Blame SOURCES/sqlite-3.26.0-CVE-2020-13632.patch

4bd5ce
Subject: [PATCH] Fix a null pointer deference that can occur on a strange
4bd5ce
 matchinfo() query.
4bd5ce
4bd5ce
---
4bd5ce
 ext/fts3/fts3_snippet.c  |  2 +-
4bd5ce
 test/fts3matchinfo2.test | 35 +++++++++++++++++++++++++++++++++++
4bd5ce
 2 files changed, 36 insertions(+), 1 deletion(-)
4bd5ce
 create mode 100644 test/fts3matchinfo2.test
4bd5ce
4bd5ce
diff --git a/ext/fts3/fts3_snippet.c b/ext/fts3/fts3_snippet.c
4bd5ce
index a0771c0..5778620 100644
4bd5ce
--- a/ext/fts3/fts3_snippet.c
4bd5ce
+++ b/ext/fts3/fts3_snippet.c
4bd5ce
@@ -869,7 +869,7 @@ static void fts3ExprLHits(
4bd5ce
     iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
4bd5ce
   }
4bd5ce
 
4bd5ce
-  while( 1 ){
4bd5ce
+  if( pIter ) while( 1 ){
4bd5ce
     int nHit = fts3ColumnlistCount(&pIter);
4bd5ce
     if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
4bd5ce
       if( p->flag==FTS3_MATCHINFO_LHITS ){
4bd5ce
diff --git a/test/fts3matchinfo2.test b/test/fts3matchinfo2.test
4bd5ce
new file mode 100644
4bd5ce
index 0000000..d6b3ad0
4bd5ce
--- /dev/null
4bd5ce
+++ b/test/fts3matchinfo2.test
4bd5ce
@@ -0,0 +1,35 @@
4bd5ce
+# 2020-05-14
4bd5ce
+#
4bd5ce
+# The author disclaims copyright to this source code.  In place of
4bd5ce
+# a legal notice, here is a blessing:
4bd5ce
+#
4bd5ce
+#    May you do good and not evil.
4bd5ce
+#    May you find forgiveness for yourself and forgive others.
4bd5ce
+#    May you share freely, never taking more than you give.
4bd5ce
+#
4bd5ce
+#***********************************************************************
4bd5ce
+# This file implements regression tests for the FTS3 module. The focus
4bd5ce
+# of this file is tables created with the "matchinfo=fts3" option.
4bd5ce
+#
4bd5ce
+
4bd5ce
+set testdir [file dirname $argv0]
4bd5ce
+source $testdir/tester.tcl
4bd5ce
+
4bd5ce
+# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
4bd5ce
+ifcapable !fts3 { finish_test ; return }
4bd5ce
+
4bd5ce
+set sqlite_fts3_enable_parentheses 1
4bd5ce
+
4bd5ce
+# Crash case found by cyg0810 at gmail.com 2020-05-14.  Reported to
4bd5ce
+# chromium (which is not vulnerable) who kindly referred it to us.
4bd5ce
+#
4bd5ce
+do_execsql_test 1.0 {
4bd5ce
+  CREATE TABLE t_content(col0 INTEGER);
4bd5ce
+  CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
4bd5ce
+  INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
4bd5ce
+  SELECT hex(matchinfo(t0,'yxy'))  FROM t0 WHERE t0 MATCH  x'2b0a312b0a312a312a2a0b5d0a0b0b0a312a0a0b0b0a312a0b310a392a0b0a27312a2a0b5d0a312a0b310a31315d0b310a312a316d2a0b313b15bceaa50a312a0b0a27312a2a0b5d0a312a0b310a312b0b2a310a312a0b2a0b2a0b2e5d0a0bff313336e34a2a312a0b0a3c310b0a0b4b4b0b4b2a4bec40322b2a0b310a0a312a0a0a0a0a0a0a0a0a0b310a312a2a2a0b5d0a0b0b0a312a0b310a312a0b0a4e4541530b310a5df5ced70a0a0a0a0a4f520a0a0a0a0a0a0a312a0b0a4e4541520b310a5d616161610a0a0a0a4f520a0a0a0a0a0a312b0a312a312a0a0a0a0a0a0a004a0b0a310b220a0b0a310a4a22310a0b0a7e6fe0e0e030e0e0e0e0e01176e02000e0e0e0e0e01131320226310a0b0a310a4a22310a0b0a310a766f8b8b4ee0e0300ae0090909090909090909090909090909090909090909090909090909090909090947aaaa540b09090909090909090909090909090909090909090909090909090909090909fae0e0f2f22164e0e0f273e07fefefef7d6dfafafafa6d6d6d6d';
4bd5ce
+} {/000000.*0000000/}
4bd5ce
+
4bd5ce
+
4bd5ce
+set sqlite_fts3_enable_parentheses 0
4bd5ce
+finish_test
4bd5ce
\ No newline at end of file
4bd5ce
-- 
4bd5ce
2.24.1
4bd5ce