From d043bf537616da4bb5c403745093b0b88165efc9 Mon Sep 17 00:00:00 2001
From: wbq_sky <wangbingquan@huawei.com>
Date: Fri, 3 Sep 2021 16:16:38 +0800
Subject: [PATCH] fix the infinite loop in the trim function while the pattern
 is well formed.

Signed-off-by: wbq_sky <wangbingquan@huawei.com>
(cherry picked from commit d81186e4277fe39540697e8db4e62eba5c7e88ff)
---
 0003-infinite-loop-in-trim-function.patch | 88 +++++++++++++++++++++++
 sqlite.spec                               |  7 +-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 0003-infinite-loop-in-trim-function.patch

diff --git a/0003-infinite-loop-in-trim-function.patch b/0003-infinite-loop-in-trim-function.patch
new file mode 100644
index 0000000..1790e40
--- /dev/null
+++ b/0003-infinite-loop-in-trim-function.patch
@@ -0,0 +1,88 @@
+diff -ruN origin_src/src/func.c sqlite-src-3340000/src/func.c
+--- origin_src/src/func.c	2021-09-03 10:46:50.253089516 +0800
++++ sqlite-src-3340000/src/func.c	2021-09-03 10:59:23.151415929 +0800
+@@ -1315,10 +1315,10 @@
+ ){
+   const unsigned char *zIn;         /* Input string */
+   const unsigned char *zCharSet;    /* Set of characters to trim */
+-  int nIn;                          /* Number of bytes in input */
++  unsigned int nIn;                 /* Number of bytes in input */
+   int flags;                        /* 1: trimleft  2: trimright  3: trim */
+   int i;                            /* Loop counter */
+-  unsigned char *aLen = 0;          /* Length of each character in zCharSet */
++  unsigned int *aLen = 0;           /* Length of each character in zCharSet */
+   unsigned char **azChar = 0;       /* Individual characters in zCharSet */
+   int nChar;                        /* Number of characters in zCharSet */
+ 
+@@ -1327,13 +1327,13 @@
+   }
+   zIn = sqlite3_value_text(argv[0]);
+   if( zIn==0 ) return;
+-  nIn = sqlite3_value_bytes(argv[0]);
++  nIn = (unsigned)sqlite3_value_bytes(argv[0]);
+   assert( zIn==sqlite3_value_text(argv[0]) );
+   if( argc==1 ){
+-    static const unsigned char lenOne[] = { 1 };
++    static const unsigned lenOne[] = { 1 };
+     static unsigned char * const azOne[] = { (u8*)" " };
+     nChar = 1;
+-    aLen = (u8*)lenOne;
++    aLen = (unsigned*)lenOne;
+     azChar = (unsigned char **)azOne;
+     zCharSet = 0;
+   }else if( (zCharSet = sqlite3_value_text(argv[1]))==0 ){
+@@ -1344,15 +1344,16 @@
+       SQLITE_SKIP_UTF8(z);
+     }
+     if( nChar>0 ){
+-      azChar = contextMalloc(context, ((i64)nChar)*(sizeof(char*)+1));
++      azChar = contextMalloc(context, 
++                     ((i64)nChar)*(sizeof(char*)+sizeof(unsigned)));
+       if( azChar==0 ){
+         return;
+       }
+-      aLen = (unsigned char*)&azChar[nChar];
++      aLen = (unsigned*)&azChar[nChar];
+       for(z=zCharSet, nChar=0; *z; nChar++){
+         azChar[nChar] = (unsigned char *)z;
+         SQLITE_SKIP_UTF8(z);
+-        aLen[nChar] = (u8)(z - azChar[nChar]);
++        aLen[nChar] = (unsigned)(z - azChar[nChar]);
+       }
+     }
+   }
+@@ -1360,7 +1361,7 @@
+     flags = SQLITE_PTR_TO_INT(sqlite3_user_data(context));
+     if( flags & 1 ){
+       while( nIn>0 ){
+-        int len = 0;
++        unsigned int len = 0;
+         for(i=0; i<nChar; i++){
+           len = aLen[i];
+           if( len<=nIn && memcmp(zIn, azChar[i], len)==0 ) break;
+@@ -1372,7 +1373,7 @@
+     }
+     if( flags & 2 ){
+       while( nIn>0 ){
+-        int len = 0;
++        unsigned int len = 0;
+         for(i=0; i<nChar; i++){
+           len = aLen[i];
+           if( len<=nIn && memcmp(&zIn[nIn-len],azChar[i],len)==0 ) break;
+diff -ruN origin_src/test/func.test sqlite-src-3340000/test/func.test
+--- origin_src/test/func.test	2021-09-03 10:46:50.201088526 +0800
++++ sqlite-src-3340000/test/func.test	2021-09-03 10:59:42.751788869 +0800
+@@ -1111,6 +1111,13 @@
+   execsql {SELECT typeof(trim('hello',NULL));}
+ } {null}
+ 
++# 2021-06-15 - infinite loop due to unsigned character counter
++# overflow, reported by Zimuzo Ezeozue
++#
++do_execsql_test func-22.23 {
++  SELECT trim('xyzzy',x'c0808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080');
++} {xyzzy}
++
+ # This is to test the deprecated sqlite3_aggregate_count() API.
+ #
+ ifcapable deprecated {
diff --git a/sqlite.spec b/sqlite.spec
index c6600c9..4c9d387 100644
--- a/sqlite.spec
+++ b/sqlite.spec
@@ -6,7 +6,7 @@
 
 Name:    sqlite
 Version: 3.34.0
-Release: 1
+Release: 2
 Summary: Embeded SQL database
 License: Public Domain
 URL:     http://www.sqlite.org/
@@ -17,6 +17,7 @@ Source2: https://www.sqlite.org/2020/sqlite-autoconf-%{extver}.tar.gz
 
 Patch1: 0001-sqlite-no-malloc-usable-size.patch
 Patch2: 0002-remove-fail-testcase-in-no-free-fd-situation.patch
+Patch3: 0003-infinite-loop-in-trim-function.patch
 
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -61,6 +62,7 @@ This contains man files and HTML files for the using of sqlite.
 %setup -q -a1 -n %{name}-src-%{extver}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
 
@@ -131,6 +133,9 @@ make test
 %{_mandir}/man*/*
 
 %changelog
+* Fri Sep 3 2021 wbq_sky <wangbingquan@huawei.com> - 3.34.0-2
+- fix the infinite loop problem in the trim function while the pattern is well formed.
+
 * Thu Jan 14 2021 yanglongkang <yanglongkang@huawei.com> - 3.34.0-1
 - update package to 3.34.0
 
-- 
Gitee