add 0004-Fix-CVE-2020-15358.patch.

0004-Fix-CVE-2020-15358.patch
2020-08-03 17:47:32 +08:00 · 2020-08-03 17:47:32 +08:00 · f279132e49
commit f279132e49
parent 920187b9f1
1 changed files with 90 additions and 0 deletions
--- a/0004-Fix-CVE-2020-15358.patch
+++ b/0004-Fix-CVE-2020-15358.patch
@ -0,0 +1,90 @@
+From a144b923c5f3a60e4f7caa77305a3e4765bdba5d Mon Sep 17 00:00:00 2001
+From: Peibao Liu <peibao.liu@windriver.com>
+Date: Mon, 6 Jul 2020 15:59:47 -0400
+Subject: [PATCH] backport-Fix-CVE-2020-15358
+
+Signed-off-by: Peibao Liu <peibao.liu@windriver.com>
+---
+ src/select.c      |  7 +++----
+ src/sqliteInt.h   |  1 +
+ test/selectA.test | 21 +++++++++++++++++++++
+ 3 files changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/src/select.c b/src/select.c
+index b5e5a75..7f88e35 100644
+--- a/src/select.c
+++ b/src/select.c
+@@ -2717,9 +2717,7 @@ static int multiSelect(
+                           selectOpName(p->op)));
+         rc = sqlite3Select(pParse, p, &uniondest);
+         testcase( rc!=SQLITE_OK );
+-        /* Query flattening in sqlite3Select() might refill p->pOrderBy.
+-        ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
+-        sqlite3ExprListDelete(db, p->pOrderBy);
+        assert( p->pOrderBy==0 );
+         pDelete = p->pPrior;
+         p->pPrior = pPrior;
+         p->pOrderBy = 0;
+@@ -4068,7 +4066,7 @@ static int flattenSubquery(
+     ** We look at every expression in the outer query and every place we see
+     ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
+     */
+-    if( pSub->pOrderBy ){
+    if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
+       /* At this point, any non-zero iOrderByCol values indicate that the
+       ** ORDER BY column expression is identical to the iOrderByCol'th
+       ** expression returned by SELECT statement pSub. Since these values
+@@ -5769,6 +5767,7 @@ int sqlite3Select(
+     sqlite3ExprListDelete(db, p->pOrderBy);
+     p->pOrderBy = 0;
+     p->selFlags &= ~SF_Distinct;
+    p->selFlags |= SF_NoopOrderBy;
+   }
+   sqlite3SelectPrep(pParse, p, 0);
+   if( pParse->nErr || db->mallocFailed ){
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index aa9556b..514df18 100644
+--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
+@@ -3074,6 +3074,7 @@ struct Select {
+ #define SF_WhereBegin    0x0080000 /* Really a WhereBegin() call.  Debug Only */
+ #define SF_WinRewrite    0x0100000 /* Window function rewrite accomplished */
+ #define SF_View          0x0200000 /* SELECT statement is a view */
+#define SF_NoopOrderBy   0x0400000 /* ORDER BY is ignored for this query */
+ 
+ /*
+ ** The results of a SELECT can be distributed in several ways, as defined
+diff --git a/test/selectA.test b/test/selectA.test
+index 838e5f4..7ca0096 100644
+--- a/test/selectA.test
+++ b/test/selectA.test
+@@ -1446,5 +1446,26 @@ do_execsql_test 6.1 {
+   SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
+ } {12345}
+ 
+# 2020-06-15 ticket 8f157e8010b22af0
+#
+reset_db
+do_execsql_test 7.1 {
+  CREATE TABLE t1(c1);     INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc');
+  CREATE TABLE t2(c2);     INSERT INTO t2 VALUES(44),(55),(123);
+  CREATE TABLE t3(c3,c4);  INSERT INTO t3 VALUES(66,1),(123,2),(77,3);
+  CREATE VIEW t4 AS SELECT c3 FROM t3;
+  CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4;
+}
+do_execsql_test 7.2 {
+  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123;
+} {123 123}
+do_execsql_test 7.3 {
+  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123;
+} {123 123}
+do_execsql_test 7.4 {
+  CREATE TABLE a(b);
+  CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
+  SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
+} {}
+ 
+ finish_test
+-- 
+2.23.0
+