1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix CVE-2019-19645 in SQLite

Browse Source 
Task-number: QTBUG-81020
Change-Id: I58b1dd9e7a90ba998c3af7f25a4627d8bdd70970
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 1e89c132e1280276e1d3a82ec3464afec8c14c3a)
This commit is contained in:
Andy Shaw 2020-01-02 08:47:23 +01:00
parent 3271df912b
commit cb5f69882e
2 changed files with 93 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
src/3rdparty/sqlite/patches/0005-Fix-CVE-2019-19645-in-SQLite.patch vendored Normal file
View File

@ -0,0 +1,83 @@
From 78c972eec5bab03a408b8ba1373572bcfe2db630 Mon Sep 17 00:00:00 2001
From: Andy Shaw <andy.shaw@qt.io>
Date: Thu, 2 Jan 2020 08:47:23 +0100
Subject: [PATCH] Fix CVE-2019-19645 in SQLite
Task-number: QTBUG-81020
Change-Id: I58b1dd9e7a90ba998c3af7f25a4627d8bdd70970
---
src/3rdparty/sqlite/sqlite3.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c
index d3e0c065b6..57e61b8313 100644
--- a/src/3rdparty/sqlite/sqlite3.c
+++ b/src/3rdparty/sqlite/sqlite3.c
@@ -17946,6 +17946,7 @@ struct Select {
#define SF_IncludeHidden 0x20000 /* Include hidden columns in output */
#define SF_ComplexResult 0x40000 /* Result contains subquery or function */
#define SF_WhereBegin 0x80000 /* Really a WhereBegin() call. Debug Only */
+#define SF_View 0x0200000 /* SELECT statement is a view */
/*
** The results of a SELECT can be distributed in several ways, as defined
@@ -103920,6 +103921,7 @@ static int renameUnmapExprCb(Walker *pWalker, Expr *pExpr){
static int renameUnmapSelectCb(Walker *pWalker, Select *p){
Parse *pParse = pWalker->pParse;
int i;
+ if( p->selFlags & SF_View ) return WRC_Prune;
if( ALWAYS(p->pEList) ){
ExprList *pList = p->pEList;
for(i=0; i<pList->nExpr; i++){
@@ -104024,6 +104026,7 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
** descend into sub-select statements.
*/
static int renameColumnSelectCb(Walker *pWalker, Select *p){
+ if( p->selFlags & SF_View ) return WRC_Prune;
renameWalkWith(pWalker, p);
return WRC_Continue;
}
@@ -104489,8 +104492,9 @@ static void renameColumnFunc(
if( sParse.pNewTable ){
Select *pSelect = sParse.pNewTable->pSelect;
if( pSelect ){
+ pSelect->selFlags &= ~SF_View;
sParse.rc = SQLITE_OK;
- sqlite3SelectPrep(&sParse, sParse.pNewTable->pSelect, 0);
+ sqlite3SelectPrep(&sParse, pSelect, 0);
rc = (db->mallocFailed ? SQLITE_NOMEM : sParse.rc);
if( rc==SQLITE_OK ){
sqlite3WalkSelect(&sWalker, pSelect);
@@ -104602,6 +104606,7 @@ static int renameTableSelectCb(Walker *pWalker, Select *pSelect){
int i;
RenameCtx *p = pWalker->u.pRename;
SrcList *pSrc = pSelect->pSrc;
+ if( pSelect->selFlags & SF_View ) return WRC_Prune;
if( pSrc==0 ){
assert( pWalker->pParse->db->mallocFailed );
return WRC_Abort;
@@ -104681,10 +104686,13 @@ static void renameTableFunc(
if( pTab->pSelect ){
if( isLegacy==0 ){
+ Select *pSelect = pTab->pSelect;
NameContext sNC;
memset(&sNC, 0, sizeof(sNC));
sNC.pParse = &sParse;
+ assert( pSelect->selFlags & SF_View );
+ pSelect->selFlags &= ~SF_View;
sqlite3SelectPrep(&sParse, pTab->pSelect, &sNC);
if( sParse.nErr ) rc = sParse.rc;
sqlite3WalkSelect(&sWalker, pTab->pSelect);
@@ -109994,6 +110002,7 @@ SQLITE_PRIVATE void sqlite3CreateView(
** allocated rather than point to the input string - which means that
** they will persist after the current sqlite3_exec() call returns.
*/
+ pSelect->selFlags |= SF_View;
if( IN_RENAME_OBJECT ){
p->pSelect = pSelect;
pSelect = 0;
--
2.21.0 (Apple Git-122.2)

11
src/3rdparty/sqlite/sqlite3.c vendored
View File

@ -17946,6 +17946,7 @@ struct Select {
#define SF_IncludeHidden 0x20000 /* Include hidden columns in output */ #define SF_IncludeHidden 0x20000 /* Include hidden columns in output */
#define SF_ComplexResult 0x40000 /* Result contains subquery or function */ #define SF_ComplexResult 0x40000 /* Result contains subquery or function */
#define SF_WhereBegin 0x80000 /* Really a WhereBegin() call. Debug Only */ #define SF_WhereBegin 0x80000 /* Really a WhereBegin() call. Debug Only */
#define SF_View 0x0200000 /* SELECT statement is a view */
/* /*
** The results of a SELECT can be distributed in several ways, as defined ** The results of a SELECT can be distributed in several ways, as defined
@ -103926,6 +103927,7 @@ static int renameUnmapExprCb(Walker *pWalker, Expr *pExpr){
static int renameUnmapSelectCb(Walker *pWalker, Select *p){ static int renameUnmapSelectCb(Walker *pWalker, Select *p){
Parse *pParse = pWalker->pParse; Parse *pParse = pWalker->pParse;
int i; int i;
if( p->selFlags & SF_View ) return WRC_Prune;
if( ALWAYS(p->pEList) ){ if( ALWAYS(p->pEList) ){
ExprList *pList = p->pEList; ExprList *pList = p->pEList;
for(i=0; i<pList->nExpr; i++){ for(i=0; i<pList->nExpr; i++){
@ -104030,6 +104032,7 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
** descend into sub-select statements. ** descend into sub-select statements.
*/ */
static int renameColumnSelectCb(Walker *pWalker, Select *p){ static int renameColumnSelectCb(Walker *pWalker, Select *p){
if( p->selFlags & SF_View ) return WRC_Prune;
renameWalkWith(pWalker, p); renameWalkWith(pWalker, p);
return WRC_Continue; return WRC_Continue;
} }
@ -104495,8 +104498,9 @@ static void renameColumnFunc(
if( sParse.pNewTable ){ if( sParse.pNewTable ){
Select *pSelect = sParse.pNewTable->pSelect; Select *pSelect = sParse.pNewTable->pSelect;
if( pSelect ){ if( pSelect ){
pSelect->selFlags &= ~SF_View;
sParse.rc = SQLITE_OK; sParse.rc = SQLITE_OK;
sqlite3SelectPrep(&sParse, sParse.pNewTable->pSelect, 0); sqlite3SelectPrep(&sParse, pSelect, 0);
rc = (db->mallocFailed ? SQLITE_NOMEM : sParse.rc); rc = (db->mallocFailed ? SQLITE_NOMEM : sParse.rc);
if( rc==SQLITE_OK ){ if( rc==SQLITE_OK ){
sqlite3WalkSelect(&sWalker, pSelect); sqlite3WalkSelect(&sWalker, pSelect);
@ -104608,6 +104612,7 @@ static int renameTableSelectCb(Walker *pWalker, Select *pSelect){
int i; int i;
RenameCtx *p = pWalker->u.pRename; RenameCtx *p = pWalker->u.pRename;
SrcList *pSrc = pSelect->pSrc; SrcList *pSrc = pSelect->pSrc;
if( pSelect->selFlags & SF_View ) return WRC_Prune;
if( pSrc==0 ){ if( pSrc==0 ){
assert( pWalker->pParse->db->mallocFailed ); assert( pWalker->pParse->db->mallocFailed );
return WRC_Abort; return WRC_Abort;
@ -104687,10 +104692,13 @@ static void renameTableFunc(
if( pTab->pSelect ){ if( pTab->pSelect ){
if( isLegacy==0 ){ if( isLegacy==0 ){
Select *pSelect = pTab->pSelect;
NameContext sNC; NameContext sNC;
memset(&sNC, 0, sizeof(sNC)); memset(&sNC, 0, sizeof(sNC));
sNC.pParse = &sParse; sNC.pParse = &sParse;
assert( pSelect->selFlags & SF_View );
pSelect->selFlags &= ~SF_View;
sqlite3SelectPrep(&sParse, pTab->pSelect, &sNC); sqlite3SelectPrep(&sParse, pTab->pSelect, &sNC);
if( sParse.nErr ) rc = sParse.rc; if( sParse.nErr ) rc = sParse.rc;
sqlite3WalkSelect(&sWalker, pTab->pSelect); sqlite3WalkSelect(&sWalker, pTab->pSelect);
@ -110014,6 +110022,7 @@ SQLITE_PRIVATE void sqlite3CreateView(
** allocated rather than point to the input string - which means that ** allocated rather than point to the input string - which means that
** they will persist after the current sqlite3_exec() call returns. ** they will persist after the current sqlite3_exec() call returns.
*/ */
pSelect->selFlags |= SF_View;
if( IN_RENAME_OBJECT ){ if( IN_RENAME_OBJECT ){
p->pSelect = pSelect; p->pSelect = pSelect;
pSelect = 0; pSelect = 0;