From f0e1d9fa17f7f2fd64d29b7c797baab0000b9125 Mon Sep 17 00:00:00 2001 From: "cevans@chromium.org" <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> Date: Mon, 22 Mar 2010 21:13:35 +0000 Subject: Fix crash with "ATTACH 12345 as db". Believed to not have security impact. BUG=38745 TEST="ATTACH 12345 as db" Review URL: http://codereview.chromium.org/1108003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42255 0039d316-1c4b-4281-b951-d872f2087c98
--- third_party/sqlite/README.chromium | 4 ++++ third_party/sqlite/attach-integer.patch | 15 +++++++++++++++ third_party/sqlite/src/attach.c | 6 ++++++ 3 files changed, 25 insertions(+) create mode 100644 third_party/sqlite/attach-integer.patch (limited to 'third_party')
diff --git a/third_party/sqlite/README.chromium b/third_party/sqlite/README.chromium
index 6953e64..bb30588 100644
--- a/third_party/sqlite/README.chromium
+++ b/third_party/sqlite/README.chromium
@@ -55,6 +55,7 @@ safe-tolower.patch sqlite-poison.patch fts2.patch icu-regexp.patch +attach-integer.patch So, e.g. you could do this to apply all our patches to vanilla SQLite:
@@ -65,6 +66,7 @@ patch -p0 < ../sqlite/safe-tolower.patch patch -p0 < ../sqlite/sqlite-poison.patch patch -p0 < ../sqlite/fts2.patch patch -p0 < ../sqlite/icu-regexp.patch +patch -p0 < ../sqlite/attach-integer.patch This will only be the case if all changes we make also update the corresponding patch files. Therefore please remember to do that whenever you make a change!
@@ -99,6 +101,8 @@ Chris Evans <cevans@google.com>, Oct 1, 2009 As of Dec 16, 2009, these are our changes from sqlite_vendor: + - A fix for a crash passing an integer expression to ATTACH / DETACH. See + attach-integer.patch - A fix for a crash mis-calling the REGEXP() function of the ICU extension. See icu-regexp.patch - A large number of fts2 robustness fixes against corrupt data in its metadata 
diff --git a/third_party/sqlite/attach-integer.patch b/third_party/sqlite/attach-integer.patch
new file mode 100644
index 0000000..aa74e2e
--- /dev/null
+++ b/third_party/sqlite/attach-integer.patch
@@ -0,0 +1,15 @@
+--- src/attach.c.orig 2010-03-21 21:28:14.144127448 -0700
++++ src/attach.c 2010-03-21 21:55:58.224754199 -0700
+@@ -313,6 +313,12 @@
+ #ifndef SQLITE_OMIT_AUTHORIZATION
+ if( pAuthArg ){
+ char *zAuthArg = pAuthArg->u.zToken;
++ int i;
++ char iBuf[32];
++ if( sqlite3ExprIsInteger(pAuthArg, &i) ){
++ sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", pAuthArg->u.iValue);
++ zAuthArg = iBuf;
++ }
+ if( NEVER(zAuthArg==0) ){
+ goto attach_end;
+ }
diff --git a/third_party/sqlite/src/attach.c b/third_party/sqlite/src/attach.c
index d79f6e6..48e0a28 100644
--- a/third_party/sqlite/src/attach.c
+++ b/third_party/sqlite/src/attach.c
@@ -313,6 +313,12 @@ static void codeAttach(
 #ifndef SQLITE_OMIT_AUTHORIZATION
 if( pAuthArg ){
 char *zAuthArg = pAuthArg->u.zToken;
+ int i;
+ char iBuf[32];
+ if( sqlite3ExprIsInteger(pAuthArg, &i) ){
+ sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", pAuthArg->u.iValue);
+ zAuthArg = iBuf;
+ }
 if( NEVER(zAuthArg==0) ){
 goto attach_end;
 }
-- cgit v1.1
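Review bot: The integer that `sqlite3ExprIsInteger` writes into `i` is discarded, and the snprintf line in the attach.c hunk re-reads `pAuthArg->u.iValue` instead, which only holds the literal's value when that node carries it directly; for the other forms the helper accepts in SQLite (a unary-minus or unary-plus wrapper around a literal, or a literal still kept in token form), `u.iValue` is the wrapper node's field or the inactive member of the `u` union, so the authorizer would be handed the wrong text while the crash fix still appears to work. Use the value the helper just produced, `sqlite3_snprintf(sizeof(iBuf), iBuf, "%d", i);`, and name the variable `iVal` rather than `i` so its role is visible. The same six lines are duplicated in third_party/sqlite/attach-integer.patch and must be changed in lockstep, as README.chromium requires. Only integer expressions are covered: if the grammar can deliver any other token-less expression here, `zAuthArg` stays 0 and the `NEVER()` branch below is taken, which asserts in debug builds, so that is worth confirming. codeAttach begins and ends outside the hunk.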