sqlite/6003-Fix-CVE-2020-11656.patch
From 9b063329ebbd9aafdad82ebf0b9103ce2dd1af18 Mon Sep 17 00:00:00 2001
From: shenkai8 <shenkai8@huawei.com>
Date: Thu, 16 Apr 2020 17:22:49 +0000
Subject: [PATCH] backport Fix CVE-2020-11656
Fix a case when a pointer might be used after being freed in
the ALTER TABLE code. Fix for [4722bdab08cb1].
(check-in: d09f8c36 user: dan tags: trunk)
Do not suppress errors when resolving references in an ORDER BY
clause belonging to a compound SELECT within a view or trigger
within ALTER TABLE. Fix for ticket [a10a14e9b4ba2].
(check-in: 68429388 user: dan tags: trunk)
Signed-off-by: dan <<dan@noemail.net>>
---
src/alter.c | 16 ++++++++++++++++
src/resolve.c | 2 +-
test/altertab.test | 31 ++++++++++++++++++++++++++++++-
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/src/alter.c b/src/alter.c
index ee193d1..918df77 100644
--- a/src/alter.c
+++ b/src/alter.c
@@ -756,6 +756,21 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
}
/*
+** Unmap all tokens in the IdList object passed as the second argument.
+*/
+static void unmapColumnIdlistNames(
+ Parse *pParse,
+ IdList *pIdList
+){
+ if( pIdList ){
+ int ii;
+ for(ii=0; ii<pIdList->nId; ii++){
+ sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName);
+ }
+ }
+}
+
+/*
** Walker callback used by sqlite3RenameExprUnmap().
*/
static int renameUnmapSelectCb(Walker *pWalker, Select *p){
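Review bot: The header comment on the new unmapColumnIdlistNames helper says what it does but not why it is needed, and the reason is the substance of this fix: the commit message ties it to a pointer used after being freed in the ALTER TABLE code. Suggest extending the comment to `** Unmap all tokens in the IdList object passed as the second argument.` / `** Used for the USING clause of each FROM-clause item so the rename-token map` / `** does not keep pointers into zName strings that are freed with the IdList.` The IdList's lifetime is not visible in this hunk, so confirm that wording against the code that frees the USING list before adopting it. The `int ii` declaration and loop shape match the existing loop in renameUnmapSelectCb, so the style is consistent.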
@@ -776,6 +791,7 @@ static int renameUnmapSelectCb(Walker *pWalker, Select *p){
for(i=0; i<pSrc->nSrc; i++){
sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);
if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;
+ unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);
}
}
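Review bot: The added unmapColumnIdlistNames call is placed after the `if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;` line, so when the walk over pOn aborts, that item's USING list is left mapped while zName has already been unmapped. Whether the abort path is reachable depends on the callback that sqlite3RenameExprUnmap installs, which is outside this hunk; if it is, unmapping pUsing directly after the zName remap keeps each item fully unmapped regardless of the pOn result: `sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);` / `unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);` / `if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;`. renameUnmapSelectCb begins and ends outside this hunk.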
diff --git a/src/resolve.c b/src/resolve.c
index 119a07f..894958c 100644
--- a/src/resolve.c
+++ b/src/resolve.c
@@ -1177,7 +1177,7 @@ static int resolveOrderByTermToExprList(
nc.nErr = 0;
db = pParse->db;
savedSuppErr = db->suppressErr;
- db->suppressErr = 1;
+ if( IN_RENAME_OBJECT==0 ) db->suppressErr = 1;
rc = sqlite3ResolveExprNames(&nc, pE);
db->suppressErr = savedSuppErr;
if( rc ) return 0;
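Review bot: The new `if( IN_RENAME_OBJECT==0 ) db->suppressErr = 1;` line carries no comment explaining why rename processing is exempt from error suppression, and the rationale lives only in the commit message. Suggest a comment directly above it: `/* Do not suppress errors while renaming (IN_RENAME_OBJECT): an unresolvable` / `** ORDER BY term in a view or trigger must be reported rather than silently` / `** ignored.  Ticket a10a14e9b4ba2. */`. The unconditional restore `db->suppressErr = savedSuppErr;` two lines later remains correct because savedSuppErr is captured before the conditional. resolveOrderByTermToExprList starts and ends outside this hunk.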
diff --git a/test/altertab.test b/test/altertab.test
index 7dcf8a5..01dd61a 100644
--- a/test/altertab.test
+++ b/test/altertab.test
@@ -594,7 +594,6 @@ reset_db
do_execsql_test 18.1.0 {
CREATE TABLE t0 (c0 INTEGER, PRIMARY KEY(c0)) WITHOUT ROWID;
}
-breakpoint
do_execsql_test 18.1.1 {
ALTER TABLE t0 RENAME COLUMN c0 TO c1;
}
@@ -613,4 +612,34 @@ do_execsql_test 18.2.2 {
SELECT sql FROM sqlite_master;
} {{CREATE TABLE t0 (c1 INTEGER, PRIMARY KEY(c1))}}
+# Ticket 4722bdab08cb14
+reset_db
+do_execsql_test 20.0 {
+ CREATE TABLE a(a);
+ CREATE VIEW b AS SELECT(SELECT *FROM c JOIN a USING(d, a, a, a) JOIN a) IN();
+}
+
+do_execsql_test 20.1 {
+ ALTER TABLE a RENAME a TO e;
+} {}
+
+reset_db
+do_execsql_test 21.0 {
+ CREATE TABLE a(b);
+ CREATE VIEW c AS
+ SELECT NULL INTERSECT
+ SELECT NULL ORDER BY
+ likelihood(NULL, (d, (SELECT c)));
+} {}
+do_catchsql_test 21.1 {
+ SELECT likelihood(NULL, (d, (SELECT c)));
+} {1 {second argument to likelihood() must be a constant between 0.0 and 1.0}}
+do_catchsql_test 21.2 {
+ SELECT * FROM c;
+} {1 {1st ORDER BY term does not match any column in the result set}}
+
+do_catchsql_test 21.3 {
+ ALTER TABLE a RENAME TO e;
+} {1 {error in view c: 1st ORDER BY term does not match any column in the result set}}
+
finish_test
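Review bot: Test 20.1 asserts only that `ALTER TABLE a RENAME a TO e` completes with an empty result; it does not inspect the rewritten schema, so a regression that leaves stale pointers to USING-clause names would surface only under a memory checker, not through the expected value. Consider following test 18.2.2 earlier in this file and adding a `SELECT sql FROM sqlite_master` step after 20.1 so the post-rename definition of view b is pinned. Tests 21.1 to 21.3 do pin the exact error text for the ORDER BY case, which covers the resolve.c change well.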
--
1.8.3.1