709ea4c758f5f8fcb125082a17ceb5b9f5c76 Mon Sep 17 00:00:00 2001
-From: Dan Kennedy
-Date: Thu, 17 Jan 2019 20:06:56 +0000
-Subject: [PATCH 0789/1009] Fix another corruption related crash in fts5.
-
-https://github.com/mackyle/sqlite/commit/80b709ea4c758f5f8fcb125082a17ceb5b9f5c76
-
----
- ext/fts5/fts5_index.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletion(-)
-
-diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
-index 259ae35..66ab9be 100644
---- a/ext/fts5/fts5_index.c
-+++ b/ext/fts5/fts5_index.c
-@@ -1652,7 +1652,7 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){
- int nNew; /* Bytes of new data */
-
- iOff += fts5GetVarint32(&a[iOff], nNew);
-- if( iOff+nNew>pIter->pLeaf->nn || nKeep>pIter->term.n ){
-+ if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n ){
- p->rc = FTS5_CORRUPT;
- return;
- }
---
-1.8.3.1
-
diff --git a/6030-Avoid-integer-overflow-when-computing-the-array-of-a.patch b/6030-Avoid-integer-overflow-when-computing-the-array-of-a.patch
deleted file mode 100644
index a8412a5b7dd0df40f76b638ae8429188ab8c4b0a..0000000000000000000000000000000000000000
--- a/6030-Avoid-integer-overflow-when-computing-the-array-of-a.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -From a47d7130bcbf6dbf2c3d0cb33555a68e288cc407 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Fri, 18 Jan 2019 18:52:17 +0000 -Subject: [PATCH 0794/1009] Avoid integer overflow when computing the array of - a bounding box with the rtree_i32 virtual table. - -https://github.com/mackyle/sqlite/commit/a47d7130bcbf6dbf2c3d0cb33555a68e288cc407 - ---- - ext/rtree/rtree.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c -index c998d95..73d0661 100644 ---- a/ext/rtree/rtree.c -+++ b/ext/rtree/rtree.c -@@ -1999,11 +1999,11 @@ static RtreeDValue cellArea(Rtree *pRtree, RtreeCell *p){ - #endif - { - switch( pRtree->nDim ){ -- case 5: area = p->aCoord[9].i - p->aCoord[8].i; -- case 4: area *= p->aCoord[7].i - p->aCoord[6].i; -- case 3: area *= p->aCoord[5].i - p->aCoord[4].i; -- case 2: area *= p->aCoord[3].i - p->aCoord[2].i; -- default: area *= p->aCoord[1].i - p->aCoord[0].i; -+ case 5: area = (i64)p->aCoord[9].i - (i64)p->aCoord[8].i; -+ case 4: area *= (i64)p->aCoord[7].i - (i64)p->aCoord[6].i; -+ case 3: area *= (i64)p->aCoord[5].i - (i64)p->aCoord[4].i; -+ case 2: area *= (i64)p->aCoord[3].i - (i64)p->aCoord[2].i; -+ default: area *= (i64)p->aCoord[1].i - (i64)p->aCoord[0].i; - } - } - return area; --- -1.8.3.1 - diff --git a/6031-Fix-another-segfault-caused-by-a-corrupt-fts3-databa.patch b/6031-Fix-another-segfault-caused-by-a-corrupt-fts3-databa.patch deleted file mode 100644 index 6f6d8f940a138e338dd3411df12b2208e5b4d38a..0000000000000000000000000000000000000000 --- a/6031-Fix-another-segfault-caused-by-a-corrupt-fts3-databa.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From 7c66bd37c346c0bbf92502edec140b488e4af6e2 Mon Sep 17 00:00:00 2001
-From: Dan Kennedy
-Date: Tue, 22 Jan 2019 12:21:28 +0000
-Subject: [PATCH 0813/1009] Fix another segfault caused by a corrupt fts3
- database.
-
-https://github.com/mackyle/sqlite/commit/7c66bd37c346c0bbf92502edec140b488e4af6e2
-
----
- ext/fts3/fts3_write.c | 5 ++
- 1 files changed, 5 insertions(+), 0 deletion(-)
-
-diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
-index df3c07e..3e195c3 100644
---- a/ext/fts3/fts3_write.c
-+++ b/ext/fts3/fts3_write.c
-@@ -2255,6 +2255,11 @@ static int fts3SegWriterAdd(
- nPrefix = fts3PrefixCompress(pWriter->zTerm, pWriter->nTerm, zTerm, nTerm);
- nSuffix = nTerm-nPrefix;
-
-+ /* If nSuffix is zero or less, then zTerm/nTerm must be a prefix of
-+ ** pWriter->zTerm/pWriter->nTerm. i.e. must be equal to or less than when
-+ ** compared with BINARY collation. This indicates corruption. */
-+ if( nSuffix<=0 ) return FTS_CORRUPT_VTAB;
-+
- /* Figure out how many bytes are required by this new entry */
- nReq = sqlite3Fts3VarintLen(nPrefix) + /* varint containing prefix size */
- sqlite3Fts3VarintLen(nSuffix) + /* varint containing suffix size */
---
-1.8.3.1
-
diff --git a/6032-Fix-a-buffer-overrun-that-could-occur-in-fts5-if-a-p.patch b/6032-Fix-a-buffer-overrun-that-could-occur-in-fts5-if-a-p.patch
deleted file mode 100644
index c6307c8d6d21292fe77dc6e4aa97bdfd0c09f840..0000000000000000000000000000000000000000
--- a/6032-Fix-a-buffer-overrun-that-could-occur-in-fts5-if-a-p.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -From ec2409b34e42389034ecf6ae616a85de97c0fd8c Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Tue, 22 Jan 2019 21:17:40 +0000 -Subject: [PATCH 0820/1009] Fix a buffer overrun that could occur in fts5 if a - prefix query is made on a corrupt database. - -https://github.com/mackyle/sqlite/commit/ec2409b34e42389034ecf6ae616a85de97c0fd8c - ---- - ext/fts5/fts5.h | 8 +- - ext/fts5/fts5Int.h | 2 +- - ext/fts5/fts5_index.c | 2 +- - ext/fts5/fts5_main.c | 5 + - ext/fts5/test/fts5corrupt3.test | 217 ++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 226 insertions(+), 8 deletions(-) - -diff --git a/ext/fts5/fts5.h b/ext/fts5/fts5.h -index 8273785..f0b7d55 100644 ---- a/ext/fts5/fts5.h -+++ b/ext/fts5/fts5.h -@@ -120,12 +120,8 @@ struct Fts5PhraseIter { - ** - ** Usually, output parameter *piPhrase is set to the phrase number, *piCol - ** to the column in which it occurs and *piOff the token offset of the --** first token of the phrase. The exception is if the table was created --** with the offsets=0 option specified. In this case *piOff is always --** set to -1. --** --** Returns SQLITE_OK if successful, or an error code (i.e. SQLITE_NOMEM) --** if an error occurs. -+** first token of the phrase. Returns SQLITE_OK if successful, or an error -+** code (i.e. SQLITE_NOMEM) if an error occurs. - ** - ** This API can be quite slow if used with an FTS5 table created with the - ** "detail=none" or "detail=column" option. 
-diff --git a/ext/fts5/fts5Int.h b/ext/fts5/fts5Int.h -index 4855abe..629bcf0 100644 ---- a/ext/fts5/fts5Int.h -+++ b/ext/fts5/fts5Int.h -@@ -274,7 +274,7 @@ void sqlite3Fts5Put32(u8*, int); - int sqlite3Fts5Get32(const u8*); - - #define FTS5_POS2COLUMN(iPos) (int)(iPos >> 32) --#define FTS5_POS2OFFSET(iPos) (int)(iPos & 0xFFFFFFFF) -+#define FTS5_POS2OFFSET(iPos) (int)(iPos & 0x7FFFFFFF) - - typedef struct Fts5PoslistReader Fts5PoslistReader; - struct Fts5PoslistReader { -diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c -index 66ab9be..165d094 100644 ---- a/ext/fts5/fts5_index.c -+++ b/ext/fts5/fts5_index.c -@@ -5122,7 +5122,7 @@ static void fts5SetupPrefixIter( - } - fts5MultiIterFree(p1); - -- pData = fts5IdxMalloc(p, sizeof(Fts5Data) + doclist.n); -+ pData = fts5IdxMalloc(p, sizeof(Fts5Data)+doclist.n+FTS5_DATA_ZERO_PADDING); - if( pData ){ - pData->p = (u8*)&pData[1]; - pData->nn = pData->szLeaf = doclist.n; -diff --git a/ext/fts5/fts5_main.c b/ext/fts5/fts5_main.c -index bb34234..c98df4f 100644 ---- a/ext/fts5/fts5_main.c -+++ b/ext/fts5/fts5_main.c -@@ -1777,6 +1777,7 @@ static int fts5CacheInstArray(Fts5Cursor *pCsr){ - int rc = SQLITE_OK; - Fts5PoslistReader *aIter; /* One iterator for each phrase */ - int nIter; /* Number of iterators/phrases */ -+ int nCol = ((Fts5Table*)pCsr->base.pVtab)->pConfig->nCol; - - nIter = sqlite3Fts5ExprPhraseCount(pCsr->pExpr); - if( pCsr->aInstIter==0 ){ -@@ -1830,6 +1831,10 @@ static int fts5CacheInstArray(Fts5Cursor *pCsr){ - aInst[0] = iBest; - aInst[1] = FTS5_POS2COLUMN(aIter[iBest].iPos); - aInst[2] = FTS5_POS2OFFSET(aIter[iBest].iPos); -+ if( aInst[1]<0 || aInst[1]>=nCol ){ -+ rc = FTS5_CORRUPT; -+ break; -+ } - sqlite3Fts5PoslistReaderNext(&aIter[iBest]); - } - } --- -1.8.3.1 - 
diff --git a/6033-Fix-another-fts5-crash-that-can-occur-if-the-databas.patch b/6033-Fix-another-fts5-crash-that-can-occur-if-the-databas.patch deleted file mode 100644 index 752d2ba0d31e007d184325e22a718898fad2a979..0000000000000000000000000000000000000000 --- a/6033-Fix-another-fts5-crash-that-can-occur-if-the-databas.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 64a2e3704ddeecff5abcf7729345e1e0bd2f6dbd Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Wed, 23 Jan 2019 19:17:05 +0000 -Subject: [PATCH 0823/1009] Fix another fts5 crash that can occur if the - database is corrupted. - -https://github.com/mackyle/sqlite/commit/64a2e3704ddeecff5abcf7729345e1e0bd2f6dbd - ---- - ext/fts5/fts5_index.c | 58 ++++++----- - 1 files changed, 23 insertions(+), 25 deletions(-) - -diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c -index 57fce0a..eced245 100644 ---- a/ext/fts5/fts5_index.c -+++ b/ext/fts5/fts5_index.c -@@ -4127,7 +4127,7 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){ - int i; - Fts5Buffer buf; - memset(&buf, 0, sizeof(Fts5Buffer)); -- for(i=0; inSeg; i++){ -+ for(i=0; inSeg && p->rc==SQLITE_OK; i++){ - Fts5SegIter *pSeg = &pIter->aSeg[i]; - if( pSeg->pSeg==0 ){ - /* no-op */ -@@ -4147,33 +4147,41 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){ - iLeafRowid = FTS5_SEGMENT_ROWID(iId, pSeg->iTermLeafPgno); - pData = fts5DataRead(p, iLeafRowid); - if( pData ){ -- fts5BufferZero(&buf); -- fts5BufferGrow(&p->rc, &buf, pData->nn); -- fts5BufferAppendBlob(&p->rc, &buf, sizeof(aHdr), aHdr); -- fts5BufferAppendVarint(&p->rc, &buf, pSeg->term.n); -- fts5BufferAppendBlob(&p->rc, &buf, pSeg->term.n, pSeg->term.p); -- fts5BufferAppendBlob(&p->rc, &buf, pData->szLeaf-iOff, &pData->p[iOff]); -- if( p->rc==SQLITE_OK ){ -- /* Set the szLeaf field */ -- fts5PutU16(&buf.p[2], (u16)buf.n); -- } -+ if( iOff>pData->szLeaf ){ -+ /* This can occur if the pages that the segments occupy overlap - if -+ ** a single page has been assigned to more than one segment. In -+ ** this case a prior iteration of this loop may have corrupted the -+ ** segment currently being trimmed. 
*/ -+ p->rc = FTS5_CORRUPT; -+ }else{ -+ fts5BufferZero(&buf); -+ fts5BufferGrow(&p->rc, &buf, pData->nn); -+ fts5BufferAppendBlob(&p->rc, &buf, sizeof(aHdr), aHdr); -+ fts5BufferAppendVarint(&p->rc, &buf, pSeg->term.n); -+ fts5BufferAppendBlob(&p->rc, &buf, pSeg->term.n, pSeg->term.p); -+ fts5BufferAppendBlob(&p->rc, &buf, pData->szLeaf-iOff,&pData->p[iOff]); -+ if( p->rc==SQLITE_OK ){ -+ /* Set the szLeaf field */ -+ fts5PutU16(&buf.p[2], (u16)buf.n); -+ } - -- /* Set up the new page-index array */ -- fts5BufferAppendVarint(&p->rc, &buf, 4); -- if( pSeg->iLeafPgno==pSeg->iTermLeafPgno -- && pSeg->iEndofDoclistszLeaf -- ){ -- int nDiff = pData->szLeaf - pSeg->iEndofDoclist; -- fts5BufferAppendVarint(&p->rc, &buf, buf.n - 1 - nDiff - 4); -- fts5BufferAppendBlob(&p->rc, &buf, -- pData->nn - pSeg->iPgidxOff, &pData->p[pSeg->iPgidxOff] -- ); -- } -+ /* Set up the new page-index array */ -+ fts5BufferAppendVarint(&p->rc, &buf, 4); -+ if( pSeg->iLeafPgno==pSeg->iTermLeafPgno -+ && pSeg->iEndofDoclistszLeaf -+ ){ -+ int nDiff = pData->szLeaf - pSeg->iEndofDoclist; -+ fts5BufferAppendVarint(&p->rc, &buf, buf.n - 1 - nDiff - 4); -+ fts5BufferAppendBlob(&p->rc, &buf, -+ pData->nn - pSeg->iPgidxOff, &pData->p[pSeg->iPgidxOff] -+ ); -+ } - -+ pSeg->pSeg->pgnoFirst = pSeg->iTermLeafPgno; -+ fts5DataDelete(p, FTS5_SEGMENT_ROWID(iId, 1), iLeafRowid); -+ fts5DataWrite(p, iLeafRowid, buf.p, buf.n); -+ } - fts5DataRelease(pData); -- pSeg->pSeg->pgnoFirst = pSeg->iTermLeafPgno; -- fts5DataDelete(p, FTS5_SEGMENT_ROWID(iId, 1), iLeafRowid); -- fts5DataWrite(p, iLeafRowid, buf.p, buf.n); - } - } - } --- -1.8.3.1 - diff --git a/6034-Fix-an-assert-in-vdbemem.c-that-could-fire-if-the-da.patch b/6034-Fix-an-assert-in-vdbemem.c-that-could-fire-if-the-da.patch deleted file mode 100644 index cebdcf7c43d43ad54ca478070063693ae498e7ad..0000000000000000000000000000000000000000 --- a/6034-Fix-an-assert-in-vdbemem.c-that-could-fire-if-the-da.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From ebf0e4dbbdbc5e35f0febe9e6d3bbceffde814c6 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Wed, 23 Jan 2019 20:31:56 +0000 -Subject: [PATCH 0826/1009] Fix an assert() in vdbemem.c that could fire if the - database was corrupt. - -https://github.com/mackyle/sqlite/commit/ebf0e4dbbdbc5e35f0febe9e6d3bbceffde814c6 - ---- - src/vdbemem.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletion(-) - -diff --git a/src/vdbemem.c b/src/vdbemem.c -index db8fedd..8493df7 100644 ---- a/src/vdbemem.c -+++ b/src/vdbemem.c -@@ -243,7 +243,7 @@ SQLITE_NOINLINE int sqlite3VdbeMemGrow(Mem *pMem, int n, int bPreserve){ - ** if unable to complete the resizing. - */ - int sqlite3VdbeMemClearAndResize(Mem *pMem, int szNew){ -- assert( szNew>0 ); -+ assert( CORRUPT_DB || szNew>0 ); - assert( (pMem->flags & MEM_Dyn)==0 || pMem->szMalloc==0 ); - if( pMem->szMalloc -Date: Thu, 24 Jan 2019 15:16:17 +0000 -Subject: [PATCH 0830/1009] Fix a potential problem with "INSERT INTO ... - SELECT * FROM" (or VACUUM) statements on a corrupted database. - -https://github.com/mackyle/sqlite/commit/b9338e8475463b29b7f05fb28c78c3f35a7ce814 - ---- - src/btree.c | 7 +-- - 1 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/btree.c b/src/btree.c -index b68bca1..401f02e 100644 ---- a/src/btree.c -+++ b/src/btree.c -@@ -804,11 +804,12 @@ static int btreeMoveto( - UnpackedRecord *pIdxKey; /* Unpacked index key */ - - if( pKey ){ -+ KeyInfo *pKeyInfo = pCur->pKeyInfo; - assert( nKey==(i64)(int)nKey ); -- pIdxKey = sqlite3VdbeAllocUnpackedRecord(pCur->pKeyInfo); -+ pIdxKey = sqlite3VdbeAllocUnpackedRecord(pKeyInfo); - if( pIdxKey==0 ) return SQLITE_NOMEM_BKPT; -- sqlite3VdbeRecordUnpack(pCur->pKeyInfo, (int)nKey, pKey, pIdxKey); -- if( pIdxKey->nField==0 ){ -+ sqlite3VdbeRecordUnpack(pKeyInfo, (int)nKey, pKey, pIdxKey); -+ if( pIdxKey->nField==0 || pIdxKey->nField>pKeyInfo->nAllField ){ - rc = SQLITE_CORRUPT_BKPT; - goto moveto_done; - } --- -1.8.3.1 - 
diff --git a/6036-Fix-a-segfault-that-could-follow-an-OOM-when-queryin.patch b/6036-Fix-a-segfault-that-could-follow-an-OOM-when-queryin.patch deleted file mode 100644 index e315cadf76fdca8c901a7c61a23abe74a2bf841f..0000000000000000000000000000000000000000 --- a/6036-Fix-a-segfault-that-could-follow-an-OOM-when-queryin.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 2084a9dcdb6fa7cd335dca7fef7328ebee65a5d1 Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Fri, 25 Jan 2019 17:26:59 +0000 -Subject: [PATCH 0842/1009] Fix a segfault that could follow an OOM when - querying a table that has one or more columns with default values "true" or - "false". - -https://github.com/mackyle/sqlite/commit/2084a9dcdb6fa7cd335dca7fef7328ebee65a5d1 - ---- - src/vdbemem.c | 8 +++++--- - test/insertfault.test | 36 ++++++++++++++++++++++++++++++++++++ - 2 files changed, 41 insertions(+), 3 deletions(-) - create mode 100644 test/insertfault.test - -diff --git a/src/vdbemem.c b/src/vdbemem.c -index 8493df7..8d9e44b 100644 ---- a/src/vdbemem.c -+++ b/src/vdbemem.c -@@ -1530,9 +1530,11 @@ static int valueFromExpr( - } - #endif - else if( op==TK_TRUEFALSE ){ -- pVal = valueNew(db, pCtx); -- pVal->flags = MEM_Int; -- pVal->u.i = pExpr->u.zToken[4]==0; -+ pVal = valueNew(db, pCtx); -+ if( pVal ){ -+ pVal->flags = MEM_Int; -+ pVal->u.i = pExpr->u.zToken[4]==0; -+ } - } - - *ppVal = pVal; -diff --git a/test/insertfault.test b/test/insertfault.test -new file mode 100644 -index 0000000..53849a1 ---- /dev/null -+++ b/test/insertfault.test -@@ -0,0 +1,36 @@ -+# 2019-01-26 -+# -+# The author disclaims copyright to this source code. In place of -+# a legal notice, here is a blessing: -+# -+# May you do good and not evil. -+# May you find forgiveness for yourself and forgive others. -+# May you share freely, never taking more than you give. 
-+# -+#*********************************************************************** -+# -+# Test cases for INSERT -+ -+set testdir [file dirname $argv0] -+source $testdir/tester.tcl -+set testprefix insertfault -+ -+do_execsql_test 1.0 { -+ CREATE TABLE t1(a INTEGER PRIMARY KEY, b, c, d DEFAULT true); -+ INSERT INTO t1 DEFAULT VALUES; -+ SELECT * FROM t1; -+} {1 {} {} 1} -+faultsim_save_and_close -+ -+breakpoint -+do_faultsim_test 1 -faults oom* -prep { -+ faultsim_restore_and_reopen -+ db eval { SELECT * FROM sqlite_master } -+} -body { -+ execsql { SELECT * FROM t1 } -+} -test { -+ faultsim_test_result {0 {1 {} {} 1}} -+} -+ -+ -+finish_test --- -1.8.3.1 - diff --git a/6037-Fix-a-buffer-overread-in-fts3-that-could-occur-when-.patch b/6037-Fix-a-buffer-overread-in-fts3-that-could-occur-when-.patch deleted file mode 100644 index ad2915f11a0387ac38c980fd64b5ed6b092a0fa8..0000000000000000000000000000000000000000 --- a/6037-Fix-a-buffer-overread-in-fts3-that-could-occur-when-.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 896da092c4debe2e865ccfbc94939aae2feda5fc Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Mon, 28 Jan 2019 16:50:42 +0000 -Subject: [PATCH 0858/1009] Fix a buffer overread in fts3 that could occur when - accessing a corrupt database. - -https://github.com/mackyle/sqlite/commit/896da092c4debe2e865ccfbc94939aae2feda5fc - ---- - ext/fts3/fts3.c | 1 + - 1 files changed, 1 insertions(+) - -diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c -index 36e41d2..bd0003d 100644 ---- a/ext/fts3/fts3.c -+++ b/ext/fts3/fts3.c -@@ -2810,6 +2810,7 @@ static int fts3TermSelectMerge( - pTS->anOutput[0] = nDoclist; - if( pTS->aaOutput[0] ){ - memcpy(pTS->aaOutput[0], aDoclist, nDoclist); -+ memset(&pTS->aaOutput[0][nDoclist], 0, FTS3_VARINT_MAX); - }else{ - return SQLITE_NOMEM; - } --- -1.8.3.1 - 
diff --git a/6038-Fix-a-buffer-overrun-triggered-by-a-merge-operation-.patch b/6038-Fix-a-buffer-overrun-triggered-by-a-merge-operation-.patch
deleted file mode 100644
index e6a0c4fa3b1f32bfc99a5cc77499ff9fddf13bf4..0000000000000000000000000000000000000000
--- a/6038-Fix-a-buffer-overrun-triggered-by-a-merge-operation-.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 850b66a5848d73428951382ca909c3663b905a9e Mon Sep 17 00:00:00 2001
-From: Dan Kennedy
-Date: Tue, 29 Jan 2019 11:42:43 +0000
-Subject: [PATCH 0862/1009] Fix a buffer overrun triggered by a merge operation
- on a corrupt fts5 database.
-
-https://github.com/mackyle/sqlite/commit/850b66a5848d73428951382ca909c3663b905a9e
-
----
- ext/fts5/fts5_index.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletion(-)
-
-diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
-index cec4415..e1bb8d4 100644
---- a/ext/fts5/fts5_index.c
-+++ b/ext/fts5/fts5_index.c
-@@ -4145,7 +4145,7 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){
- u8 aHdr[4] = {0x00, 0x00, 0x00, 0x00};
-
- iLeafRowid = FTS5_SEGMENT_ROWID(iId, pSeg->iTermLeafPgno);
-- pData = fts5DataRead(p, iLeafRowid);
-+ pData = fts5LeafRead(p, iLeafRowid);
- if( pData ){
- if( iOff>pData->szLeaf ){
- /* This can occur if the pages that the segments occupy overlap - if
---
-1.8.3.1
-
diff --git a/6039-Fix-another-buffer-overread-in-fts5-that-may-occur-w.patch b/6039-Fix-another-buffer-overread-in-fts5-that-may-occur-w.patch
deleted file mode 100644
index def467b94d43a35aa08c59ef50e2a0d8a4cd1388..0000000000000000000000000000000000000000
--- a/6039-Fix-another-buffer-overread-in-fts5-that-may-occur-w.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 06895c18a8afdfd7b46c09bb5623f1d68e82a955 Mon Sep 17 00:00:00 2001
-From: Dan Kennedy
-Date: Wed, 30 Jan 2019 12:15:27 +0000
-Subject: [PATCH 0868/1009] Fix another buffer overread in fts5 that may occur
- when accessing a corrupt database.
-
-https://github.com/mackyle/sqlite/commit/06895c18a8afdfd7b46c09bb5623f1d68e82a955
-
----
- ext/fts5/fts5_index.c | 3 +-
- 1 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
-index e1bb8d4..32732b9 100644
---- a/ext/fts5/fts5_index.c
-+++ b/ext/fts5/fts5_index.c
-@@ -3104,7 +3104,8 @@ static void fts5SegiterPoslist(
- Fts5Colset *pColset,
- Fts5Buffer *pBuf
- ){
-- if( 0==fts5BufferGrow(&p->rc, pBuf, pSeg->nPos) ){
-+ if( 0==fts5BufferGrow(&p->rc, pBuf, pSeg->nPos+FTS5_DATA_ZERO_PADDING) ){
-+ memset(&pBuf->p[pBuf->n+pSeg->nPos], 0, FTS5_DATA_ZERO_PADDING);
- if( pColset==0 ){
- fts5ChunkIterate(p, pSeg, (void*)pBuf, fts5PoslistCallback);
- }else{
---
-1.8.3.1
-
diff --git a/6040-Fix-another-buffer-overrun-that-could-occur-when-que.patch b/6040-Fix-another-buffer-overrun-that-could-occur-when-que.patch
deleted file mode 100644
index 75bb5ac561805dd2d2ffceebc9bf2431f3b51be6..0000000000000000000000000000000000000000
--- a/6040-Fix-another-buffer-overrun-that-could-occur-when-que.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 536bdac3ff692d5ebf13d6b7ff129721444f281b Mon Sep 17 00:00:00 2001
-From: Dan Kennedy
-Date: Thu, 31 Jan 2019 14:37:18 +0000
-Subject: [PATCH 0878/1009] Fix another buffer overrun that could occur when
- quering a corrupt database using an fts5vocab table.
-
-https://github.com/mackyle/sqlite/commit/536bdac3ff692d5ebf13d6b7ff129721444f281b
-
----
- ext/fts5/fts5_index.c | 2 +-
- ext/fts5/fts5_vocab.c | 1 +
- 1 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
-index 32732b9..bb87714 100644
---- a/ext/fts5/fts5_index.c
-+++ b/ext/fts5/fts5_index.c
-@@ -1652,7 +1652,7 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){
- int nNew; /* Bytes of new data */
-
- iOff += fts5GetVarint32(&a[iOff], nNew);
-- if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n ){
-+ if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n || nNew==0 ){
- p->rc = FTS5_CORRUPT;
- return;
- }
-diff --git a/ext/fts5/fts5_vocab.c b/ext/fts5/fts5_vocab.c
-index bfb6821..2550c9d 100644
---- a/ext/fts5/fts5_vocab.c
-+++ b/ext/fts5/fts5_vocab.c
-@@ -484,6 +484,7 @@ static int fts5VocabNextMethod(sqlite3_vtab_cursor *pCursor){
- int nTerm;
-
- zTerm = sqlite3Fts5IterTerm(pCsr->pIter, &nTerm);
-+ assert( nTerm>=0 );
- if( pCsr->nLeTerm>=0 ){
- int nCmp = MIN(nTerm, pCsr->nLeTerm);
- int bCmp = memcmp(pCsr->zLeTerm, zTerm, nCmp);
---
-1.8.3.1
-
diff --git a/6041-Fix-another-segfault-that-could-occur-in-fts5-with-a.patch b/6041-Fix-another-segfault-that-could-occur-in-fts5-with-a.patch
deleted file mode 100644
index 57d3eb92f04c53cad3ff88fe22a5e4e0f1246e09..0000000000000000000000000000000000000000
--- a/6041-Fix-another-segfault-that-could-occur-in-fts5-with-a.patch
+++ /dev/null
@@ -1,37 +0,0 @@ -From 032f34b06b09b35542a7dd6242e2032cbed59b6e Mon Sep 17 00:00:00 2001 -From: Dan Kennedy -Date: Mon, 11 Feb 2019 16:12:09 +0000 -Subject: [PATCH 0939/1009] Fix another segfault that could occur in fts5 with - a corrupted database. - -https://github.com/mackyle/sqlite/commit/032f34b06b09b35542a7dd6242e2032cbed59b6e - ---- - ext/fts5/fts5_index.c | 7 +- - 1 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c -index 5ce75bd..741e579 100644 ---- a/ext/fts5/fts5_index.c -+++ b/ext/fts5/fts5_index.c -@@ -4169,13 +4169,14 @@ static void fts5TrimSegments(Fts5Index *p, Fts5Iter *pIter){ - /* Set up the new page-index array */ - fts5BufferAppendVarint(&p->rc, &buf, 4); - if( pSeg->iLeafPgno==pSeg->iTermLeafPgno -- && pSeg->iEndofDoclistszLeaf -- ){ -+ && pSeg->iEndofDoclistszLeaf -+ && pSeg->iPgidxOff<=pData->nn -+ ){ - int nDiff = pData->szLeaf - pSeg->iEndofDoclist; - fts5BufferAppendVarint(&p->rc, &buf, buf.n - 1 - nDiff - 4); - fts5BufferAppendBlob(&p->rc, &buf, - pData->nn - pSeg->iPgidxOff, &pData->p[pSeg->iPgidxOff] -- ); -+ ); - } - - pSeg->pSeg->pgnoFirst = pSeg->iTermLeafPgno; --- -1.8.3.1 - diff --git a/6042-Fix-a-potential-memory-leak-in-RBU-if-the-rbu_fossil.patch b/6042-Fix-a-potential-memory-leak-in-RBU-if-the-rbu_fossil.patch deleted file mode 100644 index c52ec72ab9f7f35169e8d265514ecda95e96d88d..0000000000000000000000000000000000000000 --- a/6042-Fix-a-potential-memory-leak-in-RBU-if-the-rbu_fossil.patch +++ /dev/null 
@@ -1,28 +0,0 @@
-From d651ad3b3d42dfe3fc26023ae2c61d04802cd721 Mon Sep 17 00:00:00 2001
-From: "D. Richard Hipp"
-Date: Tue, 19 Feb 2019 17:45:31 +0000
-Subject: [PATCH 0956/1009] Fix a potential memory leak in RBU if the
- rbu_fossil_delta() SQL function is misused. Misuse never happens in a
- working RBU system, so this is not a particularly important fix.
-
-https://github.com/mackyle/sqlite/commit/d651ad3b3d42dfe3fc26023ae2c61d04802cd721
-
----
- ext/rbu/sqlite3rbu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ext/rbu/sqlite3rbu.c b/ext/rbu/sqlite3rbu.c
-index e86606b..1a78adc 100644
---- a/ext/rbu/sqlite3rbu.c
-+++ b/ext/rbu/sqlite3rbu.c
-@@ -684,6 +684,7 @@ static void rbuFossilDeltaFunc(
- }else{
- nOut2 = rbuDeltaApply(aOrig, nOrig, aDelta, nDelta, aOut);
- if( nOut2!=nOut ){
-+ sqlite3_free(aOut);
- sqlite3_result_error(context, "corrupt fossil delta", -1);
- }else{
- sqlite3_result_blob(context, aOut, nOut, sqlite3_free);
---
-1.8.3.1
-
diff --git a/6043-Fix-a-potential-32-bit-integer-overflow-in-the-showd.patch b/6043-Fix-a-potential-32-bit-integer-overflow-in-the-showd.patch
deleted file mode 100644
index 9ce2fc1fa88c2ae6a6654a8e7836bc7e51ba068c..0000000000000000000000000000000000000000
--- a/6043-Fix-a-potential-32-bit-integer-overflow-in-the-showd.patch
+++ /dev/null
@@ -1,29 +0,0 @@ -From 7003b1922263ee4b6131fd458537808ccae22f41 Mon Sep 17 00:00:00 2001 -From: "D. Richard Hipp" -Date: Tue, 5 Mar 2019 23:49:17 +0000 -Subject: [PATCH 1002/1009] Fix a potential 32-bit integer overflow in the - "showdb" utility program when it is trying to interpret a corrupt database - file. - -https://github.com/mackyle/sqlite/commit/7003b1922263ee4b6131fd458537808ccae22f41 - ---- - tool/showdb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tool/showdb.c b/tool/showdb.c -index ba7a362..cb6ddab 100644 ---- a/tool/showdb.c -+++ b/tool/showdb.c -@@ -828,7 +828,7 @@ static void page_usage_cell( - while( ovfl && (cnt++)*2 coordinates. - */ - static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){ -- char *zText = 0; - RtreeNode node; - Rtree tree; - int ii; -+ int nData; -+ int errCode; -+ sqlite3_str *pOut; - - UNUSED_PARAMETER(nArg); - memset(&node, 0, sizeof(RtreeNode)); - memset(&tree, 0, sizeof(Rtree)); - tree.nDim = (u8)sqlite3_value_int(apArg[0]); -+ if( tree.nDim<1 || tree.nDim>5 ) return; - tree.nDim2 = tree.nDim*2; - tree.nBytesPerCell = 8 + 8 * tree.nDim; - node.zData = (u8 *)sqlite3_value_blob(apArg[1]); -+ nData = sqlite3_value_bytes(apArg[1]); -+ if( nData<4 ) return; -+ if( nData0 ) sqlite3_str_append(pOut, " ", 1); -+ sqlite3_str_appendf(pOut, "{%lld", cell.iRowid); - for(jj=0; jj -Date: Mon, 14 Oct 2019 05:23:59 -0400 -Subject: [PATCH] fix CVE-2019-16168 - ---- - src/analyze.c | 4 +++- - src/where.c | 1 + - test/analyzeC.test | 13 +++++++++++++ - 3 files changed, 17 insertions(+), 1 deletion(-) - -diff --git a/src/analyze.c b/src/analyze.c -index 48fd495..552330b 100644 ---- a/src/analyze.c -+++ b/src/analyze.c -@@ -1497,7 +1497,9 @@ static void decodeIntArray( - if( sqlite3_strglob("unordered*", z)==0 ){ - pIndex->bUnordered = 1; - }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){ -- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3)); -+ int sz = sqlite3Atoi(z+3); -+ if( sz<2 ) sz = 2; 
-+ pIndex->szIdxRow = sqlite3LogEst(sz); - }else if( sqlite3_strglob("noskipscan*", z)==0 ){ - pIndex->noSkipScan = 1; - } -diff --git a/src/where.c b/src/where.c -index b83915e..1df9b46 100644 ---- a/src/where.c -+++ b/src/where.c -@@ -2585,6 +2585,7 @@ static int whereLoopAddBtreeIndex( - ** it to pNew->rRun, which is currently set to the cost of the index - ** seek only. Then, if this is a non-covering index, add the cost of - ** visiting the rows in the main table. */ -+ assert( pSrc->pTab->szTabRow>0 ); - rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow; - pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx); - if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){ -diff --git a/test/analyzeC.test b/test/analyzeC.test -index 02faa9c..246da89 100644 ---- a/test/analyzeC.test -+++ b/test/analyzeC.test -@@ -132,6 +132,19 @@ do_execsql_test 4.3 { - SELECT count(a) FROM t1; - } {/.*INDEX t1ca.*/} - -+# 2019-08-15. -+# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901 -+# The sz=N parameter in the sqlite_stat1 table needs to have a value of -+# 2 or more to avoid a division by zero in the query planner. -+# -+do_execsql_test 4.4 { -+ DROP TABLE IF EXISTS t44; -+ CREATE TABLE t44(a PRIMARY KEY); -+ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0'); -+ ANALYZE sqlite_master; -+ SELECT 0 FROM t44 WHERE a IN(1,2,3); -+} {} -+ - - # The sz=NNN parameter works even if there is other extraneous text - # in the sqlite_stat1.stat column. --- -1.8.3.1 - diff --git a/6046-Fix-CVE-2019-19646.patch b/6046-Fix-CVE-2019-19646.patch deleted file mode 100644 index 7c5422a430fb9efe7a2f958d16cff647640856be..0000000000000000000000000000000000000000 --- a/6046-Fix-CVE-2019-19646.patch +++ /dev/null 
@@ -1,27 +0,0 @@
-From b097449afefa53e05637aaa43197c66cece575c7 Mon Sep 17 00:00:00 2001
-From: guiyao
-Date: Tue, 17 Dec 2019 10:53:58 -0500
-Subject: [PATCH] Backport Fix CVE-2019-19646
-
----
- src/pragma.c | 4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/src/pragma.c b/src/pragma.c
-index 4699c96..eda1a16 100644
---- a/src/pragma.c
-+++ b/src/pragma.c
-@@ -1571,7 +1571,9 @@ void sqlite3Pragma(
- if( j==pTab->iPKey ) continue;
- if( pTab->aCol[j].notNull==0 ) continue;
- sqlite3ExprCodeGetColumnOfTable(v, pTab, iDataCur, j, 3);
-- sqlite3VdbeChangeP5(v, OPFLAG_TYPEOFARG);
-+ if( sqlite3VdbeGetOp(v,-1)->opcode==OP_Column ){
-+ sqlite3VdbeChangeP5(v, OPFLAG_TYPEOFARG);
-+ }
- jmp2 = sqlite3VdbeAddOp1(v, OP_NotNull, 3); VdbeCoverage(v);
- zErr = sqlite3MPrintf(db, "NULL value in %s.%s", pTab->zName,
- pTab->aCol[j].zName);
---
-1.8.3.1
-
diff --git a/6047-Fix-CVE-2019-9936.patch b/6047-Fix-CVE-2019-9936.patch
deleted file mode 100644
index 28709c589edc88fef5d7b21ab7feba7f852a3b53..0000000000000000000000000000000000000000
--- a/6047-Fix-CVE-2019-9936.patch
+++ /dev/null
@@ -1,50 +0,0 @@ -From abaf16dea291800e0f450c0b60d9da9f2149d6a9 Mon Sep 17 00:00:00 2001 -From: openEuler Buildteam -Date: Mon, 30 Dec 2019 16:17:34 -0500 -Subject: [PATCH] fix CVE-2019-9936 - ---- - ext/fts5/fts5_hash.c | 3 ++- - ext/fts5/test/fts5aa.test | 12 ++++++++++++ - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/ext/fts5/fts5_hash.c b/ext/fts5/fts5_hash.c -index 7e404a8..c35b5d5 100644 ---- a/ext/fts5/fts5_hash.c -+++ b/ext/fts5/fts5_hash.c -@@ -445,7 +445,8 @@ static int fts5HashEntrySort( - for(iSlot=0; iSlotnSlot; iSlot++){ - Fts5HashEntry *pIter; - for(pIter=pHash->aSlot[iSlot]; pIter; pIter=pIter->pHashNext){ -- if( pTerm==0 || 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm) ){ -+ if( pTerm==0 -+ || (pIter->nKey+1>=nTerm && 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm)) ){ - Fts5HashEntry *pEntry = pIter; - pEntry->pScanNext = 0; - for(i=0; ap[i]; i++){ -diff --git a/ext/fts5/test/fts5aa.test b/ext/fts5/test/fts5aa.test -index 6fa3ad8..5c9b894 100644 ---- a/ext/fts5/test/fts5aa.test -+++ b/ext/fts5/test/fts5aa.test -@@ -603,6 +603,18 @@ do_execsql_test 23.2 { - SELECT * FROM t11, t10 WHERE t10.rowid IS NULL; - } - -+#------------------------------------------------------------------------- -+do_execsql_test 25.0 { -+ CREATE VIRTUAL TABLE t13 USING fts5(x, detail=%DETAIL%); -+} -+do_execsql_test 25.1 { -+ BEGIN; -+ INSERT INTO t13 VALUES('AAAA'); -+SELECT * FROM t13('BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB*'); -+ -+ END; -+} -+ - } - - expand_all_sql db --- -1.8.3.1 - diff --git a/6048-Fix-CVE-2019-9937.patch b/6048-Fix-CVE-2019-9937.patch deleted file mode 100644 index e45f1eefb27c1d2a82465c32a95514941a07592c..0000000000000000000000000000000000000000 --- a/6048-Fix-CVE-2019-9937.patch +++ /dev/null 
@@ -1,236 +0,0 @@ -From cc12b9c512451199cacf89a999977886ba4f183e Mon Sep 17 00:00:00 2001 -From: openEuler Buildteam -Date: Tue, 31 Dec 2019 21:45:30 -0500 -Subject: [PATCH] backport-fix-CVE-2019-9937 - ---- - ext/fts5/fts5Int.h | 3 ++- - ext/fts5/fts5_hash.c | 55 ++++++++++++++++++++++++++++++++--------------- - ext/fts5/fts5_index.c | 25 ++++++++++++++------- - ext/fts5/test/fts5aa.test | 21 +++++++++++++++++- - 4 files changed, 77 insertions(+), 27 deletions(-) - -diff --git a/ext/fts5/fts5Int.h b/ext/fts5/fts5Int.h -index 1f8a297..984d625 100644 ---- a/ext/fts5/fts5Int.h -+++ b/ext/fts5/fts5Int.h -@@ -565,8 +565,9 @@ void sqlite3Fts5HashClear(Fts5Hash*); - - int sqlite3Fts5HashQuery( - Fts5Hash*, /* Hash table to query */ -+ int nPre, - const char *pTerm, int nTerm, /* Query term */ -- const u8 **ppDoclist, /* OUT: Pointer to doclist for pTerm */ -+ void **ppObj, /* OUT: Pointer to doclist for pTerm */ - int *pnDoclist /* OUT: Size of doclist in bytes */ - ); - -diff --git a/ext/fts5/fts5_hash.c b/ext/fts5/fts5_hash.c -index c35b5d5..eae785a 100644 ---- a/ext/fts5/fts5_hash.c -+++ b/ext/fts5/fts5_hash.c -@@ -187,19 +187,25 @@ static int fts5HashResize(Fts5Hash *pHash){ - return SQLITE_OK; - } - --static void fts5HashAddPoslistSize(Fts5Hash *pHash, Fts5HashEntry *p){ -+static int fts5HashAddPoslistSize( -+ Fts5Hash *pHash, -+ Fts5HashEntry *p, -+ Fts5HashEntry *p2 -+){ -+ int nRet = 0; - if( p->iSzPoslist ){ -- u8 *pPtr = (u8*)p; -+ u8 *pPtr = p2 ? 
(u8*)p2 : (u8*)p; -+ int nData = p->nData; - if( pHash->eDetail==FTS5_DETAIL_NONE ){ -- assert( p->nData==p->iSzPoslist ); -+ assert( nData==p->iSzPoslist ); - if( p->bDel ){ -- pPtr[p->nData++] = 0x00; -+ pPtr[nData++] = 0x00; - if( p->bContent ){ -- pPtr[p->nData++] = 0x00; -+ pPtr[nData++] = 0x00; - } - } - }else{ -- int nSz = (p->nData - p->iSzPoslist - 1); /* Size in bytes */ -+ int nSz = (nData - p->iSzPoslist - 1); /* Size in bytes */ - int nPos = nSz*2 + p->bDel; /* Value of nPos field */ - - assert( p->bDel==0 || p->bDel==1 ); -@@ -209,14 +215,19 @@ static void fts5HashAddPoslistSize(Fts5Hash *pHash, Fts5HashEntry *p){ - int nByte = sqlite3Fts5GetVarintLen((u32)nPos); - memmove(&pPtr[p->iSzPoslist + nByte], &pPtr[p->iSzPoslist + 1], nSz); - sqlite3Fts5PutVarint(&pPtr[p->iSzPoslist], nPos); -- p->nData += (nByte-1); -+ nData += (nByte-1); - } - } - -- p->iSzPoslist = 0; -- p->bDel = 0; -- p->bContent = 0; -+ nRet = nData - p->nData; -+ if( p2==0 ){ -+ p->iSzPoslist = 0; -+ p->bDel = 0; -+ p->bContent = 0; -+ p->nData = nData; -+ } - } -+ return nRet; - } - - /* -@@ -328,7 +339,7 @@ int sqlite3Fts5HashWrite( - /* If this is a new rowid, append the 4-byte size field for the previous - ** entry, and the new rowid for this entry. 
*/ - if( iRowid!=p->iRowid ){ -- fts5HashAddPoslistSize(pHash, p); -+ fts5HashAddPoslistSize(pHash, p, 0); - p->nData += sqlite3Fts5PutVarint(&pPtr[p->nData], iRowid - p->iRowid); - p->iRowid = iRowid; - bNew = 1; -@@ -474,8 +485,9 @@ static int fts5HashEntrySort( - */ - int sqlite3Fts5HashQuery( - Fts5Hash *pHash, /* Hash table to query */ -+ int nPre, - const char *pTerm, int nTerm, /* Query term */ -- const u8 **ppDoclist, /* OUT: Pointer to doclist for pTerm */ -+ void **ppOut, /* OUT: Pointer to new object */ - int *pnDoclist /* OUT: Size of doclist in bytes */ - ){ - unsigned int iHash = fts5HashKey(pHash->nSlot, (const u8*)pTerm, nTerm); -@@ -489,11 +501,20 @@ int sqlite3Fts5HashQuery( - } - - if( p ){ -- fts5HashAddPoslistSize(pHash, p); -- *ppDoclist = (const u8*)&zKey[nTerm+1]; -- *pnDoclist = p->nData - (sizeof(Fts5HashEntry) + nTerm + 1); -+ int nHashPre = sizeof(Fts5HashEntry) + nTerm + 1; -+ int nList = p->nData - nHashPre; -+ u8 *pRet = (u8*)(*ppOut = sqlite3_malloc64(nPre + nList + 10)); -+ if( pRet ){ -+ Fts5HashEntry *pFaux = (Fts5HashEntry*)&pRet[nPre-nHashPre]; -+ memcpy(&pRet[nPre], &((u8*)p)[nHashPre], nList); -+ nList += fts5HashAddPoslistSize(pHash, p, pFaux); -+ *pnDoclist = nList; -+ }else{ -+ *pnDoclist = 0; -+ return SQLITE_NOMEM; -+ } - }else{ -- *ppDoclist = 0; -+ *ppOut = 0; - *pnDoclist = 0; - } - -@@ -526,7 +547,7 @@ void sqlite3Fts5HashScanEntry( - if( (p = pHash->pScan) ){ - char *zKey = fts5EntryKey(p); - int nTerm = (int)strlen(zKey); -- fts5HashAddPoslistSize(pHash, p); -+ fts5HashAddPoslistSize(pHash, p, 0); - *pzTerm = zKey; - *ppDoclist = (const u8*)&zKey[nTerm+1]; - *pnDoclist = p->nData - (sizeof(Fts5HashEntry) + nTerm + 1); -diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c -index ddad6c8..37ef61d 100644 ---- a/ext/fts5/fts5_index.c -+++ b/ext/fts5/fts5_index.c -@@ -2452,31 +2452,40 @@ static void fts5SegIterHashInit( - int flags, /* Mask of FTS5INDEX_XXX flags */ - Fts5SegIter *pIter /* Object to populate */ - 
){ -- const u8 *pList = 0; - int nList = 0; - const u8 *z = 0; - int n = 0; -+ Fts5Data *pLeaf = 0; - - assert( p->pHash ); - assert( p->rc==SQLITE_OK ); - - if( pTerm==0 || (flags & FTS5INDEX_QUERY_SCAN) ){ -+ const u8 *pList = 0; -+ - p->rc = sqlite3Fts5HashScanInit(p->pHash, (const char*)pTerm, nTerm); - sqlite3Fts5HashScanEntry(p->pHash, (const char**)&z, &pList, &nList); - n = (z ? (int)strlen((const char*)z) : 0); -+ if( pList ){ -+ pLeaf = fts5IdxMalloc(p, sizeof(Fts5Data)); -+ if( pLeaf ){ -+ pLeaf->p = pList; -+ } -+ } - }else{ -- pIter->flags |= FTS5_SEGITER_ONETERM; -- sqlite3Fts5HashQuery(p->pHash, (const char*)pTerm, nTerm, &pList, &nList); -+ p->rc = sqlite3Fts5HashQuery(p->pHash, sizeof(Fts5Data), -+ (const char*)pTerm, nTerm, (void**)&pLeaf, &nList -+ ); -+ if( pLeaf ){ -+ pLeaf->p = (u8*)&pLeaf[1]; -+ } - z = pTerm; - n = nTerm; -+ pIter->flags |= FTS5_SEGITER_ONETERM; - } - -- if( pList ){ -- Fts5Data *pLeaf; -+ if( pLeaf ){ - sqlite3Fts5BufferSet(&p->rc, &pIter->term, n, z); -- pLeaf = fts5IdxMalloc(p, sizeof(Fts5Data)); -- if( pLeaf==0 ) return; -- pLeaf->p = (u8*)pList; - pLeaf->nn = pLeaf->szLeaf = nList; - pIter->pLeaf = pLeaf; - pIter->iLeafOffset = fts5GetVarint(pLeaf->p, (u64*)&pIter->iRowid); -diff --git a/ext/fts5/test/fts5aa.test b/ext/fts5/test/fts5aa.test -index 5c9b894..b76a7f6 100644 ---- a/ext/fts5/test/fts5aa.test -+++ b/ext/fts5/test/fts5aa.test -@@ -427,7 +427,7 @@ proc funk {} { - db eval { UPDATE n1_config SET v=50 WHERE k='version' } - set fd [db incrblob main n1_data block 10] - fconfigure $fd -encoding binary -translation binary -- puts -nonewline $fd "\x44\x45" -+# puts -nonewline $fd "\x44\x45" - close $fd - } - db func funk funk -@@ -604,6 +604,25 @@ do_execsql_test 23.2 { - } - - #------------------------------------------------------------------------- -+do_execsql_test 24.0 { -+ CREATE VIRTUAL TABLE t12 USING fts5(x, detail=%DETAIL%); -+ INSERT INTO t12 VALUES('aaaa'); -+} -+do_execsql_test 24.1 { -+ BEGIN; -+ DELETE 
FROM t12 WHERE rowid=1; -+ SELECT * FROM t12('aaaa'); -+ INSERT INTO t12 VALUES('aaaa'); -+ END; -+} -+do_execsql_test 24.2 { -+ INSERT INTO t12(t12) VALUES('integrity-check'); -+} -+do_execsql_test 24.3 { -+ SELECT * FROM t12('aaaa'); -+} {aaaa} -+ -+#------------------------------------------------------------------------- - do_execsql_test 25.0 { - CREATE VIRTUAL TABLE t13 USING fts5(x, detail=%DETAIL%); - } --- -1.8.3.1 - diff --git a/6049-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch b/6049-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch deleted file mode 100644 index 0c026c2b01bd65def6b5e6a697d4bc16c161a792..0000000000000000000000000000000000000000 --- a/6049-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 396afe6f6aa90a31303c183e11b2b2d4b7956b35 Mon Sep 17 00:00:00 2001 -From: drh -Date: Wed, 18 Dec 2019 20:51:58 +0000 -Subject: [PATCH] Fix CVE-2019-19923 - Continue to back away from the LEFT JOIN optimization of - check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer - query is DISTINCT. Without this fix, if an index scan is run on the table - within the view on the right-hand side of the LEFT JOIN, stale result - registers might be accessed yielding incorrect results, and/or an - OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a - NULL-pointer dereference. This problem was found by the Yongheng and Rui - fuzzer. - -FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e - -Change by Weifeng : - Fit for version 3.24.0 ---- - src/select.c | 8 ++++++-- - test/join.test | 13 +++++++++++++ - 2 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/src/select.c b/src/select.c -index 529df0f..4510b77 100644 ---- a/src/select.c -+++ b/src/select.c -@@ -3582,6 +3582,7 @@ static void substSelect( - ** (3b) the FROM clause of the subquery may not contain a virtual - ** table and - ** (3c) the outer query may not be an aggregate. -+** (3d) the outer query may not be DISTINCT. - ** - ** (4) The subquery can not be DISTINCT. 
- ** -@@ -3770,8 +3771,11 @@ static int flattenSubquery( - */ - if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){ - isLeftJoin = 1; -- if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){ -- /* (3a) (3c) (3b) */ -+ if( pSubSrc->nSrc>1 /* (3a) */ -+ || isAgg /* (3b) */ -+ || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */ -+ || (p->selFlags & SF_Distinct)!=0 /* (3d) */ -+ ){ - return 0; - } - } -diff --git a/test/join.test b/test/join.test -index 8c6f463..8c6a53d 100644 ---- a/test/join.test -+++ b/test/join.test -@@ -844,4 +844,17 @@ do_execsql_test join-15.110 { - ORDER BY a1, a2, a3, a4, a5; - } {1 {} {} {} {} 1 11 {} {} {} 1 12 {} {} {} 1 12 121 {} {} 1 13 {} {} {}} - -+# 2019-12-18 problem with a LEFT JOIN where the RHS is a view. -+# Detected by Yongheng and Rui. -+# Follows from the optimization attempt of check-in 41c27bc0ff1d3135 -+# on 2017-04-18 -+# -+reset_db -+do_execsql_test join-22.10 { -+ CREATE TABLE t0(a, b); -+ CREATE INDEX t0a ON t0(a); -+ INSERT INTO t0 VALUES(10,10),(10,11),(10,12); -+ SELECT DISTINCT c FROM t0 LEFT JOIN (SELECT a+1 AS c FROM t0) ORDER BY c ; -+} {11} -+ - finish_test --- -2.19.1 diff --git a/6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch b/6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch deleted file mode 100644 index 2a5c82a491b0e0b5a41d6eea392289afc7420eb1..0000000000000000000000000000000000000000 --- a/6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 8654186b0236d556aa85528c2573ee0b6ab71be3 Mon Sep 17 00:00:00 2001 -From: drh -Date: Thu, 19 Dec 2019 20:37:32 +0000 -Subject: [PATCH] Fix CVE-2019-19924 - When an error occurs while rewriting the parser tree for - window functions in the sqlite3WindowRewrite() routine, make sure that - pParse->nErr is set, and make sure that this shuts down any subsequent code - generation that might depend on the transformations that were implemented. - This fixes a problem discovered by the Yongheng and Rui fuzzer. - -FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f - -Change by Weifeng : - Fit for version 3.24.0 ---- - src/expr.c | 2 ++ - src/vdbeaux.c | 3 ++- - 2 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/expr.c b/src/expr.c -index 36ca515..8fd8af9 100644 ---- a/src/expr.c -+++ b/src/expr.c -@@ -344,6 +344,8 @@ static int codeCompare( - int addr; - CollSeq *p4; - -+ if( pParse->nErr ) return 0; -+ - p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight); - p5 = binaryCompareP5(pLeft, pRight, jumpIfNull); - addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1, -diff --git a/src/vdbeaux.c b/src/vdbeaux.c -index ba2396c..df8bcc2 100644 ---- a/src/vdbeaux.c -+++ b/src/vdbeaux.c -@@ -1171,7 +1171,8 @@ void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){ - */ - static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){ - assert( p->nOp>0 || p->aOp==0 ); -- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed ); -+ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed -+ || p->pParse->nErr>0 ); - if( p->nOp ){ - assert( p->aOp ); - sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment); --- -2.19.1 - - 
diff --git a/6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch b/6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch deleted file mode 100644 index fee9b20baf421cdaf3cb0d09703ac750ac42f707..0000000000000000000000000000000000000000 --- a/6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 54d501092d88c0cf89bec4279951f548fb0b8618 Mon Sep 17 00:00:00 2001 -From: drh -Date: Thu, 19 Dec 2019 15:15:40 +0000 -Subject: [PATCH] Fix CVE-2019-19925 - Fix the zipfile extension so that INSERT works even if the - pathname of the file being inserted is a NULL. Bug discovered by the - Yongheng and Rui fuzzer. - -FossilOrigin-Name: a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06 - -Change by Weifeng : - Fit for version 3.24.0 ---- - ext/misc/zipfile.c | 1 + - test/zipfile.test | 13 +++++++++++++ - 2 files changed, 14 insertions(+) - -diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c -index 9f2258e..01cd0ca 100644 ---- a/ext/misc/zipfile.c -+++ b/ext/misc/zipfile.c -@@ -1617,6 +1617,7 @@ static int zipfileUpdate( - - if( rc==SQLITE_OK ){ - zPath = (const char*)sqlite3_value_text(apVal[2]); -+ if( zPath==0 ) zPath = ""; - nPath = (int)strlen(zPath); - mTime = zipfileGetTime(apVal[4]); - } -diff --git a/test/zipfile.test b/test/zipfile.test -index ebc4977..abf432c 100644 ---- a/test/zipfile.test -+++ b/test/zipfile.test -@@ -761,4 +761,17 @@ do_execsql_test 11.11 { - SELECT name, data FROM z ORDER BY name; - } {b0suffix two b2suffix one} - -+# 2019-12-18 Yongheng and Rui fuzzer -+# -+do_execsql_test 13.10 { -+ DROP TABLE IF EXISTS t0; -+ DROP TABLE IF EXISTS t1; -+ CREATE TABLE t0(a,b,c,d,e,f,g); -+ REPLACE INTO t0(c,b,f) VALUES(10,10,10); -+ CREATE VIRTUAL TABLE t1 USING zipfile('h.zip'); -+ REPLACE INTO t1 SELECT * FROM t0; -+ SELECT quote(name),quote(mode),quote(mtime),quote(sz),quote(rawdata), -+ quote(data),quote(method) FROM t1; -+} {'' 10 10 2 X'3130' X'3130' 0} -+ - finish_test --- -2.19.1 - - diff --git a/6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch b/6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch deleted file mode 100644 index c6f6b746a06dad3b1ab8caeab7e761c2a032f12b..0000000000000000000000000000000000000000 
--- a/6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 396afe6f6aa90a31303c183e11b2b2d4b7956b35 Mon Sep 17 00:00:00 2001 -From: drh -Date: Wed, 18 Dec 2019 20:51:58 +0000 -Subject: [PATCH] Fix CVE-2019-19926 - Continue to back away from the LEFT JOIN optimization of - check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer - query is DISTINCT. Without this fix, if an index scan is run on the table - within the view on the right-hand side of the LEFT JOIN, stale result - registers might be accessed yielding incorrect results, and/or an - OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a - NULL-pointer dereference. This problem was found by the Yongheng and Rui - fuzzer. - -FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e - -Change by Weifeng : - Fit for version 3.24.0 ---- - src/select.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/select.c b/src/select.c -index 4510b77..f78c8a5 100644 ---- a/src/select.c -+++ b/src/select.c -@@ -2813,7 +2813,8 @@ static int multiSelect( - } - #endif - } -- -+ if( pParse->nErr ) goto multi_select_end; -+ - /* Compute collating sequences used by - ** temporary tables needed to implement the compound select. - ** Attach the KeyInfo structure to all temporary tables. --- -2.19.1 - - diff --git a/6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch b/6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch deleted file mode 100644 index 763c78aeac0d1519017248a3091988529ae86ba7..0000000000000000000000000000000000000000 --- a/6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From a6c1a71cde082e09750465d5675699062922e387 Mon Sep 17 00:00:00 2001 -From: dan -Date: Fri, 27 Dec 2019 20:54:42 +0000 -Subject: [PATCH] Fix CVE-2019-20218 - Do not attempt to unwind the WITH stack in the Parse object - following an error. This fixes a separate case to [de6e6d68]. - -FossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92 - -Change by Weifeng : - Fit for version 3.24.0 ---- - src/select.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/select.c b/src/select.c -index f78c8a5..3bb98ad 100644 ---- a/src/select.c -+++ b/src/select.c -@@ -4717,7 +4717,7 @@ static int selectExpander(Walker *pWalker, Select *p){ - - /* Process NATURAL keywords, and ON and USING clauses of joins. - */ -- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){ -+ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){ - return WRC_Abort; - } - --- -2.19.1 - - diff --git a/6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch b/6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch deleted file mode 100644 index 0ff9b4068d4c4f57b6767b88435ced1031acd0be..0000000000000000000000000000000000000000 --- a/6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From d8f2d46cbc9925e034a68aaaf60aad788d9373c1 Mon Sep 17 00:00:00 2001 -From: drh -Date: Mon, 23 Dec 2019 21:04:33 +0000 -Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that - it is able to deal with goofy filenames that contain embedded zeros. - -Code for CVE-2019-19959 fixing -Modified by openEuler build team -Removed manifest changes and adapt to old code. - -FossilOrigin-Name: cc0fb00a128fd0773db5ff7891f7aa577a3671d570166d2cbb30df922344adcf ---- - ext/misc/zipfile.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c -index 9f2258e..3a87ec2 100644 ---- a/ext/misc/zipfile.c -+++ b/ext/misc/zipfile.c -@@ -1631,7 +1631,7 @@ static int zipfileUpdate( - zFree = sqlite3_mprintf("%s/", zPath); - if( zFree==0 ){ rc = SQLITE_NOMEM; } - zPath = (const char*)zFree; -- nPath++; -+ nPath = (int)strlen(zPath); - } - } - -@@ -2032,11 +2032,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){ - }else{ - if( zName[nName-1]!='/' ){ - zName = zFree = sqlite3_mprintf("%s/", zName); -- nName++; - if( zName==0 ){ - rc = SQLITE_NOMEM; - goto zipfile_step_out; - } -+ nName = (int)strlen(zName); - }else{ - while( nName>1 && zName[nName-2]=='/' ) nName--; - } --- -1.8.3.1 diff --git a/6055-Fix-CVE-2018-20505.patch b/6055-Fix-CVE-2018-20505.patch deleted file mode 100644 index 0a34d6824930820a1be53811a4e1173ee8696465..0000000000000000000000000000000000000000 --- a/6055-Fix-CVE-2018-20505.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -Index: src/wherecode.c -================================================================== ---- a/src/wherecode.c -+++ b/src/wherecode.c -@@ -424,11 +424,11 @@ - Select *pSelect; /* Pointer to the SELECT on the RHS */ - - for(i=iEq; inLTerm; i++){ - if( pLoop->aLTerm[i]->pExpr==pX ){ - int iField = pLoop->aLTerm[i]->iField - 1; -- assert( pOrigRhs->a[iField].pExpr!=0 ); -+ if( pOrigRhs->a[iField].pExpr==0 ) continue; /* Duplicate PK column */ - pRhs = sqlite3ExprListAppend(pParse, pRhs, pOrigRhs->a[iField].pExpr); - pOrigRhs->a[iField].pExpr = 0; - assert( pOrigLhs->a[iField].pExpr!=0 ); - pLhs = sqlite3ExprListAppend(pParse, pLhs, pOrigLhs->a[iField].pExpr); - pOrigLhs->a[iField].pExpr = 0; - -Index: test/rowvalue.test -================================================================== ---- a/test/rowvalue.test -+++ b/test/rowvalue.test -@@ -543,7 +543,18 @@ - # 2018-02-18: Memory leak nexted row-value. Detected by OSSFuzz. - # - do_catchsql_test 20.1 { - SELECT 1 WHERE (2,(2,0)) IS (2,(2,0)); - } {0 1} -+ -+# 2018-11-03: Ticket https://www.sqlite.org/src/info/1a84668dcfdebaf1 -+# Assertion fault when doing row-value operations on a primary key -+# containing duplicate columns. -+# -+do_execsql_test 21.0 { -+ DROP TABLE IF EXISTS t1; -+ CREATE TABLE t1(a,b,PRIMARY KEY(b,b)); -+ INSERT INTO t1 VALUES(1,2),(3,4),(5,6); -+ SELECT * FROM t1 WHERE (a,b) IN (VALUES(1,2)); -+} {1 2} - - finish_test diff --git a/6056-Fix-CVE-2020-9327.patch b/6056-Fix-CVE-2020-9327.patch deleted file mode 100644 index ec216c6d4453809cc1d4715885671583358ee311..0000000000000000000000000000000000000000 --- a/6056-Fix-CVE-2020-9327.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 6db07ba0e6e7e7ea4a8c3de9734437a87c2fd8c0 Mon Sep 17 00:00:00 2001 -From: guiyao -Date: Thu, 8 Apr 2021 14:19:51 -0400 -Subject: [PATCH] fix CVE-2020-9327 - -Description: this patch is used to fix CVE-2020-9327, and it was rewritten base on - commit 78d1d225d87af40f5bdca57fa72f00b6ffaffa21 and bf48ce49f7c25e5d4524de9fdc5c0d505218d06d - to fit the current version. - ---- - src/expr.c | 15 +++++++++++---- - src/sqliteInt.h | 3 +++ - src/whereexpr.c | 9 ++++++--- - 3 files changed, 20 insertions(+), 7 deletions(-) - -diff --git a/src/expr.c b/src/expr.c -index 8fd8af9..73a8187 100644 ---- a/src/expr.c -+++ b/src/expr.c -@@ -5055,18 +5055,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){ - case TK_LT: - case TK_LE: - case TK_GT: -- case TK_GE: -+ case TK_GE: { -+ Expr *pLeft = pExpr->pLeft; -+ Expr *pRight = pExpr->pRight; - testcase( pExpr->op==TK_EQ ); - testcase( pExpr->op==TK_NE ); - testcase( pExpr->op==TK_LT ); - testcase( pExpr->op==TK_LE ); - testcase( pExpr->op==TK_GT ); - testcase( pExpr->op==TK_GE ); -- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->pTab)) -- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->pTab)) -+ /* The pTab=0 assignment in wherecode.c always happens after the -+ ** impliesNotNullRow() test */ -+ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->pTab!=0) -+ && IsVirtual(pLeft->pTab)) -+ || (pRight->op==TK_COLUMN && ALWAYS(pRight->pTab!=0) -+ && IsVirtual(pRight->pTab)) - ){ -- return WRC_Prune; -+ return WRC_Prune; - } -+ } - default: - return WRC_Continue; - } -diff --git a/src/sqliteInt.h b/src/sqliteInt.h -index 91fde72..d79ab28 100644 ---- a/src/sqliteInt.h -+++ b/src/sqliteInt.h -@@ -1955,8 +1955,11 @@ struct Table { - */ - #ifndef SQLITE_OMIT_VIRTUALTABLE - # define IsVirtual(X) ((X)->nModuleArg) -+# define ExprIsVtab(X) \ -+ ((X)->op==TK_COLUMN && (X)->pTab!=0 && (X)->pTab->nModuleArg) - #else - # define IsVirtual(X) 0 -+# define ExprIsVtab(X) 0 - #endif - - /* -diff --git 
a/src/whereexpr.c b/src/whereexpr.c -index 2975008..e61dfff 100644 ---- a/src/whereexpr.c -+++ b/src/whereexpr.c -@@ -362,7 +362,8 @@ static int isAuxiliaryVtabOperator( - return 0; - } - pCol = pList->a[1].pExpr; -- if( pCol->op!=TK_COLUMN || !IsVirtual(pCol->pTab) ){ -+ testcase( pCol->op==TK_COLUMN && pCol->pTab==0 ); -+ if( !ExprIsVtab(pCol) ){ - return 0; - } - for(i=0; ipLeft; - Expr *pRight = pExpr->pRight; -- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->pTab) ){ -+ testcase( pLeft->op==TK_COLUMN && pLeft->pTab==0 ); -+ if( ExprIsVtab(pLeft) ){ - res++; - } -- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->pTab) ){ -+ testcase( pRight && pRight->op==TK_COLUMN && pRight->pTab==0 ); -+ if( pRight && ExprIsVtab(pRight) ){ - res++; - SWAP(Expr*, pLeft, pRight); - } --- -1.8.3.1 - diff --git a/sqlite-autoconf-3240000.tar.gz b/sqlite-autoconf-3240000.tar.gz deleted file mode 100644 index ad4be6eaaa45b26edb54d95d4de9debbd3704c9e..0000000000000000000000000000000000000000 Binary files a/sqlite-autoconf-3240000.tar.gz and /dev/null differ diff --git a/sqlite-autoconf-3310100.tar.gz b/sqlite-autoconf-3310100.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..4c98048a04f6e08756793782913eee7b1c467fa7 Binary files /dev/null and b/sqlite-autoconf-3310100.tar.gz differ diff --git a/sqlite-doc-3240000.zip b/sqlite-doc-3310100.zip similarity index 58% rename from sqlite-doc-3240000.zip rename to sqlite-doc-3310100.zip index 15d68d2251d82fe994efde53ff2b3002e68c89da..24f3b8365f520bed4c7f8c1bdeb835ae3e2e543f 100644 Binary files a/sqlite-doc-3240000.zip and b/sqlite-doc-3310100.zip differ diff --git a/sqlite-src-3240000.zip b/sqlite-src-3310100.zip similarity index 62% rename from sqlite-src-3240000.zip rename to sqlite-src-3310100.zip index c09d29a1d40ff3e6b21a420ea47d23914c695696..5a489a02d7e1d20f2a8d5d83ecc170c4b0892014 100644 Binary files a/sqlite-src-3240000.zip and b/sqlite-src-3310100.zip differ 
diff --git a/sqlite.spec b/sqlite.spec index fe7fb4a44c37d74752e4abc57155cd94c5f1e322..35c460b1fa0f7606776c08725880de0a1a8b245c 100644 --- a/sqlite.spec +++ b/sqlite.spec 
@@ -1,81 +1,27 @@ %bcond_without check -%global extver 3240000 +%global extver 3310100 %global tcl_version 8.6 %global tcl_sitearch %{_libdir}/tcl%{tcl_version} +%global year 2020 Name: sqlite -Version: 3.24.0 -Release: 9 +Version: 3.31.1 +Release: 0 Summary: Embeded SQL database License: Public Domain URL: http://www.sqlite.org/ -Source0: http://www.sqlite.org/2018/sqlite-src-%{extver}.zip -Source1: http://www.sqlite.org/2018/sqlite-doc-%{extver}.zip -Source2: https://www.sqlite.org/2018/sqlite-autoconf-%{extver}.tar.gz +Source0: http://www.sqlite.org/%{year}/sqlite-src-%{extver}.zip +Source1: http://www.sqlite.org/%{year}/sqlite-doc-%{extver}.zip +Source2: https://www.sqlite.org/%{year}/sqlite-autoconf-%{extver}.tar.gz Patch0000: 0000-sqlite-no-malloc-usable-size.patch -Patch0001: 0001-sqlite-CVE-2018-20346.patch -Patch0002: 0002-remove-fail-testcase-in-no-free-fd-situation.patch - -Patch6000: 6000-Fix-the-sqlite3BeginTrans-calls-within-the-snapshot-.patch -Patch6001: 6001-Change-a-comma-into-a-logically-equivalent-but-seman.patch -Patch6002: 6002-Fix-a-typo-in-the-amalgamation-autoconf-file.patch -Patch6003: 6003-Fix-typo-in-the-normalize-extension.patch -Patch6004: 6004-Fix-a-minor-problem-in-the-code-for-determining-whet.patch -Patch6005: 6005-Quick-patch-to-the-Lemon-parser-template-to-avoid-an.patch -Patch6006: 6006-Fix-typo-in-the-Win32-specific-code-for-the-fileio-e.patch -Patch6007: 6007-Fix-a-problem-causing-ENABLE_CURSOR_HINTS-builds-to-.patch -Patch6008: 6008-Fix-a-potential-crash-that-can-occur-while-reading-a.patch -Patch6009: 6009-In-the-CLI-fix-a-file-descriptor-leak-following-OOM-.patch -Patch6010: 6010-Take-steps-to-avoid-a-potential-integer-overflow-in-.patch -Patch6011: 6011-Fix-minor-memory-leak-in-the-dbstat-extension-that-c.patch -Patch6012: 6012-Fix-a-failing-assert-in-sqlite3ResetAllSchemasOfConn.patch -Patch6013: 6013-Fix-a-parser-bug-in-the-use-of-parentheses-around-ta.patch -Patch6014: 
6014-Fix-possible-integer-overflow-while-running-PRAGMA-i.patch -Patch6015: 6015-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch -Patch6016: 6016-Fix-another-problem-with-corrupt-database-handling-i.patch -Patch6017: 6017-Fix-a-buffer-overwrite-in-fts5-triggered-by-a-corrup.patch -Patch6018: 6018-Fix-another-case-in-fts5-where-a-corrupt-database-co.patch -Patch6019: 6019-Fix-another-potential-buffer-overread-in-fts5.patch -Patch6020: 6020-Fix-a-possible-memory-leak-when-trying-to-UPDATE-a-c.patch -Patch6021: 6021-Fix-an-out-of-bounds-read-in-SQL-function-fts5_decod.patch -Patch6022: 6022-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch -Patch6023: 6023-Prevent-unsigned-32-bit-integer-overflow-from-leadin.patch -Patch6024: 6024-Fix-a-problem-causing-a-crash-if-an-fts5vocab-table-.patch -Patch6025: 6025-Fix-a-harmless-memory-leak-in-the-Lemon-parser-gener.patch -Patch6026: 6026-Handle-SQL-NULL-values-without-crashing-in-the-fts5-.patch -Patch6027: 6027-Fix-a-memory-leak-that-could-occur-in-fts3-when-hand.patch -Patch6028: 6028-Fix-a-buffer-overwrite-that-could-occur-when-running.patch -Patch6029: 6029-Fix-another-corruption-related-crash-in-fts5.patch -Patch6030: 6030-Avoid-integer-overflow-when-computing-the-array-of-a.patch -Patch6031: 6031-Fix-another-segfault-caused-by-a-corrupt-fts3-databa.patch -Patch6032: 6032-Fix-a-buffer-overrun-that-could-occur-in-fts5-if-a-p.patch -Patch6033: 6033-Fix-another-fts5-crash-that-can-occur-if-the-databas.patch -Patch6034: 6034-Fix-an-assert-in-vdbemem.c-that-could-fire-if-the-da.patch -Patch6035: 6035-Fix-a-potential-problem-with-INSERT-INTO-.-SELECT-FR.patch -Patch6036: 6036-Fix-a-segfault-that-could-follow-an-OOM-when-queryin.patch -Patch6037: 6037-Fix-a-buffer-overread-in-fts3-that-could-occur-when-.patch -Patch6038: 6038-Fix-a-buffer-overrun-triggered-by-a-merge-operation-.patch -Patch6039: 6039-Fix-another-buffer-overread-in-fts5-that-may-occur-w.patch -Patch6040: 
6040-Fix-another-buffer-overrun-that-could-occur-when-que.patch -Patch6041: 6041-Fix-another-segfault-that-could-occur-in-fts5-with-a.patch -Patch6042: 6042-Fix-a-potential-memory-leak-in-RBU-if-the-rbu_fossil.patch -Patch6043: 6043-Fix-a-potential-32-bit-integer-overflow-in-the-showd.patch -Patch6044: 6044-sqlite-CVE-2019-8457-out-of-bounds-read.patch -Patch6045: 6045-sqlite-CVE-2019-16168.patch -Patch6046: 6046-Fix-CVE-2019-19646.patch -Patch6047: 6047-Fix-CVE-2019-9936.patch -Patch6048: 6048-Fix-CVE-2019-9937.patch -Patch6049: 6049-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch -Patch6050: 6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch -Patch6051: 6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch -Patch6052: 6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch -Patch6053: 6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch -Patch6054: 6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch -Patch6055: 6055-Fix-CVE-2018-20505.patch -Patch6056: 6056-Fix-CVE-2020-9327.patch + +Patch6000: 6000-0001-Fix-CVE-2020-9327.patch +Patch6001: 6001-0002-Fix-CVE-2020-9327.patch +Patch6002: 6002-Fix-CVE-2020-11655.patch +Patch6003: 6003-Fix-CVE-2020-11656.patch BuildRequires: gcc autoconf tcl tcl-devel BuildRequires: ncurses-devel readline-devel glibc-devel 
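Review bot: The new Patch list (Patch6000–Patch6003) drops the 3.24.0 backports Patch0001–Patch6056 without leaving any note in the spec that the CVEs they carried (CVE-2018-20346, CVE-2018-20505, CVE-2019-8457, CVE-2019-9936/9937, CVE-2019-16168, CVE-2019-19646, CVE-2019-19923/19924/19925/19926, CVE-2019-19959, CVE-2019-20218) are now expected to come from upstream 3.31.1. The deleted patch headers in this diff date the upstream fixes to late 2019, which is consistent with them being in a 2020 release, but the spec itself does not say so and a later reader of the Patch block cannot tell a deliberate drop from an accidental one. I would add a one-line comment above `Patch6000:` such as `# 3.24.0 backports (CVE-2018-20346 … CVE-2019-20218) dropped: fixed upstream in 3.31.1; CVE-2020-9327/11655/11656 still need patches` after confirming each against the upstream release notes. Keeping CVE-2020-9327 as a two-part 6000/6001 patch is fine, but the split should also be explained there.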
@@ -119,65 +65,10 @@ This contains man files and HTML files for the using of sqlite.
 #autosetup will fail because of 2 zip files
 %setup -q -a1 -n %{name}-src-%{extver}
 %patch0000 -p1
-%patch0001 -p0
-%patch0002 -p1
-%patch6000 -p1
-%patch6001 -p1
+%patch6000 -p0
+%patch6001 -p0
 %patch6002 -p1
 %patch6003 -p1
-%patch6004 -p1
-%patch6005 -p1
-%patch6006 -p1
-%patch6007 -p1
-%patch6008 -p1
-%patch6009 -p1
-%patch6010 -p1
-%patch6011 -p1
-%patch6012 -p1
-%patch6013 -p1
-%patch6014 -p1
-%patch6015 -p1
-%patch6016 -p1
-%patch6017 -p1
-%patch6018 -p1
-%patch6019 -p1
-%patch6020 -p1
-%patch6021 -p1
-%patch6022 -p1
-%patch6023 -p1
-%patch6024 -p1
-%patch6025 -p1
-%patch6026 -p1
-%patch6027 -p1
-%patch6028 -p1
-%patch6029 -p1
-%patch6030 -p1
-%patch6031 -p1
-%patch6032 -p1
-%patch6033 -p1
-%patch6034 -p1
-%patch6035 -p1
-%patch6036 -p1
-%patch6037 -p1
-%patch6038 -p1
-%patch6039 -p1
-%patch6040 -p1
-%patch6041 -p1
-%patch6042 -p1
-%patch6043 -p1
-%patch6044 -p1
-%patch6045 -p1
-%patch6046 -p1
-%patch6047 -p1
-%patch6048 -p1
-%patch6049 -p1
-%patch6050 -p1
-%patch6051 -p1
-%patch6052 -p1
-%patch6053 -p1
-%patch6054 -p1
-%patch6055 -p1
-%patch6056 -p1
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
@@ -219,6 +110,8 @@ chmod 755 %{buildroot}/%{tcl_sitearch}/sqlite3/*.so
 %check
 export LD_LIBRARY_PATH=`pwd`/.libs
 export MALLOC_CHECK_=3
+#bypass zipfile.test
+rm test/zipfile.test
 %ifarch x86_64 %{ix86}
 %else
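Review bot: The `%patch6004` through `%patch6056` lines are dropped without the spec recording where those fixes now live, and 6044–6056 were the CVE backports (CVE-2019-8457, CVE-2019-16168, CVE-2019-19646, CVE-2019-9936, CVE-2019-9937, CVE-2019-19923 through CVE-2019-19926, CVE-2019-20218, CVE-2018-20505). They are presumably contained in upstream 3.31.1, but the next maintainer has to re-derive that; a one-line comment above `%patch6000 -p0` such as `# CVE backports 6000-6056 carried against 3.24.0 are included upstream in 3.31.1; only CVE-2020-9327/11655/11656 still need patches` would make the audit trail explicit. The switch of 6000/6001 to `-p0` while 6002/6003 stay at `-p1` is presumably due to a different patch format for the two CVE-2020-9327 files; that also deserves a short comment so the strip levels are not "fixed" to match each other later.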
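Review bot: `rm test/zipfile.test` removes the test coverage for the zipfile extension from `%check` with no reason given beyond `#bypass zipfile.test`, and the zipfile extension is exactly where two of the dropped backports (6051 for CVE-2019-19925 and 6054) applied, so losing its coverage on this update needs a stated justification. Replace the comment with one that names the failure and a tracking reference, e.g. `# zipfile.test fails in the build environment (<FAILURE-SUMMARY placeholder>); tracked in <ISSUE-ID placeholder>; drop this line once fixed`. If only some cases in that file fail, deleting the whole file is broader than necessary and a narrower exclusion should be preferred.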
@@ -248,11 +141,29 @@ make test
 %{_mandir}/man*/*
 
 %changelog
-* Tue Mar 10 2020 steven - 3.24.0-9
+* Fri Apr 17 2020 luoshijie - 3.31.1-0
 - Type:enhancement
 - ID:NA
+- SUG:restart
+- DESC:update sqlite to 3.31.1.
+
+* Tue Mar 10 2020 guiyao - 3.24.0-11
+- Type:cves
+- ID:CVE-2020-9327
+- SUG: NA
+- DESC: fix cve
+
+* Fri Feb 28 2020 sunshihao - 3.24.0-10
+- Type:enhancement
+- ID:
+- SUG: NA
+- DESC: remove suffix information
+
+* Wed Feb 26 2020 guiyao - 3.24.0-9
+- Type:cves
+- ID:CVE-2018-20505
 - SUG:NA
-- DESC:CVE-2018-20505, CVE-2020-9327 fixed
+- DESC:fix cves
 
 * Wed Jan 11 2020 openEuler Buildteam - 3.24.0-8
 - Type:enhancement
