authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-22 21:13:35 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-22 21:13:35 +0000
commitf0e1d9fa17f7f2fd64d29b7c797baab0000b9125 (patch)
treee7aede07897eaf4ff02644376093b6cb72dfa363
parenta21ecf667e4b73294516efdb08958d1c02362d34 (diff)
Fix crash with "ATTACH 12345 as db". Believed to not have security impact.
BUG=38745 TEST="ATTACH 12345 as db" Review URL: http://codereview.chromium.org/1108003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42255 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--third_party/sqlite/README.chromium4
-rw-r--r--third_party/sqlite/attach-integer.patch15
-rw-r--r--third_party/sqlite/src/attach.c6
3 files changed, 25 insertions, 0 deletions
diff --git a/third_party/sqlite/README.chromium b/third_party/sqlite/README.chromium
index 6953e64..bb30588 100644
--- a/third_party/sqlite/README.chromium
+++ b/third_party/sqlite/README.chromium
@@ -55,6 +55,7 @@ safe-tolower.patch
sqlite-poison.patch
fts2.patch
icu-regexp.patch
+attach-integer.patch
So, e.g. you could do this to apply all our patches to vanilla SQLite:
@@ -65,6 +66,7 @@ patch -p0 < ../sqlite/safe-tolower.patch
patch -p0 < ../sqlite/sqlite-poison.patch
patch -p0 < ../sqlite/fts2.patch
patch -p0 < ../sqlite/icu-regexp.patch
+patch -p0 < ../sqlite/attach-integer.patch
This will only be the case if all changes we make also update the corresponding
patch files. Therefore please remember to do that whenever you make a change!
@@ -99,6 +101,8 @@ Chris Evans <cevans@google.com>, Oct 1, 2009
As of Dec 16, 2009, these are our changes from sqlite_vendor:
+ - A fix for a crash passing an integer expression to ATTACH / DETACH. See
+ attach-integer.patch
- A fix for a crash mis-calling the REGEXP() function of the ICU extension.
See icu-regexp.patch
- A large number of fts2 robustness fixes against corrupt data in its metadata
diff --git a/third_party/sqlite/attach-integer.patch b/third_party/sqlite/attach-integer.patch
new file mode 100644
index 0000000..aa74e2e
--- /dev/null
+++ b/third_party/sqlite/attach-integer.patch
@@ -0,0 +1,15 @@
+--- src/attach.c.orig 2010-03-21 21:28:14.144127448 -0700
++++ src/attach.c 2010-03-21 21:55:58.224754199 -0700
+@@ -313,6 +313,12 @@
+ #ifndef SQLITE_OMIT_AUTHORIZATION
+ if( pAuthArg ){
+ char *zAuthArg = pAuthArg->u.zToken;
++ int i;
++ char iBuf[32];
++ if( sqlite3ExprIsInteger(pAuthArg, &i) ){
++ sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", pAuthArg->u.iValue);
++ zAuthArg = iBuf;
++ }
+ if( NEVER(zAuthArg==0) ){
+ goto attach_end;
+ }
diff --git a/third_party/sqlite/src/attach.c b/third_party/sqlite/src/attach.c
index d79f6e6..48e0a28 100644
--- a/third_party/sqlite/src/attach.c
+++ b/third_party/sqlite/src/attach.c
@@ -313,6 +313,12 @@ static void codeAttach(
#ifndef SQLITE_OMIT_AUTHORIZATION
if( pAuthArg ){
char *zAuthArg = pAuthArg->u.zToken;
+ int i;
+ char iBuf[32];
+ if( sqlite3ExprIsInteger(pAuthArg, &i) ){
+ sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", pAuthArg->u.iValue);
+ zAuthArg = iBuf;
+ }
if( NEVER(zAuthArg==0) ){
goto attach_end;
}
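Review bot: The integer branch formats `pAuthArg->u.iValue`, while the value that `sqlite3ExprIsInteger()` wrote into `i` is never read. That helper's implementation is not shown here, but if it can return true for an expression whose integer is not stored in `u.iValue` (a signed literal, say), the string in `zAuthArg` would not match the evaluated argument, and that string is presumably what the authorization check receives. Using the returned value avoids depending on the union layout: `sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", i);`. A short comment such as `/* Integer operands have no u.zToken; pass their decimal text instead of reading the union as a pointer */` would record why the branch exists. The same lines are mirrored in attach-integer.patch, and the body of codeAttach continues outside this hunk.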