1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch
new file mode 100644
index 0000000000..80d5edbb0c
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch
@@ -0,0 +1,65 @@
+CVE: CVE-2019-19924
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 854fe21e8a987f84da81f6bb9e90abc5355c6621 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 20:37:32 +0000
+Subject: [PATCH] When an error occurs while rewriting the parser tree for
+ window functions in the sqlite3WindowRewrite() routine, make sure that
+ pParse->nErr is set, and make sure that this shuts down any subsequent code
+ generation that might depend on the transformations that were implemented. 
+ This fixes a problem discovered by the Yongheng and Rui fuzzer.
+Amalgamation format of backported patch
+FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f
+---
+ sqlite3.c | 16 +++++++++++-----
+ sqlite3.h |  2 +-
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+diff --git a/sqlite3.c b/sqlite3.c
+index 408ec4c..857c28e 100644
+--- a/sqlite3.c
+++ b/sqlite3.c
+@@ -77798,7 +77798,8 @@ SQLITE_PRIVATE void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
+ */
+ static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
+   assert( p->nOp>0 || p->aOp==0 );
+-  assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
+  assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
+          || p->pParse->nErr>0 );
+   if( p->nOp ){
+     assert( p->aOp );
+     sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
+@@ -97872,6 +97873,7 @@ static int codeCompare(
+   int addr;
+   CollSeq *p4;
+ 
+  if( pParse->nErr ) return 0;
+   p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
+   p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
+   addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
+@@ -147627,7 +147629,7 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
+ 
+     pTab = sqlite3DbMallocZero(db, sizeof(Table));
+     if( pTab==0 ){
+-      return SQLITE_NOMEM;
+      return sqlite3ErrorToParser(db, SQLITE_NOMEM);
+     }
+ 
+     p->pSrc = 0;
+@@ -147731,6 +147733,10 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
+     sqlite3DbFree(db, pTab);
+   }
+ 
+  if( rc && pParse->nErr==0 ){
+    assert( pParse->db->mallocFailed );
+    return sqlite3ErrorToParser(pParse->db, SQLITE_NOMEM);
+  }
+   return rc;
+ }
+ 
+-- 
+2.24.1

diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch new file mode 100644 index 0000000000..80d5edbb0c --- /dev/null +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch
@@ -0,0 +1,65 @@
	1	CVE: CVE-2019-19924
	2	Upstream-Status: Backport
	3	Signed-off-by: Ross Burton <ross.burton@intel.com>
	4
	5	From 854fe21e8a987f84da81f6bb9e90abc5355c6621 Mon Sep 17 00:00:00 2001
	6	From: "D. Richard Hipp" <drh@hwaci.com>
	7	Date: Thu, 19 Dec 2019 20:37:32 +0000
	8	Subject: [PATCH] When an error occurs while rewriting the parser tree for
	9	window functions in the sqlite3WindowRewrite() routine, make sure that
	10	pParse->nErr is set, and make sure that this shuts down any subsequent code
	11	generation that might depend on the transformations that were implemented.
	12	This fixes a problem discovered by the Yongheng and Rui fuzzer.
	13
	14	Amalgamation format of backported patch
	15	FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f
	16	---
	17	sqlite3.c \| 16 +++++++++++-----
	18	sqlite3.h \| 2 +-
	19	2 files changed, 12 insertions(+), 6 deletions(-)
	20
	21	diff --git a/sqlite3.c b/sqlite3.c
	22	index 408ec4c..857c28e 100644
	23	--- a/sqlite3.c
	24	+++ b/sqlite3.c
	25	@@ -77798,7 +77798,8 @@ SQLITE_PRIVATE void sqlite3VdbeSetP4KeyInfo(Parse pParse, Index pIdx){
	26	*/
	27	static void vdbeVComment(Vdbe p, const char zFormat, va_list ap){
	28	assert( p->nOp>0 \|\| p->aOp==0 );
	29	- assert( p->aOp==0 \|\| p->aOp[p->nOp-1].zComment==0 \|\| p->db->mallocFailed );
	30	+ assert( p->aOp==0 \|\| p->aOp[p->nOp-1].zComment==0 \|\| p->db->mallocFailed
	31	+ \|\| p->pParse->nErr>0 );
	32	if( p->nOp ){
	33	assert( p->aOp );
	34	sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
	35	@@ -97872,6 +97873,7 @@ static int codeCompare(
	36	int addr;
	37	CollSeq *p4;
	38
	39	+ if( pParse->nErr ) return 0;
	40	p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
	41	p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
	42	addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
	43	@@ -147627,7 +147629,7 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse pParse, Select p){
	44
	45	pTab = sqlite3DbMallocZero(db, sizeof(Table));
	46	if( pTab==0 ){
	47	- return SQLITE_NOMEM;
	48	+ return sqlite3ErrorToParser(db, SQLITE_NOMEM);
	49	}
	50
	51	p->pSrc = 0;
	52	@@ -147731,6 +147733,10 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse pParse, Select p){
	53	sqlite3DbFree(db, pTab);
	54	}
	55
	56	+ if( rc && pParse->nErr==0 ){
	57	+ assert( pParse->db->mallocFailed );
	58	+ return sqlite3ErrorToParser(pParse->db, SQLITE_NOMEM);
	59	+ }
	60	return rc;
	61	}
	62
	63	--
	64	2.24.1
	65