| Running fts5 prefix queries inside a transaction could trigger a heap-based |
| buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an |
| information leak. |
| |
| CVE: CVE-2019-9936 |
| Upstream-Status: Backport [https://sqlite.org/src/vpatch?from=45c73deb440496e8&to=b3fa58dd7403dbd4] |
| Signed-off-by: Ross Burton <ross.burton@intel.com> |
| --- |
| sqlite3.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| diff --git a/sqlite3.c b/sqlite3.c |
| index 4729f45..65527d8 100644 |
| --- a/sqlite3.c |
| +++ b/sqlite3.c |
| @@ -207759,7 +207759,9 @@ static int fts5HashEntrySort( |
| for(iSlot=0; iSlot<pHash->nSlot; iSlot++){ |
| Fts5HashEntry *pIter; |
| for(pIter=pHash->aSlot[iSlot]; pIter; pIter=pIter->pHashNext){ |
| - if( pTerm==0 || 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm) ){ |
| + if( pTerm==0 |
| + || (pIter->nKey+1>=nTerm && 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm)) |
| + ){ |
| Fts5HashEntry *pEntry = pIter; |
| pEntry->pScanNext = 0; |
| for(i=0; ap[i]; i++){ |
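Review bot: The new guard `pIter->nKey+1>=nTerm` carries an unexplained `+1`, and nothing in the hunk shows why the stored key is one byte longer than `nKey`. Presumably the buffer returned by `fts5EntryKey()` holds an extra leading or trailing byte, but that should be confirmed against the code that allocates the entry, because the bound is what keeps `memcmp()` inside the allocation. I would add a comment above the condition such as `/* Compare only when the stored key (nKey bytes plus one extra byte) is at least nTerm bytes, so memcmp() cannot read past the entry */`. A regression test that runs a prefix query longer than an existing term inside a transaction, under ASan, would pin the fix. The body of `fts5HashEntrySort` starts and ends outside the hunk, so whether `nTerm` is otherwise validated cannot be judged from here.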
| -- |
| 2.20.1 |