From f0e1d9fa17f7f2fd64d29b7c797baab0000b9125 Mon Sep 17 00:00:00 2001
From: "cevans@chromium.org"
 <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Mon, 22 Mar 2010 21:13:35 +0000
Subject: Fix crash with "ATTACH 12345 as db". Believed to not have security
 impact.

BUG=38745
TEST="ATTACH 12345 as db"

Review URL: http://codereview.chromium.org/1108003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42255 0039d316-1c4b-4281-b951-d872f2087c98
---
 third_party/sqlite/README.chromium      |  4 ++++
 third_party/sqlite/attach-integer.patch | 15 +++++++++++++++
 third_party/sqlite/src/attach.c         |  6 ++++++
 3 files changed, 25 insertions(+)
 create mode 100644 third_party/sqlite/attach-integer.patch


diff --git a/third_party/sqlite/README.chromium b/third_party/sqlite/README.chromium
index 6953e64..bb30588 100644
--- a/third_party/sqlite/README.chromium
+++ b/third_party/sqlite/README.chromium
@@ -55,6 +55,7 @@ safe-tolower.patch
 sqlite-poison.patch
 fts2.patch
 icu-regexp.patch
+attach-integer.patch
 
 So, e.g. you could do this to apply all our patches to vanilla SQLite:
 
@@ -65,6 +66,7 @@ patch -p0 < ../sqlite/safe-tolower.patch
 patch -p0 < ../sqlite/sqlite-poison.patch
 patch -p0 < ../sqlite/fts2.patch
 patch -p0 < ../sqlite/icu-regexp.patch
+patch -p0 < ../sqlite/attach-integer.patch
 
 This will only be the case if all changes we make also update the corresponding
 patch files. Therefore please remember to do that whenever you make a change!
@@ -99,6 +101,8 @@ Chris Evans <cevans@google.com>, Oct 1, 2009
 
 As of Dec 16, 2009, these are our changes from sqlite_vendor:
 
+ - A fix for a crash passing an integer expression to ATTACH / DETACH. See
+ attach-integer.patch
  - A fix for a crash mis-calling the REGEXP() function of the ICU extension.
  See icu-regexp.patch
  - A large number of fts2 robustness fixes against corrupt data in its metadata
diff --git a/third_party/sqlite/attach-integer.patch b/third_party/sqlite/attach-integer.patch
new file mode 100644
index 0000000..aa74e2e
--- /dev/null
+++ b/third_party/sqlite/attach-integer.patch
@@ -0,0 +1,15 @@
+--- src/attach.c.orig	2010-03-21 21:28:14.144127448 -0700
++++ src/attach.c	2010-03-21 21:55:58.224754199 -0700
+@@ -313,6 +313,12 @@
+ #ifndef SQLITE_OMIT_AUTHORIZATION
+   if( pAuthArg ){
+     char *zAuthArg = pAuthArg->u.zToken;
++    int i;
++    char iBuf[32];
++    if( sqlite3ExprIsInteger(pAuthArg, &i) ){
++      sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", pAuthArg->u.iValue);
++      zAuthArg = iBuf;
++    }
+     if( NEVER(zAuthArg==0) ){
+       goto attach_end;
+     }
diff --git a/third_party/sqlite/src/attach.c b/third_party/sqlite/src/attach.c
index d79f6e6..48e0a28 100644
--- a/third_party/sqlite/src/attach.c
+++ b/third_party/sqlite/src/attach.c
@@ -313,6 +313,12 @@ static void codeAttach(
 #ifndef SQLITE_OMIT_AUTHORIZATION
   if( pAuthArg ){
     char *zAuthArg = pAuthArg->u.zToken;
+    int i;
+    char iBuf[32];
+    if( sqlite3ExprIsInteger(pAuthArg, &i) ){
+      sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", pAuthArg->u.iValue);
+      zAuthArg = iBuf;
+    }
     if( NEVER(zAuthArg==0) ){
       goto attach_end;
     }
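Review bot: The string handed to the authorizer is formatted from `pAuthArg->u.iValue`, while `i`, which sqlite3ExprIsInteger() has just filled in, is never used. If that helper can also return true for an expression whose own node does not hold the integer (a signed literal such as `-5`, for example; its body is not visible here), the union read would give an unrelated value, and the authorizer callback may then be asked about a name that differs from what the statement attaches. Formatting the value the helper returned avoids that: `sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", i);`. A short comment such as `/* Integer expressions have no u.zToken; give the authorizer the decimal text instead */` would also explain why `u.zToken` is read first and then overridden. The same lines are mirrored in attach-integer.patch and would need the same update, and codeAttach() continues outside the hunk, so the lifetime of `iBuf` relative to the authorizer call cannot be checked from here.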