author | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-22 21:13:35 +0000 |
---|---|---|
committer | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-22 21:13:35 +0000 |
commit | f0e1d9fa17f7f2fd64d29b7c797baab0000b9125 (patch) | |
tree | e7aede07897eaf4ff02644376093b6cb72dfa363 | |
parent | a21ecf667e4b73294516efdb08958d1c02362d34 (diff) | |
Fix crash with "ATTACH 12345 as db". Believed to not have security impact.
BUG=38745
TEST="ATTACH 12345 as db"
Review URL: http://codereview.chromium.org/1108003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42255 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | third_party/sqlite/README.chromium | 4 | ||||
-rw-r--r-- | third_party/sqlite/attach-integer.patch | 15 | ||||
-rw-r--r-- | third_party/sqlite/src/attach.c | 6 |
3 files changed, 25 insertions, 0 deletions
diff --git a/third_party/sqlite/README.chromium b/third_party/sqlite/README.chromium index 6953e64..bb30588 100644 --- a/third_party/sqlite/README.chromium +++ b/third_party/sqlite/README.chromium @@ -55,6 +55,7 @@ safe-tolower.patch sqlite-poison.patch fts2.patch icu-regexp.patch +attach-integer.patch So, e.g. you could do this to apply all our patches to vanilla SQLite: @@ -65,6 +66,7 @@ patch -p0 < ../sqlite/safe-tolower.patch patch -p0 < ../sqlite/sqlite-poison.patch patch -p0 < ../sqlite/fts2.patch patch -p0 < ../sqlite/icu-regexp.patch +patch -p0 < ../sqlite/attach-integer.patch This will only be the case if all changes we make also update the corresponding patch files. Therefore please remember to do that whenever you make a change! @@ -99,6 +101,8 @@ Chris Evans <cevans@google.com>, Oct 1, 2009 As of Dec 16, 2009, these are our changes from sqlite_vendor: + - A fix for a crash passing an integer expression to ATTACH / DETACH. See + attach-integer.patch - A fix for a crash mis-calling the REGEXP() function of the ICU extension. See icu-regexp.patch - A large number of fts2 robustness fixes against corrupt data in its metadata diff --git a/third_party/sqlite/attach-integer.patch b/third_party/sqlite/attach-integer.patch new file mode 100644 index 0000000..aa74e2e --- /dev/null +++ b/third_party/sqlite/attach-integer.patch @@ -0,0 +1,15 @@ +--- src/attach.c.orig 2010-03-21 21:28:14.144127448 -0700 ++++ src/attach.c 2010-03-21 21:55:58.224754199 -0700 +@@ -313,6 +313,12 @@ + #ifndef SQLITE_OMIT_AUTHORIZATION + if( pAuthArg ){ + char *zAuthArg = pAuthArg->u.zToken; ++ int i; ++ char iBuf[32]; ++ if( sqlite3ExprIsInteger(pAuthArg, &i) ){ ++ sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", pAuthArg->u.iValue); ++ zAuthArg = iBuf; ++ } + if( NEVER(zAuthArg==0) ){ + goto attach_end; + } diff --git a/third_party/sqlite/src/attach.c b/third_party/sqlite/src/attach.c index d79f6e6..48e0a28 100644 --- a/third_party/sqlite/src/attach.c +++ b/third_party/sqlite/src/attach.c 
@@ -313,6 +313,12 @@ static void codeAttach(
 #ifndef SQLITE_OMIT_AUTHORIZATION
 if( pAuthArg ){
 char *zAuthArg = pAuthArg->u.zToken;
+ int i;
+ char iBuf[32];
+ if( sqlite3ExprIsInteger(pAuthArg, &i) ){
+ sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", pAuthArg->u.iValue);
+ zAuthArg = iBuf;
+ }
 if( NEVER(zAuthArg==0) ){
 goto attach_end;
 } |
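Review bot: The added branch asks `sqlite3ExprIsInteger(pAuthArg, &i)` for the value and then never uses `i`, formatting `pAuthArg->u.iValue` instead; the same lines are carried in attach-integer.patch. If that helper can also succeed for a node whose value is not stored directly in the union (a signed literal, for example; this cannot be confirmed from the hunk), the text placed in `zAuthArg` would not be the integer the statement named, and `zAuthArg` is presumably what the authorization check below the hunk is given. Formatting the value the helper returned keeps the two in step: `sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", i);`. A one-line comment above the check, such as `/* u.zToken is not a usable pointer when the node holds an integer */`, would also explain why the initial `u.zToken` read is overridden. codeAttach begins and continues outside this hunk.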