From 2c1b4e37b936f64d6b52e2bc10ff97184a714b9a Mon Sep 17 00:00:00 2001 From: Andy Shaw Date: Wed, 4 Mar 2020 07:44:22 +0100 Subject: Fix CVE-2020-9327 in SQLite This was taken from abc473fb8fb99900 in SQLite, ref: https://www.sqlite.org/cgi/src/info/abc473fb8fb99900 Fixes: QTBUG-82533 Change-Id: I9840e29f19a0b861229987f5b59d8585ba2e55dc Reviewed-by: Simon Hausmann --- .../patches/0001-Fix-CVE-2020-9327-in-SQLite.patch | 203 +++++++++++++++++++++ src/3rdparty/sqlite/sqlite3.c | 31 +++- 2 files changed, 225 insertions(+), 9 deletions(-) create mode 100644 src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch (limited to 'src') diff --git a/src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch b/src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch new file mode 100644 index 0000000000..4fbb2ee339 --- /dev/null +++ b/src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch 
@@ -0,0 +1,203 @@ +From 63566d1fff2665b777650594eec6eefd3587e177 Mon Sep 17 00:00:00 2001 +From: Andy Shaw +Date: Wed, 4 Mar 2020 07:44:22 +0100 +Subject: [PATCH] Fix CVE-2020-9327 in SQLite + +This was taken from abc473fb8fb99900 in SQLite, ref: +https://www.sqlite.org/cgi/src/info/abc473fb8fb99900 + +Fixes: QTBUG-82533 +Change-Id: I9840e29f19a0b861229987f5b59d8585ba2e55dc +--- + .../0001-Fix-CVE-2020-9327-in-SQLite.patch | 96 +++++++++++++++++++ + src/3rdparty/sqlite/sqlite3.c | 31 ++++-- + 2 files changed, 118 insertions(+), 9 deletions(-) + create mode 100644 src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch + +diff --git a/src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch b/src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch +new file mode 100644 +index 0000000000..e0e8206db5 +--- /dev/null ++++ b/src/3rdparty/sqlite/patches/0001-Fix-CVE-2020-9327-in-SQLite.patch +@@ -0,0 +1,96 @@ ++From f79860e0fe251e3267a3cd5558dce98f918e0caa Mon Sep 17 00:00:00 2001 ++From: Andy Shaw ++Date: Wed, 4 Mar 2020 07:44:22 +0100 ++Subject: [PATCH] Fix CVE-2020-9327 in SQLite ++ ++Fixes: QTBUG-82533 ++Change-Id: I9840e29f19a0b861229987f5b59d8585ba2e55dc ++--- ++ src/3rdparty/sqlite/sqlite3.c | 31 ++++++++++++++++++++++--------- ++ 1 file changed, 22 insertions(+), 9 deletions(-) ++ ++diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c ++index 55dc686ee0..dfe5323a59 100644 ++--- a/src/3rdparty/sqlite/sqlite3.c +++++ b/src/3rdparty/sqlite/sqlite3.c ++@@ -17428,8 +17428,11 @@ struct Table { ++ */ ++ #ifndef SQLITE_OMIT_VIRTUALTABLE ++ # define IsVirtual(X) ((X)->nModuleArg) +++# define ExprIsVtab(X) \ +++ ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg) ++ #else ++ # define IsVirtual(X) 0 +++# define ExprIsVtab(X) 0 ++ #endif ++ ++ /* ++@@ -104133,19 +104136,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){ ++ case TK_LT: ++ case TK_LE: ++ case TK_GT: ++- case TK_GE: +++ case 
TK_GE: { +++ Expr *pLeft = pExpr->pLeft; +++ Expr *pRight = pExpr->pRight; ++ testcase( pExpr->op==TK_EQ ); ++ testcase( pExpr->op==TK_NE ); ++ testcase( pExpr->op==TK_LT ); ++ testcase( pExpr->op==TK_LE ); ++ testcase( pExpr->op==TK_GT ); ++ testcase( pExpr->op==TK_GE ); ++- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab)) ++- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab)) +++ /* The y.pTab=0 assignment in wherecode.c always happens after the +++ ** impliesNotNullRow() test */ +++ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0) +++ && IsVirtual(pLeft->y.pTab)) +++ || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0) +++ && IsVirtual(pRight->y.pTab)) ++ ){ ++- return WRC_Prune; +++ return WRC_Prune; ++ } ++- +++ } ++ default: ++ return WRC_Continue; ++ } ++@@ -142591,7 +142600,8 @@ static int isAuxiliaryVtabOperator( ++ ** MATCH(expression,vtab_column) ++ */ ++ pCol = pList->a[1].pExpr; ++- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ +++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); +++ if( ExprIsVtab(pCol) ){ ++ for(i=0; iu.zToken, aOp[i].zOp)==0 ){ ++ *peOp2 = aOp[i].eOp2; ++@@ -142613,7 +142623,8 @@ static int isAuxiliaryVtabOperator( ++ ** with function names in an arbitrary case. 
++ */ ++ pCol = pList->a[0].pExpr; ++- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ +++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); +++ if( ExprIsVtab(pCol) ){ ++ sqlite3_vtab *pVtab; ++ sqlite3_module *pMod; ++ void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**); ++@@ -142636,10 +142647,12 @@ static int isAuxiliaryVtabOperator( ++ int res = 0; ++ Expr *pLeft = pExpr->pLeft; ++ Expr *pRight = pExpr->pRight; ++- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){ +++ testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 ); +++ if( ExprIsVtab(pLeft) ){ ++ res++; ++ } ++- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){ +++ testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 ); +++ if( pRight && ExprIsVtab(pRight) ){ ++ res++; ++ SWAP(Expr*, pLeft, pRight); ++ } ++-- ++2.21.0 (Apple Git-122.2) ++ +diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c +index 55dc686ee0..dfe5323a59 100644 +--- a/src/3rdparty/sqlite/sqlite3.c ++++ b/src/3rdparty/sqlite/sqlite3.c +@@ -17428,8 +17428,11 @@ struct Table { + */ + #ifndef SQLITE_OMIT_VIRTUALTABLE + # define IsVirtual(X) ((X)->nModuleArg) ++# define ExprIsVtab(X) \ ++ ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg) + #else + # define IsVirtual(X) 0 ++# define ExprIsVtab(X) 0 + #endif + + /* +@@ -104133,19 +104136,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){ + case TK_LT: + case TK_LE: + case TK_GT: +- case TK_GE: ++ case TK_GE: { ++ Expr *pLeft = pExpr->pLeft; ++ Expr *pRight = pExpr->pRight; + testcase( pExpr->op==TK_EQ ); + testcase( pExpr->op==TK_NE ); + testcase( pExpr->op==TK_LT ); + testcase( pExpr->op==TK_LE ); + testcase( pExpr->op==TK_GT ); + testcase( pExpr->op==TK_GE ); +- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab)) +- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab)) ++ /* The y.pTab=0 assignment in wherecode.c always happens after the ++ ** impliesNotNullRow() 
test */ ++ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0) ++ && IsVirtual(pLeft->y.pTab)) ++ || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0) ++ && IsVirtual(pRight->y.pTab)) + ){ +- return WRC_Prune; ++ return WRC_Prune; + } +- ++ } + default: + return WRC_Continue; + } +@@ -142591,7 +142600,8 @@ static int isAuxiliaryVtabOperator( + ** MATCH(expression,vtab_column) + */ + pCol = pList->a[1].pExpr; +- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ ++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); ++ if( ExprIsVtab(pCol) ){ + for(i=0; iu.zToken, aOp[i].zOp)==0 ){ + *peOp2 = aOp[i].eOp2; +@@ -142613,7 +142623,8 @@ static int isAuxiliaryVtabOperator( + ** with function names in an arbitrary case. + */ + pCol = pList->a[0].pExpr; +- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ ++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); ++ if( ExprIsVtab(pCol) ){ + sqlite3_vtab *pVtab; + sqlite3_module *pMod; + void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**); +@@ -142636,10 +142647,12 @@ static int isAuxiliaryVtabOperator( + int res = 0; + Expr *pLeft = pExpr->pLeft; + Expr *pRight = pExpr->pRight; +- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){ ++ testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 ); ++ if( ExprIsVtab(pLeft) ){ + res++; + } +- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){ ++ testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 ); ++ if( pRight && ExprIsVtab(pRight) ){ + res++; + SWAP(Expr*, pLeft, pRight); + } +-- +2.21.0 (Apple Git-122.2) + diff --git a/src/3rdparty/sqlite/sqlite3.c b/src/3rdparty/sqlite/sqlite3.c index 55dc686ee0..dfe5323a59 100644 --- a/src/3rdparty/sqlite/sqlite3.c +++ b/src/3rdparty/sqlite/sqlite3.c 
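Review bot: The stored patch 0001-Fix-CVE-2020-9327-in-SQLite.patch contains itself: its diffstat lists the .patch file (96 lines) next to sqlite3.c, and its body opens with a `new file mode` section that adds a nested copy of the patch before the sqlite3.c hunks. A record under src/3rdparty/sqlite/patches is presumably meant to be re-applied after an SQLite update, and this one would also try to create the patch file. Regenerating it so that it carries only the `src/3rdparty/sqlite/sqlite3.c` section (22 insertions, 9 deletions) would keep the record minimal and easier to audit against upstream check-in abc473fb8fb99900.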
@@ -17428,8 +17428,11 @@ struct Table { */ #ifndef SQLITE_OMIT_VIRTUALTABLE # define IsVirtual(X) ((X)->nModuleArg) +# define ExprIsVtab(X) \ + ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg) #else # define IsVirtual(X) 0 +# define ExprIsVtab(X) 0 #endif /* @@ -104133,19 +104136,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){ case TK_LT: case TK_LE: case TK_GT: - case TK_GE: + case TK_GE: { + Expr *pLeft = pExpr->pLeft; + Expr *pRight = pExpr->pRight; testcase( pExpr->op==TK_EQ ); testcase( pExpr->op==TK_NE ); testcase( pExpr->op==TK_LT ); testcase( pExpr->op==TK_LE ); testcase( pExpr->op==TK_GT ); testcase( pExpr->op==TK_GE ); - if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab)) - || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab)) + /* The y.pTab=0 assignment in wherecode.c always happens after the + ** impliesNotNullRow() test */ + if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0) + && IsVirtual(pLeft->y.pTab)) + || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0) + && IsVirtual(pRight->y.pTab)) ){ - return WRC_Prune; + return WRC_Prune; } - + } default: return WRC_Continue; } @@ -142591,7 +142600,8 @@ static int isAuxiliaryVtabOperator( ** MATCH(expression,vtab_column) */ pCol = pList->a[1].pExpr; - if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ + testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); + if( ExprIsVtab(pCol) ){ for(i=0; iu.zToken, aOp[i].zOp)==0 ){ *peOp2 = aOp[i].eOp2; @@ -142613,7 +142623,8 @@ static int isAuxiliaryVtabOperator( ** with function names in an arbitrary case. */ pCol = pList->a[0].pExpr; - if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ + testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); + if( ExprIsVtab(pCol) ){ sqlite3_vtab *pVtab; sqlite3_module *pMod; void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**); 
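Review bot: The new `ExprIsVtab(X)` macro is added without a comment and expands its argument three times. The call sites in this diff pass plain pointer variables (pCol, pLeft, pRight), so that is harmless today, but the macro is now where the NULL test on `y.pTab` lives and that deserves to be stated. A comment such as `/* True if X is a TK_COLUMN bound to a virtual table; safe when X->y.pTab==0. X is evaluated more than once. */` above the definition would do it. The comment block that closes at the top of this hunk starts outside it, so it may already cover IsVirtual but cannot cover the new macro.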
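Review bot: The NULL guard added to impliesNotNullRow() is wrapped in `ALWAYS(...)`, unlike the plain `(X)->y.pTab!=0` test that ExprIsVtab gives the other call sites, so its effect depends on how ALWAYS is defined for the build. ALWAYS is defined outside this hunk; in upstream SQLite it is an assertion in debug builds and the constant 1 in coverage-test builds, where the guard then rests entirely on the ordering invariant the new comment states about wherecode.c, which cannot be checked from this diff. Separately, the new `{ ... }` block closes directly onto `default:`, so the non-pruned case still reaches `return WRC_Continue;` by fall-through; a `/* fall through to default */` comment before the closing brace would make that intent explicit. The function starts and ends outside the hunk.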
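Review bot: The `testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );` line added here, and the matching ones in the two later isAuxiliaryVtabOperator hunks, only record coverage and do not exercise the NULL `y.pTab` path in an ordinary build. The testcase macro is defined outside this diff, and upstream compiles it away unless coverage or debug is enabled. The diffstat shows only the patch record and sqlite3.c changing, so nothing in this commit reproduces the expression shape that previously reached `IsVirtual()` with a NULL pTab. Consider a regression test on the Qt side, or at least a comment naming the upstream case, e.g. `/* regression case: see upstream check-in abc473fb8fb99900 */`. The body of isAuxiliaryVtabOperator starts and ends outside these hunks.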
@@ -142636,10 +142647,12 @@ static int isAuxiliaryVtabOperator(
 int res = 0;
 Expr *pLeft = pExpr->pLeft;
 Expr *pRight = pExpr->pRight;
- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){
+ testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 );
+ if( ExprIsVtab(pLeft) ){
 res++;
 }
- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){
+ testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 );
+ if( pRight && ExprIsVtab(pRight) ){
 res++;
 SWAP(Expr*, pLeft, pRight);
 }
-- cgit v1.2.3
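Review bot: `ExprIsVtab(pLeft)` dereferences pLeft with no NULL test, while pRight keeps its `pRight &&` guard a few lines later, and nothing in the hunk says why only one side needs it. Presumably pLeft is always set for the operators handled in this branch and pRight can be absent for a unary one, but the case label is outside the hunk. A one-line comment would record the assumption, e.g. `/* pLeft is never NULL here; pRight is NULL for unary operators */`, to be confirmed against the enclosing case before it is added.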