#3 Fixed out of bounds heap read in function rtreenode()
Merged 4 years ago by pkubat. Opened 4 years ago by odubaj.
Unknown source f30  into  f30

@@ -0,0 +1,85 @@

+ From 01ecf717c040cbcd6c9ba1ae6b70d27229468019 Mon Sep 17 00:00:00 2001

+ From: SQLite Maintainers

+ Date: Tue, 9 Jul 2019 10:19:25 +0200

+ Subject: [PATCH] Enhance the rtreenode() function of rtree (used for testing)

+ so that it uses the newer sqlite3_str object for better performance and

+ improved error reporting.

+ 

+ Resolves: #1719121

+ ---

+  ext/rtree/rtree.c | 35 ++++++++++++++++-------------------

+  1 file changed, 16 insertions(+), 19 deletions(-)

+ 

+ diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c

+ index 4b044cb..87d0de0 100644

+ --- a/ext/rtree/rtree.c

+ +++ b/ext/rtree/rtree.c

+ @@ -3711,49 +3711,46 @@ rtreeInit_fail:

+  ** <num-dimension>*2 coordinates.

+  */

+  static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){

+ -  char *zText = 0;

+    RtreeNode node;

+    Rtree tree;

+    int ii;

+ +  int nData;

+ +  int errCode;

+ +  sqlite3_str *pOut;

+  

+    UNUSED_PARAMETER(nArg);

+    memset(&node, 0, sizeof(RtreeNode));

+    memset(&tree, 0, sizeof(Rtree));

+    tree.nDim = (u8)sqlite3_value_int(apArg[0]);

+ +  if( tree.nDim<1 || tree.nDim>5 ) return;

+    tree.nDim2 = tree.nDim*2;

+    tree.nBytesPerCell = 8 + 8 * tree.nDim;

+    node.zData = (u8 *)sqlite3_value_blob(apArg[1]);

+ +  nData = sqlite3_value_bytes(apArg[1]);

+ +  if( nData<4 ) return;

+ +  if( nData<NCELL(&node)*tree.nBytesPerCell ) return;

+  

+ +  pOut = sqlite3_str_new(0);

+    for(ii=0; ii<NCELL(&node); ii++){

+ -    char zCell[512];

+ -    int nCell = 0;

+      RtreeCell cell;

+      int jj;

+  

+      nodeGetCell(&tree, &node, ii, &cell);

+ -    sqlite3_snprintf(512-nCell,&zCell[nCell],"%lld", cell.iRowid);

+ -    nCell = (int)strlen(zCell);

+ +    if( ii>0 ) sqlite3_str_append(pOut, " ", 1);

+ +    sqlite3_str_appendf(pOut, "{%lld", cell.iRowid);

+      for(jj=0; jj<tree.nDim2; jj++){

+  #ifndef SQLITE_RTREE_INT_ONLY

+ -      sqlite3_snprintf(512-nCell,&zCell[nCell], " %g",

+ -                       (double)cell.aCoord[jj].f);

+ +      sqlite3_str_appendf(pOut, " %g", (double)cell.aCoord[jj].f);

+  #else

+ -      sqlite3_snprintf(512-nCell,&zCell[nCell], " %d",

+ -                       cell.aCoord[jj].i);

+ +      sqlite3_str_appendf(pOut, " %d", cell.aCoord[jj].i);

+  #endif

+ -      nCell = (int)strlen(zCell);

+ -    }

+ -

+ -    if( zText ){

+ -      char *zTextNew = sqlite3_mprintf("%s {%s}", zText, zCell);

+ -      sqlite3_free(zText);

+ -      zText = zTextNew;

+ -    }else{

+ -      zText = sqlite3_mprintf("{%s}", zCell);

+      }

+ +    sqlite3_str_append(pOut, "}", 1);

+    }

+    

+ -  sqlite3_result_text(ctx, zText, -1, sqlite3_free);

+ +  errCode = sqlite3_str_errcode(pOut);

+ +  sqlite3_result_text(ctx, sqlite3_str_finish(pOut), -1, sqlite3_free);

+ +  sqlite3_result_error_code(ctx, errCode);

+  }

+  

+  /* This routine implements an SQL function that returns the "depth" parameter

+ -- 

+ 2.19.1

+ 
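Review bot: The size check `if( nData<NCELL(&node)*tree.nBytesPerCell ) return;` does not account for the node header that precedes the cells: if nodeGetCell() addresses cell ii at offset 4 + ii*nBytesPerCell (which is how I read the rtree node layout, and presumably why the preceding `nData<4` check exists; nodeGetCell is not in this hunk), a blob of exactly NCELL*nBytesPerCell bytes passes the check and the final 4 bytes of the last cell are read past the end of the blob. I would tighten it to `if( nData<4+NCELL(&node)*tree.nBytesPerCell ) return;`, which also makes it consistent with the header check above it. NCELL is a 16-bit count and nBytesPerCell is at most 48 after the nDim guard, so the product cannot overflow an int. The three guards return without setting a result, so malformed input yields SQL NULL rather than an error; a comment such as `/* Malformed input: return NULL */` on the `nData<4` guard would make that intent explicit.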

file modified
+8 -1
@@ -10,7 +10,7 @@

  Summary: Library that implements an embeddable SQL database engine

  Name: sqlite

  Version: %{rpmver}

- Release: 5%{?dist}

+ Release: 6%{?dist}

  License: Public Domain

  URL: http://www.sqlite.org/

  
@@ -44,6 +44,9 @@

  # Fix for CVE-2019-9936 (rhbz#1692365)

  # https://sqlite.org/src/info/b3fa58dd7403dbd4

  Patch12: sqlite-3.28.0-fts5-buffer-overread.patch

+ # Fix for CVE-2019-8457 (rhbz#1719121)

+ # https://www.sqlite.org/src/info/90acdbfce9c08858

+ Patch13: sqlite-3.26.0-out-of-bounds-read.patch

  

  BuildRequires:  gcc

  BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -146,6 +149,7 @@

  %patch10 -p0

  %patch11 -p0

  %patch12 -p0

+ %patch13 -p1

  

  # Remove backup-file

  rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@@ -250,6 +254,9 @@

  %endif

  

  %changelog

+ * Wed Jun 26 2019 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-6

+ - Fixed CVE-2019-8457 (#1719121)

+ 

  * Thu May 16 2019 Petr Kubat <pkubat@redhat.com> - 3.26.0-5

  - Fixed CVE-2019-9937 (#1692358)

  - Fixed CVE-2019-9936 (#1692366)
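Review bot: `%patch13 -p1` silently differs from the `-p0` used by %patch10 through %patch12; the reason is that the new patch is a git-format diff whose paths carry `a/` and `b/` prefixes, but nothing in the spec says so. A short comment on the line, `# git-format patch (a/ b/ path prefixes), hence -p1`, would save the next maintainer from "fixing" it to match the others. The Patch13 comment already ties the file to CVE-2019-8457 and the upstream check-in, which is the right place for that provenance.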

Enhance the rtreenode() function of rtree (used for
testing) so that it uses the newer sqlite3_str object
for better performance and improved error reporting.

Resolves: #1719121

Please do not add yourself as the author of the patch file if it is taken from upstream without change.

Thanks for the backport! I have just a few nitpicks, otherwise LGTM.

One more nitpick - please do not mention the "Test cases added to TH3." comment in the commit message.

I know it comes from the upstream change, but it might cause some confusion by suggesting that there is a test case for this in Fedora (TH3 is a proprietary sqlite test harness).
