sqlite: backport CVE fixes

Fixes CVE-2020-11655 and CVE-2020-11656

(From OE-Core rev: e63a38ca6ea95c0dbc79d5024c0cec31062d2e39)

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 70 insertions, 0 deletions

diff --git a/meta/recipes-support/sqlite/files/CVE-2020-11656.patch b/meta/recipes-support/sqlite/files/CVE-2020-11656.patch
new file mode 100644
index 0000000000..b88a724e8c
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-11656.patch
@@ -0,0 +1,70 @@
+From 2d69a520d027eb73eb6da9f2653d23e33b10e8bb Mon Sep 17 00:00:00 2001
+From: Sakib Sajal <sakib.sajal@windriver.com>
+Date: Thu, 30 Apr 2020 10:14:36 -0700
+Subject: [PATCH 1/2] Fix a case when a pointer might be used after
+ being freed in  the ALTER TABLE code. Fix for [4722bdab08cb1].
+
+FossilOrigin-Name: d09f8c3621d5f7f8c6d99d7d82bcaa8421855b3f470bea2b26c858106382b906
+Upstream Status: Backport [fb99e388ec7f30fe43e4878236e3695ff24ae58d]
+
+[PATCH 2/2] Do not suppress errors when resolving references in an ORDER
+ BY clause belonging to a compound SELECT within a view or trigger within
+ ALTER TABLE. Fix for ticket [a10a14e9b4ba2].
+
+FossilOrigin-Name: 684293882c302600e112cf52553c19d84fdb31663d96e5dd7f8ac17dda00a026
+Upstream Status: Backport [4db7ab53f9c30e2e22731ace93ab6b18eef6c4ae]
+
+The two patches were converted to amalgamation format.
+
+CVE: CVE-2020-11656
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ sqlite3.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 64fae04..1df6633 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -97945,7 +97945,7 @@ static int resolveOrderByTermToExprList(
+   nc.nErr = 0;
+   db = pParse->db;
+   savedSuppErr = db->suppressErr;
+-  db->suppressErr = 1;
++  if( IN_RENAME_OBJECT==0 ) db->suppressErr = 1;
+   rc = sqlite3ResolveExprNames(&nc, pE);
+   db->suppressErr = savedSuppErr;
+   if( rc ) return 0;
+@@ -105383,6 +105383,21 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
+   }
+ }
+ 
++/*
++** Unmap all tokens in the IdList object passed as the second argument.
++*/
++static void unmapColumnIdlistNames(
++  Parse *pParse,
++  IdList *pIdList
++){
++  if( pIdList ){
++    int ii;
++    for(ii=0; ii<pIdList->nId; ii++){
++      sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName);
++    }
++  }
++}
++
+ /*
+ ** Walker callback used by sqlite3RenameExprUnmap().
+ */
+@@ -105404,6 +105419,7 @@ static int renameUnmapSelectCb(Walker *pWalker, Select *p){
+     for(i=0; i<pSrc->nSrc; i++){
+       sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);
+       if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;
++      unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);
+     }
+   }
+ 
+-- 
+2.17.1
+