author | Darwin Huang <huangdarwin@chromium.org> | 2021-03-02 18:42:25 -0800 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2021-05-07 08:27:41 +0000 |
commit | 2fbb0efc5f8a31517e8b69924d6c51e5e1db3e05 (patch) | |
tree | 7c1f996d7037888fc2c65d5249a2f1cd6af8431b | |
parent | 1fec1bec9bc17067a5128eb6d8bcdb822928acd5 (diff) | |
download | qtwebengine-chromium-2fbb0efc5f8a31517e8b69924d6c51e5e1db3e05.tar.gz |
[Backport] Security bugs 1175522 and 1181276
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/deps/sqlite/+/2730249:
Fix a couple of memory-sanitizer complaints that could be triggered by a corrupt database.
Cherry-picking from https://www.sqlite.org/src/info/39c8686cabe6c437
FossilOrigin-Name:
9c8686cabe6c437ba4860aade49a701c4f5772b97d9fbe6cb9a394e85b9c092
Bug: 1181276, 1175522
Change-Id: Icc7e115ec54789fab59c03071dccf97987d5ac7f
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/sqlite/amalgamation/sqlite3.c | 15 | ||||
-rw-r--r-- | chromium/third_party/sqlite/src/src/btree.c | 12 | ||||
-rw-r--r-- | chromium/third_party/sqlite/src/src/pcache1.c | 1 |
3 files changed, 15 insertions, 13 deletions
diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.c b/chromium/third_party/sqlite/amalgamation/sqlite3.c
index 6b4a7899d33..f22c51cd758 100644
--- a/chromium/third_party/sqlite/amalgamation/sqlite3.c
+++ b/chromium/third_party/sqlite/amalgamation/sqlite3.c
@@ -50422,6 +50422,7 @@ static PgHdr1 *pcache1AllocPage(PCache1 *pCache, int benignMalloc){
 p->page.pExtra = &p[1];
 p->isBulkLocal = 0;
 p->isAnchor = 0;
+ p->pLruPrev = 0; /* Initializing this saves a valgrind error */
 }
 (*pCache->pnPurgeable)++;
 return p;
@@ -72324,7 +72325,9 @@ static int balance_nonroot(
 }
 pgno = get4byte(pRight);
 while( 1 ){
- rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0);
+ if( rc==SQLITE_OK ){
+ rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0);
+ }
 if( rc ){
 memset(apOld, 0, (i+1)*sizeof(MemPage*));
 goto balance_cleanup;
@@ -72363,12 +72366,10 @@ static int balance_nonroot(
 if( pBt->btsFlags & BTS_FAST_SECURE ){
 int iOff;
+ /* If the following if() condition is not true, the db is corrupted.
+ ** The call to dropCell() below will detect this. */
 iOff = SQLITE_PTR_TO_INT(apDiv[i]) - SQLITE_PTR_TO_INT(pParent->aData);
- if( (iOff+szNew[i])>(int)pBt->usableSize ){
- rc = SQLITE_CORRUPT_BKPT;
- memset(apOld, 0, (i+1)*sizeof(MemPage*));
- goto balance_cleanup;
- }else{
+ if( (iOff+szNew[i])<=(int)pBt->usableSize ){
 memcpy(&aOvflSpace[iOff], apDiv[i], szNew[i]);
 apDiv[i] = &aOvflSpace[apDiv[i]-pParent->aData];
 }
@@ -231234,7 +231235,7 @@ SQLITE_API int sqlite3_stmt_init(
 #endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */
 /************** End of stmt.c ************************************************/
-#if __LINE__!=231237
+#if __LINE__!=231238
 #undef SQLITE_SOURCE_ID
 #define SQLITE_SOURCE_ID "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt2"
 #endif
diff --git a/chromium/third_party/sqlite/src/src/btree.c b/chromium/third_party/sqlite/src/src/btree.c
index 62f4bd9db1d..28d759a8e5f 100644
--- a/chromium/third_party/sqlite/src/src/btree.c
+++ b/chromium/third_party/sqlite/src/src/btree.c
@@ -7417,7 +7417,9 @@ static int balance_nonroot(
 }
 pgno = get4byte(pRight);
 while( 1 ){
- rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0);
+ if( rc==SQLITE_OK ){
+ rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0);
+ }
 if( rc ){
 memset(apOld, 0, (i+1)*sizeof(MemPage*));
 goto balance_cleanup;
@@ -7450,12 +7452,10 @@ static int balance_nonroot(
 if( pBt->btsFlags & BTS_FAST_SECURE ){
 int iOff;
+ /* If the following if() condition is not true, the db is corrupted.
+ ** The call to dropCell() below will detect this. */
 iOff = SQLITE_PTR_TO_INT(apDiv[i]) - SQLITE_PTR_TO_INT(pParent->aData);
- if( (iOff+szNew[i])>(int)pBt->usableSize ){
- rc = SQLITE_CORRUPT_BKPT;
- memset(apOld, 0, (i+1)*sizeof(MemPage*));
- goto balance_cleanup;
- }else{
+ if( (iOff+szNew[i])<=(int)pBt->usableSize ){
 memcpy(&aOvflSpace[iOff], apDiv[i], szNew[i]);
 apDiv[i] = &aOvflSpace[apDiv[i]-pParent->aData];
 }
diff --git a/chromium/third_party/sqlite/src/src/pcache1.c b/chromium/third_party/sqlite/src/src/pcache1.c
index 1986b22ca61..70a8c088788 100644
--- a/chromium/third_party/sqlite/src/src/pcache1.c
+++ b/chromium/third_party/sqlite/src/src/pcache1.c
@@ -446,6 +446,7 @@ static PgHdr1 *pcache1AllocPage(PCache1 *pCache, int benignMalloc){
 p->page.pExtra = &p[1];
 p->isBulkLocal = 0;
 p->isAnchor = 0;
+ p->pLruPrev = 0; /* Initializing this saves a valgrind error */
 }
 (*pCache->pnPurgeable)++;
 return p;
|
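Review bot: The `if( rc==SQLITE_OK )` guard added around getAndInitPage() in the first btree.c hunk carries no explanation, and on its own it reads as a redundant check before the loop's first call; presumably it exists so that an error stored in rc late in the previous iteration (the new comment in the second hunk names dropCell() as the place corruption is detected) reaches the `if( rc )` check instead of being overwritten by a fresh page load. A one-line comment would keep a later cleanup from removing it, e.g. `/* rc may already hold an error from the previous iteration; do not overwrite it */`. In the second hunk the out-of-range case no longer exits but leaves apDiv[i] pointing into pParent->aData and continues, so the new comment should also state that nothing dereferences apDiv[i] before the error from dropCell() is acted on; dropCell() and the rest of the loop body lie outside the hunk, so that cannot be confirmed here. The same two hunks appear in the amalgamation section (sqlite3.c), whose `#if __LINE__!=` bump suggests it was patched by hand rather than regenerated from src/, so the two copies need to be kept in step. balance_nonroot() starts and ends outside both hunks.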
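Review bot: The comment on the added `p->pLruPrev = 0;` in pcache1.c records the symptom (a valgrind report) rather than the reason the store is needed, which is what the next reader wants; the commit message attributes the finding to MemorySanitizer, so the comment should name the invariant and keep the tool mention secondary, e.g. `p->pLruPrev = 0; /* a fresh page is linked into no LRU list yet; also silences MSan/valgrind */` if, as the field name suggests, a freshly allocated page is not yet on the LRU list. If the sibling link pLruNext is not already cleared on this path, it presumably deserves the same initialization for the same reason; the rest of pcache1AllocPage() is outside the hunk, so that cannot be checked here. The identical line lands in the amalgamation hunk of sqlite3.c, so whichever wording is chosen should be applied to both copies.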