| Brad Bishop | 1932369 | 2019-04-05 15:28:33 -0400 | [diff] [blame] | 1 | Running fts5 prefix queries inside a transaction could trigger a heap-based |
| 2 | buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an |
| 3 | information leak. |
| 4 | |
| 5 | CVE: CVE-2019-9936 |
| 6 | Upstream-Status: Backport [https://sqlite.org/src/vpatch?from=45c73deb440496e8&to=b3fa58dd7403dbd4] |
| 7 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
| 8 | --- |
| 9 | sqlite3.c | 4 +++- |
| 10 | 1 file changed, 3 insertions(+), 1 deletion(-) |
| 11 | |
| 12 | diff --git a/sqlite3.c b/sqlite3.c |
| 13 | index 4729f45..65527d8 100644 |
| 14 | --- a/sqlite3.c |
| 15 | +++ b/sqlite3.c |
| 16 | @@ -207759,7 +207759,9 @@ static int fts5HashEntrySort( |
| 17 | for(iSlot=0; iSlot<pHash->nSlot; iSlot++){ |
| 18 | Fts5HashEntry *pIter; |
| 19 | for(pIter=pHash->aSlot[iSlot]; pIter; pIter=pIter->pHashNext){ |
| 20 | - if( pTerm==0 || 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm) ){ |
| 21 | + if( pTerm==0 |
| 22 | + || (pIter->nKey+1>=nTerm && 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm)) |
| 23 | + ){ |
| 24 | Fts5HashEntry *pEntry = pIter; |
| 25 | pEntry->pScanNext = 0; |
| 26 | for(i=0; ap[i]; i++){ |
| 27 | -- |
| 28 | 2.20.1 |