diff options
Diffstat (limited to 'meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch')
-rw-r--r-- | meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch new file mode 100644 index 0000000000..80d5edbb0c --- /dev/null +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | CVE: CVE-2019-19924 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From 854fe21e8a987f84da81f6bb9e90abc5355c6621 Mon Sep 17 00:00:00 2001 | ||
6 | From: "D. Richard Hipp" <drh@hwaci.com> | ||
7 | Date: Thu, 19 Dec 2019 20:37:32 +0000 | ||
8 | Subject: [PATCH] When an error occurs while rewriting the parser tree for | ||
9 | window functions in the sqlite3WindowRewrite() routine, make sure that | ||
10 | pParse->nErr is set, and make sure that this shuts down any subsequent code | ||
11 | generation that might depend on the transformations that were implemented. | ||
12 | This fixes a problem discovered by the Yongheng and Rui fuzzer. | ||
13 | |||
14 | Amalgamation format of backported patch | ||
15 | FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f | ||
16 | --- | ||
17 | sqlite3.c | 16 +++++++++++----- | ||
18 | sqlite3.h | 2 +- | ||
19 | 2 files changed, 12 insertions(+), 6 deletions(-) | ||
20 | |||
21 | diff --git a/sqlite3.c b/sqlite3.c | ||
22 | index 408ec4c..857c28e 100644 | ||
23 | --- a/sqlite3.c | ||
24 | +++ b/sqlite3.c | ||
25 | @@ -77798,7 +77798,8 @@ SQLITE_PRIVATE void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){ | ||
26 | */ | ||
27 | static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){ | ||
28 | assert( p->nOp>0 || p->aOp==0 ); | ||
29 | - assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed ); | ||
30 | + assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed | ||
31 | + || p->pParse->nErr>0 ); | ||
32 | if( p->nOp ){ | ||
33 | assert( p->aOp ); | ||
34 | sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment); | ||
35 | @@ -97872,6 +97873,7 @@ static int codeCompare( | ||
36 | int addr; | ||
37 | CollSeq *p4; | ||
38 | |||
39 | + if( pParse->nErr ) return 0; | ||
40 | p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight); | ||
41 | p5 = binaryCompareP5(pLeft, pRight, jumpIfNull); | ||
42 | addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1, | ||
43 | @@ -147627,7 +147629,7 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){ | ||
44 | |||
45 | pTab = sqlite3DbMallocZero(db, sizeof(Table)); | ||
46 | if( pTab==0 ){ | ||
47 | - return SQLITE_NOMEM; | ||
48 | + return sqlite3ErrorToParser(db, SQLITE_NOMEM); | ||
49 | } | ||
50 | |||
51 | p->pSrc = 0; | ||
52 | @@ -147731,6 +147733,10 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){ | ||
53 | sqlite3DbFree(db, pTab); | ||
54 | } | ||
55 | |||
56 | + if( rc && pParse->nErr==0 ){ | ||
57 | + assert( pParse->db->mallocFailed ); | ||
58 | + return sqlite3ErrorToParser(pParse->db, SQLITE_NOMEM); | ||
59 | + } | ||
60 | return rc; | ||
61 | } | ||
62 | |||
63 | -- | ||
64 | 2.24.1 | ||
65 | |||