diff -Nru sqlite3-3.8.2/debian/changelog sqlite3-3.8.2/debian/changelog
--- sqlite3-3.8.2/debian/changelog 2014-01-02 16:37:56.000000000 +0000
+++ sqlite3-3.8.2/debian/changelog 2019-02-21 16:14:11.000000000 +0000
@@ -1,3 +1,34 @@
+sqlite3 (3.8.2-1ubuntu2.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Avoid segmentation fault while using a corrupted file.
+ - d/p/0001-Fix-a-parsing-issue-associated-with-a-corrupt-sqlite.patch:
+ Check if parser is busy before using it and raise an error if positive.
+ (LP: #1814869)
+ - d/p/0002-Better-error-message-text-when-the-schema-is-corrupt.patch:
+ Better message and additional checks.
+ - No CVE associated.
+
+ -- Paulo Flabiano Smorigo Thu, 21 Feb 2019 17:13:40 +0100
+
+sqlite3 (3.8.2-1ubuntu2.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: array overrun in the skip-scan optimization
+ (LP: #1448758)
+ - debian/patches/CVE-2013-7443.patch: make sure array is large enough
+ in src/where.c, added test to test/skipscan1.test.
+ - CVE-2013-7443
+ * SECURITY UPDATE: improper dequoting of collation-sequence names
+ - debian/patches/CVE-2015-3414.patch: handle dequoting in src/expr.c,
+ src/parse.y, src/sqliteInt.h, src/where.c, added tests to
+ test/collate1.test.
+ - CVE-2015-3414
+ * SECURITY UPDATE: improper large integers handling in printf function
+ - debian/patches/CVE-2015-3416.patch: handle large integers in
+ src/printf.c, added tests to test/printf.test.
+ - CVE-2015-3416
+
+ -- Marc Deslauriers Tue, 14 Jul 2015 13:26:04 -0400
+
 sqlite3 (3.8.2-1ubuntu2) trusty; urgency=medium
 
 * Build for Tcl 8.6.
diff -Nru sqlite3-3.8.2/debian/patches/0001-Fix-a-parsing-issue-associated-with-a-corrupt-sqlite.patch sqlite3-3.8.2/debian/patches/0001-Fix-a-parsing-issue-associated-with-a-corrupt-sqlite.patch
--- sqlite3-3.8.2/debian/patches/0001-Fix-a-parsing-issue-associated-with-a-corrupt-sqlite.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.2/debian/patches/0001-Fix-a-parsing-issue-associated-with-a-corrupt-sqlite.patch 2019-02-21 16:14:31.000000000 +0000
@@ -0,0 +1,27 @@
+From: Joe Mistachkin
+Date: Fri, 16 Mar 2018 19:10:05 +0000
+Subject: [PATCH] Fix a parsing issue associated with a corrupt sqlite_master
+ table.
+
+---
+ src/parse.y | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- sqlite3-3.8.2.orig/src/parse.y
++++ sqlite3-3.8.2/src/parse.y
+@@ -167,8 +167,13 @@ create_table_args ::= LP columnlist cons
+ sqlite3EndTable(pParse,&X,&E,F,0);
+ }
+ create_table_args ::= AS select(S). {
+- sqlite3EndTable(pParse,0,0,0,S);
+- sqlite3SelectDelete(pParse->db, S);
++ if( pParse->db->init.busy==0 ){
++ sqlite3EndTable(pParse,0,0,0,S);
++ sqlite3SelectDelete(pParse->db, S);
++ }else{
++ sqlite3SelectDelete(pParse->db, S);
++ sqlite3ErrorMsg(pParse, "corrupt schema");
++ }
+ }
+ %type table_options {u8}
+ table_options(A) ::= . {A = 0;}
diff -Nru sqlite3-3.8.2/debian/patches/0002-Better-error-message-text-when-the-schema-is-corrupt.patch sqlite3-3.8.2/debian/patches/0002-Better-error-message-text-when-the-schema-is-corrupt.patch
--- sqlite3-3.8.2/debian/patches/0002-Better-error-message-text-when-the-schema-is-corrupt.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.2/debian/patches/0002-Better-error-message-text-when-the-schema-is-corrupt.patch 2019-02-21 16:14:45.000000000 +0000
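Review bot: The header of 0001-Fix-a-parsing-issue-associated-with-a-corrupt-sqlite.patch carries only From/Date/Subject, with no `Origin:` or `Bug-Ubuntu:` field like the CVE-* patches in this upload, so the upstream check-in behind this security backport cannot be traced from the file; 0002-Better-error-message-text-when-the-schema-is-corrupt.patch has the same gap. I would add `Origin: upstream, <upstream check-in URL>` and `Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1814869` to both. It is also worth one header line saying that the parse.y branch added here is removed again by 0002, which moves the `init.busy` check into sqlite3EndTable, so nobody audits this file as the final state of the fix.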
@@ -0,0 +1,62 @@
+From: "D. Richard Hipp"
+Date: Fri, 16 Mar 2018 20:15:58 +0000
+Subject: [PATCH] Better error message text when the schema is corrupted by a
+ CREATE TABLE AS entry.
+
+---
+ src/build.c | 6 ++++--
+ src/parse.y | 9 ++-------
+ src/prepare.c | 2 +-
+ 3 files changed, 7 insertions(+), 10 deletions(-)
+
+--- sqlite3-3.8.2.orig/src/build.c
++++ sqlite3-3.8.2/src/build.c
+@@ -1758,8 +1758,6 @@ void sqlite3EndTable(
+ p = pParse->pNewTable;
+ if( p==0 ) return;
+
+- assert( !db->init.busy || !pSelect );
+-
+ /* If the db->init.busy is 1 it means we are reading the SQL off the
+ ** "sqlite_master" or "sqlite_temp_master" table on the disk.
+ ** So do not write to the disk again. Extract the root page number
+@@ -1767,6 +1765,10 @@ void sqlite3EndTable(
+ ** should have been put there by the sqliteOpenCb routine.)
+ */
+ if( db->init.busy ){
++ if( pSelect ){
++ sqlite3ErrorMsg(pParse, "");
++ return;
++ }
+ p->tnum = db->init.newTnum;
+ }
+
+--- sqlite3-3.8.2.orig/src/parse.y
++++ sqlite3-3.8.2/src/parse.y
+@@ -167,13 +167,8 @@ create_table_args ::= LP columnlist cons
+ sqlite3EndTable(pParse,&X,&E,F,0);
+ }
+ create_table_args ::= AS select(S). {
+- if( pParse->db->init.busy==0 ){
+- sqlite3EndTable(pParse,0,0,0,S);
+- sqlite3SelectDelete(pParse->db, S);
+- }else{
+- sqlite3SelectDelete(pParse->db, S);
+- sqlite3ErrorMsg(pParse, "corrupt schema");
+- }
++ sqlite3EndTable(pParse,0,0,0,S);
++ sqlite3SelectDelete(pParse->db, S);
+ }
+ %type table_options {u8}
+ table_options(A) ::= . {A = 0;}
+--- sqlite3-3.8.2.orig/src/prepare.c
++++ sqlite3-3.8.2/src/prepare.c
+@@ -29,7 +29,7 @@ static void corruptSchema(
+ if( zObj==0 ) zObj = "?";
+ sqlite3SetString(pData->pzErrMsg, db,
+ "malformed database schema (%s)", zObj);
+- if( zExtra ){
++ if( zExtra && zExtra[0] ) {
+ *pData->pzErrMsg = sqlite3MAppendf(db, *pData->pzErrMsg,
+ "%s - %s", *pData->pzErrMsg, zExtra);
+ }
diff -Nru sqlite3-3.8.2/debian/patches/CVE-2013-7443.patch sqlite3-3.8.2/debian/patches/CVE-2013-7443.patch
--- sqlite3-3.8.2/debian/patches/CVE-2013-7443.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.2/debian/patches/CVE-2013-7443.patch 2015-07-14 17:28:21.000000000 +0000
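Review bot: The `sqlite3ErrorMsg(pParse, "")` call added to sqlite3EndTable appears to depend on the `zExtra[0]` test added to corruptSchema in prepare.c, and nothing in build.c records that the empty text is deliberate. A comment above the call, for example `/* Empty text on purpose: corruptSchema() then reports the malformed schema with no suffix */`, would keep the two files in step. The removed `assert` is normally compiled out of release builds, so this runtime check is the only thing keeping a CREATE TABLE AS row in a corrupt sqlite_master away from the rest of the function. Unlike the CVE-* patches, this one adds no regression test; one that opens a database with such a row and expects the malformed-schema error would protect the backport. Both sqlite3EndTable and corruptSchema continue outside the lines shown.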
@@ -0,0 +1,48 @@
+Decription: fix array overrun in the skip-scan optimization
+Origin: upstream, https://www.sqlite.org/src/info/ac5852d6403c9c96
+Bug: https://www.sqlite.org/src/info/520070ec7fbaac
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1448758
+
+Index: sqlite3-3.8.2/src/where.c
+===================================================================
+--- sqlite3-3.8.2.orig/src/where.c 2013-12-06 16:05:14.000000000 -0500
++++ sqlite3-3.8.2/src/where.c 2015-07-14 10:39:19.636567191 -0400
+@@ -3928,6 +3928,7 @@
+ && saved_nEq==saved_nSkip
+ && saved_nEq+1nKeyCol
+ && pProbe->aiRowEst[saved_nEq+1]>=18 /* TUNING: Minimum for skip-scan */
++ && (rc = whereLoopResize(db, pNew, pNew->nLTerm+1))==SQLITE_OK
+ ){
+ LogEst nIter;
+ pNew->u.btree.nEq++;
+Index: sqlite3-3.8.2/test/skipscan1.test
+===================================================================
+--- sqlite3-3.8.2.orig/test/skipscan1.test 2013-12-06 16:05:14.000000000 -0500
++++ sqlite3-3.8.2/test/skipscan1.test 2015-07-14 10:39:19.636567191 -0400
+@@ -187,4 +187,26 @@
+ SELECT a,b,c,d,'|' FROM t3 WHERE b=345 ORDER BY a;
+ } {~/*ORDER BY*/}
+
++# Ticket 520070ec7fbaac: Array overrun in the skip-scan optimization
++# 2013-12-22
++#
++do_execsql_test skipscan1-4.1 {
++ CREATE TABLE t4(a,b,c,d,e,f,g,h,i);
++ CREATE INDEX t4all ON t4(a,b,c,d,e,f,g,h);
++ INSERT INTO t4 VALUES(1,2,3,4,5,6,7,8,9);
++ ANALYZE;
++ DELETE FROM sqlite_stat1;
++ INSERT INTO sqlite_stat1
++ VALUES('t4','t4all','655360 163840 40960 10240 2560 640 160 40 10');
++ ANALYZE sqlite_master;
++ SELECT i FROM t4 WHERE a=1;
++ SELECT i FROM t4 WHERE b=2;
++ SELECT i FROM t4 WHERE c=3;
++ SELECT i FROM t4 WHERE d=4;
++ SELECT i FROM t4 WHERE e=5;
++ SELECT i FROM t4 WHERE f=6;
++ SELECT i FROM t4 WHERE g=7;
++ SELECT i FROM t4 WHERE h=8;
++} {9 9 9 9 9 9 9 9}
++
+ finish_test
diff -Nru sqlite3-3.8.2/debian/patches/CVE-2015-3414.patch sqlite3-3.8.2/debian/patches/CVE-2015-3414.patch
---
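Review bot: The first header field of CVE-2013-7443.patch is spelled `Decription:` (CVE-2015-3416.patch has the same typo), so tooling that reads DEP-3 headers will not see a description for this security patch; it should read `Description: fix array overrun in the skip-scan optimization`. In the where.c hunk the resize is an assignment to `rc` placed as the last term of the `&&` chain, which only allocates when skip-scan is actually chosen. The code that reads `rc` afterwards is outside the hunk, so it is worth confirming that a failed whereLoopResize is returned to the caller rather than only skipping the optimisation.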
sqlite3-3.8.2/debian/patches/CVE-2015-3414.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.2/debian/patches/CVE-2015-3414.patch 2015-07-14 17:23:00.000000000 +0000
@@ -0,0 +1,186 @@
+Description: fix improper dequoting of collation-sequence names
+Origin: backport, https://www.sqlite.org/src/info/eddc05e7bb31fae7
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783968
+
+Index: sqlite3-3.8.2/src/expr.c
+===================================================================
+--- sqlite3-3.8.2.orig/src/expr.c 2015-07-14 13:21:33.315441659 -0400
++++ sqlite3-3.8.2/src/expr.c 2015-07-14 13:22:27.224092310 -0400
+@@ -65,9 +65,9 @@
+ ** If a memory allocation error occurs, that fact is recorded in pParse->db
+ ** and the pExpr parameter is returned unchanged.
+ */
+-Expr *sqlite3ExprAddCollateToken(Parse *pParse, Expr *pExpr, Token *pCollName){
++Expr *sqlite3ExprAddCollateToken(Parse *pParse, Expr *pExpr, Token *pCollName, int dequote){
+ if( pCollName->n>0 ){
+- Expr *pNew = sqlite3ExprAlloc(pParse->db, TK_COLLATE, pCollName, 1);
++ Expr *pNew = sqlite3ExprAlloc(pParse->db, TK_COLLATE, pCollName, dequote);
+ if( pNew ){
+ pNew->pLeft = pExpr;
+ pNew->flags |= EP_Collate|EP_Skip;
+@@ -81,7 +81,7 @@
+ assert( zC!=0 );
+ s.z = zC;
+ s.n = sqlite3Strlen30(s.z);
+- return sqlite3ExprAddCollateToken(pParse, pExpr, &s);
++ return sqlite3ExprAddCollateToken(pParse, pExpr, &s, 0);
+ }
+
+ /*
+Index: sqlite3-3.8.2/src/parse.y
+===================================================================
+--- sqlite3-3.8.2.orig/src/parse.y 2015-07-14 13:21:33.315441659 -0400
++++ sqlite3-3.8.2/src/parse.y 2015-07-14 13:21:33.311441610 -0400
+@@ -829,7 +829,7 @@
+ spanSet(&A, &X, &X);
+ }
+ expr(A) ::= expr(E) COLLATE ids(C). {
+- A.pExpr = sqlite3ExprAddCollateToken(pParse, E.pExpr, &C);
++ A.pExpr = sqlite3ExprAddCollateToken(pParse, E.pExpr, &C, 1);
+ A.zStart = E.zStart;
+ A.zEnd = &C.z[C.n];
+ }
+@@ -1150,14 +1150,14 @@
+ idxlist_opt(A) ::= . {A = 0;}
+ idxlist_opt(A) ::= LP idxlist(X) RP. {A = X;}
+ idxlist(A) ::= idxlist(X) COMMA nm(Y) collate(C) sortorder(Z). {
+- Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C);
++ Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C, 1);
+ A = sqlite3ExprListAppend(pParse,X, p);
+ sqlite3ExprListSetName(pParse,A,&Y,1);
+ sqlite3ExprListCheckLength(pParse, A, "index");
+ if( A ) A->a[A->nExpr-1].sortOrder = (u8)Z;
+ }
+ idxlist(A) ::= nm(Y) collate(C) sortorder(Z). {
+- Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C);
++ Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C, 1);
+ A = sqlite3ExprListAppend(pParse,0, p);
+ sqlite3ExprListSetName(pParse, A, &Y, 1);
+ sqlite3ExprListCheckLength(pParse, A, "index");
+Index: sqlite3-3.8.2/src/sqliteInt.h
+===================================================================
+--- sqlite3-3.8.2.orig/src/sqliteInt.h 2015-07-14 13:21:33.315441659 -0400
++++ sqlite3-3.8.2/src/sqliteInt.h 2015-07-14 13:22:47.552337483 -0400
+@@ -3136,7 +3136,7 @@
+ CollSeq *sqlite3FindCollSeq(sqlite3*,u8 enc, const char*,int);
+ CollSeq *sqlite3LocateCollSeq(Parse *pParse, const char*zName);
+ CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr);
+-Expr *sqlite3ExprAddCollateToken(Parse *pParse, Expr*, Token*);
++Expr *sqlite3ExprAddCollateToken(Parse *pParse, Expr*, Token*, int);
+ Expr *sqlite3ExprAddCollateString(Parse*,Expr*,const char*);
+ Expr *sqlite3ExprSkipCollate(Expr*);
+ int sqlite3CheckCollSeq(Parse *, CollSeq *);
+Index: sqlite3-3.8.2/src/where.c
+===================================================================
+--- sqlite3-3.8.2.orig/src/where.c 2015-07-14 13:21:33.315441659 -0400
++++ sqlite3-3.8.2/src/where.c 2015-07-14 13:21:33.311441610 -0400
+@@ -1256,7 +1256,7 @@
+ Expr *pNewExpr2;
+ int idxNew1;
+ int idxNew2;
+- Token sCollSeqName; /* Name of collating sequence */
++ const char *zCollSeqName; /* Name of collating sequence */
+
+ pLeft = pExpr->x.pList->a[1].pExpr;
+ pStr2 = sqlite3ExprDup(db, pStr1, 0);
+@@ -1276,11 +1276,10 @@
+ }
+ *pC = c + 1;
+ }
+- sCollSeqName.z = noCase ? "NOCASE" : "BINARY";
+- sCollSeqName.n = 6;
++ zCollSeqName = noCase ? "NOCASE" : "BINARY";
+ pNewExpr1 = sqlite3ExprDup(db, pLeft, 0);
+ pNewExpr1 = sqlite3PExpr(pParse, TK_GE,
+- sqlite3ExprAddCollateToken(pParse,pNewExpr1,&sCollSeqName),
++ sqlite3ExprAddCollateString(pParse,pNewExpr1,zCollSeqName),
+ pStr1, 0);
+ transferJoinMarkings(pNewExpr1, pExpr);
+ idxNew1 = whereClauseInsert(pWC, pNewExpr1, TERM_VIRTUAL|TERM_DYNAMIC);
+@@ -1288,7 +1287,7 @@
+ exprAnalyze(pSrc, pWC, idxNew1);
+ pNewExpr2 = sqlite3ExprDup(db, pLeft, 0);
+ pNewExpr2 = sqlite3PExpr(pParse, TK_LT,
+- sqlite3ExprAddCollateToken(pParse,pNewExpr2,&sCollSeqName),
++ sqlite3ExprAddCollateString(pParse,pNewExpr2,zCollSeqName),
+ pStr2, 0);
+ transferJoinMarkings(pNewExpr2, pExpr);
+ idxNew2 = whereClauseInsert(pWC, pNewExpr2, TERM_VIRTUAL|TERM_DYNAMIC);
+Index: sqlite3-3.8.2/test/collate1.test
+===================================================================
+--- sqlite3-3.8.2.orig/test/collate1.test 2015-07-14 13:21:33.315441659 -0400
++++ sqlite3-3.8.2/test/collate1.test 2015-07-14 13:21:33.315441659 -0400
+@@ -10,12 +10,12 @@
+ #
+ #***********************************************************************
+ # This file implements regression tests for SQLite library. The
+-# focus of this script is page cache subsystem.
++# focus of this script is testing collation sequences.
+ #
+-# $Id: collate1.test,v 1.5 2007/02/01 23:02:46 drh Exp $
+
+ set testdir [file dirname $argv0]
+ source $testdir/tester.tcl
++set testprefix collate1
+
+ #
+ # Tests are roughly organised as follows:
+@@ -334,4 +334,58 @@
+ }
+ } {1 2}
+
++
++
++#-------------------------------------------------------------------------
++# Fix problems with handling collation sequences named '"""'.
++#
++do_execsql_test 6.1 {
++ SELECT """""""";
++} {\"\"\"}
++
++do_catchsql_test 6.2 {
++ CREATE TABLE x1(a);
++ SELECT a FROM x1 ORDER BY a COLLATE """""""";
++} {1 {no such collation sequence: """}}
++
++do_catchsql_test 6.3 {
++ SELECT a FROM x1 ORDER BY 1 COLLATE """""""";
++} {1 {no such collation sequence: """}}
++
++do_catchsql_test 6.4 {
++ SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE """""""";
++} {1 {no such collation sequence: """}}
++
++db collate {"""} [list string compare -nocase]
++
++do_execsql_test 6.5 {
++ PRAGMA foreign_keys = ON;
++ CREATE TABLE p1(a PRIMARY KEY COLLATE '"""');
++ CREATE TABLE c1(x, y REFERENCES p1);
++} {}
++
++do_execsql_test 6.6 {
++ INSERT INTO p1 VALUES('abc');
++ INSERT INTO c1 VALUES(1, 'ABC');
++}
++
++ifcapable foreignkey {
++ do_catchsql_test 6.7 {
++ DELETE FROM p1 WHERE rowid = 1
++ } {1 {FOREIGN KEY constraint failed}}
++}
++
++do_execsql_test 6.8 {
++ INSERT INTO p1 VALUES('abb');
++ INSERT INTO p1 VALUES('wxz');
++ INSERT INTO p1 VALUES('wxy');
++
++ INSERT INTO c1 VALUES(2, 'abb');
++ INSERT INTO c1 VALUES(3, 'wxz');
++ INSERT INTO c1 VALUES(4, 'WXY');
++ SELECT x, y FROM c1 ORDER BY y COLLATE """""""";
++} {2 abb 1 ABC 4 WXY 3 wxz}
++
+ finish_test
++
++
diff -Nru sqlite3-3.8.2/debian/patches/CVE-2015-3416.patch sqlite3-3.8.2/debian/patches/CVE-2015-3416.patch
--- sqlite3-3.8.2/debian/patches/CVE-2015-3416.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.2/debian/patches/CVE-2015-3416.patch 2015-07-14 17:25:53.000000000 +0000
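Review bot: The new `dequote` argument of sqlite3ExprAddCollateToken is undocumented: the patch leaves the function's header comment in expr.c untouched, and the sqliteInt.h prototype adds only an unnamed `int`. The fix depends on each caller picking the right value — the parse.y rules pass 1 for names taken from SQL text, sqlite3ExprAddCollateString passes 0 for a plain C string — so a wrong value at a future call site would bring the dequoting problem back unnoticed. I would add a line to the header comment such as `** If dequote is true the text of pCollName is dequoted first; pass 0 when the name is already a plain string.` and name the parameter in the prototype: `Expr *sqlite3ExprAddCollateToken(Parse *pParse, Expr*, Token*, int dequote);`. The function body and its comment both extend beyond the hunk.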
@@ -0,0 +1,131 @@
+Decription: fix improper large integers handling in printf function
+Origin: backport, https://www.sqlite.org/src/info/aeca95ac77f6f320
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783968
+
+Index: sqlite3-3.8.2/src/printf.c
+===================================================================
+--- sqlite3-3.8.2.orig/src/printf.c 2015-07-14 13:23:13.420649333 -0400
++++ sqlite3-3.8.2/src/printf.c 2015-07-14 13:24:27.477541246 -0400
+@@ -233,28 +233,37 @@
+ width = va_arg(ap,int);
+ if( width<0 ){
+ flag_leftjustify = 1;
+- width = -width;
++ width = width >= -2147483647 ? -width : 0;
+ }
+ c = *++fmt;
+ }else{
++ unsigned wx = 0;
+ while( c>='0' && c<='9' ){
+- width = width*10 + c - '0';
++ wx = wx*10 + c - '0';
+ c = *++fmt;
+ }
++ testcase( wx>0x7fffffff );
++ width = wx & 0x7fffffff;
+ }
++
+ /* Get the precision */
+ if( c=='.' ){
+ precision = 0;
+ c = *++fmt;
+ if( c=='*' ){
+ precision = va_arg(ap,int);
+- if( precision<0 ) precision = -precision;
+ c = *++fmt;
++ if( precision<0 ){
++ precision = precision >= -2147483647 ? -precision : -1;
++ }
+ }else{
++ unsigned px = 0;
+ while( c>='0' && c<='9' ){
+- precision = precision*10 + c - '0';
++ px = px*10 + c - '0';
+ c = *++fmt;
+ }
++ testcase( px>0x7fffffff );
++ precision = px & 0x7fffffff;
+ }
+ }else{
+ precision = -1;
+@@ -413,7 +422,8 @@
+ else prefix = 0;
+ }
+ if( xtype==etGENERIC && precision>0 ) precision--;
+- for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}
++ testcase( precision>0xfff );
++ for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){}
+ if( xtype==etFLOAT ) realvalue += rounder;
+ /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
+ exp = 0;
+@@ -468,8 +478,9 @@
+ }else{
+ e2 = exp;
+ }
+- if( MAX(e2,0)+precision+width > etBUFSIZE - 15 ){
+- bufpt = zExtra = sqlite3Malloc( MAX(e2,0)+precision+width+15 );
++ if( MAX(e2,0)+(i64)precision+(i64)width > etBUFSIZE - 15 ){
++ bufpt = zExtra
++ = sqlite3Malloc( MAX(e2,0)+(i64)precision+(i64)width+15 );
+ if( bufpt==0 ){
+ pAccum->accError = STRACCUM_NOMEM;
+ return;
+Index: sqlite3-3.8.2/test/printf.test
+===================================================================
+--- sqlite3-3.8.2.orig/test/printf.test 2015-07-14 13:23:13.420649333 -0400
++++ sqlite3-3.8.2/test/printf.test 2015-07-14 13:23:13.416649284 -0400
+@@ -472,6 +472,18 @@
+ sqlite3_mprintf_int {abc: (%#6d) (%#6x) (%#6o) :xyz}\
+ 0xff676981 0xff676981 0xff676981
+ } {abc: (-9999999) (0xff676981) (037731664601) :xyz}
++do_test printf-1.17.1 {
++ sqlite3_mprintf_int {abd: %2147483647d %2147483647x %2147483647o} 1 1 1
++} {}
++do_test printf-1.17.2 {
++ sqlite3_mprintf_int {abd: %*d %x} 2147483647 1 1
++} {}
++do_test printf-1.17.3 {
++ sqlite3_mprintf_int {abd: %*d %x} -2147483648 1 1
++} {abd: 1 1}
++do_test printf-1.17.4 {
++ sqlite3_mprintf_int {abd: %.2147483648d %x %x} 1 1 1
++} {/.*/}
+ do_test printf-2.1.1.1 {
+ sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 0.001
+ } {abc: (0.0) :xyz}
+@@ -526,6 +538,9 @@
+ do_test printf-2.1.2.9 {
+ sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
+ } {abc: 1 1 (1e-20) :xyz}
++do_test printf-2.1.2.10 {
++ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
++} {abc: }
+ do_test printf-2.1.3.1 {
+ sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
+@@ -3466,6 +3481,15 @@
+ do_test printf-3.6 {
+ sqlite3_mprintf_str {%d %d A String: (%-30s)} 1 2 {This is the string}
+ } [format {%d %d A String: (%-30s)} 1 2 {This is the string}]
++do_test printf-3.7 {
++ sqlite3_mprintf_str {%d A String: (%*s)} 1 2147483647 {This is the string}
++} []
++do_test printf-3.8 {
++ sqlite3_mprintf_str {%d A String: (%*s)} 1 -2147483648 {This is the string}
++} {1 A String: (This is the string)}
++do_test printf-3.9 {
++ sqlite3_mprintf_str {%d A String: (%.*s)} 1 -2147483648 {This is the string}
++} {1 A String: (This is the string)}
+ do_test snprintf-3.11 {
+ sqlite3_snprintf_str 2 {x%d %d %s} 10 10 {This is the string}
+ } {x}
+@@ -3685,6 +3709,9 @@
+ do_test printf-13.6 {
+ sqlite3_mprintf_hexdouble %.20f fff8000000000000
+ } {NaN}
++do_test printf-13.7 {
++ sqlite3_mprintf_hexdouble %2147483648.10000f 4693b8b5b5056e17
++} {/100000000000000000000000000000000.00/}
+
+ do_test printf-14.1 {
+ sqlite3_mprintf_str {abc-%y-123} 0 0 {not used}
diff -Nru sqlite3-3.8.2/debian/patches/series sqlite3-3.8.2/debian/patches/series
--- sqlite3-3.8.2/debian/patches/series 2013-12-08 09:48:00.000000000 +0000
+++ sqlite3-3.8.2/debian/patches/series 2019-02-21 16:14:45.000000000 +0000
@@ -6,3 +6,8 @@
 30-cross.patch
 10-665363-disable-malloc-usable-size.patch
 31-increase_SQLITE_MAX_DEFAULT_PAGE_SIZE_to_32k.patch
+CVE-2013-7443.patch
+CVE-2015-3414.patch
+CVE-2015-3416.patch
+0001-Fix-a-parsing-issue-associated-with-a-corrupt-sqlite.patch
+0002-Better-error-message-text-when-the-schema-is-corrupt.patch
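Review bot: In the last printf.c hunk of CVE-2015-3416.patch the buffer size is now summed in 64 bits, but the sum is passed straight to `sqlite3Malloc(...)`, whose prototype is not visible here. If that function takes an `int` in this 3.8.2 tree, the value is narrowed again at the call, and a very large width plus precision could produce an allocation smaller than the size the `if` just tested. I would compute the size once and bound it before allocating, e.g. `i64 szBufNeeded = MAX(e2,0)+(i64)precision+(i64)width+15;` then `if( szBufNeeded>0x7fffffff ){ pAccum->accError = STRACCUM_NOMEM; return; }`, and pass `(int)szBufNeeded` to the allocator. The enclosing function starts and ends outside these hunks, so how `precision` and `width` are used after the allocation should be checked against the same bound.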