CVE: CVE-2019-19959
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@intel.com>

From f83f7e8141ee7cbbf7f2dc8985279a7372b259b6 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Mon, 23 Dec 2019 21:04:33 +0000
Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that
 it is able to deal with goofy filenames that contain embedded zeros.

FossilOrigin-Name: cc0fb00a128fd0773db5ff7891f7aa577a3671d570166d2cbb30df922344adcf
---
 shell.c   | 4 ++--
 sqlite3.c | 4 ++--
 sqlite3.h | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/shell.c b/shell.c
index 404a8d4..48065e9 100644
--- a/shell.c
+++ b/shell.c
@@ -5841,7 +5841,7 @@ static int zipfileUpdate(
         zFree = sqlite3_mprintf("%s/", zPath);
         if( zFree==0 ){ rc = SQLITE_NOMEM; }
         zPath = (const char*)zFree;
-        nPath++;
+        nPath = (int)strlen(zPath);
       }
     }
 
@@ -6242,11 +6242,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){
   }else{
     if( zName[nName-1]!='/' ){
       zName = zFree = sqlite3_mprintf("%s/", zName);
-      nName++;
       if( zName==0 ){
         rc = SQLITE_NOMEM;
         goto zipfile_step_out;
       }
+      nName = (int)strlen(zName);
     }else{
       while( nName>1 && zName[nName-2]=='/' ) nName--;
     }
-- 
2.24.1