From 45667c125ab66642489b4c156e1abd694296359a Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Jul 09 2019 08:31:03 +0000
Subject: Fixed out of bounds heap read in function rtreenode()


Enhance the rtreenode() function of rtree (used for
testing) so that it uses the newer sqlite3_str object
for better performance and improved error reporting.

Resolves: #1719121

---

diff --git a/sqlite-3.26.0-out-of-bounds-read.patch b/sqlite-3.26.0-out-of-bounds-read.patch
new file mode 100644
index 0000000..99f47b9
--- /dev/null
+++ b/sqlite-3.26.0-out-of-bounds-read.patch
@@ -0,0 +1,85 @@
+From 01ecf717c040cbcd6c9ba1ae6b70d27220043791 Mon Sep 17 00:00:00 2001
+From: SQLite Maintainers
+Date: Tue, 9 Jul 2019 10:19:25 +0200
+Subject: [PATCH] Enhance the rtreenode() function of rtree (used for testing)
+so that it uses the newer sqlite3_str object for better performance and
+improved error reporting.
+
+Resolves: #1719121
+---
+ ext/rtree/rtree.c | 35 ++++++++++++++++-------------------
+ 1 file changed, 16 insertions(+), 19 deletions(-)
+
+diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c
+index 4b044cb..0043791 100644
+--- a/ext/rtree/rtree.c
++++ b/ext/rtree/rtree.c
+@@ -3711,49 +3711,46 @@ rtreeInit_fail:
+ ** <num-dimension>*2 coordinates.
+ */
+ static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){
+-  char *zText = 0;
+   RtreeNode node;
+   Rtree tree;
+   int ii;
++  int nData;
++  int errCode;
++  sqlite3_str *pOut;
+ 
+   UNUSED_PARAMETER(nArg);
+   memset(&node, 0, sizeof(RtreeNode));
+   memset(&tree, 0, sizeof(Rtree));
+   tree.nDim = (u8)sqlite3_value_int(apArg[0]);
++  if( tree.nDim<1 || tree.nDim>5 ) return;
+   tree.nDim2 = tree.nDim*2;
+   tree.nBytesPerCell = 8 + 8 * tree.nDim;
+   node.zData = (u8 *)sqlite3_value_blob(apArg[1]);
++  nData = sqlite3_value_bytes(apArg[1]);
++  if( nData<4 ) return;
++  if( nData<NCELL(&node)*tree.nBytesPerCell ) return;
+ 
++  pOut = sqlite3_str_new(0);
+   for(ii=0; ii<NCELL(&node); ii++){
+-    char zCell[512];
+-    int nCell = 0;
+     RtreeCell cell;
+     int jj;
+ 
+     nodeGetCell(&tree, &node, ii, &cell);
+-    sqlite3_snprintf(512-nCell,&zCell[nCell],"%lld", cell.iRowid);
+-    nCell = (int)strlen(zCell);
++    if( ii>0 ) sqlite3_str_append(pOut, " ", 1);
++    sqlite3_str_appendf(pOut, "{%lld", cell.iRowid);
+     for(jj=0; jj<tree.nDim2; jj++){
+ #ifndef SQLITE_RTREE_INT_ONLY
+-      sqlite3_snprintf(512-nCell,&zCell[nCell], " %g",
+-                       (double)cell.aCoord[jj].f);
++      sqlite3_str_appendf(pOut, " %g", (double)cell.aCoord[jj].f);
+ #else
+-      sqlite3_snprintf(512-nCell,&zCell[nCell], " %d",
+-                       cell.aCoord[jj].i);
++      sqlite3_str_appendf(pOut, " %d", cell.aCoord[jj].i);
+ #endif
+-      nCell = (int)strlen(zCell);
+-    }
+-
+-    if( zText ){
+-      char *zTextNew = sqlite3_mprintf("%s {%s}", zText, zCell);
+-      sqlite3_free(zText);
+-      zText = zTextNew;
+-    }else{
+-      zText = sqlite3_mprintf("{%s}", zCell);
+     }
++    sqlite3_str_append(pOut, "}", 1);
+   }
+   
+-  sqlite3_result_text(ctx, zText, -1, sqlite3_free);
++  errCode = sqlite3_str_errcode(pOut);
++  sqlite3_result_text(ctx, sqlite3_str_finish(pOut), -1, sqlite3_free);
++  sqlite3_result_error_code(ctx, errCode);
+ }
+ 
+ /* This routine implements an SQL function that returns the "depth" parameter
+-- 
+2.19.1
+
diff --git a/sqlite.spec b/sqlite.spec
index f4bbd5a..eda737c 100644
--- a/sqlite.spec
+++ b/sqlite.spec
@@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
@@ -45,6 +45,9 @@ Patch11: sqlite-3.28.0-fts5-interleaving-writes-reads.patch
 # Fix for CVE-2019-9936 (rhbz#1692365)
 # https://sqlite.org/src/info/b3fa58dd7403dbd4
 Patch12: sqlite-3.28.0-fts5-buffer-overread.patch
+# Fix for CVE-2019-8457 (rhbz#1719121)
+# https://www.sqlite.org/src/info/90acdbfce9c08858
+Patch13: sqlite-3.26.0-out-of-bounds-read.patch
 
 BuildRequires:  gcc
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -153,6 +156,7 @@ This package contains the analysis program for %{name}.
 %patch10 -p0
 %patch11 -p0
 %patch12 -p0
+%patch13 -p1
 
 # Remove backup-file
 rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@@ -257,6 +261,9 @@ make test
 %endif
 
 %changelog
+* Wed Jun 26 2019 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-4
+- Fixed CVE-2019-8457 (#1719121) 
+
 * Thu May 16 2019 Petr Kubat <pkubat@redhat.com> - 3.26.0-3
 - Fixed CVE-2019-9937 (#1692358)
 - Fixed CVE-2019-9936 (#1692366)