RESTRICT AUTOMERGE: Apply security patch to sqlite 3.19.

This patch fixes Magellan SQLite Security Vulnerability as in
b/121156452

Download from https://www.sqlite.org/src/info/553a923c82e96810
Get the tarball or ZIP archive, unzip it on a Linux machine, then run:
mkdir bld; cd bld; ../configure; make sqlite3.c

Copy sqlite3.c, sqlite3.h, sqlite3ext.h, shell.c from bld directory
to dist/orig.

dist contains a copy of dist/orig, but with the Android.patch
file applied.

Bug: 121156452

Test: select sqlite_version() - returns 3.19.4
Test: cts-tradefed run cts -m CtsDatabaseTestCases -t android.database.sqlite.cts.SQLiteDatabaseTest
Test: cts-tradefed run cts -m CtsDatabaseTestCases -t android.database.sqlite.cts.SQLiteSecurityTest
Change-Id: Iad8c3d1d74d8591a75a4c033c8bf9d3956d2fe4f
(cherry picked from commit 23443d501b8736a55d63f769f915fcb5333b249a)
diff --git a/README.version b/README.version
index 58f47fa..9b62c26 100644
--- a/README.version
+++ b/README.version
@@ -1,3 +1,4 @@
-URL: https://sqlite.org/src/tarball/SQLite-605907e7.tar.gz
-Version: 3.19.4 605907e73adb4533
+URL: https://www.sqlite.org/src/info/553a923c82e96810
+Version: 3.19.4 553a923c82e968104296253d07dc6e1219747d85ebb7b02640d33d7056418df4
+This patch fixes Magellan SQLite Security Vulnerability as in b/121156452
 BugComponent: 24950
diff --git a/dist/Android.patch b/dist/Android.patch
index 95cde52..f3dd051 100644
--- a/dist/Android.patch
+++ b/dist/Android.patch
@@ -1,6 +1,5 @@
-diff -r -u -d orig/shell.c ./shell.c
---- orig/shell.c	2017-07-21 09:46:53.488326209 +0900
-+++ ./shell.c	2017-07-21 09:46:53.620324492 +0900
+--- orig/shell.c	2019-01-02 14:50:34.332810092 -0800
++++ shell.c	2019-01-02 14:50:34.384809875 -0800
 @@ -52,6 +52,12 @@
  #endif
  #include <ctype.h>
@@ -37,10 +36,9 @@
    }
  }
  
-diff -r -u -d orig/sqlite3.c ./sqlite3.c
---- orig/sqlite3.c	2017-08-04 10:42:31.294648222 +0900
-+++ ./sqlite3.c	2017-08-10 13:27:29.784569745 +0900
-@@ -33618,7 +33618,7 @@
+--- orig/sqlite3.c	2019-01-02 15:26:14.984740997 -0800
++++ sqlite3.c	2019-01-02 15:39:55.689451371 -0800
+@@ -33622,7 +33622,7 @@
    SimulateIOError( rc=1 );
    if( rc!=0 ){
      storeLastErrno((unixFile*)id, errno);
@@ -49,7 +47,7 @@
    }
    *pSize = buf.st_size;
  
-@@ -33654,7 +33654,7 @@
+@@ -33658,7 +33658,7 @@
      struct stat buf;              /* Used to hold return values of fstat() */
     
      if( osFstat(pFile->h, &buf) ){
@@ -58,7 +56,7 @@
      }
  
      nSize = ((nByte+pFile->szChunk-1) / pFile->szChunk) * pFile->szChunk;
-@@ -34262,7 +34262,7 @@
+@@ -34266,7 +34266,7 @@
      ** with the same permissions.
      */
      if( osFstat(pDbFd->h, &sStat) ){
@@ -67,7 +65,7 @@
        goto shm_open_err;
      }
  
-@@ -116120,7 +116120,7 @@
+@@ -116137,7 +116137,7 @@
    }
    if( pDb->pSchema->file_format>SQLITE_MAX_FILE_FORMAT ){
      sqlite3SetString(pzErrMsg, db, "unsupported file format");
@@ -76,7 +74,15 @@
      goto initone_error_out;
    }
  
-@@ -149914,13 +149914,25 @@
+@@ -149535,6 +149535,7 @@
+     char *zErr = sqlite3_mprintf("illegal first argument to %s", zFunc);
+     sqlite3_result_error(pContext, zErr, -1);
+     sqlite3_free(zErr);
++    *ppCsr = pRet;
+     return SQLITE_ERROR;
+   }
+   *ppCsr = pRet;
+@@ -149929,13 +149930,25 @@
    ** module with sqlite.
    */
    if( SQLITE_OK==rc 
diff --git a/dist/orig/sqlite3.c b/dist/orig/sqlite3.c
index b036aa1..1a487bc 100644
--- a/dist/orig/sqlite3.c
+++ b/dist/orig/sqlite3.c
@@ -400,7 +400,7 @@
 */
 #define SQLITE_VERSION        "3.19.4"
 #define SQLITE_VERSION_NUMBER 3019004
-#define SQLITE_SOURCE_ID      "2017-08-18 19:28:12 605907e73adb4533b12d22be8422f17a8dc125b5c37bb391756a11fc3a8c4d10"
+#define SQLITE_SOURCE_ID      "2018-12-19 17:05:48 553a923c82e968104296253d07dc6e1219747d85ebb7b02640d33d7056418df4"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -4960,6 +4960,7 @@
 SQLITE_API double sqlite3_value_double(sqlite3_value*);
 SQLITE_API int sqlite3_value_int(sqlite3_value*);
 SQLITE_API sqlite3_int64 sqlite3_value_int64(sqlite3_value*);
+SQLITE_API void *sqlite3_value_pointer(sqlite3_value*);
 SQLITE_API const unsigned char *sqlite3_value_text(sqlite3_value*);
 SQLITE_API const void *sqlite3_value_text16(sqlite3_value*);
 SQLITE_API const void *sqlite3_value_text16le(sqlite3_value*);
@@ -5278,6 +5279,7 @@
 SQLITE_API void sqlite3_result_int(sqlite3_context*, int);
 SQLITE_API void sqlite3_result_int64(sqlite3_context*, sqlite3_int64);
 SQLITE_API void sqlite3_result_null(sqlite3_context*);
+SQLITE_API void sqlite3_result_pointer(sqlite3_context*, void*);
 SQLITE_API void sqlite3_result_text(sqlite3_context*, const char*, int, void(*)(void*));
 SQLITE_API void sqlite3_result_text64(sqlite3_context*, const char*,sqlite3_uint64,
                            void(*)(void*), unsigned char encoding);
@@ -18184,6 +18186,7 @@
     double r;           /* Real value used when MEM_Real is set in flags */
     i64 i;              /* Integer value used when MEM_Int is set in flags */
     int nZero;          /* Used when bit MEM_Zero is set in flags */
+    void *pPtr;         /* Pointer when flags==MEM_Ptr|MEM_Null */
     FuncDef *pDef;      /* Used only when flags==MEM_Agg */
     RowSet *pRowSet;    /* Used only when flags==MEM_RowSet */
     VdbeFrame *pFrame;  /* Used when flags==MEM_Frame */
@@ -18241,6 +18244,7 @@
 ** policy for Mem.z.  The MEM_Term flag tells us whether or not the
 ** string is \000 or \u0000 terminated
 */
+#define MEM_Ptr       0x8000   /* u.pPtr is valid if type==SQLITE_NULL */
 #define MEM_Term      0x0200   /* String rep is nul terminated */
 #define MEM_Dyn       0x0400   /* Need to call Mem.xDel() on Mem.z */
 #define MEM_Static    0x0800   /* Mem.z points to a static string */
@@ -18263,7 +18267,7 @@
 ** Clear any existing type flags from a Mem and replace them with f
 */
 #define MemSetTypeFlag(p, f) \
-   ((p)->flags = ((p)->flags&~(MEM_TypeMask|MEM_Zero))|f)
+   ((p)->flags = ((p)->flags&~(MEM_TypeMask|MEM_Zero|MEM_Ptr))|f)
 
 /*
 ** Return true if a memory cell is not marked as invalid.  This macro
@@ -48227,7 +48231,7 @@
 #endif
 
 #ifdef SQLITE_ENABLE_BATCH_ATOMIC_WRITE
-  if( dc&SQLITE_IOCAP_BATCH_ATOMIC ){
+  if( pPager->dbSize>0 && (dc&SQLITE_IOCAP_BATCH_ATOMIC) ){
     return -1;
   }
 #endif
@@ -53510,8 +53514,9 @@
       if( bBatch ){
         if( rc==SQLITE_OK ){
           rc = sqlite3OsFileControl(fd, SQLITE_FCNTL_COMMIT_ATOMIC_WRITE, 0);
-        }else{
-          sqlite3OsFileControl(fd, SQLITE_FCNTL_ROLLBACK_ATOMIC_WRITE, 0);
+        }
+        if( rc!=SQLITE_OK ){
+          sqlite3OsFileControlHint(fd, SQLITE_FCNTL_ROLLBACK_ATOMIC_WRITE, 0);
         }
       }
 
@@ -76465,6 +76470,11 @@
   Mem *pMem = (Mem*)pVal;
   return ((pMem->flags & MEM_Subtype) ? pMem->eSubtype : 0);
 }
+SQLITE_API void *sqlite3_value_pointer(sqlite3_value *pVal){
+  Mem *p = (Mem*)pVal;
+  if( (p->flags&(MEM_TypeMask|MEM_Ptr))==(MEM_Null|MEM_Ptr) ) return p->u.pPtr;
+  return 0;
+}
 SQLITE_API const unsigned char *sqlite3_value_text(sqlite3_value *pVal){
   return (const unsigned char *)sqlite3ValueText(pVal, SQLITE_UTF8);
 }
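Review bot: The new public entry point sqlite3_value_pointer() has no CAPI3REF comment, and the prototypes added to sqlite3.h (the `@@ -4683` hunks, and the dist/ copies) are inserted into a documented group without one. The value also carries no type tag, so any function that calls sqlite3_value_pointer() will accept a pointer produced by any other caller of sqlite3_result_pointer(); later SQLite releases add a type-string argument to both interfaces for that reason, which is worth recording so this backport is not mistaken for the upstream API. A comment such as `/* Return the pointer stored by sqlite3_result_pointer(), or NULL if the cell is not MEM_Null|MEM_Ptr. Untyped: only consume values produced by your own sqlite3_result_pointer(). */` would do. The same definition appears in dist/sqlite3.c.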
@@ -76639,6 +76649,13 @@
   assert( sqlite3_mutex_held(pCtx->pOut->db->mutex) );
   sqlite3VdbeMemSetInt64(pCtx->pOut, iVal);
 }
+SQLITE_API void sqlite3_result_pointer(sqlite3_context *pCtx, void *pPtr){
+  assert( sqlite3_mutex_held(pCtx->pOut->db->mutex) );
+  sqlite3VdbeMemSetNull(pCtx->pOut);
+  assert( (pCtx->pOut->flags & (MEM_TypeMask|MEM_Ptr))==MEM_Null );
+  pCtx->pOut->flags |= MEM_Ptr;
+  pCtx->pOut->u.pPtr = pPtr;
+}
 SQLITE_API void sqlite3_result_null(sqlite3_context *pCtx){
   assert( sqlite3_mutex_held(pCtx->pOut->db->mutex) );
   sqlite3VdbeMemSetNull(pCtx->pOut);
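Review bot: sqlite3_result_pointer() stores pPtr without a destructor, so the caller keeps ownership and must keep the object alive for as long as the result can be read; nothing in the hunk states that contract. Unlike the later upstream interface there is no xDestructor parameter, so a comment on the function along the lines of `/* pPtr is not owned by the Mem: no destructor is recorded, the caller must outlive every reader of the value. */` is needed. The same code appears in dist/sqlite3.c.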
@@ -147764,7 +147781,7 @@
   const char *zCsr = zNode;       /* Cursor to iterate through node */
   const char *zEnd = &zCsr[nNode];/* End of interior node buffer */
   char *zBuffer = 0;              /* Buffer to load terms into */
-  int nAlloc = 0;                 /* Size of allocated buffer */
+  i64 nAlloc = 0;                 /* Size of allocated buffer */
   int isFirstTerm = 1;            /* True when processing first term on page */
   sqlite3_int64 iChild;           /* Block id of child node to descend to */
 
@@ -147802,14 +147819,14 @@
     zCsr += fts3GetVarint32(zCsr, &nSuffix);
     
     assert( nPrefix>=0 && nSuffix>=0 );
-    if( &zCsr[nSuffix]>zEnd ){
+    if( nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){
       rc = FTS_CORRUPT_VTAB;
       goto finish_scan;
     }
-    if( nPrefix+nSuffix>nAlloc ){
+    if( (i64)nPrefix+nSuffix>nAlloc ){
       char *zNew;
-      nAlloc = (nPrefix+nSuffix) * 2;
-      zNew = (char *)sqlite3_realloc(zBuffer, nAlloc);
+      nAlloc = ((i64)nPrefix+nSuffix) * 2;
+      zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
       if( !zNew ){
         rc = SQLITE_NOMEM;
         goto finish_scan;
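Review bot: The new guard bounds nPrefix by the bytes consumed so far (`nPrefix>zCsr-zNode`), not by the length of the term currently held in zBuffer, so a prefix longer than the previous term passes and the subsequent copy of nSuffix bytes at offset nPrefix leaves bytes in zBuffer that were never written (realloc does not initialise them); the allocation can no longer overflow, but the reassembled term then contains indeterminate data. If the function tracks the loaded length (upstream later uses nBuffer for this), `nPrefix>nBuffer` is the tighter check. The same pattern appears in fts3SegReaderNext (`nPrefix>pReader->nTermAlloc` rather than the current term length, presumably pReader->nTerm) and in the incremental-merge node reader (`nPrefix>p->iOff` rather than the term blob's length, presumably p->term.n), and in the dist/sqlite3.c copies of all three. fts3ScanInteriorNode starts and ends outside this hunk.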
@@ -149295,8 +149312,7 @@
   switch( iCol-p->nColumn ){
     case 0:
       /* The special 'table-name' column */
-      sqlite3_result_blob(pCtx, &pCsr, sizeof(Fts3Cursor*), SQLITE_TRANSIENT);
-      sqlite3_result_subtype(pCtx, SQLITE_BLOB);
+      sqlite3_result_pointer(pCtx, pCsr);
       break;
 
     case 1:
@@ -149514,16 +149530,15 @@
   sqlite3_value *pVal,            /* argv[0] passed to function */
   Fts3Cursor **ppCsr              /* OUT: Store cursor handle here */
 ){
-  int rc = SQLITE_OK;
-  if( sqlite3_value_subtype(pVal)==SQLITE_BLOB ){
-    *ppCsr = *(Fts3Cursor**)sqlite3_value_blob(pVal);
-  }else{
+  Fts3Cursor *pRet = (Fts3Cursor*)sqlite3_value_pointer(pVal);
+  if( pRet==0 ){
     char *zErr = sqlite3_mprintf("illegal first argument to %s", zFunc);
     sqlite3_result_error(pContext, zErr, -1);
     sqlite3_free(zErr);
-    rc = SQLITE_ERROR;
+    return SQLITE_ERROR;
   }
-  return rc;
+  *ppCsr = pRet;
+  return SQLITE_OK;
 }
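Review bot: On the error path *ppCsr is left untouched, so the out-parameter is only meaningful when SQLITE_OK is returned, while the dist/sqlite3.c copy of this function (via dist/Android.patch) writes `*ppCsr = pRet;` before returning SQLITE_ERROR; the two copies now differ in what a caller may assume. Whichever contract is intended, the parameter comment should state it, e.g. `Fts3Cursor **ppCsr /* OUT: Store cursor handle here (valid only on SQLITE_OK) */`. fts3FunctionArg's signature starts outside the hunk.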
 
 /*
@@ -157406,15 +157421,19 @@
   ** safe (no risk of overread) even if the node data is corrupted. */
   pNext += fts3GetVarint32(pNext, &nPrefix);
   pNext += fts3GetVarint32(pNext, &nSuffix);
-  if( nPrefix<0 || nSuffix<=0 
-   || &pNext[nSuffix]>&pReader->aNode[pReader->nNode] 
+  if( nSuffix<=0 
+   || (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
+   || nPrefix>pReader->nTermAlloc
   ){
     return FTS_CORRUPT_VTAB;
   }
 
-  if( nPrefix+nSuffix>pReader->nTermAlloc ){
-    int nNew = (nPrefix+nSuffix)*2;
-    char *zNew = sqlite3_realloc(pReader->zTerm, nNew);
+  /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are
+  ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer
+  ** overflow - hence the (i64) casts.  */
+  if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){
+    i64 nNew = ((i64)nPrefix+nSuffix)*2;
+    char *zNew = sqlite3_realloc64(pReader->zTerm, nNew);
     if( !zNew ){
       return SQLITE_NOMEM;
     }
@@ -157436,7 +157455,7 @@
   ** b-tree node. And that the final byte of the doclist is 0x00. If either 
   ** of these statements is untrue, then the data structure is corrupt.
   */
-  if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode] 
+  if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
    || (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1])
   ){
     return FTS_CORRUPT_VTAB;
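Review bot: When the varint for nDoclist decodes to zero the first operand is false and the second reads pReader->aDoclist[-1], which is the last byte of the length varint rather than of the doclist, so an empty doclist is accepted as well-formed; the terminator test is only meaningful for nDoclist>0. Adding `|| pReader->nDoclist==0` to the corruption condition keeps the read inside the doclist and rejects the degenerate case. The same hunk exists in dist/sqlite3.c; fts3SegReaderNext starts and ends outside this hunk.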
@@ -159759,6 +159778,9 @@
     }
     p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix);
 
+    if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){
+      return SQLITE_CORRUPT_VTAB;
+    }
     blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc);
     if( rc==SQLITE_OK ){
       memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix);
@@ -159766,6 +159788,9 @@
       p->iOff += nSuffix;
       if( p->iChild==0 ){
         p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist);
+        if( (p->nNode-p->iOff)<p->nDoclist ){
+          return SQLITE_CORRUPT_VTAB;
+        }
         p->aDoclist = &p->aNode[p->iOff];
         p->iOff += p->nDoclist;
       }
@@ -159773,7 +159798,6 @@
   }
 
   assert( p->iOff<=p->nNode );
-
   return rc;
 }
 
@@ -199213,7 +199237,7 @@
 ){
   assert( nArg==0 );
   UNUSED_PARAM2(nArg, apUnused);
-  sqlite3_result_text(pCtx, "fts5: 2017-08-18 19:28:12 605907e73adb4533b12d22be8422f17a8dc125b5c37bb391756a11fc3a8c4d10", -1, SQLITE_TRANSIENT);
+  sqlite3_result_text(pCtx, "fts5: 2018-12-19 17:05:48 553a923c82e968104296253d07dc6e1219747d85ebb7b02640d33d7056418df4", -1, SQLITE_TRANSIENT);
 }
 
 static int fts5Init(sqlite3 *db){
diff --git a/dist/orig/sqlite3.h b/dist/orig/sqlite3.h
index 977b05b..aa32bab 100644
--- a/dist/orig/sqlite3.h
+++ b/dist/orig/sqlite3.h
@@ -123,7 +123,7 @@
 */
 #define SQLITE_VERSION        "3.19.4"
 #define SQLITE_VERSION_NUMBER 3019004
-#define SQLITE_SOURCE_ID      "2017-08-18 19:28:12 605907e73adb4533b12d22be8422f17a8dc125b5c37bb391756a11fc3a8c4d10"
+#define SQLITE_SOURCE_ID      "2018-12-19 17:05:48 553a923c82e968104296253d07dc6e1219747d85ebb7b02640d33d7056418df4"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -4683,6 +4683,7 @@
 SQLITE_API double sqlite3_value_double(sqlite3_value*);
 SQLITE_API int sqlite3_value_int(sqlite3_value*);
 SQLITE_API sqlite3_int64 sqlite3_value_int64(sqlite3_value*);
+SQLITE_API void *sqlite3_value_pointer(sqlite3_value*);
 SQLITE_API const unsigned char *sqlite3_value_text(sqlite3_value*);
 SQLITE_API const void *sqlite3_value_text16(sqlite3_value*);
 SQLITE_API const void *sqlite3_value_text16le(sqlite3_value*);
@@ -5001,6 +5002,7 @@
 SQLITE_API void sqlite3_result_int(sqlite3_context*, int);
 SQLITE_API void sqlite3_result_int64(sqlite3_context*, sqlite3_int64);
 SQLITE_API void sqlite3_result_null(sqlite3_context*);
+SQLITE_API void sqlite3_result_pointer(sqlite3_context*, void*);
 SQLITE_API void sqlite3_result_text(sqlite3_context*, const char*, int, void(*)(void*));
 SQLITE_API void sqlite3_result_text64(sqlite3_context*, const char*,sqlite3_uint64,
                            void(*)(void*), unsigned char encoding);
diff --git a/dist/sqlite3.c b/dist/sqlite3.c
index 912acbe..84f7166 100644
--- a/dist/sqlite3.c
+++ b/dist/sqlite3.c
@@ -400,7 +400,7 @@
 */
 #define SQLITE_VERSION        "3.19.4"
 #define SQLITE_VERSION_NUMBER 3019004
-#define SQLITE_SOURCE_ID      "2017-08-18 19:28:12 605907e73adb4533b12d22be8422f17a8dc125b5c37bb391756a11fc3a8c4d10"
+#define SQLITE_SOURCE_ID      "2018-12-19 17:05:48 553a923c82e968104296253d07dc6e1219747d85ebb7b02640d33d7056418df4"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -4960,6 +4960,7 @@
 SQLITE_API double sqlite3_value_double(sqlite3_value*);
 SQLITE_API int sqlite3_value_int(sqlite3_value*);
 SQLITE_API sqlite3_int64 sqlite3_value_int64(sqlite3_value*);
+SQLITE_API void *sqlite3_value_pointer(sqlite3_value*);
 SQLITE_API const unsigned char *sqlite3_value_text(sqlite3_value*);
 SQLITE_API const void *sqlite3_value_text16(sqlite3_value*);
 SQLITE_API const void *sqlite3_value_text16le(sqlite3_value*);
@@ -5278,6 +5279,7 @@
 SQLITE_API void sqlite3_result_int(sqlite3_context*, int);
 SQLITE_API void sqlite3_result_int64(sqlite3_context*, sqlite3_int64);
 SQLITE_API void sqlite3_result_null(sqlite3_context*);
+SQLITE_API void sqlite3_result_pointer(sqlite3_context*, void*);
 SQLITE_API void sqlite3_result_text(sqlite3_context*, const char*, int, void(*)(void*));
 SQLITE_API void sqlite3_result_text64(sqlite3_context*, const char*,sqlite3_uint64,
                            void(*)(void*), unsigned char encoding);
@@ -18184,6 +18186,7 @@
     double r;           /* Real value used when MEM_Real is set in flags */
     i64 i;              /* Integer value used when MEM_Int is set in flags */
     int nZero;          /* Used when bit MEM_Zero is set in flags */
+    void *pPtr;         /* Pointer when flags==MEM_Ptr|MEM_Null */
     FuncDef *pDef;      /* Used only when flags==MEM_Agg */
     RowSet *pRowSet;    /* Used only when flags==MEM_RowSet */
     VdbeFrame *pFrame;  /* Used when flags==MEM_Frame */
@@ -18241,6 +18244,7 @@
 ** policy for Mem.z.  The MEM_Term flag tells us whether or not the
 ** string is \000 or \u0000 terminated
 */
+#define MEM_Ptr       0x8000   /* u.pPtr is valid if type==SQLITE_NULL */
 #define MEM_Term      0x0200   /* String rep is nul terminated */
 #define MEM_Dyn       0x0400   /* Need to call Mem.xDel() on Mem.z */
 #define MEM_Static    0x0800   /* Mem.z points to a static string */
@@ -18263,7 +18267,7 @@
 ** Clear any existing type flags from a Mem and replace them with f
 */
 #define MemSetTypeFlag(p, f) \
-   ((p)->flags = ((p)->flags&~(MEM_TypeMask|MEM_Zero))|f)
+   ((p)->flags = ((p)->flags&~(MEM_TypeMask|MEM_Zero|MEM_Ptr))|f)
 
 /*
 ** Return true if a memory cell is not marked as invalid.  This macro
@@ -48227,7 +48231,7 @@
 #endif
 
 #ifdef SQLITE_ENABLE_BATCH_ATOMIC_WRITE
-  if( dc&SQLITE_IOCAP_BATCH_ATOMIC ){
+  if( pPager->dbSize>0 && (dc&SQLITE_IOCAP_BATCH_ATOMIC) ){
     return -1;
   }
 #endif
@@ -53510,8 +53514,9 @@
       if( bBatch ){
         if( rc==SQLITE_OK ){
           rc = sqlite3OsFileControl(fd, SQLITE_FCNTL_COMMIT_ATOMIC_WRITE, 0);
-        }else{
-          sqlite3OsFileControl(fd, SQLITE_FCNTL_ROLLBACK_ATOMIC_WRITE, 0);
+        }
+        if( rc!=SQLITE_OK ){
+          sqlite3OsFileControlHint(fd, SQLITE_FCNTL_ROLLBACK_ATOMIC_WRITE, 0);
         }
       }
 
@@ -76465,6 +76470,11 @@
   Mem *pMem = (Mem*)pVal;
   return ((pMem->flags & MEM_Subtype) ? pMem->eSubtype : 0);
 }
+SQLITE_API void *sqlite3_value_pointer(sqlite3_value *pVal){
+  Mem *p = (Mem*)pVal;
+  if( (p->flags&(MEM_TypeMask|MEM_Ptr))==(MEM_Null|MEM_Ptr) ) return p->u.pPtr;
+  return 0;
+}
 SQLITE_API const unsigned char *sqlite3_value_text(sqlite3_value *pVal){
   return (const unsigned char *)sqlite3ValueText(pVal, SQLITE_UTF8);
 }
@@ -76639,6 +76649,13 @@
   assert( sqlite3_mutex_held(pCtx->pOut->db->mutex) );
   sqlite3VdbeMemSetInt64(pCtx->pOut, iVal);
 }
+SQLITE_API void sqlite3_result_pointer(sqlite3_context *pCtx, void *pPtr){
+  assert( sqlite3_mutex_held(pCtx->pOut->db->mutex) );
+  sqlite3VdbeMemSetNull(pCtx->pOut);
+  assert( (pCtx->pOut->flags & (MEM_TypeMask|MEM_Ptr))==MEM_Null );
+  pCtx->pOut->flags |= MEM_Ptr;
+  pCtx->pOut->u.pPtr = pPtr;
+}
 SQLITE_API void sqlite3_result_null(sqlite3_context *pCtx){
   assert( sqlite3_mutex_held(pCtx->pOut->db->mutex) );
   sqlite3VdbeMemSetNull(pCtx->pOut);
@@ -147764,7 +147781,7 @@
   const char *zCsr = zNode;       /* Cursor to iterate through node */
   const char *zEnd = &zCsr[nNode];/* End of interior node buffer */
   char *zBuffer = 0;              /* Buffer to load terms into */
-  int nAlloc = 0;                 /* Size of allocated buffer */
+  i64 nAlloc = 0;                 /* Size of allocated buffer */
   int isFirstTerm = 1;            /* True when processing first term on page */
   sqlite3_int64 iChild;           /* Block id of child node to descend to */
 
@@ -147802,14 +147819,14 @@
     zCsr += fts3GetVarint32(zCsr, &nSuffix);
     
     assert( nPrefix>=0 && nSuffix>=0 );
-    if( &zCsr[nSuffix]>zEnd ){
+    if( nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){
       rc = FTS_CORRUPT_VTAB;
       goto finish_scan;
     }
-    if( nPrefix+nSuffix>nAlloc ){
+    if( (i64)nPrefix+nSuffix>nAlloc ){
       char *zNew;
-      nAlloc = (nPrefix+nSuffix) * 2;
-      zNew = (char *)sqlite3_realloc(zBuffer, nAlloc);
+      nAlloc = ((i64)nPrefix+nSuffix) * 2;
+      zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
       if( !zNew ){
         rc = SQLITE_NOMEM;
         goto finish_scan;
@@ -149295,8 +149312,7 @@
   switch( iCol-p->nColumn ){
     case 0:
       /* The special 'table-name' column */
-      sqlite3_result_blob(pCtx, &pCsr, sizeof(Fts3Cursor*), SQLITE_TRANSIENT);
-      sqlite3_result_subtype(pCtx, SQLITE_BLOB);
+      sqlite3_result_pointer(pCtx, pCsr);
       break;
 
     case 1:
@@ -149514,16 +149530,16 @@
   sqlite3_value *pVal,            /* argv[0] passed to function */
   Fts3Cursor **ppCsr              /* OUT: Store cursor handle here */
 ){
-  int rc = SQLITE_OK;
-  if( sqlite3_value_subtype(pVal)==SQLITE_BLOB ){
-    *ppCsr = *(Fts3Cursor**)sqlite3_value_blob(pVal);
-  }else{
+  Fts3Cursor *pRet = (Fts3Cursor*)sqlite3_value_pointer(pVal);
+  if( pRet==0 ){
     char *zErr = sqlite3_mprintf("illegal first argument to %s", zFunc);
     sqlite3_result_error(pContext, zErr, -1);
     sqlite3_free(zErr);
-    rc = SQLITE_ERROR;
+    *ppCsr = pRet;
+    return SQLITE_ERROR;
   }
-  return rc;
+  *ppCsr = pRet;
+  return SQLITE_OK;
 }
 
 /*
@@ -157418,15 +157434,19 @@
   ** safe (no risk of overread) even if the node data is corrupted. */
   pNext += fts3GetVarint32(pNext, &nPrefix);
   pNext += fts3GetVarint32(pNext, &nSuffix);
-  if( nPrefix<0 || nSuffix<=0 
-   || &pNext[nSuffix]>&pReader->aNode[pReader->nNode] 
+  if( nSuffix<=0 
+   || (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
+   || nPrefix>pReader->nTermAlloc
   ){
     return FTS_CORRUPT_VTAB;
   }
 
-  if( nPrefix+nSuffix>pReader->nTermAlloc ){
-    int nNew = (nPrefix+nSuffix)*2;
-    char *zNew = sqlite3_realloc(pReader->zTerm, nNew);
+  /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are
+  ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer
+  ** overflow - hence the (i64) casts.  */
+  if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){
+    i64 nNew = ((i64)nPrefix+nSuffix)*2;
+    char *zNew = sqlite3_realloc64(pReader->zTerm, nNew);
     if( !zNew ){
       return SQLITE_NOMEM;
     }
@@ -157448,7 +157468,7 @@
   ** b-tree node. And that the final byte of the doclist is 0x00. If either 
   ** of these statements is untrue, then the data structure is corrupt.
   */
-  if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode] 
+  if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
    || (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1])
   ){
     return FTS_CORRUPT_VTAB;
@@ -159771,6 +159791,9 @@
     }
     p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix);
 
+    if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){
+      return SQLITE_CORRUPT_VTAB;
+    }
     blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc);
     if( rc==SQLITE_OK ){
       memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix);
@@ -159778,6 +159801,9 @@
       p->iOff += nSuffix;
       if( p->iChild==0 ){
         p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist);
+        if( (p->nNode-p->iOff)<p->nDoclist ){
+          return SQLITE_CORRUPT_VTAB;
+        }
         p->aDoclist = &p->aNode[p->iOff];
         p->iOff += p->nDoclist;
       }
@@ -159785,7 +159811,6 @@
   }
 
   assert( p->iOff<=p->nNode );
-
   return rc;
 }
 
@@ -199225,7 +199250,7 @@
 ){
   assert( nArg==0 );
   UNUSED_PARAM2(nArg, apUnused);
-  sqlite3_result_text(pCtx, "fts5: 2017-08-18 19:28:12 605907e73adb4533b12d22be8422f17a8dc125b5c37bb391756a11fc3a8c4d10", -1, SQLITE_TRANSIENT);
+  sqlite3_result_text(pCtx, "fts5: 2018-12-19 17:05:48 553a923c82e968104296253d07dc6e1219747d85ebb7b02640d33d7056418df4", -1, SQLITE_TRANSIENT);
 }
 
 static int fts5Init(sqlite3 *db){
diff --git a/dist/sqlite3.h b/dist/sqlite3.h
index 977b05b..aa32bab 100644
--- a/dist/sqlite3.h
+++ b/dist/sqlite3.h
@@ -123,7 +123,7 @@
 */
 #define SQLITE_VERSION        "3.19.4"
 #define SQLITE_VERSION_NUMBER 3019004
-#define SQLITE_SOURCE_ID      "2017-08-18 19:28:12 605907e73adb4533b12d22be8422f17a8dc125b5c37bb391756a11fc3a8c4d10"
+#define SQLITE_SOURCE_ID      "2018-12-19 17:05:48 553a923c82e968104296253d07dc6e1219747d85ebb7b02640d33d7056418df4"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -4683,6 +4683,7 @@
 SQLITE_API double sqlite3_value_double(sqlite3_value*);
 SQLITE_API int sqlite3_value_int(sqlite3_value*);
 SQLITE_API sqlite3_int64 sqlite3_value_int64(sqlite3_value*);
+SQLITE_API void *sqlite3_value_pointer(sqlite3_value*);
 SQLITE_API const unsigned char *sqlite3_value_text(sqlite3_value*);
 SQLITE_API const void *sqlite3_value_text16(sqlite3_value*);
 SQLITE_API const void *sqlite3_value_text16le(sqlite3_value*);
@@ -5001,6 +5002,7 @@
 SQLITE_API void sqlite3_result_int(sqlite3_context*, int);
 SQLITE_API void sqlite3_result_int64(sqlite3_context*, sqlite3_int64);
 SQLITE_API void sqlite3_result_null(sqlite3_context*);
+SQLITE_API void sqlite3_result_pointer(sqlite3_context*, void*);
 SQLITE_API void sqlite3_result_text(sqlite3_context*, const char*, int, void(*)(void*));
 SQLITE_API void sqlite3_result_text64(sqlite3_context*, const char*,sqlite3_uint64,
                            void(*)(void*), unsigned char encoding);