authorZim <zezeozue@google.com>2021-07-12 20:53:12 +0100
committerZimuzo Ezeozue <zezeozue@google.com>2021-07-20 13:19:27 +0000
commit201685e7989c5a890c806c408d2ffc6a003cd8d4 (patch)
treed9c50e59d49dd13f3696acfe509ce5b5c9a66c19
parentb7e0b15e8d3fec8b12df74d321fc300b14a87d68 (diff)
downloadsqlite-201685e7989c5a890c806c408d2ffc6a003cd8d4.tar.gz
DO NOT MERGE Fix CVE-2020-15358 and CVE-2020-13871
Test: atest SQLiteSecurityTest Bug: 192605364 Bug: 192606047 Change-Id: If729ab11c364eea165eed1dfc21518bf60d694e2
-rw-r--r--README.version6
-rw-r--r--dist/Android.patch24
-rw-r--r--dist/orig/sqlite3.c19
-rw-r--r--dist/orig/sqlite3.h2
-rw-r--r--dist/sqlite3.c19
-rw-r--r--dist/sqlite3.h2
6 files changed, 33 insertions, 39 deletions
diff --git a/README.version b/README.version
index e8aeabd..9fd2338 100644
--- a/README.version
+++ b/README.version
@@ -1,4 +1,4 @@
-URL: https://www.sqlite.org/src/tarball/b302b260/SQLite-b302b260.tar.gz
-Version: 3.28.0 b2325a6e
-This patch fixes app compatibility bug b/147928666
+URL: https://www.sqlite.org/src/tarball/d2e67220/SQLite-d2e67220.tar.gz
+Version: 3.28a d2e67220
+This patch fixes CVE-2020-15358 and CVE-2020-13871, b/192605364 and b/192606047
BugComponent: 24950
diff --git a/dist/Android.patch b/dist/Android.patch
index cda5b55..36bbcb1 100644
--- a/dist/Android.patch
+++ b/dist/Android.patch
@@ -1,5 +1,5 @@
---- orig/shell.c 2020-05-07 10:06:07.883965871 +0100
-+++ shell.c 2020-05-07 10:08:55.333081159 +0100
+--- orig/shell.c 2021-07-14 18:36:30.410913351 +0100
++++ shell.c 2021-07-14 18:37:50.691479583 +0100
@@ -87,6 +87,12 @@
#endif
#include <ctype.h>
@@ -37,9 +37,9 @@
if( p->openMode==SHELL_OPEN_ZIPFILE ){
char *zSql = sqlite3_mprintf(
"CREATE VIRTUAL TABLE zip USING zipfile(%Q);", p->zDbFilename);
---- orig/sqlite3.c 2020-05-07 10:06:07.867965765 +0100
-+++ sqlite3.c 2020-05-07 10:08:55.333081159 +0100
-@@ -32446,6 +32446,10 @@
+--- orig/sqlite3.c 2021-07-14 18:36:30.454913661 +0100
++++ sqlite3.c 2021-07-14 18:37:50.691479583 +0100
+@@ -32447,6 +32447,10 @@
# include <sys/mount.h>
#endif
@@ -50,7 +50,7 @@
#ifdef HAVE_UTIME
# include <utime.h>
#endif
-@@ -33205,6 +33209,12 @@
+@@ -33206,6 +33210,12 @@
#if defined(FD_CLOEXEC) && (!defined(O_CLOEXEC) || O_CLOEXEC==0)
osFcntl(fd, F_SETFD, osFcntl(fd, F_GETFD, 0) | FD_CLOEXEC);
#endif
@@ -63,7 +63,7 @@
}
return fd;
}
-@@ -33785,7 +33795,13 @@
+@@ -33786,7 +33796,13 @@
** and move on.
*/
static void robust_close(unixFile *pFile, int h, int lineno){
@@ -77,7 +77,7 @@
unixLogErrorAtLine(SQLITE_IOERR_CLOSE, "close",
pFile ? pFile->zPath : 0, lineno);
}
-@@ -36318,7 +36334,7 @@
+@@ -36319,7 +36335,7 @@
SimulateIOError( rc=1 );
if( rc!=0 ){
storeLastErrno((unixFile*)id, errno);
@@ -86,7 +86,7 @@
}
*pSize = buf.st_size;
-@@ -36354,7 +36370,7 @@
+@@ -36355,7 +36371,7 @@
struct stat buf; /* Used to hold return values of fstat() */
if( osFstat(pFile->h, &buf) ){
@@ -95,7 +95,7 @@
}
nSize = ((nByte+pFile->szChunk-1) / pFile->szChunk) * pFile->szChunk;
-@@ -37040,7 +37056,7 @@
+@@ -37041,7 +37057,7 @@
** with the same permissions.
*/
if( osFstat(pDbFd->h, &sStat) ){
@@ -104,7 +104,7 @@
goto shm_open_err;
}
-@@ -124046,7 +124062,7 @@
+@@ -124047,7 +124063,7 @@
}
if( pDb->pSchema->file_format>SQLITE_MAX_FILE_FORMAT ){
sqlite3SetString(pzErrMsg, db, "unsupported file format");
@@ -113,7 +113,7 @@
goto initone_error_out;
}
-@@ -164418,13 +164434,25 @@
+@@ -164415,13 +164431,25 @@
** module with sqlite.
*/
if( SQLITE_OK==rc
diff --git a/dist/orig/sqlite3.c b/dist/orig/sqlite3.c
index 163bbe9..b1b9cce 100644
--- a/dist/orig/sqlite3.c
+++ b/dist/orig/sqlite3.c
@@ -1164,7 +1164,7 @@ extern "C" {
*/
#define SQLITE_VERSION "3.28.0"
#define SQLITE_VERSION_NUMBER 3028000
-#define SQLITE_SOURCE_ID "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad"
+#define SQLITE_SOURCE_ID "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29"
/*
** CAPI3REF: Run-Time Library Version Numbers
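Review bot: `SQLITE_VERSION` and `SQLITE_VERSION_NUMBER` stay at `"3.28.0"` / `3028000` in this hunk, while README.version now calls the drop `3.28a`, so `SQLITE_SOURCE_ID` is the only compiled-in value that separates the patched build from the unpatched one. Any check based on sqlite3_libversion() or the version macros, including version-matching vulnerability scanners, will report the same 3.28.0 as before the fix. It would help to add a line to README.version such as `Patched builds are identified by sqlite3_sourceid(), not by SQLITE_VERSION`. The same applies to the matching hunks in dist/sqlite3.c and both copies of sqlite3.h.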
@@ -17812,6 +17812,7 @@ struct Select {
#define SF_Converted 0x10000 /* By convertCompoundSelectToSubquery() */
#define SF_IncludeHidden 0x20000 /* Include hidden columns in output */
#define SF_ComplexResult 0x40000 /* Result contains subquery or function */
+#define SF_NoopOrderBy 0x0400000 /* ORDER BY is ignored for this query */
/*
** The results of a SELECT can be distributed in several ways, as defined
@@ -126326,8 +126327,6 @@ static const char *columnTypeImpl(
assert( pExpr!=0 );
assert( pNC->pSrcList!=0 );
- assert( pExpr->op!=TK_AGG_COLUMN ); /* This routine runes before aggregates
- ** are processed */
switch( pExpr->op ){
case TK_COLUMN: {
/* The expression is a column. Locate the table the column is being
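Review bot: Removing `assert( pExpr->op!=TK_AGG_COLUMN )` in columnTypeImpl also deletes the only statement of what the routine expects from its input, and nothing replaces it. The visible switch starts at `case TK_COLUMN:` with no aggregate-column arm, so a TK_AGG_COLUMN node presumably ends up in a later or default arm outside this hunk. A one-line comment such as `/* TK_AGG_COLUMN may reach this switch now; it is not treated as TK_COLUMN */` would record that, with the wording confirmed against the rest of the switch. The same applies to the assert dropped before `if( pColExpr->op==TK_COLUMN ){` in sqlite3ColumnsFromExprList, and to both hunks in dist/sqlite3.c. Both functions continue outside their hunks.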
@@ -126649,7 +126648,6 @@ SQLITE_PRIVATE int sqlite3ColumnsFromExprList(
pColExpr = pColExpr->pRight;
assert( pColExpr!=0 );
}
- assert( pColExpr->op!=TK_AGG_COLUMN );
if( pColExpr->op==TK_COLUMN ){
/* For columns use the column name name */
int iCol = pColExpr->iColumn;
@@ -127375,9 +127373,7 @@ static int multiSelect(
selectOpName(p->op)));
rc = sqlite3Select(pParse, p, &uniondest);
testcase( rc!=SQLITE_OK );
- /* Query flattening in sqlite3Select() might refill p->pOrderBy.
- ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
- sqlite3ExprListDelete(db, p->pOrderBy);
+ assert( p->pOrderBy==0 );
pDelete = p->pPrior;
p->pPrior = pPrior;
p->pOrderBy = 0;
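Review bot: The new `assert( p->pOrderBy==0 )` in multiSelect compiles away in release builds, so if any path still refills p->pOrderBy, the `p->pOrderBy = 0;` two lines later drops the list without freeing it. The invariant appears to rest on the `(pParent->selFlags & SF_NoopOrderBy)==0` guard this commit adds to flattenSubquery and the flag set in sqlite3Select, but the removed comment was the only explanation here and nothing replaces it. A comment next to the assert would keep the dependency visible, e.g. `/* flattenSubquery() does not copy an ORDER BY into a parent marked SF_NoopOrderBy, so pOrderBy is still NULL */`. The same hunk appears in dist/sqlite3.c, and multiSelect's body continues outside the hunk.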
@@ -128693,7 +128689,7 @@ static int flattenSubquery(
** We look at every expression in the outer query and every place we see
** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
*/
- if( pSub->pOrderBy ){
+ if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
/* At this point, any non-zero iOrderByCol values indicate that the
** ORDER BY column expression is identical to the iOrderByCol'th
** expression returned by SELECT statement pSub. Since these values
@@ -130327,6 +130323,7 @@ SQLITE_PRIVATE int sqlite3Select(
sqlite3ExprListDelete(db, p->pOrderBy);
p->pOrderBy = 0;
p->selFlags &= ~SF_Distinct;
+ p->selFlags |= SF_NoopOrderBy;
}
sqlite3SelectPrep(pParse, p, 0);
if( pParse->nErr || db->mallocFailed ){
@@ -218337,7 +218334,7 @@ static void fts5SourceIdFunc(
){
assert( nArg==0 );
UNUSED_PARAM2(nArg, apUnused);
- sqlite3_result_text(pCtx, "fts5: 2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad", -1, SQLITE_TRANSIENT);
+ sqlite3_result_text(pCtx, "fts5: 2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29", -1, SQLITE_TRANSIENT);
}
/*
@@ -223101,9 +223098,9 @@ SQLITE_API int sqlite3_stmt_init(
#endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */
/************** End of stmt.c ************************************************/
-#if __LINE__!=223104
+#if __LINE__!=223101
#undef SQLITE_SOURCE_ID
-#define SQLITE_SOURCE_ID "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418falt2"
+#define SQLITE_SOURCE_ID "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a9602alt2"
#endif
/* Return the source-id for this library */
SQLITE_API const char *sqlite3_sourceid(void){ return SQLITE_SOURCE_ID; }
diff --git a/dist/orig/sqlite3.h b/dist/orig/sqlite3.h
index 2f9c25a..10c8284 100644
--- a/dist/orig/sqlite3.h
+++ b/dist/orig/sqlite3.h
@@ -125,7 +125,7 @@ extern "C" {
*/
#define SQLITE_VERSION "3.28.0"
#define SQLITE_VERSION_NUMBER 3028000
-#define SQLITE_SOURCE_ID "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad"
+#define SQLITE_SOURCE_ID "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29"
/*
** CAPI3REF: Run-Time Library Version Numbers
diff --git a/dist/sqlite3.c b/dist/sqlite3.c
index ede258f..f9df329 100644
--- a/dist/sqlite3.c
+++ b/dist/sqlite3.c
@@ -1164,7 +1164,7 @@ extern "C" {
*/
#define SQLITE_VERSION "3.28.0"
#define SQLITE_VERSION_NUMBER 3028000
-#define SQLITE_SOURCE_ID "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad"
+#define SQLITE_SOURCE_ID "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29"
/*
** CAPI3REF: Run-Time Library Version Numbers
@@ -17812,6 +17812,7 @@ struct Select {
#define SF_Converted 0x10000 /* By convertCompoundSelectToSubquery() */
#define SF_IncludeHidden 0x20000 /* Include hidden columns in output */
#define SF_ComplexResult 0x40000 /* Result contains subquery or function */
+#define SF_NoopOrderBy 0x0400000 /* ORDER BY is ignored for this query */
/*
** The results of a SELECT can be distributed in several ways, as defined
@@ -126342,8 +126343,6 @@ static const char *columnTypeImpl(
assert( pExpr!=0 );
assert( pNC->pSrcList!=0 );
- assert( pExpr->op!=TK_AGG_COLUMN ); /* This routine runes before aggregates
- ** are processed */
switch( pExpr->op ){
case TK_COLUMN: {
/* The expression is a column. Locate the table the column is being
@@ -126665,7 +126664,6 @@ SQLITE_PRIVATE int sqlite3ColumnsFromExprList(
pColExpr = pColExpr->pRight;
assert( pColExpr!=0 );
}
- assert( pColExpr->op!=TK_AGG_COLUMN );
if( pColExpr->op==TK_COLUMN ){
/* For columns use the column name name */
int iCol = pColExpr->iColumn;
@@ -127391,9 +127389,7 @@ static int multiSelect(
selectOpName(p->op)));
rc = sqlite3Select(pParse, p, &uniondest);
testcase( rc!=SQLITE_OK );
- /* Query flattening in sqlite3Select() might refill p->pOrderBy.
- ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
- sqlite3ExprListDelete(db, p->pOrderBy);
+ assert( p->pOrderBy==0 );
pDelete = p->pPrior;
p->pPrior = pPrior;
p->pOrderBy = 0;
@@ -128709,7 +128705,7 @@ static int flattenSubquery(
** We look at every expression in the outer query and every place we see
** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
*/
- if( pSub->pOrderBy ){
+ if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
/* At this point, any non-zero iOrderByCol values indicate that the
** ORDER BY column expression is identical to the iOrderByCol'th
** expression returned by SELECT statement pSub. Since these values
@@ -130343,6 +130339,7 @@ SQLITE_PRIVATE int sqlite3Select(
sqlite3ExprListDelete(db, p->pOrderBy);
p->pOrderBy = 0;
p->selFlags &= ~SF_Distinct;
+ p->selFlags |= SF_NoopOrderBy;
}
sqlite3SelectPrep(pParse, p, 0);
if( pParse->nErr || db->mallocFailed ){
@@ -218365,7 +218362,7 @@ static void fts5SourceIdFunc(
){
assert( nArg==0 );
UNUSED_PARAM2(nArg, apUnused);
- sqlite3_result_text(pCtx, "fts5: 2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad", -1, SQLITE_TRANSIENT);
+ sqlite3_result_text(pCtx, "fts5: 2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29", -1, SQLITE_TRANSIENT);
}
/*
@@ -223129,9 +223126,9 @@ SQLITE_API int sqlite3_stmt_init(
#endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */
/************** End of stmt.c ************************************************/
-#if __LINE__!=223104
+#if __LINE__!=223101
#undef SQLITE_SOURCE_ID
-#define SQLITE_SOURCE_ID "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418falt2"
+#define SQLITE_SOURCE_ID "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a9602alt2"
#endif
/* Return the source-id for this library */
SQLITE_API const char *sqlite3_sourceid(void){ return SQLITE_SOURCE_ID; }
diff --git a/dist/sqlite3.h b/dist/sqlite3.h
index 2f9c25a..10c8284 100644
--- a/dist/sqlite3.h
+++ b/dist/sqlite3.h
@@ -125,7 +125,7 @@ extern "C" {
*/
#define SQLITE_VERSION "3.28.0"
#define SQLITE_VERSION_NUMBER 3028000
-#define SQLITE_SOURCE_ID "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad"
+#define SQLITE_SOURCE_ID "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29"
/*
** CAPI3REF: Run-Time Library Version Numbers