From 16c5290d72cb8059e9dfe545613183b850fc44e4 Mon Sep 17 00:00:00 2001

From: Ondrej Dubaj <odubaj@redhat.com>

Date: Mon, 20 Jan 2020 10:26:35 +0100

Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that

 it is able to

deal with goofy filenames that contain embedded zeros.

---

 ext/misc/zipfile.c |  4 ++--

 test/zipfile.test  | 13 +++++++++++++

 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c

index 6f48d0f..e6141ef 100644

--- a/ext/misc/zipfile.c

+++ b/ext/misc/zipfile.c

@@ -1632,7 +1632,7 @@ static int zipfileUpdate(

         zFree = sqlite3_mprintf("%s/", zPath);

         if( zFree==0 ){ rc = SQLITE_NOMEM; }

         zPath = (const char*)zFree;

-        nPath++;

+        nPath = (int)strlen(zPath);

       }

     }

@@ -2033,11 +2033,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){

   }else{

     if( zName[nName-1]!='/' ){

       zName = zFree = sqlite3_mprintf("%s/", zName);

-      nName++;

       if( zName==0 ){

         rc = SQLITE_NOMEM;

         goto zipfile_step_out;

       }

+      nName = (int)strlen(zName);

     }else{

       while( nName>1 && zName[nName-2]=='/' ) nName--;

     }

diff --git a/test/zipfile.test b/test/zipfile.test

index 5bca10b..e4b8088 100644

--- a/test/zipfile.test

+++ b/test/zipfile.test

@@ -808,4 +808,17 @@ do_execsql_test 13.10 {

          quote(data),quote(method) FROM t1;

 } {'' 10 10 2 X'3130' X'3130' 0}

+# 2019-12-23 Yongheng and Rui fuzzer

+# Run using valgrind to see the problem.

+#

+do_execsql_test 14.10 {

+  DROP TABLE t1;

+  CREATE TABLE t1(x char);

+  INSERT INTO t1(x) VALUES('1');

+  INSERT INTO t1(x) SELECT zipfile(x, 'xyz') FROM t1;

+  INSERT INTO t1(x) SELECT zipfile(x, 'uvw') FROM t1;

+  SELECT count(*) FROM t1;

+  PRAGMA integrity_check;

+} {3 ok}

+

 finish_test

-- 

2.19.1