authorAndy Shaw <andy.shaw@qt.io>2020-01-02 08:47:23 +0100
committerAndy Shaw <andy.shaw@qt.io>2020-01-03 10:36:58 +0100
commit1e89c132e1280276e1d3a82ec3464afec8c14c3a (patch)
treedcd82dd7a69439268a29383561111d37ea210bd1 /src/3rdparty/sqlite
parent3b697f496303bd005ae9d1d2c974efeed259d8a3 (diff)
Fix CVE-2019-19645 in SQLite
Task-number: QTBUG-81020 Change-Id: I58b1dd9e7a90ba998c3af7f25a4627d8bdd70970 Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'src/3rdparty/sqlite')
-rw-r--r--src/3rdparty/sqlite/patches/0005-Fix-CVE-2019-19645-in-SQLite.patch83
-rw-r--r--src/3rdparty/sqlite/sqlite3.c11
2 files changed, 93 insertions, 1 deletions
diff --git a/src/3rdparty/sqlite/patches/0005-Fix-CVE-2019-19645-in-SQLite.patch b/src/3rdparty/sqlite/patches/0005-Fix-CVE-2019-19645-in-SQLite.patch
new file mode 100644
index 0000000000..e92c566881
--- /dev/null
+++ b/src/3rdparty/sqlite/patches/0005-Fix-CVE-2019-19645-in-SQLite.patch
@@ -0,0 +1,83 @@
+From 78c972eec5bab03a408b8ba1373572bcfe2db630 Mon Sep 17 00:00:00 2001
+From: Andy Shaw <andy.shaw@qt.io>
+Date: Thu, 2 Jan 2020 08:47:23 +0100
+Subject: [PATCH] Fix CVE-2019-19645 in SQLite
+
+Task-number: QTBUG-81020
+Change-Id: I58b1dd9e7a90ba998c3af7f25a4627d8bdd70970
+---
+ src/3rdparty/sqlite/sqlite3.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c
+index d3e0c065b6..57e61b8313 100644
+--- a/src/3rdparty/sqlite/sqlite3.c
++++ b/src/3rdparty/sqlite/sqlite3.c
+@@ -17946,6 +17946,7 @@ struct Select {
+ #define SF_IncludeHidden 0x20000 /* Include hidden columns in output */
+ #define SF_ComplexResult 0x40000 /* Result contains subquery or function */
+ #define SF_WhereBegin 0x80000 /* Really a WhereBegin() call. Debug Only */
++#define SF_View 0x0200000 /* SELECT statement is a view */
+
+ /*
+ ** The results of a SELECT can be distributed in several ways, as defined
+@@ -103920,6 +103921,7 @@ static int renameUnmapExprCb(Walker *pWalker, Expr *pExpr){
+ static int renameUnmapSelectCb(Walker *pWalker, Select *p){
+ Parse *pParse = pWalker->pParse;
+ int i;
++ if( p->selFlags & SF_View ) return WRC_Prune;
+ if( ALWAYS(p->pEList) ){
+ ExprList *pList = p->pEList;
+ for(i=0; i<pList->nExpr; i++){
+@@ -104024,6 +104026,7 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
+ ** descend into sub-select statements.
+ */
+ static int renameColumnSelectCb(Walker *pWalker, Select *p){
++ if( p->selFlags & SF_View ) return WRC_Prune;
+ renameWalkWith(pWalker, p);
+ return WRC_Continue;
+ }
+@@ -104489,8 +104492,9 @@ static void renameColumnFunc(
+ if( sParse.pNewTable ){
+ Select *pSelect = sParse.pNewTable->pSelect;
+ if( pSelect ){
++ pSelect->selFlags &= ~SF_View;
+ sParse.rc = SQLITE_OK;
+- sqlite3SelectPrep(&sParse, sParse.pNewTable->pSelect, 0);
++ sqlite3SelectPrep(&sParse, pSelect, 0);
+ rc = (db->mallocFailed ? SQLITE_NOMEM : sParse.rc);
+ if( rc==SQLITE_OK ){
+ sqlite3WalkSelect(&sWalker, pSelect);
+@@ -104602,6 +104606,7 @@ static int renameTableSelectCb(Walker *pWalker, Select *pSelect){
+ int i;
+ RenameCtx *p = pWalker->u.pRename;
+ SrcList *pSrc = pSelect->pSrc;
++ if( pSelect->selFlags & SF_View ) return WRC_Prune;
+ if( pSrc==0 ){
+ assert( pWalker->pParse->db->mallocFailed );
+ return WRC_Abort;
+@@ -104681,10 +104686,13 @@ static void renameTableFunc(
+
+ if( pTab->pSelect ){
+ if( isLegacy==0 ){
++ Select *pSelect = pTab->pSelect;
+ NameContext sNC;
+ memset(&sNC, 0, sizeof(sNC));
+ sNC.pParse = &sParse;
+
++ assert( pSelect->selFlags & SF_View );
++ pSelect->selFlags &= ~SF_View;
+ sqlite3SelectPrep(&sParse, pTab->pSelect, &sNC);
+ if( sParse.nErr ) rc = sParse.rc;
+ sqlite3WalkSelect(&sWalker, pTab->pSelect);
+@@ -109994,6 +110002,7 @@ SQLITE_PRIVATE void sqlite3CreateView(
+ ** allocated rather than point to the input string - which means that
+ ** they will persist after the current sqlite3_exec() call returns.
+ */
++ pSelect->selFlags |= SF_View;
+ if( IN_RENAME_OBJECT ){
+ p->pSelect = pSelect;
+ pSelect = 0;
+--
+2.21.0 (Apple Git-122.2)
+
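Review bot: The stored patch records no upstream SQLite reference, so a later SQLite update cannot tell from this file whether the new upstream release already carries the fix and the patch can be dropped. A line such as `Upstream: <upstream SQLite check-in id / first fixed version>` in the message body would cover that. The embedded hunk headers (`@@ -103920,6 +103921,7 @@`, index `d3e0c065b6..57e61b8313`) also differ from those in this commit's own sqlite3.c diff (`@@ -103926,6 +103927,7 @@`, index `712a103ef6..d5b43857ad`), which suggests the patch was generated against a different sqlite3.c than the one it is committed next to. It should still apply with offsets, but regenerating it from this tree would keep the record exact.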
diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c
index 712a103ef6..d5b43857ad 100644
--- a/src/3rdparty/sqlite/sqlite3.c
+++ b/src/3rdparty/sqlite/sqlite3.c
@@ -17946,6 +17946,7 @@ struct Select {
#define SF_IncludeHidden 0x20000 /* Include hidden columns in output */
#define SF_ComplexResult 0x40000 /* Result contains subquery or function */
#define SF_WhereBegin 0x80000 /* Really a WhereBegin() call. Debug Only */
+#define SF_View 0x0200000 /* SELECT statement is a view */
/*
** The results of a SELECT can be distributed in several ways, as defined
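Review bot: `SF_View` is defined as `0x0200000`, which skips bit `0x100000` after `SF_WhereBegin 0x80000` (as far as the visible context shows) and uses a different digit width from the three defines above it. If the gap is deliberate, presumably to keep the bit value identical to upstream SQLite, the comment should say so, e.g. `/* SELECT statement is a view. 0x100000 left free to match upstream */`. The declaration of `selFlags` is outside the hunk, so it is worth confirming the field is wide enough to hold bit 21.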
@@ -103926,6 +103927,7 @@ static int renameUnmapExprCb(Walker *pWalker, Expr *pExpr){
static int renameUnmapSelectCb(Walker *pWalker, Select *p){
Parse *pParse = pWalker->pParse;
int i;
+ if( p->selFlags & SF_View ) return WRC_Prune;
if( ALWAYS(p->pEList) ){
ExprList *pList = p->pEList;
for(i=0; i<pList->nExpr; i++){
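Review bot: The new guard `if( p->selFlags & SF_View ) return WRC_Prune;` has no comment, and the same bare line is added to renameColumnSelectCb and renameTableSelectCb in the later hunks. Its correctness depends on an invariant that is not visible at these sites: renameColumnFunc and renameTableFunc clear SF_View on the view being processed before walking it, so apparently only view definitions reached during the walk are pruned. A comment above each guard such as `/* Do not descend into another view's definition; the caller clears SF_View on the view actually being processed */` would keep a later edit from removing the clear or the guard independently. The body of renameUnmapSelectCb continues outside the hunk.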
@@ -104030,6 +104032,7 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
** descend into sub-select statements.
*/
static int renameColumnSelectCb(Walker *pWalker, Select *p){
+ if( p->selFlags & SF_View ) return WRC_Prune;
renameWalkWith(pWalker, p);
return WRC_Continue;
}
@@ -104495,8 +104498,9 @@ static void renameColumnFunc(
if( sParse.pNewTable ){
Select *pSelect = sParse.pNewTable->pSelect;
if( pSelect ){
+ pSelect->selFlags &= ~SF_View;
sParse.rc = SQLITE_OK;
- sqlite3SelectPrep(&sParse, sParse.pNewTable->pSelect, 0);
+ sqlite3SelectPrep(&sParse, pSelect, 0);
rc = (db->mallocFailed ? SQLITE_NOMEM : sParse.rc);
if( rc==SQLITE_OK ){
sqlite3WalkSelect(&sWalker, pSelect);
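Review bot: renameColumnFunc clears the flag with `pSelect->selFlags &= ~SF_View;` but, unlike renameTableFunc in the later hunk, does not first `assert( pSelect->selFlags & SF_View );`. If the invariant holds on this path too, adding the same assert would catch a view Select that got here without passing through sqlite3CreateView; if it does not hold, a comment saying why would explain the asymmetry. The flag is also never set again after the walk, which looks fine only if sParse.pNewTable is discarded when the function returns. That cleanup is outside the hunk, so a one-line comment at the clear would help.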
@@ -104608,6 +104612,7 @@ static int renameTableSelectCb(Walker *pWalker, Select *pSelect){
int i;
RenameCtx *p = pWalker->u.pRename;
SrcList *pSrc = pSelect->pSrc;
+ if( pSelect->selFlags & SF_View ) return WRC_Prune;
if( pSrc==0 ){
assert( pWalker->pParse->db->mallocFailed );
return WRC_Abort;
@@ -104687,10 +104692,13 @@ static void renameTableFunc(
if( pTab->pSelect ){
if( isLegacy==0 ){
+ Select *pSelect = pTab->pSelect;
NameContext sNC;
memset(&sNC, 0, sizeof(sNC));
sNC.pParse = &sParse;
+ assert( pSelect->selFlags & SF_View );
+ pSelect->selFlags &= ~SF_View;
sqlite3SelectPrep(&sParse, pTab->pSelect, &sNC);
if( sParse.nErr ) rc = sParse.rc;
sqlite3WalkSelect(&sWalker, pTab->pSelect);
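Review bot: The new local `Select *pSelect = pTab->pSelect;` is used only for the assert and the flag clear, while the two calls right after it still pass `pTab->pSelect`. renameColumnFunc was changed in this same commit to pass the local, so for consistency these should read `sqlite3SelectPrep(&sParse, pSelect, &sNC);` and `sqlite3WalkSelect(&sWalker, pSelect);`. The `assert` is compiled out in release builds, so the unconditional clear on the following line is what the fix actually relies on. The enclosing block of renameTableFunc continues outside the hunk.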
@@ -110014,6 +110022,7 @@ SQLITE_PRIVATE void sqlite3CreateView(
** allocated rather than point to the input string - which means that
** they will persist after the current sqlite3_exec() call returns.
*/
+ pSelect->selFlags |= SF_View;
if( IN_RENAME_OBJECT ){
p->pSelect = pSelect;
pSelect = 0;