diff -Nru sqlite3-3.27.2/debian/changelog sqlite3-3.27.2/debian/changelog --- sqlite3-3.27.2/debian/changelog 2019-06-13 14:28:02.000000000 +0000 +++ sqlite3-3.27.2/debian/changelog 2019-11-27 14:40:05.000000000 +0000 @@ -1,3 +1,31 @@ +sqlite3 (3.27.2-2ubuntu0.2) disco-security; urgency=medium + + * SECURITY UPDATE: Severe division by zero + - debian/patches/CVE-2019-16168.patch: fix in + src/analyze.c, src/where.c, test/analyzeC.test. + - CVE-2019-16168 + * SECURITY UPDATE: Use after free + - debian/patches/CVE-2019-5018.patch: fix in + src/resolve.c, src/sqliteInt.h. + - CVE-2019-5018 + * SECURITY UPDATE: Heap corruption exploit + - debian/patches/CVE-2019-5827-*.patch: fix in + ext/fts3*, ext/rtree/geopoly.c, src/build.c, + src/expr.c, src/main.c, src/test_fs.c, src/util.c, + src/vdbeaux.c, src/vdbesort.c, src/vtab.c. + - CVE-2019-5827 + * SECURITY UPDATE: Mishandle pExpr + - debian/patches/CVE-2019-19242.patch: correctly handled + pExpr in src/expr.c. + - CVE-2019-19242 + * SECURITY UPDATE: Denial of service (crash) + - debian/patches/CVE-2019-19244.patch: fix the crash + that happens if no check p->Win == 0 in src/select.c, + test1/window1.test. + - CVE-2019-19244 + + -- Leonidas S. Barbosa Wed, 27 Nov 2019 11:40:05 -0300 + sqlite3 (3.27.2-2ubuntu0.1) disco-security; urgency=medium * SECURITY UPDATE: heap out-of-bound read diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch --- sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch 1970-01-01 00:00:00.000000000 +0000 +++ sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch 2019-11-27 14:39:04.000000000 +0000 @@ -0,0 +1,57 @@ +Description: Ensure that the optional "sz=N" parameter that can be manually added to the end of an sqlite_stat1 entry does not have an N value that is too small +Origin: https://www.sqlite.org/src/info/98357d8c1263920b + + + +diff --git a/src/analyze.c b/src/analyze.c +index e6b27aa..2025d7f 100644 +--- a/src/analyze.c ++++ b/src/analyze.c +@@ -1497,7 +1497,9 @@ static void decodeIntArray( + if( sqlite3_strglob("unordered*", z)==0 ){ + pIndex->bUnordered = 1; + }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){ +- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3)); ++ int sz = sqlite3Atoi(z+3); ++ if( sz<2 ) sz = 2; ++ pIndex->szIdxRow = sqlite3LogEst(sz); + }else if( sqlite3_strglob("noskipscan*", z)==0 ){ + pIndex->noSkipScan = 1; + } +diff --git a/src/where.c b/src/where.c +index a09f762..deba6ef 100644 +--- a/src/where.c ++++ b/src/where.c +@@ -2669,6 +2669,7 @@ static int whereLoopAddBtreeIndex( + ** it to pNew->rRun, which is currently set to the cost of the index + ** seek only. Then, if this is a non-covering index, add the cost of + ** visiting the rows in the main table. */ ++ assert( pSrc->pTab->szTabRow>0 ); + rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow; + pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx); + if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){ +diff --git a/test/analyzeC.test b/test/analyzeC.test +index 02faa9c..2a0a897 100644 +--- a/test/analyzeC.test ++++ b/test/analyzeC.test +@@ -132,6 +132,20 @@ do_execsql_test 4.3 { + SELECT count(a) FROM t1; + } {/.*INDEX t1ca.*/} + ++# 2019-08-15. ++# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901 ++# The sz=N parameter in the sqlite_stat1 table needs to have a value of ++# 2 or more to avoid a division by zero in the query planner. ++# ++do_execsql_test 4.4 { ++ DROP TABLE IF EXISTS t44; ++ CREATE TABLE t44(a PRIMARY KEY); ++ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0'); ++ ANALYZE sqlite_master; ++ SELECT 0 FROM t44 WHERE a IN(1,2,3); ++} {} ++ ++ + + # The sz=NNN parameter works even if there is other extraneous text + # in the sqlite_stat1.stat column. diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-19242.patch sqlite3-3.27.2/debian/patches/CVE-2019-19242.patch --- sqlite3-3.27.2/debian/patches/CVE-2019-19242.patch 1970-01-01 00:00:00.000000000 +0000 +++ sqlite3-3.27.2/debian/patches/CVE-2019-19242.patch 2019-11-27 14:39:30.000000000 +0000 @@ -0,0 +1,28 @@ +Backported of: + +From 57f7ece78410a8aae86aa4625fb7556897db384c Mon Sep 17 00:00:00 2001 +From: drh +Date: Thu, 21 Nov 2019 18:28:44 +0000 +Subject: [PATCH] Fix a problem that comes up when using generated columns that + evaluate to a constant in an index and then making use of that index in a + join. + +FossilOrigin-Name: 8b12e95fec7ce6e0de82a04ca3dfcf1a8e62e233b7382aa28a8a9be6e862b1af +diff --git a/src/expr.c b/src/expr.c +index e39b640..48ce35f 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -3476,7 +3476,12 @@ expr_code_doover: + ** constant. + */ + int iReg = sqlite3ExprCodeTarget(pParse, pExpr->pLeft,target); +- int aff = sqlite3TableColumnAffinity(pExpr->y.pTab, pExpr->iColumn); ++ int aff; ++ if( pExpr->y.pTab ){ ++ aff = sqlite3TableColumnAffinity(pExpr->y.pTab, pExpr->iColumn); ++ }else{ ++ aff = pExpr->affinity; ++ } + if( aff!=SQLITE_AFF_BLOB ){ + static const char zAff[] = "B\000C\000D\000E"; + assert( SQLITE_AFF_BLOB=='A' ); diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-19244.patch sqlite3-3.27.2/debian/patches/CVE-2019-19244.patch --- sqlite3-3.27.2/debian/patches/CVE-2019-19244.patch 1970-01-01 00:00:00.000000000 +0000 +++ sqlite3-3.27.2/debian/patches/CVE-2019-19244.patch 2019-11-27 14:39:35.000000000 +0000 @@ -0,0 +1,45 @@ +Backported of: + +From e59c562b3f6894f84c715772c4b116d7b5c01348 Mon Sep 17 00:00:00 2001 +From: dan +Date: Fri, 22 Nov 2019 10:14:01 +0000 +Subject: [PATCH] Fix a crash that could occur if a sub-select that uses both + DISTINCT and window functions also used an ORDER BY that is the same as its + select list. + +FossilOrigin-Name: bcdd66c1691955c697f3d756c2b035acfe98f6aad72e90b0021bab6e9023b3ba +diff --git a/src/select.c b/src/select.c +index f30cea5..cda3a09 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -5986,6 +5986,7 @@ int sqlite3Select( + */ + if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct + && sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0 ++ && p->pWin==0 + ){ + p->selFlags &= ~SF_Distinct; + pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0); +diff --git a/test/window1.test b/test/window1.test +index 0098ca3..b4a06ba 100644 +--- a/test/window1.test ++++ b/test/window1.test +@@ -747,5 +747,18 @@ do_execsql_test 18.2 { + ) + } {3} + ++reset_db ++do_execsql_test 33.1 { ++ CREATE TABLE t1(aa, bb); ++ INSERT INTO t1 VALUES(1, 2); ++ INSERT INTO t1 VALUES(5, 6); ++ CREATE TABLE t2(x); ++ INSERT INTO t2 VALUES(1); ++} ++do_execsql_test 33.2 { ++ SELECT (SELECT DISTINCT sum(aa) OVER() FROM t1 ORDER BY 1), x FROM t2 ++ ORDER BY 1; ++} {6 1} ++ + + finish_test diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-5018.patch sqlite3-3.27.2/debian/patches/CVE-2019-5018.patch --- sqlite3-3.27.2/debian/patches/CVE-2019-5018.patch 1970-01-01 00:00:00.000000000 +0000 +++ sqlite3-3.27.2/debian/patches/CVE-2019-5018.patch 2019-11-27 14:39:48.000000000 +0000 @@ -0,0 +1,98 @@ +Description: An exploitable use after free vulnerability exists in the window function +Origin: https://www.sqlite.org/src/vpatch?from=1ae70ad2ffd36c27&to=1e16d3e8fc60d39c +diff --git a/src/resolve.c b/src/resolve.c +index fd9ab84..59608e7 100644 +--- a/src/resolve.c ++++ b/src/resolve.c +@@ -435,6 +435,10 @@ static int lookupName( + sqlite3ErrorMsg(pParse, "misuse of aliased aggregate %s", zAs); + return WRC_Abort; + } ++ if( (pNC->ncFlags&NC_AllowWin)==0 && ExprHasProperty(pOrig, EP_Win) ){ ++ sqlite3ErrorMsg(pParse, "misuse of aliased window function %s",zAs); ++ return WRC_Abort; ++ } + if( sqlite3ExprVectorSize(pOrig)!=1 ){ + sqlite3ErrorMsg(pParse, "row value misused"); + return WRC_Abort; +@@ -725,6 +729,7 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){ + const char *zId; /* The function name. */ + FuncDef *pDef; /* Information about the function */ + u8 enc = ENC(pParse->db); /* The database encoding */ ++ int savedAllowFlags = (pNC->ncFlags & (NC_AllowAgg | NC_AllowWin)); + + assert( !ExprHasProperty(pExpr, EP_xIsSelect) ); + zId = pExpr->u.zToken; +@@ -846,8 +851,11 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){ + pNC->nErr++; + } + if( is_agg ){ ++ /* Window functions may not be arguments of aggregate functions. ++ ** Or arguments of other window functions. But aggregate functions ++ ** may be arguments for window functions. */ + #ifndef SQLITE_OMIT_WINDOWFUNC +- pNC->ncFlags &= ~(pExpr->y.pWin ? NC_AllowWin : NC_AllowAgg); ++ pNC->ncFlags &= ~(NC_AllowWin | (!pExpr->y.pWin ? NC_AllowAgg : 0)); + #else + pNC->ncFlags &= ~NC_AllowAgg; + #endif +@@ -868,7 +876,7 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){ + pExpr->y.pWin->pNextWin = pSel->pWin; + pSel->pWin = pExpr->y.pWin; + } +- pNC->ncFlags |= NC_AllowWin; ++ pNC->ncFlags |= NC_HasWin; + }else + #endif /* SQLITE_OMIT_WINDOWFUNC */ + { +@@ -886,8 +894,8 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){ + pNC2->ncFlags |= NC_HasAgg | (pDef->funcFlags & SQLITE_FUNC_MINMAX); + + } +- pNC->ncFlags |= NC_AllowAgg; + } ++ pNC->ncFlags |= savedAllowFlags; + } + /* FIX ME: Compute pExpr->affinity based on the expected return + ** type of the function +@@ -1646,8 +1654,8 @@ int sqlite3ResolveExprNames( + Walker w; + + if( pExpr==0 ) return SQLITE_OK; +- savedHasAgg = pNC->ncFlags & (NC_HasAgg|NC_MinMaxAgg); +- pNC->ncFlags &= ~(NC_HasAgg|NC_MinMaxAgg); ++ savedHasAgg = pNC->ncFlags & (NC_HasAgg|NC_MinMaxAgg|NC_HasWin); ++ pNC->ncFlags &= ~(NC_HasAgg|NC_MinMaxAgg|NC_HasWin); + w.pParse = pNC->pParse; + w.xExprCallback = resolveExprStep; + w.xSelectCallback = resolveSelectStep; +@@ -1666,6 +1674,9 @@ int sqlite3ResolveExprNames( + if( pNC->ncFlags & NC_HasAgg ){ + ExprSetProperty(pExpr, EP_Agg); + } ++ if( pNC->ncFlags & NC_HasWin ){ ++ ExprSetProperty(pExpr, EP_Win); ++ } + pNC->ncFlags |= savedHasAgg; + return pNC->nErr>0 || w.pParse->nErr>0; + } +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index 4940511..e02d651 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -2524,6 +2524,7 @@ struct Expr { + #define EP_WinFunc 0x1000000 /* TK_FUNCTION with Expr.y.pWin set */ + #define EP_Subrtn 0x2000000 /* Uses Expr.y.sub. TK_IN, _SELECT, or _EXISTS */ + #define EP_Quoted 0x4000000 /* TK_ID was originally quoted */ ++#define EP_Win 0x8000000 /* Contains window functions */ + + /* + ** The EP_Propagate mask is a set of properties that automatically propagate +@@ -2780,6 +2781,7 @@ struct NameContext { + #define NC_MinMaxAgg 0x1000 /* min/max aggregates seen. See note above */ + #define NC_Complex 0x2000 /* True if a function or subquery seen */ + #define NC_AllowWin 0x4000 /* Window functions are allowed here */ ++#define NC_HasWin 0x8000 /* One or more window functions seen */ + + /* + ** An instance of the following object describes a single ON CONFLICT diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-5827-1.patch sqlite3-3.27.2/debian/patches/CVE-2019-5827-1.patch --- sqlite3-3.27.2/debian/patches/CVE-2019-5827-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ sqlite3-3.27.2/debian/patches/CVE-2019-5827-1.patch 2019-11-27 14:39:54.000000000 +0000 @@ -0,0 +1,222 @@ +Description: Integer overflow in SQLite via WebSQL +Origin: https://www.sqlite.org/src/info/07ee06fd390bfebe AND https://www.sqlite.org/src/info/0b6ae032c28e7fe3 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928770 + +diff --git a/ext/fts3/fts3_snippet.c b/ext/fts3/fts3_snippet.c +index 115e98a..c8516f5 100644 +--- a/ext/fts3/fts3_snippet.c ++++ b/ext/fts3/fts3_snippet.c +@@ -130,10 +130,11 @@ struct StrBuffer { + */ + static MatchinfoBuffer *fts3MIBufferNew(int nElem, const char *zMatchinfo){ + MatchinfoBuffer *pRet; +- int nByte = sizeof(u32) * (2*nElem + 1) + sizeof(MatchinfoBuffer); +- int nStr = (int)strlen(zMatchinfo); ++ sqlite3_int64 nByte = sizeof(u32) * (2*(sqlite3_int64)nElem + 1) ++ + sizeof(MatchinfoBuffer); ++ sqlite3_int64 nStr = strlen(zMatchinfo); + +- pRet = sqlite3_malloc(nByte + nStr+1); ++ pRet = sqlite3_malloc64(nByte + nStr+1); + if( pRet ){ + memset(pRet, 0, nByte); + pRet->aMatchinfo[0] = (u8*)(&pRet->aMatchinfo[1]) - (u8*)pRet; +diff --git a/ext/fts3/fts3_test.c b/ext/fts3/fts3_test.c +index 8bf7804..f6c11bb 100644 +--- a/ext/fts3/fts3_test.c ++++ b/ext/fts3/fts3_test.c +@@ -448,14 +448,14 @@ static int testTokenizerNext( + }else{ + /* Advance to the end of the token */ + const char *pToken = p; +- int nToken; ++ sqlite3_int64 nToken; + while( ppCsr->nBuffer ){ + sqlite3_free(pCsr->aBuffer); +- pCsr->aBuffer = sqlite3_malloc(nToken); ++ pCsr->aBuffer = sqlite3_malloc64(nToken); + } + if( pCsr->aBuffer==0 ){ + rc = SQLITE_NOMEM; +diff --git a/ext/fts3/fts3_tokenize_vtab.c b/ext/fts3/fts3_tokenize_vtab.c +index b5bf8ad..313a3c0 100644 +--- a/ext/fts3/fts3_tokenize_vtab.c ++++ b/ext/fts3/fts3_tokenize_vtab.c +@@ -346,7 +346,7 @@ static int fts3tokFilterMethod( + if( idxNum==1 ){ + const char *zByte = (const char *)sqlite3_value_text(apVal[0]); + int nByte = sqlite3_value_bytes(apVal[0]); +- pCsr->zInput = sqlite3_malloc(nByte+1); ++ pCsr->zInput = sqlite3_malloc64(nByte+1); + if( pCsr->zInput==0 ){ + rc = SQLITE_NOMEM; + }else{ +diff --git a/ext/fts3/fts3_tokenizer.c b/ext/fts3/fts3_tokenizer.c +index bfc36af..fe2003e 100644 +--- a/ext/fts3/fts3_tokenizer.c ++++ b/ext/fts3/fts3_tokenizer.c +@@ -194,8 +194,8 @@ int sqlite3Fts3InitTokenizer( + int iArg = 0; + z = &z[n+1]; + while( z0 ){ +- int nByte = sizeof(Fts3SegReader) + (nElem+1)*sizeof(Fts3HashElem *); +- pReader = (Fts3SegReader *)sqlite3_malloc(nByte); ++ sqlite3_int64 nByte; ++ nByte = sizeof(Fts3SegReader) + (nElem+1)*sizeof(Fts3HashElem *); ++ pReader = (Fts3SegReader *)sqlite3_malloc64(nByte); + if( !pReader ){ + rc = SQLITE_NOMEM; + }else{ +@@ -3363,7 +3364,7 @@ static void fts3InsertDocsize( + int rc; /* Result code from subfunctions */ + + if( *pRC ) return; +- pBlob = sqlite3_malloc( 10*p->nColumn ); ++ pBlob = sqlite3_malloc64( 10*(sqlite3_int64)p->nColumn ); + if( pBlob==0 ){ + *pRC = SQLITE_NOMEM; + return; +@@ -3413,7 +3414,7 @@ static void fts3UpdateDocTotals( + const int nStat = p->nColumn+2; + + if( *pRC ) return; +- a = sqlite3_malloc( (sizeof(u32)+10)*nStat ); ++ a = sqlite3_malloc64( (sizeof(u32)+10)*(sqlite3_int64)nStat ); + if( a==0 ){ + *pRC = SQLITE_NOMEM; + return; +@@ -3534,8 +3535,8 @@ static int fts3DoRebuild(Fts3Table *p){ + } + + if( rc==SQLITE_OK ){ +- int nByte = sizeof(u32) * (p->nColumn+1)*3; +- aSz = (u32 *)sqlite3_malloc(nByte); ++ sqlite3_int64 nByte = sizeof(u32) * ((sqlite3_int64)p->nColumn+1)*3; ++ aSz = (u32 *)sqlite3_malloc64(nByte); + if( aSz==0 ){ + rc = SQLITE_NOMEM; + }else{ +@@ -3601,12 +3602,12 @@ static int fts3IncrmergeCsr( + ){ + int rc; /* Return Code */ + sqlite3_stmt *pStmt = 0; /* Statement used to read %_segdir entry */ +- int nByte; /* Bytes allocated at pCsr->apSegment[] */ ++ sqlite3_int64 nByte; /* Bytes allocated at pCsr->apSegment[] */ + + /* Allocate space for the Fts3MultiSegReader.aCsr[] array */ + memset(pCsr, 0, sizeof(*pCsr)); + nByte = sizeof(Fts3SegReader *) * nSeg; +- pCsr->apSegment = (Fts3SegReader **)sqlite3_malloc(nByte); ++ pCsr->apSegment = (Fts3SegReader **)sqlite3_malloc64(nByte); + + if( pCsr->apSegment==0 ){ + rc = SQLITE_NOMEM; +@@ -5586,7 +5587,7 @@ int sqlite3Fts3UpdateMethod( + } + + /* Allocate space to hold the change in document sizes */ +- aSzDel = sqlite3_malloc( sizeof(aSzDel[0])*(p->nColumn+1)*2 ); ++ aSzDel = sqlite3_malloc64(sizeof(aSzDel[0])*((sqlite3_int64)p->nColumn+1)*2); + if( aSzDel==0 ){ + rc = SQLITE_NOMEM; + goto update_out; +diff --git a/ext/fts5/fts5_tokenize.c b/ext/fts5/fts5_tokenize.c +index 9fced72..93edcee 100644 +--- a/ext/fts5/fts5_tokenize.c ++++ b/ext/fts5/fts5_tokenize.c +@@ -369,7 +369,7 @@ static int fts5UnicodeCreate( + + p->eRemoveDiacritic = FTS5_REMOVE_DIACRITICS_SIMPLE; + p->nFold = 64; +- p->aFold = sqlite3_malloc(p->nFold * sizeof(char)); ++ p->aFold = sqlite3_malloc64(p->nFold * sizeof(char)); + if( p->aFold==0 ){ + rc = SQLITE_NOMEM; + } +diff --git a/ext/rtree/geopoly.c b/ext/rtree/geopoly.c +index d93eca2..fa58838 100644 +--- a/ext/rtree/geopoly.c ++++ b/ext/rtree/geopoly.c +@@ -269,7 +269,7 @@ static GeoPoly *geopolyParseJson(const unsigned char *z, int *pRc){ + GeoPoly *pOut; + int x = 1; + s.nVertex--; /* Remove the redundant vertex at the end */ +- pOut = sqlite3_malloc64( GEOPOLY_SZ(s.nVertex) ); ++ pOut = sqlite3_malloc64( GEOPOLY_SZ((sqlite3_int64)s.nVertex) ); + x = 1; + if( pOut==0 ) goto parse_json_err; + pOut->nVertex = s.nVertex; +@@ -655,7 +655,7 @@ static GeoPoly *geopolyBBox( + if( pRc ) *pRc = SQLITE_OK; + if( aCoord==0 ){ + geopolyBboxFill: +- pOut = sqlite3_realloc(p, GEOPOLY_SZ(4)); ++ pOut = sqlite3_realloc64(p, GEOPOLY_SZ(4)); + if( pOut==0 ){ + sqlite3_free(p); + if( context ) sqlite3_result_error_nomem(context); +@@ -1051,9 +1051,9 @@ static GeoSegment *geopolySortSegmentsByYAndC(GeoSegment *pList){ + ** Determine the overlap between two polygons + */ + static int geopolyOverlap(GeoPoly *p1, GeoPoly *p2){ +- int nVertex = p1->nVertex + p2->nVertex + 2; ++ sqlite3_int64 nVertex = p1->nVertex + p2->nVertex + 2; + GeoOverlap *p; +- int nByte; ++ sqlite3_int64 nByte; + GeoEvent *pThisEvent; + double rX; + int rc = 0; +@@ -1065,7 +1065,7 @@ static int geopolyOverlap(GeoPoly *p1, GeoPoly *p2){ + nByte = sizeof(GeoEvent)*nVertex*2 + + sizeof(GeoSegment)*nVertex + + sizeof(GeoOverlap); +- p = sqlite3_malloc( nByte ); ++ p = sqlite3_malloc64( nByte ); + if( p==0 ) return -1; + p->aEvent = (GeoEvent*)&p[1]; + p->aSegment = (GeoSegment*)&p->aEvent[nVertex*2]; +@@ -1224,8 +1224,8 @@ static int geopolyInit( + ){ + int rc = SQLITE_OK; + Rtree *pRtree; +- int nDb; /* Length of string argv[1] */ +- int nName; /* Length of string argv[2] */ ++ sqlite3_int64 nDb; /* Length of string argv[1] */ ++ sqlite3_int64 nName; /* Length of string argv[2] */ + sqlite3_str *pSql; + char *zSql; + int ii; +@@ -1233,9 +1233,9 @@ static int geopolyInit( + sqlite3_vtab_config(db, SQLITE_VTAB_CONSTRAINT_SUPPORT, 1); + + /* Allocate the sqlite3_vtab structure */ +- nDb = (int)strlen(argv[1]); +- nName = (int)strlen(argv[2]); +- pRtree = (Rtree *)sqlite3_malloc(sizeof(Rtree)+nDb+nName+2); ++ nDb = strlen(argv[1]); ++ nName = strlen(argv[2]); ++ pRtree = (Rtree *)sqlite3_malloc64(sizeof(Rtree)+nDb+nName+2); + if( !pRtree ){ + return SQLITE_NOMEM; + } diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-5827-2.patch sqlite3-3.27.2/debian/patches/CVE-2019-5827-2.patch --- sqlite3-3.27.2/debian/patches/CVE-2019-5827-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ sqlite3-3.27.2/debian/patches/CVE-2019-5827-2.patch 2019-11-27 14:40:05.000000000 +0000 @@ -0,0 +1,203 @@ +Description: Integer overflow in SQLite via WebSQL +Origin: https://www.sqlite.org/src/info/0b6ae032c28e7fe3 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928770 +diff --git a/src/build.c b/src/build.c +index 3daa677..9a57626 100644 +--- a/src/build.c ++++ b/src/build.c +@@ -3754,9 +3754,9 @@ void *sqlite3ArrayAllocate( + int *pIdx /* Write the index of a new slot here */ + ){ + char *z; +- int n = *pnEntry; ++ sqlite3_int64 n = *pnEntry; + if( (n & (n-1))==0 ){ +- int sz = (n==0) ? 1 : 2*n; ++ sqlite3_int64 sz = (n==0) ? 1 : 2*n; + void *pNew = sqlite3DbRealloc(db, pArray, sz*szEntry); + if( pNew==0 ){ + *pIdx = -1; +@@ -3877,7 +3877,7 @@ SrcList *sqlite3SrcListEnlarge( + /* Allocate additional space if needed */ + if( (u32)pSrc->nSrc+nExtra>pSrc->nAlloc ){ + SrcList *pNew; +- int nAlloc = pSrc->nSrc*2+nExtra; ++ sqlite3_int64 nAlloc = 2*(sqlite3_int64)pSrc->nSrc+nExtra; + sqlite3 *db = pParse->db; + + if( pSrc->nSrc+nExtra>=SQLITE_MAX_SRCLIST ){ +@@ -4633,7 +4633,7 @@ With *sqlite3WithAdd( + } + + if( pWith ){ +- int nByte = sizeof(*pWith) + (sizeof(pWith->a[1]) * pWith->nCte); ++ sqlite3_int64 nByte = sizeof(*pWith) + (sizeof(pWith->a[1]) * pWith->nCte); + pNew = sqlite3DbRealloc(db, pWith, nByte); + }else{ + pNew = sqlite3DbMallocZero(db, sizeof(*pWith)); +diff --git a/src/expr.c b/src/expr.c +index 48ce35f..41f0196 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -1587,7 +1587,7 @@ ExprList *sqlite3ExprListAppend( + }else if( (pList->nExpr & (pList->nExpr-1))==0 ){ + ExprList *pNew; + pNew = sqlite3DbRealloc(db, pList, +- sizeof(*pList)+(2*pList->nExpr - 1)*sizeof(pList->a[0])); ++ sizeof(*pList)+(2*(sqlite3_int64)pList->nExpr-1)*sizeof(pList->a[0])); + if( pNew==0 ){ + goto no_mem; + } +diff --git a/src/main.c b/src/main.c +index 41e0245..ec490d4 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -705,7 +705,7 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){ + pStart = 0; + }else if( pBuf==0 ){ + sqlite3BeginBenignMalloc(); +- pStart = sqlite3Malloc( sz*cnt ); /* IMP: R-61949-35727 */ ++ pStart = sqlite3Malloc( sz*(sqlite3_int64)cnt ); /* IMP: R-61949-35727 */ + sqlite3EndBenignMalloc(); + if( pStart ) cnt = sqlite3MallocSize(pStart)/sz; + }else{ +diff --git a/src/test_fs.c b/src/test_fs.c +index 8192beb..1feea46 100644 +--- a/src/test_fs.c ++++ b/src/test_fs.c +@@ -744,7 +744,7 @@ static int fsColumn(sqlite3_vtab_cursor *cur, sqlite3_context *ctx, int i){ + fstat(fd, &sbuf); + + if( sbuf.st_size>=pCur->nAlloc ){ +- int nNew = sbuf.st_size*2; ++ sqlite3_int64 nNew = sbuf.st_size*2; + char *zNew; + if( nNew<1024 ) nNew = 1024; + +diff --git a/src/util.c b/src/util.c +index 8432d89..6864181 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -1576,7 +1576,7 @@ VList *sqlite3VListAdd( + assert( pIn==0 || pIn[0]>=3 ); /* Verify ok to add new elements */ + if( pIn==0 || pIn[1]+nInt > pIn[0] ){ + /* Enlarge the allocation */ +- int nAlloc = (pIn ? pIn[0]*2 : 10) + nInt; ++ sqlite3_int64 nAlloc = (pIn ? 2*(sqlite3_int64)pIn[0] : 10) + nInt; + VList *pOut = sqlite3DbRealloc(db, pIn, nAlloc*sizeof(int)); + if( pOut==0 ) return pIn; + if( pIn==0 ) pOut[1] = 2; +diff --git a/src/vdbeaux.c b/src/vdbeaux.c +index 1ba015f..6967481 100644 +--- a/src/vdbeaux.c ++++ b/src/vdbeaux.c +@@ -155,9 +155,11 @@ static int growOpArray(Vdbe *v, int nOp){ + ** operation (without SQLITE_TEST_REALLOC_STRESS) is to double the current + ** size of the op array or add 1KB of space, whichever is smaller. */ + #ifdef SQLITE_TEST_REALLOC_STRESS +- int nNew = (v->nOpAlloc>=512 ? v->nOpAlloc*2 : v->nOpAlloc+nOp); ++ sqlite3_int64 nNew = (v->nOpAlloc>=512 ? 2*(sqlite3_int64)v->nOpAlloc ++ : (sqlite3_int64)v->nOpAlloc+nOp); + #else +- int nNew = (v->nOpAlloc ? v->nOpAlloc*2 : (int)(1024/sizeof(Op))); ++ sqlite3_int64 nNew = (v->nOpAlloc ? 2*(sqlite3_int64)v->nOpAlloc ++ : (sqlite3_int64)1024/sizeof(Op)); + UNUSED_PARAMETER(nOp); + #endif + +@@ -945,7 +947,7 @@ void sqlite3VdbeScanStatus( + LogEst nEst, /* Estimated number of output rows */ + const char *zName /* Name of table or index being scanned */ + ){ +- int nByte = (p->nScan+1) * sizeof(ScanStatus); ++ sqlite3_int64 nByte = (p->nScan+1) * sizeof(ScanStatus); + ScanStatus *aNew; + aNew = (ScanStatus*)sqlite3DbRealloc(p->db, p->aScan, nByte); + if( aNew ){ +diff --git a/src/vdbesort.c b/src/vdbesort.c +index b30bc4e..d84a411 100644 +--- a/src/vdbesort.c ++++ b/src/vdbesort.c +@@ -537,7 +537,7 @@ static int vdbePmaReadBlob( + /* Extend the p->aAlloc[] allocation if required. */ + if( p->nAllocnAlloc*2); ++ sqlite3_int64 nNew = MAX(128, 2*(sqlite3_int64)p->nAlloc); + while( nByte>nNew ) nNew = nNew*2; + aNew = sqlite3Realloc(p->aAlloc, nNew); + if( !aNew ) return SQLITE_NOMEM_BKPT; +@@ -1829,7 +1829,7 @@ int sqlite3VdbeSorterWrite( + if( nMin>pSorter->nMemory ){ + u8 *aNew; + int iListOff = (u8*)pSorter->list.pList - pSorter->list.aMemory; +- int nNew = pSorter->nMemory * 2; ++ sqlite3_int64 nNew = 2 * (sqlite3_int64)pSorter->nMemory; + while( nNew < nMin ) nNew = nNew*2; + if( nNew > pSorter->mxPmaSize ) nNew = pSorter->mxPmaSize; + if( nNew < nMin ) nNew = nMin; +diff --git a/src/vtab.c b/src/vtab.c +index 8814b5f..7806eb9 100644 +--- a/src/vtab.c ++++ b/src/vtab.c +@@ -302,9 +302,13 @@ void sqlite3VtabClear(sqlite3 *db, Table *p){ + ** string will be freed automatically when the table is + ** deleted. + */ +-static void addModuleArgument(sqlite3 *db, Table *pTable, char *zArg){ +- int nBytes = sizeof(char *)*(2+pTable->nModuleArg); ++static void addModuleArgument(Parse *pParse, Table *pTable, char *zArg){ ++ sqlite3_int64 nBytes = sizeof(char *)*(2+pTable->nModuleArg); + char **azModuleArg; ++ sqlite3 *db = pParse->db; ++ if( pTable->nModuleArg+3>=db->aLimit[SQLITE_LIMIT_COLUMN] ){ ++ sqlite3ErrorMsg(pParse, "too many columns on %s", pTable->zName); ++ } + azModuleArg = sqlite3DbRealloc(db, pTable->azModuleArg, nBytes); + if( azModuleArg==0 ){ + sqlite3DbFree(db, zArg); +@@ -339,9 +343,9 @@ void sqlite3VtabBeginParse( + db = pParse->db; + + assert( pTable->nModuleArg==0 ); +- addModuleArgument(db, pTable, sqlite3NameFromToken(db, pModuleName)); +- addModuleArgument(db, pTable, 0); +- addModuleArgument(db, pTable, sqlite3DbStrDup(db, pTable->zName)); ++ addModuleArgument(pParse, pTable, sqlite3NameFromToken(db, pModuleName)); ++ addModuleArgument(pParse, pTable, 0); ++ addModuleArgument(pParse, pTable, sqlite3DbStrDup(db, pTable->zName)); + assert( (pParse->sNameToken.z==pName2->z && pName2->z!=0) + || (pParse->sNameToken.z==pName1->z && pName2->z==0) + ); +@@ -374,7 +378,7 @@ static void addArgumentToVtab(Parse *pParse){ + const char *z = (const char*)pParse->sArg.z; + int n = pParse->sArg.n; + sqlite3 *db = pParse->db; +- addModuleArgument(db, pParse->pNewTable, sqlite3DbStrNDup(db, z, n)); ++ addModuleArgument(pParse, pParse->pNewTable, sqlite3DbStrNDup(db, z, n)); + } + } + +@@ -663,7 +667,8 @@ static int growVTrans(sqlite3 *db){ + /* Grow the sqlite3.aVTrans array if required */ + if( (db->nVTrans%ARRAY_INCR)==0 ){ + VTable **aVTrans; +- int nBytes = sizeof(sqlite3_vtab *) * (db->nVTrans + ARRAY_INCR); ++ sqlite3_int64 nBytes = sizeof(sqlite3_vtab*)* ++ ((sqlite3_int64)db->nVTrans + ARRAY_INCR); + aVTrans = sqlite3DbRealloc(db, (void *)db->aVTrans, nBytes); + if( !aVTrans ){ + return SQLITE_NOMEM_BKPT; +@@ -1159,9 +1164,9 @@ int sqlite3VtabEponymousTableInit(Parse *pParse, Module *pMod){ + pTab->pSchema = db->aDb[0].pSchema; + assert( pTab->nModuleArg==0 ); + pTab->iPKey = -1; +- addModuleArgument(db, pTab, sqlite3DbStrDup(db, pTab->zName)); +- addModuleArgument(db, pTab, 0); +- addModuleArgument(db, pTab, sqlite3DbStrDup(db, pTab->zName)); ++ addModuleArgument(pParse, pTab, sqlite3DbStrDup(db, pTab->zName)); ++ addModuleArgument(pParse, pTab, 0); ++ addModuleArgument(pParse, pTab, sqlite3DbStrDup(db, pTab->zName)); + rc = vtabCallConstructor(db, pTab, pMod, pModule->xConnect, &zErr); + if( rc ){ + sqlite3ErrorMsg(pParse, "%s", zErr); diff -Nru sqlite3-3.27.2/debian/patches/series sqlite3-3.27.2/debian/patches/series --- sqlite3-3.27.2/debian/patches/series 2019-06-13 14:27:49.000000000 +0000 +++ sqlite3-3.27.2/debian/patches/series 2019-11-27 14:39:59.000000000 +0000 @@ -11,3 +11,9 @@ 43-fix_an_fts5_problem_with_interleaving.patch 44-fix_a_buffer_overread_when_running_fts5_prefix_queries.patch CVE-2019-8457.patch +CVE-2019-16168.patch +CVE-2019-19242.patch +CVE-2019-19244.patch +CVE-2019-5018.patch +CVE-2019-5827-1.patch +CVE-2019-5827-2.patch