File: 51-CVE-2017-10989.patch

sqlite3 3.16.2-5+deb9u1
Index: sqlite3/ext/rtree/rtree.c
==================================================================
--- sqlite3/ext/rtree/rtree.c
+++ sqlite3/ext/rtree/rtree.c
@@ -3207,10 +3207,14 @@
         pRtree->zDb, pRtree->zName
     );
     rc = getIntFromStmt(db, zSql, &pRtree->iNodeSize);
     if( rc!=SQLITE_OK ){
       *pzErr = sqlite3_mprintf("%s", sqlite3_errmsg(db));
+    }else if( pRtree->iNodeSize<(512-64) ){
+      rc = SQLITE_CORRUPT;
+      *pzErr = sqlite3_mprintf("undersize RTree blobs in \"%q_node\"",
+                               pRtree->zName);
     }
   }
 
   sqlite3_free(zSql);
   return rc;
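Review bot: The bound `(512-64)` in the added `else if` is an unexplained magic number, and nothing in the hunk ties it to the code that picks the node size for a newly created r-tree. Presumably 512 is the smallest supported page size and 64 the amount reserved from a page, but neither is visible here, so that should be confirmed and stated. A comment above the branch such as `/* a valid node is never smaller than the minimum page size (512) less 64 bytes */`, or a named constant shared with the creation path, would keep the two from drifting apart. Only a lower bound on the value returned through getIntFromStmt is checked here; whether later node reads compare each blob's length against iNodeSize cannot be told from this hunk, since the enclosing function starts outside it.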

Index: sqlite3/ext/rtree/rtreeA.test
==================================================================
--- sqlite3/ext/rtree/rtreeA.test
+++ sqlite3/ext/rtree/rtreeA.test
@@ -213,8 +213,21 @@
 } {}
 do_corruption_tests rtreeA-6.1 {
   1   "DELETE FROM t1 WHERE rowid = 5"
   2   "UPDATE t1 SET x1=x1+1, x2=x2+1"
 }
+
+#-------------------------------------------------------------------------
+# Truncated blobs in the _node table.
+#
+create_t1
+populate_t1
+sqlite3 db test.db
+do_execsql_test rtreeA-7.100 { 
+  UPDATE t1_node SET data=x'' WHERE rowid=1;
+} {}
+do_catchsql_test rtreeA-7.110 {
+  SELECT * FROM t1 WHERE x1>0 AND x1<100 AND x2>0 AND x2<100;
+} {1 {undersize RTree blobs in "t1_node"}}
 
 
 finish_test
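Review bot: The new rtreeA-7.* cases exercise only the zero-length blob (`data=x''`), so the boundary of the `iNodeSize<(512-64)` check in rtree.c is not pinned. A further case that reopens the database, sets `data=zeroblob(447)` on rowid 1, and expects the same `undersize RTree blobs in "t1_node"` error would catch an off-by-one or a later change to the constant. The block comment says "Truncated blobs", which suggests non-empty short blobs were intended to be covered as well.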