From a75d238b3194ae4973be7f6ce0508a526d4aa49e Mon Sep 17 00:00:00 2001
From: Andy Shaw
Date: Thu, 19 Dec 2019 22:31:15 +0100
Subject: Fix CVE-2019-19603 in SQLite

This includes the patch needed to fix this CVE and a supporting one to
include a new function added that it depends on.

Task-number: QTBUG-80903
Change-Id: Ic7639d50c89a3ee7d45426588c3ab0efd0eebb72
Reviewed-by: Christian Ehrlicher
Reviewed-by: Volker Hilsheimer
---
 .../0003-Fix-CVE-2019-19603-in-SQLite.patch | 95 ++++++++++++++++++++++
 src/3rdparty/sqlite/sqlite3.c | 32 ++++++--
 2 files changed, 121 insertions(+), 6 deletions(-)
 create mode 100644 src/3rdparty/sqlite/patches/0003-Fix-CVE-2019-19603-in-SQLite.patch

diff --git a/src/3rdparty/sqlite/patches/0003-Fix-CVE-2019-19603-in-SQLite.patch b/src/3rdparty/sqlite/patches/0003-Fix-CVE-2019-19603-in-SQLite.patch
new file mode 100644
index 0000000000..1b8deaa4a1
--- /dev/null
+++ b/src/3rdparty/sqlite/patches/0003-Fix-CVE-2019-19603-in-SQLite.patch
@@ -0,0 +1,95 @@
+From 11a2f4647b67494fb731a6fd793f1b28074631d3 Mon Sep 17 00:00:00 2001
+From: Andy Shaw
+Date: Thu, 19 Dec 2019 22:31:15 +0100
+Subject: [PATCH] Fix CVE-2019-19603 in SQLite
+
+This includes the patch needed to fix this CVE and a supporting one to
+include a new function added that it depends on.
+
+Task-number: QTBUG-80903
+Change-Id: Ic7639d50c89a3ee7d45426588c3ab0efd0eebb72
+---
+ src/3rdparty/sqlite/sqlite3.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c
+index d3e0c065b6..a430554db7 100644
+--- a/src/3rdparty/sqlite/sqlite3.c
++++ b/src/3rdparty/sqlite/sqlite3.c
+@@ -19519,6 +19519,12 @@ SQLITE_PRIVATE Module *sqlite3VtabCreateModule(
+ );
+ # define sqlite3VtabInSync(db) ((db)->nVTrans>0 && (db)->aVTrans==0)
+ #endif
++SQLITE_PRIVATE int sqlite3ReadOnlyShadowTables(sqlite3 *db);
++#ifndef SQLITE_OMIT_VIRTUALTABLE
++SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName);
++#else
++# define sqlite3ShadowTableName(A,B) 0
++#endif
+ SQLITE_PRIVATE int sqlite3VtabEponymousTableInit(Parse*,Module*);
+ SQLITE_PRIVATE void sqlite3VtabEponymousTableClear(sqlite3*,Module*);
+ SQLITE_PRIVATE void sqlite3VtabMakeWritable(Parse*,Table*);
+@@ -108483,6 +108489,22 @@ SQLITE_PRIVATE int sqlite3WritableSchema(sqlite3 *db){
+ return (db->flags&(SQLITE_WriteSchema|SQLITE_Defensive))==SQLITE_WriteSchema;
+ }
+
++/*
++ ** Return TRUE if shadow tables should be read-only in the current
++ ** context.
++ */
++int sqlite3ReadOnlyShadowTables(sqlite3 *db){
++#ifndef SQLITE_OMIT_VIRTUALTABLE
++ if( (db->flags & SQLITE_Defensive)!=0
++ && db->pVtabCtx==0
++ && db->nVdbeExec==0
++ ){
++ return 1;
++ }
++#endif
++ return 0;
++}
++
+ /*
+ ** This routine is used to check if the UTF-8 string zName is a legal
+ ** unqualified name for a new schema object (table, index, view or
+@@ -108516,8 +108538,8 @@ SQLITE_PRIVATE int sqlite3CheckObjectName(
+ }
+ }
+ }else{
+- if( pParse->nested==0
+- && 0==sqlite3StrNICmp(zName, "sqlite_", 7)
++ if( (pParse->nested==0 && 0==sqlite3StrNICmp(zName, "sqlite_", 7))
++ || (sqlite3ReadOnlyShadowTables(db) && sqlite3ShadowTableName(db, zName))
+ ){
+ sqlite3ErrorMsg(pParse, "object name reserved for internal use: %s",
+ zName);
+@@ -109662,7 +109684,7 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+ ** zName is temporarily modified while this routine is running, but is
+ ** restored to its original value prior to this routine returning.
+ */
+-static int isShadowTableName(sqlite3 *db, char *zName){
++int sqlite3ShadowTableName(sqlite3 *db, const char *zName){
+ char *zTail; /* Pointer to the last "_" in zName */
+ Table *pTab; /* Table that zName is a shadow of */
+ Module *pMod; /* Module for the virtual table */
+@@ -109680,8 +109702,6 @@ static int isShadowTableName(sqlite3 *db, char *zName){
+ if( pMod->pModule->xShadowName==0 ) return 0;
+ return pMod->pModule->xShadowName(zTail+1);
+ }
+-#else
+-# define isShadowTableName(x,y) 0
+ #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
+
+ /*
+@@ -109723,7 +109743,7 @@ SQLITE_PRIVATE void sqlite3EndTable(
+ p = pParse->pNewTable;
+ if( p==0 ) return;
+
+- if( pSelect==0 && isShadowTableName(db, p->zName) ){
++ if( pSelect==0 && sqlite3ShadowTableName(db, p->zName) ){
+ p->tabFlags |= TF_Shadow;
+ }
+
+--
+2.21.0 (Apple Git-122.2)
+
diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c
index d3e0c065b6..a430554db7 100644
--- a/src/3rdparty/sqlite/sqlite3.c
+++ b/src/3rdparty/sqlite/sqlite3.c
@@ -19519,6 +19519,12 @@ SQLITE_PRIVATE Module *sqlite3VtabCreateModule(
 );
 # define sqlite3VtabInSync(db) ((db)->nVTrans>0 && (db)->aVTrans==0)
 #endif
+SQLITE_PRIVATE int sqlite3ReadOnlyShadowTables(sqlite3 *db);
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName);
+#else
+# define sqlite3ShadowTableName(A,B) 0
+#endif
 SQLITE_PRIVATE int sqlite3VtabEponymousTableInit(Parse*,Module*);
 SQLITE_PRIVATE void sqlite3VtabEponymousTableClear(sqlite3*,Module*);
 SQLITE_PRIVATE void sqlite3VtabMakeWritable(Parse*,Table*);
@@ -108483,6 +108489,22 @@ SQLITE_PRIVATE int sqlite3WritableSchema(sqlite3 *db){
 return (db->flags&(SQLITE_WriteSchema|SQLITE_Defensive))==SQLITE_WriteSchema;
 }

+/*
+ ** Return TRUE if shadow tables should be read-only in the current
+ ** context.
+ */
+int sqlite3ReadOnlyShadowTables(sqlite3 *db){
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+ if( (db->flags & SQLITE_Defensive)!=0
+ && db->pVtabCtx==0
+ && db->nVdbeExec==0
+ ){
+ return 1;
+ }
+#endif
+ return 0;
+}
+
 /*
 ** This routine is used to check if the UTF-8 string zName is a legal
 ** unqualified name for a new schema object (table, index, view or
@@ -108516,8 +108538,8 @@ SQLITE_PRIVATE int sqlite3CheckObjectName(
 }
 }
 }else{
- if( pParse->nested==0
- && 0==sqlite3StrNICmp(zName, "sqlite_", 7)
+ if( (pParse->nested==0 && 0==sqlite3StrNICmp(zName, "sqlite_", 7))
+ || (sqlite3ReadOnlyShadowTables(db) && sqlite3ShadowTableName(db, zName))
 ){
 sqlite3ErrorMsg(pParse, "object name reserved for internal use: %s",
 zName);
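Review bot: The new definition `int sqlite3ReadOnlyShadowTables(sqlite3 *db){` drops the `SQLITE_PRIVATE` qualifier that its prototype in the @@ -19519 hunk carries and that neighbouring definitions such as `sqlite3WritableSchema` use; `int sqlite3ShadowTableName(...)` in the @@ -109662 hunk has the same mismatch. C lets a definition inherit the linkage of an earlier visible prototype, so this should still build, but the linkage then depends on that prototype staying in scope and the file's convention becomes harder to audit. Write the definitions as `SQLITE_PRIVATE int sqlite3ReadOnlyShadowTables(sqlite3 *db){` and `SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName){`.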
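Review bot: The shadow-table clause added to the condition in sqlite3CheckObjectName only takes effect when `sqlite3ReadOnlyShadowTables(db)` returns 1, and that function (added in the @@ -108483 hunk) requires `SQLITE_Defensive` on the connection with `pVtabCtx` and `nVdbeExec` both zero. A connection that has not enabled defensive mode therefore still accepts these names exactly as before the patch. That may be the intended upstream behaviour, but it should be stated at the condition so integrators do not assume the CVE fix is unconditional: `/* Shadow-table names are rejected only when the connection is in defensive mode (SQLITE_DBCONFIG_DEFENSIVE). */`. The enclosing function starts and ends outside the hunk.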
@@ -109662,7 +109684,7 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
 ** zName is temporarily modified while this routine is running, but is
 ** restored to its original value prior to this routine returning.
 */
-static int isShadowTableName(sqlite3 *db, char *zName){
+int sqlite3ShadowTableName(sqlite3 *db, const char *zName){
 char *zTail; /* Pointer to the last "_" in zName */
 Table *pTab; /* Table that zName is a shadow of */
 Module *pMod; /* Module for the virtual table */
@@ -109680,8 +109702,6 @@ static int isShadowTableName(sqlite3 *db, char *zName){
 if( pMod->pModule->xShadowName==0 ) return 0;
 return pMod->pModule->xShadowName(zTail+1);
 }
-#else
-# define isShadowTableName(x,y) 0
 #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */

 /*
@@ -109723,7 +109743,7 @@ SQLITE_PRIVATE void sqlite3EndTable(
 p = pParse->pNewTable;
 if( p==0 ) return;

- if( pSelect==0 && isShadowTableName(db, p->zName) ){
+ if( pSelect==0 && sqlite3ShadowTableName(db, p->zName) ){
 p->tabFlags |= TF_Shadow;
 }

--
cgit v1.2.3
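Review bot: The renamed `sqlite3ShadowTableName` now takes `const char *zName`, yet the comment kept directly above it says zName is temporarily modified while the routine runs, and `zTail` is still declared as a non-const `char *` pointing into it. The statements between these declarations and the next hunk are not shown, so this is inferred, but if the body still writes through `zTail`, a caller passing a string in read-only storage would hit undefined behaviour, and the new call from sqlite3CheckObjectName widens the set of callers. Either keep the parameter non-const or state the requirement in the header comment, e.g. `** zName must point to writable memory even though it is const-qualified.`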