Andrew Geissler | 82c905d | 2020-04-13 13:39:40 -0500 | [diff] [blame^] | 1 | From 45d491851e1bca378de158a5e279fd584ce548e4 Mon Sep 17 00:00:00 2001 |
| 2 | From: "D. Richard Hipp" <drh@hwaci.com> |
| 3 | Date: Mon, 17 Feb 2020 00:12:04 +0000 |
| 4 | Subject: [PATCH] [PATCH 1/2] Take care when checking the table of a TK_COLUMN |
| 5 | expression node to see if the table is a virtual table to first ensure that |
| 6 | the Expr.y.pTab pointer is not null due to generated column optimizations. |
| 7 | Ticket [4374860b29383380]. |
| 8 | |
| 9 | FossilOrigin-Name: 9d0d4ab95dc0c56e053c2924ed322a9ea7b25439e6f74599f706905a1994e454 |
| 10 | |
| 11 | [PATCH 2/2] A better (smaller and faster) solution to ticket |
| 12 | [4374860b29383380]. |
| 13 | |
| 14 | FossilOrigin-Name: abc473fb8fb999005dc79a360e34f97b3b25429decf1820dd2afa5c19577753d |
| 15 | |
| 16 | The two patches were converted to amalgamation format |
| 17 | |
| 18 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> |
| 19 | Upstream-Status: Backport |
| 20 | CVE: CVE-2020-9327 |
| 21 | --- |
| 22 | sqlite3.c | 35 ++++++++++++++++++++++++----------- |
| 23 | sqlite3.h | 2 +- |
| 24 | 2 files changed, 25 insertions(+), 12 deletions(-) |
| 25 | |
| 26 | diff --git a/sqlite3.c b/sqlite3.c |
| 27 | index 55dc686..64fae04 100644 |
| 28 | --- a/sqlite3.c |
| 29 | +++ b/sqlite3.c |
| 30 | @@ -1167,7 +1167,7 @@ extern "C" { |
| 31 | */ |
| 32 | #define SQLITE_VERSION "3.31.1" |
| 33 | #define SQLITE_VERSION_NUMBER 3031001 |
| 34 | -#define SQLITE_SOURCE_ID "2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837bb4d6" |
| 35 | +#define SQLITE_SOURCE_ID "2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837balt1" |
| 36 | |
| 37 | /* |
| 38 | ** CAPI3REF: Run-Time Library Version Numbers |
| 39 | @@ -17428,8 +17428,11 @@ struct Table { |
| 40 | */ |
| 41 | #ifndef SQLITE_OMIT_VIRTUALTABLE |
| 42 | # define IsVirtual(X) ((X)->nModuleArg) |
| 43 | +# define ExprIsVtab(X) \ |
| 44 | + ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg) |
| 45 | #else |
| 46 | # define IsVirtual(X) 0 |
| 47 | +# define ExprIsVtab(X) 0 |
| 48 | #endif |
| 49 | |
| 50 | /* |
| 51 | @@ -104133,19 +104136,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){ |
| 52 | case TK_LT: |
| 53 | case TK_LE: |
| 54 | case TK_GT: |
| 55 | - case TK_GE: |
| 56 | + case TK_GE: { |
| 57 | + Expr *pLeft = pExpr->pLeft; |
| 58 | + Expr *pRight = pExpr->pRight; |
| 59 | testcase( pExpr->op==TK_EQ ); |
| 60 | testcase( pExpr->op==TK_NE ); |
| 61 | testcase( pExpr->op==TK_LT ); |
| 62 | testcase( pExpr->op==TK_LE ); |
| 63 | testcase( pExpr->op==TK_GT ); |
| 64 | testcase( pExpr->op==TK_GE ); |
| 65 | - if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab)) |
| 66 | - || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab)) |
| 67 | + /* The y.pTab=0 assignment in wherecode.c always happens after the |
| 68 | + ** impliesNotNullRow() test */ |
| 69 | + if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0) |
| 70 | + && IsVirtual(pLeft->y.pTab)) |
| 71 | + || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0) |
| 72 | + && IsVirtual(pRight->y.pTab)) |
| 73 | ){ |
| 74 | - return WRC_Prune; |
| 75 | + return WRC_Prune; |
| 76 | } |
| 77 | - |
| 78 | + } |
| 79 | default: |
| 80 | return WRC_Continue; |
| 81 | } |
| 82 | @@ -142591,7 +142600,8 @@ static int isAuxiliaryVtabOperator( |
| 83 | ** MATCH(expression,vtab_column) |
| 84 | */ |
| 85 | pCol = pList->a[1].pExpr; |
| 86 | - if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ |
| 87 | + testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); |
| 88 | + if( ExprIsVtab(pCol) ){ |
| 89 | for(i=0; i<ArraySize(aOp); i++){ |
| 90 | if( sqlite3StrICmp(pExpr->u.zToken, aOp[i].zOp)==0 ){ |
| 91 | *peOp2 = aOp[i].eOp2; |
| 92 | @@ -142613,7 +142623,8 @@ static int isAuxiliaryVtabOperator( |
| 93 | ** with function names in an arbitrary case. |
| 94 | */ |
| 95 | pCol = pList->a[0].pExpr; |
| 96 | - if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ |
| 97 | + testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); |
| 98 | + if( ExprIsVtab(pCol) ){ |
| 99 | sqlite3_vtab *pVtab; |
| 100 | sqlite3_module *pMod; |
| 101 | void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**); |
| 102 | @@ -142636,10 +142647,12 @@ static int isAuxiliaryVtabOperator( |
| 103 | int res = 0; |
| 104 | Expr *pLeft = pExpr->pLeft; |
| 105 | Expr *pRight = pExpr->pRight; |
| 106 | - if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){ |
| 107 | + testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 ); |
| 108 | + if( ExprIsVtab(pLeft) ){ |
| 109 | res++; |
| 110 | } |
| 111 | - if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){ |
| 112 | + testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 ); |
| 113 | + if( pRight && ExprIsVtab(pRight) ){ |
| 114 | res++; |
| 115 | SWAP(Expr*, pLeft, pRight); |
| 116 | } |
| 117 | @@ -228440,7 +228453,7 @@ SQLITE_API int sqlite3_stmt_init( |
| 118 | #endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */ |
| 119 | |
| 120 | /************** End of stmt.c ************************************************/ |
| 121 | -#if __LINE__!=228443 |
| 122 | +#if __LINE__!=228456 |
| 123 | #undef SQLITE_SOURCE_ID |
| 124 | #define SQLITE_SOURCE_ID "2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837balt2" |
| 125 | #endif |
| 126 | diff --git a/sqlite3.h b/sqlite3.h |
| 127 | index cef6eea..5b9796c 100644 |
| 128 | --- a/sqlite3.h |
| 129 | +++ b/sqlite3.h |
| 130 | @@ -125,7 +125,7 @@ extern "C" { |
| 131 | */ |
| 132 | #define SQLITE_VERSION "3.31.1" |
| 133 | #define SQLITE_VERSION_NUMBER 3031001 |
| 134 | -#define SQLITE_SOURCE_ID "2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837bb4d6" |
| 135 | +#define SQLITE_SOURCE_ID "2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837balt1" |
| 136 | |
| 137 | /* |
| 138 | ** CAPI3REF: Run-Time Library Version Numbers |
| 139 | -- |
| 140 | 2.25.1 |
| 141 | |