rpms / sqlite

Clone
Source Code
GIT

Blame SOURCES/sqlite-3.7.14-printf-overflow.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   c7
  2.   SOURCES
  3.   sqlite-3.7.14-printf-overflow.patch
Blob History Raw
c0e712 
# Fix for stack buffer overflow in src/printf.c, backpotred from upstream
c0e712 
# Bugzilla: rhbz#1212357
c0e712 
# Original fix: https://www.sqlite.org/src/info/aeca95ac77f6f320
c0e712
c0e712 
diff -up sqlite-src-3071700/src/printf.c.old sqlite-src-3071700/src/printf.c
c0e712 
--- sqlite-src-3071700/src/printf.c.old	2015-07-03 10:54:17.644940587 +0200
c0e712 
+++ sqlite-src-3071700/src/printf.c	2015-07-03 11:52:50.704122467 +0200
c0e712 
@@ -233,14 +233,17 @@ void sqlite3VXPrintf(
c0e712 
       width = va_arg(ap,int);
c0e712 
       if( width<0 ){
c0e712 
         flag_leftjustify = 1;
c0e712 
-        width = -width;
c0e712 
+        width = width >= -2147483647 ? -width : 0;
c0e712 
       }
c0e712 
       c = *++fmt;
c0e712 
     }else{
c0e712 
+      unsigned wx = 0;
c0e712 
       while( c>='0' && c<='9' ){
c0e712 
-        width = width*10 + c - '0';
c0e712 
+        wx = wx*10 + c - '0';
c0e712 
         c = *++fmt;
c0e712 
       }
c0e712 
+      testcase( wx>0x7fffffff );
c0e712 
+      width = wx & 0x7fffffff;
c0e712 
     }
c0e712 
     /* Get the precision */
c0e712 
     if( c=='.' ){
c0e712 
@@ -248,13 +251,18 @@ void sqlite3VXPrintf(
c0e712 
       c = *++fmt;
c0e712 
       if( c=='*' ){
c0e712 
         precision = va_arg(ap,int);
c0e712 
-        if( precision<0 ) precision = -precision;
c0e712 
         c = *++fmt;
c0e712 
+        if( precision<0 ) {
c0e712 
+          precision = precision >= -2147483647 ? -precision : -1;
c0e712 
+        }
c0e712 
       }else{
c0e712 
+        unsigned px = 0;
c0e712 
         while( c>='0' && c<='9' ){
c0e712 
-          precision = precision*10 + c - '0';
c0e712 
+          px = px*10 + c - '0';
c0e712 
           c = *++fmt;
c0e712 
         }
c0e712 
+        testcase( px>0x7fffffff );
c0e712 
+        precision = px & 0x7fffffff;
c0e712 
       }
c0e712 
     }else{
c0e712 
       precision = -1;
c0e712 
@@ -418,7 +426,8 @@ void sqlite3VXPrintf(
c0e712 
         for(idx=precision, rounder=0.4999; idx>0; idx--, rounder*=0.1);
c0e712 
 #else
c0e712 
         /* It makes more sense to use 0.5 */
c0e712 
-        for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}
c0e712 
+        testcase( precision>0xfff );
c0e712 
+        for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){}
c0e712 
 #endif
c0e712 
         if( xtype==etFLOAT ) realvalue += rounder;
c0e712 
         /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
c0e712 
@@ -474,8 +483,10 @@ void sqlite3VXPrintf(
c0e712 
         }else{
c0e712 
           e2 = exp;
c0e712 
         }
c0e712 
-        if( e2+precision+width > etBUFSIZE - 15 ){
c0e712 
-          bufpt = zExtra = sqlite3Malloc( e2+precision+width+15 );
c0e712 
+        if( e2+(i64)precision+(i64)width > etBUFSIZE - 15 ){
c0e712 
+          bufpt = zExtra = sqlite3Malloc(
c0e712 
+              e2+(i64)precision+(i64)width+15
c0e712 
+              );
c0e712 
           if( bufpt==0 ){
c0e712 
             pAccum->mallocFailed = 1;
c0e712 
             return;
c0e712
c0e712 
diff -up sqlite-src-3071700/test/printf.test.old sqlite-src-3071700/test/printf.test
c0e712 
--- sqlite-src-3071700/test/printf.test.old	2015-07-03 10:32:28.552140602 +0200
c0e712 
+++ sqlite-src-3071700/test/printf.test	2015-07-03 10:35:15.858079592 +0200
c0e712 
@@ -472,6 +472,18 @@ do_test printf-1.16.7 {
c0e712 
   sqlite3_mprintf_int {abc: (%#6d) (%#6x) (%#6o) :xyz}\
c0e712 
        0xff676981 0xff676981 0xff676981
c0e712 
 } {abc: (-9999999) (0xff676981) (037731664601) :xyz}
c0e712 
+do_test printf-1.17.1 {
c0e712 
+  sqlite3_mprintf_int {abd: %2147483647d %2147483647x %2147483647o} 1 1 1
c0e712 
+} {}
c0e712 
+do_test printf-1.17.2 {
c0e712 
+  sqlite3_mprintf_int {abd: %*d %x} 2147483647 1 1
c0e712 
+} {}
c0e712 
+do_test printf-1.17.3 {
c0e712 
+  sqlite3_mprintf_int {abd: %*d %x} -2147483648 1 1
c0e712 
+} {abd: 1 1}
c0e712 
+do_test printf-1.17.4 {
c0e712 
+  sqlite3_mprintf_int {abd: %.2147483648d %x %x} 1 1 1
c0e712 
+} {/.*/}
c0e712 
 do_test printf-2.1.1.1 {
c0e712 
   sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 0.001
c0e712 
 } {abc: (0.0) :xyz}
c0e712 
@@ -526,6 +538,9 @@ do_test printf-2.1.2.8 {
c0e712 
 do_test printf-2.1.2.9 {
c0e712 
   sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
c0e712 
 } {abc: 1 1 (1e-20) :xyz}
c0e712 
+do_test printf-2.1.2.10 {
c0e712 
+  sqlite3_mprintf_double {abc: %*.*f}  2000000000 1000000000 1.0e-20
c0e712 
+} {abc: }
c0e712 
 do_test printf-2.1.3.1 {
c0e712 
   sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
c0e712 
 } {abc: (1.0) :xyz}
c0e712 
@@ -3466,6 +3481,15 @@ do_test printf-3.5 {
c0e712 
 do_test printf-3.6 {
c0e712 
   sqlite3_mprintf_str {%d %d A String: (%-30s)} 1 2 {This is the string}
c0e712 
 } [format {%d %d A String: (%-30s)} 1 2 {This is the string}]
c0e712 
+do_test printf-3.7 {
c0e712 
+  sqlite3_mprintf_str {%d A String: (%*s)} 1 2147483647 {This is the string}
c0e712 
+} []
c0e712 
+do_test printf-3.8 {
c0e712 
+  sqlite3_mprintf_str {%d A String: (%*s)} 1 -2147483648 {This is the string}
c0e712 
+} {1 A String: (This is the string)}
c0e712 
+do_test printf-3.9 {
c0e712 
+  sqlite3_mprintf_str {%d A String: (%.*s)} 1 -2147483648 {This is the string}
c0e712 
+} {1 A String: (This is the string)}
c0e712 
 do_test snprintf-3.11 {
c0e712 
   sqlite3_snprintf_str 2 {x%d %d %s} 10 10 {This is the string}
c0e712 
 } {x}
c0e712 
@@ -3685,6 +3709,9 @@ do_test printf-13.5 {
c0e712 
 do_test printf-13.6 {
c0e712 
   sqlite3_mprintf_hexdouble %.20f fff8000000000000
c0e712 
 } {NaN}
c0e712 
+do_test printf-13.7 {
c0e712 
+  sqlite3_mprintf_hexdouble %2147483648.10000f 4693b8b5b5056e17
c0e712 
+} {/100000000000000000000000000000000.00/}
c0e712
c0e712 
 do_test printf-14.1 {
c0e712 
   sqlite3_mprintf_str {abc-%y-123} 0 0 {not used}

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation