From 3e6089b695489d5ba513723230a54b4b5e8349ae Mon Sep 17 00:00:00 2001
From: Andy Shaw <andy.shaw@qt.io>
Date: Mon, 20 Apr 2020 10:49:57 +0200
Subject: sqlite: Fix CVE-2020-11656

This was taken from d09f8c3621d5f7f8 and b64674919f673602 in SQLite,
ref: https://www3.sqlite.org/cgi/src/info/d09f8c3621d5f7f8
https://www.sqlite.org/cgi/src/info/b64674919f673602

[ChangeLog][QtSQL][sqlite] Fixed CVE-2020-11656

Fixes: QTBUG-83652
Change-Id: I99bd59dc10b753ff19822c902dff1fc339d330a8
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
---
 src/3rdparty/sqlite/sqlite3.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

(limited to 'src/3rdparty/sqlite/sqlite3.c')

diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c
index 054be43d95..6ff9ba42aa 100644
--- a/src/3rdparty/sqlite/sqlite3.c
+++ b/src/3rdparty/sqlite/sqlite3.c
@@ -97945,7 +97945,7 @@ static int resolveOrderByTermToExprList(
   nc.nErr = 0;
   db = pParse->db;
   savedSuppErr = db->suppressErr;
-  db->suppressErr = 1;
+  if( IN_RENAME_OBJECT==0 ) db->suppressErr = 1;
   rc = sqlite3ResolveExprNames(&nc, pE);
   db->suppressErr = savedSuppErr;
   if( rc ) return 0;
@@ -105383,6 +105383,21 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
   }
 }
 
+/*
+** Unmap all tokens in the IdList object passed as the second argument.
+*/
+static void unmapColumnIdlistNames(
+  Parse *pParse,
+  IdList *pIdList
+){
+  if( pIdList ){
+    int ii;
+    for(ii=0; ii<pIdList->nId; ii++){
+      sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName);
+    }
+  }
+}
+      
 /*
 ** Walker callback used by sqlite3RenameExprUnmap().
 */
@@ -105404,6 +105419,7 @@ static int renameUnmapSelectCb(Walker *pWalker, Select *p){
     for(i=0; i<pSrc->nSrc; i++){
       sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);
       if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;
+      unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);
     }
   }
 
-- 
cgit v1.2.3