From 156cc9423d4c4bade28468b2232226e2cd61aa6c Mon Sep 17 00:00:00 2001
From: shenkai8 <shenkai8@huawei.com>
Date: Thu, 16 Apr 2020 17:04:17 +0000
Subject: [PATCH] backport-Fix-CVE-2020-11655
In the event of a semantic error in an aggregate query,
early-out the resetAccumulator() function to prevent
problems due to incomplete or incorrect initialization
of the AggInfo object. Fix for ticket [af4556bb5c285c08].
Signed-off-by: drh <drh@noemail.net>
---
src/select.c | 1 +
test/window1.test | 9 +++++++++
2 files changed, 10 insertions(+)
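--- a/src/select.c
+++ b/src/select.c
@@ -5352,6 +5352,7 @@ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){
 struct AggInfo_func *pFunc;
 int nReg = pAggInfo->nFunc + pAggInfo->nColumn;
 if( nReg==0 ) return;
+ if( pParse->nErr ) return;
 #ifdef SQLITE_DEBUG
 /* Verify that all AggInfo registers are within the range specified by
 ** AggInfo.mnReg..AggInfo.mxReg */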
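Review bot: The added `if( pParse->nErr ) return;` guard in resetAccumulator() has no comment, so the reason it has to sit ahead of the SQLITE_DEBUG range checks and the code that follows them is recorded only in the commit message. I would put a line above it such as `/* After a semantic error the AggInfo may be only partly initialized; emit no code rather than walk it (ticket af4556bb5c285c08) */`. The guard covers this one consumer only; any other routine that reads the same AggInfo after an error lies outside the hunk, so it is worth confirming that those paths are either not reached once nErr is set or tolerate the partial state. The function body starts and ends outside the hunk.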
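--- a/test/window1.test
+++ b/test/window1.test
@@ -1593,5 +1593,14 @@ do_execsql_test 48.1 {
 FROM (SELECT (SELECT sum(a) FROM t1 GROUP BY a) AS x FROM t1);
 } {2 2 2}
 
+# 2020-04-03 ticket af4556bb5c285c08
+#
+reset_db
+do_catchsql_test 51.1 {
+ CREATE TABLE a(b, c);
+ SELECT c FROM a GROUP BY c
+ HAVING(SELECT(sum(b) OVER(ORDER BY b),
+ sum(b) OVER(PARTITION BY min(DISTINCT c), c ORDER BY b)));
+} {1 {row value misused}}
 
 finish_test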
--
1.8.3.1