[RESTRICT AUTOMERGE] Apply security patch to sqlite 3.22
This patch fixes CVE-2019-9936, CVE-2019-5018 and CVE-2019-8457,
tracked in b/140181188, b/140180629 and b/140182003 respectively.
Download from https://www.sqlite.org/src/info/68b898381ac29429
Get the Tarball or ZIP Archive, unzip it on a Linux machine, then run:
mkdir bld; cd bld; ../configure; make sqlite3.c
Copy sqlite3.c, sqlite3.h, sqlite3ext.h, shell.c from bld directory
to dist/orig.
dist contains a copy of dist/orig, but with the Android.patch
file applied.
Test: select sqlite_version() - returns 3.22.0
Test: atest cts/SQLiteDatabaseTest all passed.
Bug: 140181188
Bug: 140180629
Bug: 140182003
Change-Id: Ib500af90bcb7c29db6bd30574264831001bc9a3d
(cherry picked from commit 8e199cf3c1828da9d5a7d95c7c1994c5c83bc957)
diff --git a/README.version b/README.version
index a14d841..607d043 100644
--- a/README.version
+++ b/README.version
@@ -1,4 +1,4 @@
-URL: https://www.sqlite.org/src/info/c255889bd95bd543
-Version: 3.22.0 c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2f234
-This patch fixes Magellan SQLite Security Vulnerability as in b/121156452
+URL: https://www.sqlite.org/src/info/68b898381ac29429
+Version: 3.22.0 68b898381ac2942965a3dbd416a45ddf813d6df7ea160f500ae4978e44a3a050
+This patch fixes CVE-2019-9936,CVE-2019-5018,CVE-2019-8457 in b/140181188 b/140180629 and b/140182003 respectively
BugComponent: 24950
diff --git a/dist/orig/sqlite3.c b/dist/orig/sqlite3.c
index 8e495f1..d14e246 100644
--- a/dist/orig/sqlite3.c
+++ b/dist/orig/sqlite3.c
@@ -1149,7 +1149,7 @@
*/
#define SQLITE_VERSION "3.22.0"
#define SQLITE_VERSION_NUMBER 3022000
-#define SQLITE_SOURCE_ID "2018-12-19 01:30:22 c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2f234"
+#define SQLITE_SOURCE_ID "2019-09-03 18:36:11 68b898381ac2942965a3dbd416a45ddf813d6df7ea160f500ae4978e44a3a050"
/*
** CAPI3REF: Run-Time Library Version Numbers
@@ -149135,7 +149135,7 @@
}
#define GETVARINT_STEP(v, ptr, shift, mask1, mask2, var, ret) \
- v = (v & mask1) | ( (*ptr++) << shift ); \
+ v = (v & mask1) | ( (*(ptr++)) << shift ); \
if( (v & mask2)==0 ){ var = v; return ret; }
#define GETVARINT_INIT(v, ptr, shift, mask1, mask2, var, ret) \
v = (*ptr++); \
@@ -149173,20 +149173,21 @@
** a non-negative 32-bit integer before it is returned.
*/
SQLITE_PRIVATE int sqlite3Fts3GetVarint32(const char *p, int *pi){
+ const unsigned char *ptr = (const unsigned char*)p;
u32 a;
#ifndef fts3GetVarint32
- GETVARINT_INIT(a, p, 0, 0x00, 0x80, *pi, 1);
+ GETVARINT_INIT(a, ptr, 0, 0x00, 0x80, *pi, 1);
#else
- a = (*p++);
+ a = (*ptr++);
assert( a & 0x80 );
#endif
- GETVARINT_STEP(a, p, 7, 0x7F, 0x4000, *pi, 2);
- GETVARINT_STEP(a, p, 14, 0x3FFF, 0x200000, *pi, 3);
- GETVARINT_STEP(a, p, 21, 0x1FFFFF, 0x10000000, *pi, 4);
+ GETVARINT_STEP(a, ptr, 7, 0x7F, 0x4000, *pi, 2);
+ GETVARINT_STEP(a, ptr, 14, 0x3FFF, 0x200000, *pi, 3);
+ GETVARINT_STEP(a, ptr, 21, 0x1FFFFF, 0x10000000, *pi, 4);
a = (a & 0x0FFFFFFF );
- *pi = (int)(a | ((u32)(*p & 0x07) << 28));
+ *pi = (int)(a | ((u32)(*ptr & 0x07) << 28));
assert( 0==(a & 0x80000000) );
assert( *pi>=0 );
return 5;
@@ -160262,7 +160263,7 @@
** safe (no risk of overread) even if the node data is corrupted. */
pNext += fts3GetVarint32(pNext, &nPrefix);
pNext += fts3GetVarint32(pNext, &nSuffix);
- if( nSuffix<=0
+ if( nSuffix<=0
|| (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
|| nPrefix>pReader->nTermAlloc
){
@@ -160296,7 +160297,7 @@
** b-tree node. And that the final byte of the doclist is 0x00. If either
** of these statements is untrue, then the data structure is corrupt.
*/
- if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
+ if( pReader->nDoclist > pReader->nNode-(pReader->aDoclist-pReader->aNode)
|| (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1])
){
return FTS_CORRUPT_VTAB;
@@ -170580,6 +170581,7 @@
}
+#if defined(SQLITE_TEST)
/*
** Implementation of a scalar function that decodes r-tree nodes to
** human readable strings. This can be used for debugging and analysis.
@@ -170641,6 +170643,7 @@
sqlite3_result_text(ctx, zText, -1, sqlite3_free);
}
+#endif
/* This routine implements an SQL function that returns the "depth" parameter
** from the front of a blob that is an r-tree node. For example:
@@ -171127,9 +171130,11 @@
*/
SQLITE_PRIVATE int sqlite3RtreeInit(sqlite3 *db){
const int utf8 = SQLITE_UTF8;
- int rc;
+ int rc = SQLITE_OK;
+#if defined(SQLITE_TEST)
rc = sqlite3_create_function(db, "rtreenode", 2, utf8, 0, rtreenode, 0, 0);
+#endif
if( rc==SQLITE_OK ){
rc = sqlite3_create_function(db, "rtreedepth", 1, utf8, 0,rtreedepth, 0, 0);
}
@@ -174528,7 +174533,7 @@
int iCid = sqlite3_column_int(pXInfo, 1);
int bDesc = sqlite3_column_int(pXInfo, 3);
const char *zCollate = (const char*)sqlite3_column_text(pXInfo, 4);
- zCols = rbuMPrintf(p, "%z%sc%d %s COLLATE %Q", zCols, zComma,
+ zCols = rbuMPrintf(p, "%z%sc%d %s COLLATE %Q", zCols, zComma,
iCid, pIter->azTblType[iCid], zCollate
);
zPk = rbuMPrintf(p, "%z%sc%d%s", zPk, zComma, iCid, bDesc?" DESC":"");
@@ -174589,7 +174594,7 @@
** "PRIMARY KEY" to the imposter table column declaration. */
zPk = "PRIMARY KEY ";
}
- zSql = rbuMPrintf(p, "%z%s\"%w\" %s %sCOLLATE %Q%s",
+ zSql = rbuMPrintf(p, "%z%s\"%w\" %s %sCOLLATE %Q%s",
zSql, zComma, zCol, pIter->azTblType[iCol], zPk, zColl,
(pIter->abNotNull[iCol] ? " NOT NULL" : "")
);
@@ -176781,7 +176786,7 @@
}
/*
-** Given that zWal points to a buffer containing a wal file name passed to
+** Given that zWal points to a buffer containing a wal file name passed to
** either the xOpen() or xAccess() VFS method, search the main-db list for
** a file-handle opened by the same database connection on the corresponding
** database file.
@@ -194166,7 +194171,9 @@
for(iSlot=0; iSlot<pHash->nSlot; iSlot++){
Fts5HashEntry *pIter;
for(pIter=pHash->aSlot[iSlot]; pIter; pIter=pIter->pHashNext){
- if( pTerm==0 || 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm) ){
+ if( pTerm==0
+ || (pIter->nKey+1>=nTerm && 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm))
+ ){
Fts5HashEntry *pEntry = pIter;
pEntry->pScanNext = 0;
for(i=0; ap[i]; i++){
@@ -203390,7 +203397,7 @@
){
assert( nArg==0 );
UNUSED_PARAM2(nArg, apUnused);
- sqlite3_result_text(pCtx, "fts5: 2018-12-19 01:30:22 c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2f234", -1, SQLITE_TRANSIENT);
+ sqlite3_result_text(pCtx, "fts5: 2019-09-03 18:36:11 68b898381ac2942965a3dbd416a45ddf813d6df7ea160f500ae4978e44a3a050", -1, SQLITE_TRANSIENT);
}
static int fts5Init(sqlite3 *db){
@@ -207658,9 +207665,9 @@
#endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */
/************** End of stmt.c ************************************************/
-#if __LINE__!=207661
+#if __LINE__!=207668
#undef SQLITE_SOURCE_ID
-#define SQLITE_SOURCE_ID "2018-12-19 01:30:22 c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2alt2"
+#define SQLITE_SOURCE_ID "2019-09-03 18:36:11 68b898381ac2942965a3dbd416a45ddf813d6df7ea160f500ae4978e44a3alt2"
#endif
/* Return the source-id for this library */
SQLITE_API const char *sqlite3_sourceid(void){ return SQLITE_SOURCE_ID; }
diff --git a/dist/orig/sqlite3.h b/dist/orig/sqlite3.h
index 57669e1..5c20a46 100644
--- a/dist/orig/sqlite3.h
+++ b/dist/orig/sqlite3.h
@@ -125,7 +125,7 @@
*/
#define SQLITE_VERSION "3.22.0"
#define SQLITE_VERSION_NUMBER 3022000
-#define SQLITE_SOURCE_ID "2018-12-19 01:30:22 c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2f234"
+#define SQLITE_SOURCE_ID "2019-09-03 18:36:11 68b898381ac2942965a3dbd416a45ddf813d6df7ea160f500ae4978e44a3a050"
/*
** CAPI3REF: Run-Time Library Version Numbers
diff --git a/dist/shell.c b/dist/shell.c
index 735aaff..41baf67 100644
--- a/dist/shell.c
+++ b/dist/shell.c
@@ -87,12 +87,6 @@
#endif
#include <ctype.h>
#include <stdarg.h>
-// Begin Android Add
-#ifndef NO_ANDROID_FUNCS
-#include "IcuUtils.h"
-#include <sqlite3_android.h>
-#endif
-// End Android Add
#if !defined(_WIN32) && !defined(WIN32)
# include <signal.h>
@@ -10395,23 +10389,6 @@
editFunc, 0, 0);
sqlite3_create_function(p->db, "edit", 2, SQLITE_UTF8, 0,
editFunc, 0, 0);
-
- // Begin Android Add
- #ifndef NO_ANDROID_FUNCS
- InitializeIcuOrDie();
- int err = register_localized_collators(p->db, "en_US", 0);
- if (err != SQLITE_OK) {
- fprintf(stderr, "register_localized_collators() failed\n");
- exit(1);
- }
- err = register_android_functions(p->db, 0);
- if (err != SQLITE_OK) {
- fprintf(stderr, "register_android_functions() failed\n");
- exit(1);
- }
- #endif
- // End Android Add
-
if( p->openMode==SHELL_OPEN_ZIPFILE ){
char *zSql = sqlite3_mprintf(
"CREATE VIRTUAL TABLE zip USING zipfile(%Q);", p->zDbFilename);
diff --git a/dist/sqlite3.c b/dist/sqlite3.c
index 3322b52..d14e246 100644
--- a/dist/sqlite3.c
+++ b/dist/sqlite3.c
@@ -1149,7 +1149,7 @@
*/
#define SQLITE_VERSION "3.22.0"
#define SQLITE_VERSION_NUMBER 3022000
-#define SQLITE_SOURCE_ID "2018-12-19 01:30:22 c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2f234"
+#define SQLITE_SOURCE_ID "2019-09-03 18:36:11 68b898381ac2942965a3dbd416a45ddf813d6df7ea160f500ae4978e44a3a050"
/*
** CAPI3REF: Run-Time Library Version Numbers
@@ -34428,7 +34428,7 @@
SimulateIOError( rc=1 );
if( rc!=0 ){
storeLastErrno((unixFile*)id, errno);
- return unixLogError(SQLITE_IOERR_FSTAT, "fstat", ((unixFile*)id)->zPath);
+ return SQLITE_IOERR_FSTAT;
}
*pSize = buf.st_size;
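Review bot: The Android-local edits to dist/sqlite3.c are dropped here rather than carried forward: this hunk and the two after it replace `unixLogError(SQLITE_IOERR_FSTAT, "fstat", …)` with a bare `SQLITE_IOERR_FSTAT`, the hunk at old line 118054 turns `SQLITE_CORRUPT_BKPT` back into `SQLITE_ERROR`, and the hunk at old line 152769 deletes `#ifndef ANDROID /* fts3_tokenizer disabled for security reasons */`, so `sqlite3Fts3InitHashTable(db, pHash, "fts3_tokenizer")` is compiled in again on Android builds. The new blob id of dist/sqlite3.c (`d14e246`) is the same as that of dist/orig/sqlite3.c, and both dist/shell.c hunks remove the `// Begin Android Add` blocks, which suggests Android.patch was not re-applied after the copy, contrary to the commit description. Re-apply Android.patch to dist/ before merging and confirm that the `#ifndef ANDROID` … `#endif` guard around the fts3_tokenizer registration is back in the result. The enclosing functions start and end outside these hunks, so any other effect of the dropped patch cannot be judged from here.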
@@ -34464,7 +34464,7 @@
struct stat buf; /* Used to hold return values of fstat() */
if( osFstat(pFile->h, &buf) ){
- return unixLogError(SQLITE_IOERR_FSTAT, "fstat", pFile->zPath);
+ return SQLITE_IOERR_FSTAT;
}
nSize = ((nByte+pFile->szChunk-1) / pFile->szChunk) * pFile->szChunk;
@@ -35139,7 +35139,7 @@
** with the same permissions.
*/
if( osFstat(pDbFd->h, &sStat) ){
- rc = unixLogError(SQLITE_IOERR_FSTAT, "fstat", pDbFd->zPath);
+ rc = SQLITE_IOERR_FSTAT;
goto shm_open_err;
}
@@ -118054,7 +118054,7 @@
}
if( pDb->pSchema->file_format>SQLITE_MAX_FILE_FORMAT ){
sqlite3SetString(pzErrMsg, db, "unsupported file format");
- rc = SQLITE_CORRUPT_BKPT; // Android Change from "rc = SQLITE_ERROR;";
+ rc = SQLITE_ERROR;
goto initone_error_out;
}
@@ -149135,7 +149135,7 @@
}
#define GETVARINT_STEP(v, ptr, shift, mask1, mask2, var, ret) \
- v = (v & mask1) | ( (*ptr++) << shift ); \
+ v = (v & mask1) | ( (*(ptr++)) << shift ); \
if( (v & mask2)==0 ){ var = v; return ret; }
#define GETVARINT_INIT(v, ptr, shift, mask1, mask2, var, ret) \
v = (*ptr++); \
@@ -149173,20 +149173,21 @@
** a non-negative 32-bit integer before it is returned.
*/
SQLITE_PRIVATE int sqlite3Fts3GetVarint32(const char *p, int *pi){
+ const unsigned char *ptr = (const unsigned char*)p;
u32 a;
#ifndef fts3GetVarint32
- GETVARINT_INIT(a, p, 0, 0x00, 0x80, *pi, 1);
+ GETVARINT_INIT(a, ptr, 0, 0x00, 0x80, *pi, 1);
#else
- a = (*p++);
+ a = (*ptr++);
assert( a & 0x80 );
#endif
- GETVARINT_STEP(a, p, 7, 0x7F, 0x4000, *pi, 2);
- GETVARINT_STEP(a, p, 14, 0x3FFF, 0x200000, *pi, 3);
- GETVARINT_STEP(a, p, 21, 0x1FFFFF, 0x10000000, *pi, 4);
+ GETVARINT_STEP(a, ptr, 7, 0x7F, 0x4000, *pi, 2);
+ GETVARINT_STEP(a, ptr, 14, 0x3FFF, 0x200000, *pi, 3);
+ GETVARINT_STEP(a, ptr, 21, 0x1FFFFF, 0x10000000, *pi, 4);
a = (a & 0x0FFFFFFF );
- *pi = (int)(a | ((u32)(*p & 0x07) << 28));
+ *pi = (int)(a | ((u32)(*ptr & 0x07) << 28));
assert( 0==(a & 0x80000000) );
assert( *pi>=0 );
return 5;
@@ -152769,25 +152770,13 @@
** module with sqlite.
*/
if( SQLITE_OK==rc
-#ifndef ANDROID /* fts3_tokenizer disabled for security reasons */
&& SQLITE_OK==(rc = sqlite3Fts3InitHashTable(db, pHash, "fts3_tokenizer"))
-#endif
&& SQLITE_OK==(rc = sqlite3_overload_function(db, "snippet", -1))
&& SQLITE_OK==(rc = sqlite3_overload_function(db, "offsets", 1))
&& SQLITE_OK==(rc = sqlite3_overload_function(db, "matchinfo", 1))
&& SQLITE_OK==(rc = sqlite3_overload_function(db, "matchinfo", 2))
&& SQLITE_OK==(rc = sqlite3_overload_function(db, "optimize", 1))
){
-#ifdef SQLITE_ENABLE_FTS3_BACKWARDS
- rc = sqlite3_create_module_v2(
- db, "fts1", &fts3Module, (void *)pHash, 0
- );
- if(rc) return rc;
- rc = sqlite3_create_module_v2(
- db, "fts2", &fts3Module, (void *)pHash, 0
- );
- if(rc) return rc;
-#endif
rc = sqlite3_create_module_v2(
db, "fts3", &fts3Module, (void *)pHash, hashDestroy
);
@@ -160274,7 +160263,7 @@
** safe (no risk of overread) even if the node data is corrupted. */
pNext += fts3GetVarint32(pNext, &nPrefix);
pNext += fts3GetVarint32(pNext, &nSuffix);
- if( nSuffix<=0
+ if( nSuffix<=0
|| (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
|| nPrefix>pReader->nTermAlloc
){
@@ -160308,7 +160297,7 @@
** b-tree node. And that the final byte of the doclist is 0x00. If either
** of these statements is untrue, then the data structure is corrupt.
*/
- if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
+ if( pReader->nDoclist > pReader->nNode-(pReader->aDoclist-pReader->aNode)
|| (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1])
){
return FTS_CORRUPT_VTAB;
@@ -170592,6 +170581,7 @@
}
+#if defined(SQLITE_TEST)
/*
** Implementation of a scalar function that decodes r-tree nodes to
** human readable strings. This can be used for debugging and analysis.
@@ -170653,6 +170643,7 @@
sqlite3_result_text(ctx, zText, -1, sqlite3_free);
}
+#endif
/* This routine implements an SQL function that returns the "depth" parameter
** from the front of a blob that is an r-tree node. For example:
@@ -171139,9 +171130,11 @@
*/
SQLITE_PRIVATE int sqlite3RtreeInit(sqlite3 *db){
const int utf8 = SQLITE_UTF8;
- int rc;
+ int rc = SQLITE_OK;
+#if defined(SQLITE_TEST)
rc = sqlite3_create_function(db, "rtreenode", 2, utf8, 0, rtreenode, 0, 0);
+#endif
if( rc==SQLITE_OK ){
rc = sqlite3_create_function(db, "rtreedepth", 1, utf8, 0,rtreedepth, 0, 0);
}
@@ -174540,7 +174533,7 @@
int iCid = sqlite3_column_int(pXInfo, 1);
int bDesc = sqlite3_column_int(pXInfo, 3);
const char *zCollate = (const char*)sqlite3_column_text(pXInfo, 4);
- zCols = rbuMPrintf(p, "%z%sc%d %s COLLATE %Q", zCols, zComma,
+ zCols = rbuMPrintf(p, "%z%sc%d %s COLLATE %Q", zCols, zComma,
iCid, pIter->azTblType[iCid], zCollate
);
zPk = rbuMPrintf(p, "%z%sc%d%s", zPk, zComma, iCid, bDesc?" DESC":"");
@@ -174601,7 +174594,7 @@
** "PRIMARY KEY" to the imposter table column declaration. */
zPk = "PRIMARY KEY ";
}
- zSql = rbuMPrintf(p, "%z%s\"%w\" %s %sCOLLATE %Q%s",
+ zSql = rbuMPrintf(p, "%z%s\"%w\" %s %sCOLLATE %Q%s",
zSql, zComma, zCol, pIter->azTblType[iCol], zPk, zColl,
(pIter->abNotNull[iCol] ? " NOT NULL" : "")
);
@@ -176793,7 +176786,7 @@
}
/*
-** Given that zWal points to a buffer containing a wal file name passed to
+** Given that zWal points to a buffer containing a wal file name passed to
** either the xOpen() or xAccess() VFS method, search the main-db list for
** a file-handle opened by the same database connection on the corresponding
** database file.
@@ -194178,7 +194171,9 @@
for(iSlot=0; iSlot<pHash->nSlot; iSlot++){
Fts5HashEntry *pIter;
for(pIter=pHash->aSlot[iSlot]; pIter; pIter=pIter->pHashNext){
- if( pTerm==0 || 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm) ){
+ if( pTerm==0
+ || (pIter->nKey+1>=nTerm && 0==memcmp(fts5EntryKey(pIter), pTerm, nTerm))
+ ){
Fts5HashEntry *pEntry = pIter;
pEntry->pScanNext = 0;
for(i=0; ap[i]; i++){
@@ -203402,7 +203397,7 @@
){
assert( nArg==0 );
UNUSED_PARAM2(nArg, apUnused);
- sqlite3_result_text(pCtx, "fts5: 2018-12-19 01:30:22 c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2f234", -1, SQLITE_TRANSIENT);
+ sqlite3_result_text(pCtx, "fts5: 2019-09-03 18:36:11 68b898381ac2942965a3dbd416a45ddf813d6df7ea160f500ae4978e44a3a050", -1, SQLITE_TRANSIENT);
}
static int fts5Init(sqlite3 *db){
@@ -207670,9 +207665,9 @@
#endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */
/************** End of stmt.c ************************************************/
-#if __LINE__!=207661
+#if __LINE__!=207668
#undef SQLITE_SOURCE_ID
-#define SQLITE_SOURCE_ID "2018-12-19 01:30:22 c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2alt2"
+#define SQLITE_SOURCE_ID "2019-09-03 18:36:11 68b898381ac2942965a3dbd416a45ddf813d6df7ea160f500ae4978e44a3alt2"
#endif
/* Return the source-id for this library */
SQLITE_API const char *sqlite3_sourceid(void){ return SQLITE_SOURCE_ID; }
diff --git a/dist/sqlite3.h b/dist/sqlite3.h
index 57669e1..5c20a46 100644
--- a/dist/sqlite3.h
+++ b/dist/sqlite3.h
@@ -125,7 +125,7 @@
*/
#define SQLITE_VERSION "3.22.0"
#define SQLITE_VERSION_NUMBER 3022000
-#define SQLITE_SOURCE_ID "2018-12-19 01:30:22 c255889bd95bd5430dc7ced3317011ae2abb483d6c9af883af3dc7d6c2c2f234"
+#define SQLITE_SOURCE_ID "2019-09-03 18:36:11 68b898381ac2942965a3dbd416a45ddf813d6df7ea160f500ae4978e44a3a050"
/*
** CAPI3REF: Run-Time Library Version Numbers