1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix CVE-2020-9327 in SQLite

Browse Source 
This was taken from abc473fb8fb99900 in SQLite, ref:
https://www.sqlite.org/cgi/src/info/abc473fb8fb99900

Fixes: QTBUG-82533
Change-Id: I9840e29f19a0b861229987f5b59d8585ba2e55dc
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
(cherry picked from commit 2c1b4e37b936f64d6b52e2bc10ff97184a714b9a)
This commit is contained in:
Andy Shaw 2020-03-04 07:44:22 +01:00
parent 283d9b01dc
commit cf92591348
2 changed files with 225 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

203
src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch vendored Normal file
View File

@ -0,0 +1,203 @@
From 63566d1fff2665b777650594eec6eefd3587e177 Mon Sep 17 00:00:00 2001
From: Andy Shaw <andy.shaw@qt.io>
Date: Wed, 4 Mar 2020 07:44:22 +0100
Subject: [PATCH] Fix CVE-2020-9327 in SQLite
This was taken from abc473fb8fb99900 in SQLite, ref:
https://www.sqlite.org/cgi/src/info/abc473fb8fb99900
Fixes: QTBUG-82533
Change-Id: I9840e29f19a0b861229987f5b59d8585ba2e55dc
---
.../0001-Fix-CVE-2020-9327-in-SQLite.patch | 96 +++++++++++++++++++
src/3rdparty/sqlite/sqlite3.c | 31 ++++--
2 files changed, 118 insertions(+), 9 deletions(-)
create mode 100644 src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch
diff --git a/src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch b/src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch
new file mode 100644
index 0000000000..e0e8206db5
--- /dev/null
+++ b/src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch
@@ -0,0 +1,96 @@
+From f79860e0fe251e3267a3cd5558dce98f918e0caa Mon Sep 17 00:00:00 2001
+From: Andy Shaw <andy.shaw@qt.io>
+Date: Wed, 4 Mar 2020 07:44:22 +0100
+Subject: [PATCH] Fix CVE-2020-9327 in SQLite
+
+Fixes: QTBUG-82533
+Change-Id: I9840e29f19a0b861229987f5b59d8585ba2e55dc
+---
+ src/3rdparty/sqlite/sqlite3.c | 31 ++++++++++++++++++++++---------
+ 1 file changed, 22 insertions(+), 9 deletions(-)
+
+diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c
+index 55dc686ee0..dfe5323a59 100644
+--- a/src/3rdparty/sqlite/sqlite3.c
++++ b/src/3rdparty/sqlite/sqlite3.c
+@@ -17428,8 +17428,11 @@ struct Table {
+ */
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ # define IsVirtual(X) ((X)->nModuleArg)
++# define ExprIsVtab(X) \
++ ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg)
+ #else
+ # define IsVirtual(X) 0
++# define ExprIsVtab(X) 0
+ #endif
+
+ /*
+@@ -104133,19 +104136,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
+ case TK_LT:
+ case TK_LE:
+ case TK_GT:
+- case TK_GE:
++ case TK_GE: {
++ Expr *pLeft = pExpr->pLeft;
++ Expr *pRight = pExpr->pRight;
+ testcase( pExpr->op==TK_EQ );
+ testcase( pExpr->op==TK_NE );
+ testcase( pExpr->op==TK_LT );
+ testcase( pExpr->op==TK_LE );
+ testcase( pExpr->op==TK_GT );
+ testcase( pExpr->op==TK_GE );
+- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab))
+- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab))
++ /* The y.pTab=0 assignment in wherecode.c always happens after the
++ ** impliesNotNullRow() test */
++ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0)
++ && IsVirtual(pLeft->y.pTab))
++ || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0)
++ && IsVirtual(pRight->y.pTab))
+ ){
+- return WRC_Prune;
++ return WRC_Prune;
+ }
+-
++ }
+ default:
+ return WRC_Continue;
+ }
+@@ -142591,7 +142600,8 @@ static int isAuxiliaryVtabOperator(
+ ** MATCH(expression,vtab_column)
+ */
+ pCol = pList->a[1].pExpr;
+- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
++ if( ExprIsVtab(pCol) ){
+ for(i=0; i<ArraySize(aOp); i++){
+ if( sqlite3StrICmp(pExpr->u.zToken, aOp[i].zOp)==0 ){
+ *peOp2 = aOp[i].eOp2;
+@@ -142613,7 +142623,8 @@ static int isAuxiliaryVtabOperator(
+ ** with function names in an arbitrary case.
+ */
+ pCol = pList->a[0].pExpr;
+- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
++ if( ExprIsVtab(pCol) ){
+ sqlite3_vtab *pVtab;
+ sqlite3_module *pMod;
+ void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**);
+@@ -142636,10 +142647,12 @@ static int isAuxiliaryVtabOperator(
+ int res = 0;
+ Expr *pLeft = pExpr->pLeft;
+ Expr *pRight = pExpr->pRight;
+- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){
++ testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 );
++ if( ExprIsVtab(pLeft) ){
+ res++;
+ }
+- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){
++ testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 );
++ if( pRight && ExprIsVtab(pRight) ){
+ res++;
+ SWAP(Expr*, pLeft, pRight);
+ }
+--
+2.21.0 (Apple Git-122.2)
+
diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c
index 55dc686ee0..dfe5323a59 100644
--- a/src/3rdparty/sqlite/sqlite3.c
+++ b/src/3rdparty/sqlite/sqlite3.c
@@ -17428,8 +17428,11 @@ struct Table {
*/
#ifndef SQLITE_OMIT_VIRTUALTABLE
# define IsVirtual(X) ((X)->nModuleArg)
+# define ExprIsVtab(X) \
+ ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg)
#else
# define IsVirtual(X) 0
+# define ExprIsVtab(X) 0
#endif
/*
@@ -104133,19 +104136,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
case TK_LT:
case TK_LE:
case TK_GT:
- case TK_GE:
+ case TK_GE: {
+ Expr *pLeft = pExpr->pLeft;
+ Expr *pRight = pExpr->pRight;
testcase( pExpr->op==TK_EQ );
testcase( pExpr->op==TK_NE );
testcase( pExpr->op==TK_LT );
testcase( pExpr->op==TK_LE );
testcase( pExpr->op==TK_GT );
testcase( pExpr->op==TK_GE );
- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab))
- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab))
+ /* The y.pTab=0 assignment in wherecode.c always happens after the
+ ** impliesNotNullRow() test */
+ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0)
+ && IsVirtual(pLeft->y.pTab))
+ || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0)
+ && IsVirtual(pRight->y.pTab))
){
- return WRC_Prune;
+ return WRC_Prune;
}
-
+ }
default:
return WRC_Continue;
}
@@ -142591,7 +142600,8 @@ static int isAuxiliaryVtabOperator(
** MATCH(expression,vtab_column)
*/
pCol = pList->a[1].pExpr;
- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
+ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
+ if( ExprIsVtab(pCol) ){
for(i=0; i<ArraySize(aOp); i++){
if( sqlite3StrICmp(pExpr->u.zToken, aOp[i].zOp)==0 ){
*peOp2 = aOp[i].eOp2;
@@ -142613,7 +142623,8 @@ static int isAuxiliaryVtabOperator(
** with function names in an arbitrary case.
*/
pCol = pList->a[0].pExpr;
- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
+ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
+ if( ExprIsVtab(pCol) ){
sqlite3_vtab *pVtab;
sqlite3_module *pMod;
void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**);
@@ -142636,10 +142647,12 @@ static int isAuxiliaryVtabOperator(
int res = 0;
Expr *pLeft = pExpr->pLeft;
Expr *pRight = pExpr->pRight;
- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){
+ testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 );
+ if( ExprIsVtab(pLeft) ){
res++;
}
- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){
+ testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 );
+ if( pRight && ExprIsVtab(pRight) ){
res++;
SWAP(Expr*, pLeft, pRight);
}
--
2.21.0 (Apple Git-122.2)

31
src/3rdparty/sqlite/sqlite3.c vendored
View File

@ -17428,8 +17428,11 @@ struct Table {
*/ */
#ifndef SQLITE_OMIT_VIRTUALTABLE #ifndef SQLITE_OMIT_VIRTUALTABLE
# define IsVirtual(X) ((X)->nModuleArg) # define IsVirtual(X) ((X)->nModuleArg)
# define ExprIsVtab(X) \
((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg)
#else #else
# define IsVirtual(X) 0 # define IsVirtual(X) 0
# define ExprIsVtab(X) 0
#endif #endif
/* /*
@ -104133,19 +104136,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
case TK_LT: case TK_LT:
case TK_LE: case TK_LE:
case TK_GT: case TK_GT:
case TK_GE: case TK_GE: {
Expr *pLeft = pExpr->pLeft;
Expr *pRight = pExpr->pRight;
testcase( pExpr->op==TK_EQ ); testcase( pExpr->op==TK_EQ );
testcase( pExpr->op==TK_NE ); testcase( pExpr->op==TK_NE );
testcase( pExpr->op==TK_LT ); testcase( pExpr->op==TK_LT );
testcase( pExpr->op==TK_LE ); testcase( pExpr->op==TK_LE );
testcase( pExpr->op==TK_GT ); testcase( pExpr->op==TK_GT );
testcase( pExpr->op==TK_GE ); testcase( pExpr->op==TK_GE );
if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab)) /* The y.pTab=0 assignment in wherecode.c always happens after the
|| (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab)) ** impliesNotNullRow() test */
if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0)
&& IsVirtual(pLeft->y.pTab))
|| (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0)
&& IsVirtual(pRight->y.pTab))
){ ){
return WRC_Prune; return WRC_Prune;
} }
}
default: default:
return WRC_Continue; return WRC_Continue;
} }
@ -142591,7 +142600,8 @@ static int isAuxiliaryVtabOperator(
** MATCH(expression,vtab_column) ** MATCH(expression,vtab_column)
*/ */
pCol = pList->a[1].pExpr; pCol = pList->a[1].pExpr;
if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
if( ExprIsVtab(pCol) ){
for(i=0; i<ArraySize(aOp); i++){ for(i=0; i<ArraySize(aOp); i++){
if( sqlite3StrICmp(pExpr->u.zToken, aOp[i].zOp)==0 ){ if( sqlite3StrICmp(pExpr->u.zToken, aOp[i].zOp)==0 ){
*peOp2 = aOp[i].eOp2; *peOp2 = aOp[i].eOp2;
@ -142613,7 +142623,8 @@ static int isAuxiliaryVtabOperator(
** with function names in an arbitrary case. ** with function names in an arbitrary case.
*/ */
pCol = pList->a[0].pExpr; pCol = pList->a[0].pExpr;
if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
if( ExprIsVtab(pCol) ){
sqlite3_vtab *pVtab; sqlite3_vtab *pVtab;
sqlite3_module *pMod; sqlite3_module *pMod;
void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**); void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**);
@ -142636,10 +142647,12 @@ static int isAuxiliaryVtabOperator(
int res = 0; int res = 0;
Expr *pLeft = pExpr->pLeft; Expr *pLeft = pExpr->pLeft;
Expr *pRight = pExpr->pRight; Expr *pRight = pExpr->pRight;
if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){ testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 );
if( ExprIsVtab(pLeft) ){
res++; res++;
} }
if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){ testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 );
if( pRight && ExprIsVtab(pRight) ){
res++; res++;
SWAP(Expr*, pLeft, pRight); SWAP(Expr*, pLeft, pRight);
} }