!106 修复漏洞CVE-2023-7104

From: @Jeremyzz 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

0004-CVE-2022-35737.patch

@@ -0,0 +1,80 @@
+From effc07ec9c6e08d3bd17665f8800054770f8c643 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Fri, 15 Jul 2022 12:34:31 +0000
+Subject: [PATCH] Fix the whereKeyStats() routine (part of STAT4 processing
+ only) so that it is able to cope with row-value comparisons against the
+ primary key index of a WITHOUT ROWID table.
+ [forum:/forumpost/3607259d3c|Forum post 3607259d3c].
+
+FossilOrigin-Name: 2a6f761864a462de5c2d5bc666b82fb0b7e124a03443cd1482620dde344b34bb
+
+---
+ src/where.c        |  4 ++--
+ test/rowvalue.test | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/src/where.c b/src/where.c
+index de6ea91e3..110eb4845 100644
+--- a/src/where.c
++++ b/src/where.c
+@@ -1433,7 +1433,7 @@ static int whereKeyStats(
+ #endif
+   assert( pRec!=0 );
+   assert( pIdx->nSample>0 );
+-  assert( pRec->nField>0 && pRec->nField<=pIdx->nSampleCol );
++  assert( pRec->nField>0 );
+ 
+   /* Do a binary search to find the first sample greater than or equal
+   ** to pRec. If pRec contains a single field, the set of samples to search
+@@ -1479,7 +1479,7 @@ static int whereKeyStats(
+   ** it is extended to two fields. The duplicates that this creates do not 
+   ** cause any problems.
+   */
+-  nField = pRec->nField;
++  nField = MIN(pRec->nField, pIdx->nSample);
+   iCol = 0;
+   iSample = pIdx->nSample * nField;
+   do{
+diff --git a/test/rowvalue.test b/test/rowvalue.test
+index 12fee8237..59b44d938 100644
+--- a/test/rowvalue.test
++++ b/test/rowvalue.test
+@@ -751,4 +751,35 @@ do_catchsql_test 27.10 {
+   INSERT INTO t0(c0) VALUES(0) ON CONFLICT(c0) DO UPDATE SET c0 = 3;
+ } {1 {ON CONFLICT clause does not match any PRIMARY KEY or UNIQUE constraint}}
+ 
++# 2022-07-15
++# https://sqlite.org/forum/forumpost/3607259d3c
++#
++reset_db
++do_execsql_test 33.1 {
++  CREATE TABLE t1(a INT, b INT PRIMARY KEY) WITHOUT ROWID;
++  INSERT INTO t1(a, b) VALUES (0, 1),(15,-7),(3,100);
++  ANALYZE;
++} {}
++do_execsql_test 33.2 {
++  SELECT * FROM t1 WHERE (b,a) BETWEEN (0,5) AND (99,-2);
++} {0 1}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (b,a) BETWEEN (-8,5) AND (0,-2);
++} {15 -7}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (b,a) BETWEEN (3,5) AND (100,4);
++} {3 100}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (b,a) BETWEEN (3,5) AND (100,2);
++} {}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (a,b) BETWEEN (-2,99) AND (1,0);
++} {0 1}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (a,b) BETWEEN (14,99) AND (16,0);
++} {15 -7}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (a,b) BETWEEN (2,99) AND (4,0);
++} {3 100}
++
+ finish_test
+-- 
+2.25.1
+

0005-CVE-2021-20223.patch

@@ -0,0 +1,73 @@
+From 4c5f8ebaf38faa9be7bdacc4fe53e91dc9750a88 Mon Sep 17 00:00:00 2001
+From: wbq_sky <wangbingquan@huawei.com>
+Date: Wed, 31 Aug 2022 10:56:50 +0800
+Subject: [PATCH] Fix CVE-2021-20223 From
+ d1d43efa4fb0f2098c0e2c5bf2e807c58d5ec05b Mon Sep 17 00:00:00 2001 From: dan
+ <dan@noemail.net> Date: Mon, 26 Oct 2020 13:24:36 +0000 Subject: [PATCH]
+ Prevent fts5 tokenizer unicode61 from considering '\0' to be  a token
+ characters, even if other characters of class "Cc" are.
+
+FossilOrigin-Name: b7b7bde9b7a03665e3691c6d51118965f216d2dfb1617f138b9f9e60e418ed2f
+---
+ ext/fts5/fts5_unicode2.c    |  1 +
+ ext/fts5/test/fts5tok1.test | 35 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/ext/fts5/fts5_unicode2.c b/ext/fts5/fts5_unicode2.c
+index 161e8d8..843133e 100644
+--- a/ext/fts5/fts5_unicode2.c
++++ b/ext/fts5/fts5_unicode2.c
+@@ -773,4 +773,5 @@ void sqlite3Fts5UnicodeAscii(u8 *aArray, u8 *aAscii){
+     }
+     iTbl++;
+   }
++  aAscii[0] = 0;                  /* 0x00 is never a token character */
+ }
+diff --git a/ext/fts5/test/fts5tok1.test b/ext/fts5/test/fts5tok1.test
+index a336f11..c605ce3 100644
+--- a/ext/fts5/test/fts5tok1.test
++++ b/ext/fts5/test/fts5tok1.test
+@@ -111,5 +111,40 @@ do_catchsql_test 2.1 {
+   SELECT * FROM t4;
+ } {1 {SQL logic error}}
+ 
++#-------------------------------------------------------------------------
++# Embedded 0x00 characters.
++#
++reset_db
++do_execsql_test 3.1.0 {
++  CREATE VIRTUAL TABLE t1 USING fts5(z);
++  CREATE VIRTUAL TABLE tt USING fts5vocab(t1, 'instance');
++  INSERT INTO t1 VALUES('abc' || char(0) || 'def');
++  SELECT * FROM tt;
++} { abc 1 z 0 def 1 z 1 }
++do_execsql_test 3.1.1 {
++  SELECT hex(z) FROM t1;
++} {61626300646566}
++do_execsql_test 3.1.2 {
++  INSERT INTO t1(t1) VALUES('integrity-check');
++} {}
++
++do_execsql_test 3.2.0 {
++  CREATE VIRTUAL TABLE t2 USING fts5(z, 
++      tokenize="unicode61 categories 'L* N* Co Cc'"
++  );
++  CREATE VIRTUAL TABLE tu USING fts5vocab(t2, 'instance');
++
++  INSERT INTO t2 VALUES('abc' || char(0) || 'def');
++  SELECT * FROM tu;
++} { abc 1 z 0 def 1 z 1 }
++
++do_execsql_test 3.2.1 {
++  SELECT hex(z) FROM t1;
++} {61626300646566}
++
++do_execsql_test 3.2.2 {
++  INSERT INTO t1(t1) VALUES('integrity-check');
++} {}
++
+ 
+ finish_test
+-- 
+2.25.1
+

0006-fix-integer-overflow-on-gigabyte-string.patch

@@ -0,0 +1,28 @@
+From d409970d551d4cc9c8fc969cb3f39b0a2334841f Mon Sep 17 00:00:00 2001
+From: zwtmichael <zhuwentao5@huawei.com>
+Date: Tue, 6 Sep 2022 10:47:19 +0800
+Subject: [PATCH] fix integer overflow on gigabyte string
+
+Signed-off-by: zwtmichael <zhuwentao5@huawei.com>
+---
+ src/printf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/printf.c b/src/printf.c
+index ae95702..699bdb5 100644
+--- a/src/printf.c
++++ b/src/printf.c
+@@ -798,8 +798,8 @@ void sqlite3_str_vappendf(
+       case etSQLESCAPE:           /* %q: Escape ' characters */
+       case etSQLESCAPE2:          /* %Q: Escape ' and enclose in '...' */
+       case etSQLESCAPE3: {        /* %w: Escape " characters */
+-        int i, j, k, n, isnull;
+-        int needQuote;
++        i64 i, j, k, n;
++        int needQuote, isnull;
+         char ch;
+         char q = ((xtype==etSQLESCAPE3)?'"':'\'');   /* Quote character */
+         char *escarg;
+-- 
+2.25.1
+

0007-CVE-2023-7104.patch

@@ -0,0 +1,45 @@
+it From a756d158b3e55831975feb45b753ba499d2adeda Mon Sep 17 00:00:00 2001
+From: mazhao <mazhao12@huawei.com>
+Date: Wed, 3 Jan 2024 12:00:45 +0800
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could
+ occur when processing a corrupt changeset.
+
+Signed-off-by: mazhao <mazhao12@huawei.com>
+---
+ ext/session/sqlite3session.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
+index a892804..72ad427 100644
+--- a/ext/session/sqlite3session.c
++++ b/ext/session/sqlite3session.c
+@@ -3050,15 +3050,19 @@ static int sessionReadRecord(
+         }
+       }
+       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+-        sqlite3_int64 v = sessionGetI64(aVal);
+-        if( eType==SQLITE_INTEGER ){
+-          sqlite3VdbeMemSetInt64(apOut[i], v);
++        if( (pIn->nData-pIn->iNext)<8 ){
++          rc = SQLITE_CORRUPT_BKPT;
+         }else{
+-          double d;
+-          memcpy(&d, &v, 8);
+-          sqlite3VdbeMemSetDouble(apOut[i], d);
++          sqlite3_int64 v = sessionGetI64(aVal);
++          if( eType==SQLITE_INTEGER ){
++            sqlite3VdbeMemSetInt64(apOut[i], v);
++          }else{
++            double d;
++            memcpy(&d, &v, 8);
++            sqlite3VdbeMemSetDouble(apOut[i], d);
++          }
++          pIn->iNext += 8;
+         }
+-        pIn->iNext += 8;
+       }
+     }
+   }
+-- 
+2.34.1
+

sqlite.spec

@@ -7,7 +7,7 @@
 
 Name:    sqlite
 Version: 3.32.3
-Release: 3
+Release: 7
 Summary: Embeded SQL database
 License: Public Domain
 URL:     http://www.sqlite.org/
@@ -19,6 +19,10 @@ Source2: https://www.sqlite.org/%{year}/sqlite-autoconf-%{extver}.tar.gz
 Patch1: 0001-sqlite-no-malloc-usable-size.patch
 Patch2: 0002-remove-fail-testcase-in-no-free-fd-situation.patch
 Patch3: CVE-2021-20227.patch
+Patch4: 0004-CVE-2022-35737.patch
+Patch5: 0005-CVE-2021-20223.patch
+Patch6: 0006-fix-integer-overflow-on-gigabyte-string.patch
+Patch7: 0007-CVE-2023-7104.patch
 
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -64,7 +68,10 @@ This contains man files and HTML files for the using of sqlite.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
 
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
 
@@ -137,10 +144,22 @@ make test
 %{_mandir}/man*/*
 
 %changelog
+* Wed Jan 3 2024 mazhao <mazhao12@huawei.com> - 3.32.3-7
+- fix the CVE-2023-7104
+
+* Tue Sep 6 2022 zhuwentao <zhuwentao5@huawei.com> - 3.32.3-6
+- fix integer overflow on gigabyte string
+
+* Wed Aug 31 2022 wbq_sky<wangbingquan@huawei.com> - 3.32.3-5
+- Fix CVE-2021-20223
+
+* Tue Aug 16 2022 liusirui<liusirui@huawei.com> - 3.32.3-4
+- Fix CVE-2022-35737
+
 * Mon Apr 26 2021 bzhaoop<bzhaojyathousandy@gmail.com> - 3.32.3-3
 - Fix CVE-2021-20227
 
-* Thu Sep 2 2020 lihaotian<lihaotian9@huawei.com> - 3.32.3-2
+* Thu Sep 3 2020 lihaotian<lihaotian9@huawei.com> - 3.32.3-2
 - update source0 url
 
 * Tue Aug 25 2020 yanglongkang <yanglongkang@huawei.com> - 3.32.3-1
@@ -182,13 +201,13 @@ make test
 - SUG:NA
 - DESC:fix cves
 
-* Wed Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.24.0-8
+* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.24.0-8
 - Type:enhancement
 - ID:NA
 - SUG:NA
 - DESC:CVE-2019-19959 fixed
 
-* Wed Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.24.0-7
+* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.24.0-7
 - Type:enhancement
 - ID:NA
 - SUG:NA