sqlite/CVE-2021-20227.patch
herengui cf40a73141 Fix CVE-2021-20227
Signed-off-by: herengui <herengui@uniontech.com>
2022-01-28 11:00:06 +08:00


Index: sqlite-src-3320300/src/select.c
==================================================================
--- sqlite-src-3320300/src/select.c
+++ sqlite-src-3320300/src/select.c
@@ -5613,11 +5613,13 @@
** within the HAVING expression with a constant "1".
*/
static int havingToWhereExprCb(Walker *pWalker, Expr *pExpr){
if( pExpr->op!=TK_AND ){
Select *pS = pWalker->u.pSelect;
- if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy) ){
+ if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy)
+ && ExprAlwaysFalse(pExpr)==0
+ ){
sqlite3 *db = pWalker->pParse->db;
Expr *pNew = sqlite3Expr(db, TK_INTEGER, "1");
if( pNew ){
Expr *pWhere = pS->pWhere;
SWAP(Expr, *pNew, *pExpr);
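Review bot: The new `ExprAlwaysFalse(pExpr)==0` guard carries no comment, and the function's header comment (which begins above the hunk) still describes the HAVING-to-WHERE move as applying to every constant-or-GROUP-BY term, so a reader cannot tell why an always-false term is now exempt. I would add, directly above the `if`, something like `/* Never move an always-false term (e.g. "HAVING 0") into WHERE: when WHERE also references a column of an outer aggregate query, the combined (expr AND 0) may later be simplified to 0, dropping that reference and corrupting the outer query's aggregate processing (CVE-2021-20227). */`. Note also that this backport exempts only the always-false case; the test added by this patch describes the trigger as a WHERE term referencing the outer aggregate query, and upstream SQLite's current havingToWhereExprCb additionally requires `pExpr->pAggInfo==0` so that a HAVING term which is itself a correlated reference to an outer aggregate is never moved — worth confirming whether that follow-up is needed in this 3.32.3 tree as well. havingToWhereExprCb's body continues past the hunk.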
Index: sqlite-src-3320300/test/having.test
==================================================================
--- sqlite-src-3320300/test/having.test
+++ sqlite-src-3320300/test/having.test
@@ -63,12 +63,12 @@
"SELECT a, sum(b) FROM t1 WHERE a=2 GROUP BY a HAVING sum(b)>5"
3 "SELECT a, sum(b) FROM t1 GROUP BY a COLLATE binary HAVING a=2"
"SELECT a, sum(b) FROM t1 WHERE a=2 GROUP BY a COLLATE binary"
- 5 "SELECT a, sum(b) FROM t1 GROUP BY a COLLATE binary HAVING 0"
- "SELECT a, sum(b) FROM t1 WHERE 0 GROUP BY a COLLATE binary"
+ 5 "SELECT a, sum(b) FROM t1 GROUP BY a COLLATE binary HAVING 1"
+ "SELECT a, sum(b) FROM t1 WHERE 1 GROUP BY a COLLATE binary"
6 "SELECT count(*) FROM t1,t2 WHERE a=c GROUP BY b, d HAVING b=d"
"SELECT count(*) FROM t1,t2 WHERE a=c AND b=d GROUP BY b, d"
7 {
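Review bot: Rewriting entry 5 from `HAVING 0` to `HAVING 1` removes the only entry in this table that exercised an always-false HAVING term, so the table no longer says anything about the behaviour this patch changes. If this table checks that the first query is compiled like the second (the hunk does not show how the pairs are compared), keeping the original input with an unchanged expected form, `5 "SELECT a, sum(b) FROM t1 GROUP BY a COLLATE binary HAVING 0"` paired with the same text, would pin that the optimization is now skipped for an always-false term rather than only that the crash is gone. The `HAVING 1` variant can stay as an additional entry. The enclosing test table starts above the hunk.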
@@ -151,8 +151,28 @@
#
set ::nondeter_ret 0
do_execsql_test 4.3 {
SELECT a, sum(b) FROM t3 WHERE nondeter(a) GROUP BY a
} {1 4 2 2}
+
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 5.0 {
+ CREATE TABLE t1(a, b);
+ CREATE TABLE t2(x, y);
+ INSERT INTO t1 VALUES('a', 'b');
+}
+
+# The WHERE clause (a=2), uses an aggregate column from the outer query.
+# If the HAVING term (0) is moved into the WHERE clause in this case,
+# SQLite would at one point optimize (a=2 AND 0) to simply (0). Which
+# is logically correct, but happened to cause problems in aggregate
+# processing for the outer query. This test case verifies that those
+# problems are no longer present.
+do_execsql_test 5.1 {
+ SELECT min(b), (
+ SELECT x FROM t2 WHERE a=2 GROUP BY y HAVING 0
+ ) FROM t1;
+} {b {}}
finish_test
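Review bot: Test 5.1 only pins the query result `{b {}}`; the comment above it attributes the original defect to "problems in aggregate processing for the outer query", and if that was memory corruption rather than a wrong result, a plain build may pass this assertion even with the fix reverted. I would say so in the comment, e.g. `# NOTE: this case is only a reliable regression check under a sanitizer or valgrind build.`, and make sure the CVE regression run uses such a build. The phrase "uses an aggregate column from the outer query" is also imprecise: `a` is a plain, non-aggregated column of the outer query, which is an aggregate query only because of `min(b)`; `uses a column of the outer aggregate query` would match what the SQL shows. Whether ExprAlwaysFalse recognizes anything beyond literal constants cannot be seen from this hunk, so the test deliberately covers just the `HAVING 0` form.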