DO NOT MERGE Fix CVE-2020-15358 and CVE-2020-13871

Test: atest SQLiteSecurityTest
Bug: 192605364
Bug: 192606047
Change-Id: If729ab11c364eea165eed1dfc21518bf60d694e2
diff --git a/README.version b/README.version
index e8aeabd..9fd2338 100644
--- a/README.version
+++ b/README.version
@@ -1,4 +1,4 @@
-URL: https://www.sqlite.org/src/tarball/b302b260/SQLite-b302b260.tar.gz
-Version: 3.28.0 b2325a6e
-This patch fixes app compatibility bug b/147928666
+URL: https://www.sqlite.org/src/tarball/d2e67220/SQLite-d2e67220.tar.gz
+Version: 3.28a d2e67220
+This patch fixes CVE-2020-15358 and CVE-2020-13871, b/192605364 and b/192606047
 BugComponent: 24950
diff --git a/dist/Android.patch b/dist/Android.patch
index cda5b55..36bbcb1 100644
--- a/dist/Android.patch
+++ b/dist/Android.patch
@@ -1,5 +1,5 @@
---- orig/shell.c	2020-05-07 10:06:07.883965871 +0100
-+++ shell.c	2020-05-07 10:08:55.333081159 +0100
+--- orig/shell.c	2021-07-14 18:36:30.410913351 +0100
++++ shell.c	2021-07-14 18:37:50.691479583 +0100
 @@ -87,6 +87,12 @@
  #endif
  #include <ctype.h>
@@ -37,9 +37,9 @@
      if( p->openMode==SHELL_OPEN_ZIPFILE ){
        char *zSql = sqlite3_mprintf(
           "CREATE VIRTUAL TABLE zip USING zipfile(%Q);", p->zDbFilename);
---- orig/sqlite3.c	2020-05-07 10:06:07.867965765 +0100
-+++ sqlite3.c	2020-05-07 10:08:55.333081159 +0100
-@@ -32446,6 +32446,10 @@
+--- orig/sqlite3.c	2021-07-14 18:36:30.454913661 +0100
++++ sqlite3.c	2021-07-14 18:37:50.691479583 +0100
+@@ -32447,6 +32447,10 @@
  # include <sys/mount.h>
  #endif
  
@@ -50,7 +50,7 @@
  #ifdef HAVE_UTIME
  # include <utime.h>
  #endif
-@@ -33205,6 +33209,12 @@
+@@ -33206,6 +33210,12 @@
  #if defined(FD_CLOEXEC) && (!defined(O_CLOEXEC) || O_CLOEXEC==0)
      osFcntl(fd, F_SETFD, osFcntl(fd, F_GETFD, 0) | FD_CLOEXEC);
  #endif
@@ -63,7 +63,7 @@
    }
    return fd;
  }
-@@ -33785,7 +33795,13 @@
+@@ -33786,7 +33796,13 @@
  ** and move on.
  */
  static void robust_close(unixFile *pFile, int h, int lineno){
@@ -77,7 +77,7 @@
      unixLogErrorAtLine(SQLITE_IOERR_CLOSE, "close",
                         pFile ? pFile->zPath : 0, lineno);
    }
-@@ -36318,7 +36334,7 @@
+@@ -36319,7 +36335,7 @@
    SimulateIOError( rc=1 );
    if( rc!=0 ){
      storeLastErrno((unixFile*)id, errno);
@@ -86,7 +86,7 @@
    }
    *pSize = buf.st_size;
  
-@@ -36354,7 +36370,7 @@
+@@ -36355,7 +36371,7 @@
      struct stat buf;              /* Used to hold return values of fstat() */
     
      if( osFstat(pFile->h, &buf) ){
@@ -95,7 +95,7 @@
      }
  
      nSize = ((nByte+pFile->szChunk-1) / pFile->szChunk) * pFile->szChunk;
-@@ -37040,7 +37056,7 @@
+@@ -37041,7 +37057,7 @@
      ** with the same permissions.
      */
      if( osFstat(pDbFd->h, &sStat) ){
@@ -104,7 +104,7 @@
        goto shm_open_err;
      }
  
-@@ -124046,7 +124062,7 @@
+@@ -124047,7 +124063,7 @@
    }
    if( pDb->pSchema->file_format>SQLITE_MAX_FILE_FORMAT ){
      sqlite3SetString(pzErrMsg, db, "unsupported file format");
@@ -113,7 +113,7 @@
      goto initone_error_out;
    }
  
-@@ -164418,13 +164434,25 @@
+@@ -164415,13 +164431,25 @@
    ** module with sqlite.
    */
    if( SQLITE_OK==rc 
diff --git a/dist/orig/sqlite3.c b/dist/orig/sqlite3.c
index 163bbe9..b1b9cce 100644
--- a/dist/orig/sqlite3.c
+++ b/dist/orig/sqlite3.c
@@ -1164,7 +1164,7 @@
 */
 #define SQLITE_VERSION        "3.28.0"
 #define SQLITE_VERSION_NUMBER 3028000
-#define SQLITE_SOURCE_ID      "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad"
+#define SQLITE_SOURCE_ID      "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -17812,6 +17812,7 @@
 #define SF_Converted      0x10000  /* By convertCompoundSelectToSubquery() */
 #define SF_IncludeHidden  0x20000  /* Include hidden columns in output */
 #define SF_ComplexResult  0x40000  /* Result contains subquery or function */
+#define SF_NoopOrderBy   0x0400000 /* ORDER BY is ignored for this query */
 
 /*
 ** The results of a SELECT can be distributed in several ways, as defined
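Review bot: `SF_NoopOrderBy` is defined as `0x0400000`, which is easy to misread as the neighbouring `SF_ComplexResult` value `0x40000`, and it leaves bits 0x80000 through 0x200000 unassigned in the lines visible here. If the gap is deliberate (presumably to keep the value identical to upstream SQLite so later backports apply cleanly), the trailing comment should say so, e.g. `/* ORDER BY is ignored for this query; value kept as upstream */`. It is also worth confirming that `selFlags` is wide enough for bit 22, since its declaration is outside this hunk. The identical hunk in dist/sqlite3.c has the same issue.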
@@ -126326,8 +126327,6 @@
 
   assert( pExpr!=0 );
   assert( pNC->pSrcList!=0 );
-  assert( pExpr->op!=TK_AGG_COLUMN );  /* This routine runes before aggregates
-                                       ** are processed */
   switch( pExpr->op ){
     case TK_COLUMN: {
       /* The expression is a column. Locate the table the column is being
@@ -126649,7 +126648,6 @@
         pColExpr = pColExpr->pRight;
         assert( pColExpr!=0 );
       }
-      assert( pColExpr->op!=TK_AGG_COLUMN );
       if( pColExpr->op==TK_COLUMN ){
         /* For columns use the column name name */
         int iCol = pColExpr->iColumn;
@@ -127375,9 +127373,7 @@
                           selectOpName(p->op)));
         rc = sqlite3Select(pParse, p, &uniondest);
         testcase( rc!=SQLITE_OK );
-        /* Query flattening in sqlite3Select() might refill p->pOrderBy.
-        ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
-        sqlite3ExprListDelete(db, p->pOrderBy);
+        assert( p->pOrderBy==0 );
         pDelete = p->pPrior;
         p->pPrior = pPrior;
         p->pOrderBy = 0;
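Review bot: The new `assert( p->pOrderBy==0 )` replaces an unconditional `sqlite3ExprListDelete()`, so in builds where assert() compiles to nothing the invariant is not enforced. If any path still refills `p->pOrderBy` during `sqlite3Select()`, the `p->pOrderBy = 0;` two lines below drops the list without freeing it. The invariant appears to rest on the `SF_NoopOrderBy` flag that the later hunks in this file set and test, but nothing at this site says so. I would add a comment above the assert such as `/* SF_NoopOrderBy keeps the flattener from refilling p->pOrderBy, so it must still be NULL here */`. The enclosing function starts and ends outside the hunk, and the identical hunk in dist/sqlite3.c has the same gap.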
@@ -128693,7 +128689,7 @@
     ** We look at every expression in the outer query and every place we see
     ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
     */
-    if( pSub->pOrderBy ){
+    if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
       /* At this point, any non-zero iOrderByCol values indicate that the
       ** ORDER BY column expression is identical to the iOrderByCol'th
       ** expression returned by SELECT statement pSub. Since these values
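Review bot: The added test `(pParent->selFlags & SF_NoopOrderBy)==0` has no explanation, and the comment that follows inside the block still describes only the iOrderByCol handling. This condition looks like the security-relevant part of the change, since it appears to stop the subquery's ORDER BY from being carried into a parent whose own ORDER BY was discarded. A short comment before the `if` would help future backports, e.g. `/* Do not move pSub->pOrderBy into a parent whose ORDER BY was dropped (SF_NoopOrderBy) */`. The function continues outside the hunk, so it should be confirmed that `pSub->pOrderBy` is still freed along with `pSub` when the branch is skipped. The same hunk appears in dist/sqlite3.c.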
@@ -130327,6 +130323,7 @@
     sqlite3ExprListDelete(db, p->pOrderBy);
     p->pOrderBy = 0;
     p->selFlags &= ~SF_Distinct;
+    p->selFlags |= SF_NoopOrderBy;
   }
   sqlite3SelectPrep(pParse, p, 0);
   if( pParse->nErr || db->mallocFailed ){
@@ -218337,7 +218334,7 @@
 ){
   assert( nArg==0 );
   UNUSED_PARAM2(nArg, apUnused);
-  sqlite3_result_text(pCtx, "fts5: 2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad", -1, SQLITE_TRANSIENT);
+  sqlite3_result_text(pCtx, "fts5: 2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29", -1, SQLITE_TRANSIENT);
 }
 
 /*
@@ -223101,9 +223098,9 @@
 #endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */
 
 /************** End of stmt.c ************************************************/
-#if __LINE__!=223104
+#if __LINE__!=223101
 #undef SQLITE_SOURCE_ID
-#define SQLITE_SOURCE_ID      "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418falt2"
+#define SQLITE_SOURCE_ID      "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a9602alt2"
 #endif
 /* Return the source-id for this library */
 SQLITE_API const char *sqlite3_sourceid(void){ return SQLITE_SOURCE_ID; }
diff --git a/dist/orig/sqlite3.h b/dist/orig/sqlite3.h
index 2f9c25a..10c8284 100644
--- a/dist/orig/sqlite3.h
+++ b/dist/orig/sqlite3.h
@@ -125,7 +125,7 @@
 */
 #define SQLITE_VERSION        "3.28.0"
 #define SQLITE_VERSION_NUMBER 3028000
-#define SQLITE_SOURCE_ID      "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad"
+#define SQLITE_SOURCE_ID      "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
diff --git a/dist/sqlite3.c b/dist/sqlite3.c
index ede258f..f9df329 100644
--- a/dist/sqlite3.c
+++ b/dist/sqlite3.c
@@ -1164,7 +1164,7 @@
 */
 #define SQLITE_VERSION        "3.28.0"
 #define SQLITE_VERSION_NUMBER 3028000
-#define SQLITE_SOURCE_ID      "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad"
+#define SQLITE_SOURCE_ID      "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -17812,6 +17812,7 @@
 #define SF_Converted      0x10000  /* By convertCompoundSelectToSubquery() */
 #define SF_IncludeHidden  0x20000  /* Include hidden columns in output */
 #define SF_ComplexResult  0x40000  /* Result contains subquery or function */
+#define SF_NoopOrderBy   0x0400000 /* ORDER BY is ignored for this query */
 
 /*
 ** The results of a SELECT can be distributed in several ways, as defined
@@ -126342,8 +126343,6 @@
 
   assert( pExpr!=0 );
   assert( pNC->pSrcList!=0 );
-  assert( pExpr->op!=TK_AGG_COLUMN );  /* This routine runes before aggregates
-                                       ** are processed */
   switch( pExpr->op ){
     case TK_COLUMN: {
       /* The expression is a column. Locate the table the column is being
@@ -126665,7 +126664,6 @@
         pColExpr = pColExpr->pRight;
         assert( pColExpr!=0 );
       }
-      assert( pColExpr->op!=TK_AGG_COLUMN );
       if( pColExpr->op==TK_COLUMN ){
         /* For columns use the column name name */
         int iCol = pColExpr->iColumn;
@@ -127391,9 +127389,7 @@
                           selectOpName(p->op)));
         rc = sqlite3Select(pParse, p, &uniondest);
         testcase( rc!=SQLITE_OK );
-        /* Query flattening in sqlite3Select() might refill p->pOrderBy.
-        ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
-        sqlite3ExprListDelete(db, p->pOrderBy);
+        assert( p->pOrderBy==0 );
         pDelete = p->pPrior;
         p->pPrior = pPrior;
         p->pOrderBy = 0;
@@ -128709,7 +128705,7 @@
     ** We look at every expression in the outer query and every place we see
     ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
     */
-    if( pSub->pOrderBy ){
+    if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
       /* At this point, any non-zero iOrderByCol values indicate that the
       ** ORDER BY column expression is identical to the iOrderByCol'th
       ** expression returned by SELECT statement pSub. Since these values
@@ -130343,6 +130339,7 @@
     sqlite3ExprListDelete(db, p->pOrderBy);
     p->pOrderBy = 0;
     p->selFlags &= ~SF_Distinct;
+    p->selFlags |= SF_NoopOrderBy;
   }
   sqlite3SelectPrep(pParse, p, 0);
   if( pParse->nErr || db->mallocFailed ){
@@ -218365,7 +218362,7 @@
 ){
   assert( nArg==0 );
   UNUSED_PARAM2(nArg, apUnused);
-  sqlite3_result_text(pCtx, "fts5: 2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad", -1, SQLITE_TRANSIENT);
+  sqlite3_result_text(pCtx, "fts5: 2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29", -1, SQLITE_TRANSIENT);
 }
 
 /*
@@ -223129,9 +223126,9 @@
 #endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */
 
 /************** End of stmt.c ************************************************/
-#if __LINE__!=223104
+#if __LINE__!=223101
 #undef SQLITE_SOURCE_ID
-#define SQLITE_SOURCE_ID      "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418falt2"
+#define SQLITE_SOURCE_ID      "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a9602alt2"
 #endif
 /* Return the source-id for this library */
 SQLITE_API const char *sqlite3_sourceid(void){ return SQLITE_SOURCE_ID; }
diff --git a/dist/sqlite3.h b/dist/sqlite3.h
index 2f9c25a..10c8284 100644
--- a/dist/sqlite3.h
+++ b/dist/sqlite3.h
@@ -125,7 +125,7 @@
 */
 #define SQLITE_VERSION        "3.28.0"
 #define SQLITE_VERSION_NUMBER 3028000
-#define SQLITE_SOURCE_ID      "2020-05-06 18:46:38 b2325a6e1cfa19e9fd533c1f7dacfc8e5aa4f2e111fa066a5c7d3040418fc8ad"
+#define SQLITE_SOURCE_ID      "2021-07-13 15:30:48 d2e672203704aa18fdc652e9567eb29b71dae32e871f514308478a7a96025f29"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers