[Backport] Security bugs 1175522 and 1181276

Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/deps/sqlite/+/2730249: Fix a couple of memory-sanitizer complaints that could be triggered by a corrupt database. Cherry-picking from https://www.sqlite.org/src/info/39c8686cabe6c437 FossilOrigin-Name: 9c8686cabe6c437ba4860aade49a701c4f5772b97d9fbe6cb9a394e85b9c092 Bug: 1181276, 1175522 Change-Id: Icc7e115ec54789fab59c03071dccf97987d5ac7f Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Darwin Huang <huangdarwin@chromium.org> 2021-03-02 18:42:25 -0800
committer: Michael Brüning <michael.bruning@qt.io> 2021-05-07 08:27:41 +0000
commit: 2fbb0efc5f8a31517e8b69924d6c51e5e1db3e05 (patch)
tree: 7c1f996d7037888fc2c65d5249a2f1cd6af8431b
parent: 1fec1bec9bc17067a5128eb6d8bcdb822928acd5 (diff)
download: qtwebengine-chromium-2fbb0efc5f8a31517e8b69924d6c51e5e1db3e05.tar.gz
3 files changed, 15 insertions, 13 deletions
diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.c b/chromium/third_party/sqlite/amalgamation/sqlite3.c
index 6b4a7899d33..f22c51cd758 100644
--- a/chromium/third_party/sqlite/amalgamation/sqlite3.c
+++ b/chromium/third_party/sqlite/amalgamation/sqlite3.c
@@ -50422,6 +50422,7 @@ static PgHdr1 *pcache1AllocPage(PCache1 *pCache, int benignMalloc){
     p->page.pExtra = &p[1];
     p->isBulkLocal = 0;
     p->isAnchor = 0;
+    p->pLruPrev = 0;           /* Initializing this saves a valgrind error */
   }
   (*pCache->pnPurgeable)++;
   return p;
@@ -72324,7 +72325,9 @@ static int balance_nonroot(
   }
   pgno = get4byte(pRight);
   while( 1 ){
-    rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0);
+    if( rc==SQLITE_OK ){
+      rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0);
+    }
     if( rc ){
       memset(apOld, 0, (i+1)*sizeof(MemPage*));
       goto balance_cleanup;
@@ -72363,12 +72366,10 @@ static int balance_nonroot(
       if( pBt->btsFlags & BTS_FAST_SECURE ){
         int iOff;
 
+        /* If the following if() condition is not true, the db is corrupted.
+        ** The call to dropCell() below will detect this.  */
         iOff = SQLITE_PTR_TO_INT(apDiv[i]) - SQLITE_PTR_TO_INT(pParent->aData);
-        if( (iOff+szNew[i])>(int)pBt->usableSize ){
-          rc = SQLITE_CORRUPT_BKPT;
-          memset(apOld, 0, (i+1)*sizeof(MemPage*));
-          goto balance_cleanup;
-        }else{
+        if( (iOff+szNew[i])<=(int)pBt->usableSize ){
           memcpy(&aOvflSpace[iOff], apDiv[i], szNew[i]);
           apDiv[i] = &aOvflSpace[apDiv[i]-pParent->aData];
         }
@@ -231234,7 +231235,7 @@ SQLITE_API int sqlite3_stmt_init(
 #endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */
 
 /************** End of stmt.c ************************************************/
-#if __LINE__!=231237
+#if __LINE__!=231238
 #undef SQLITE_SOURCE_ID
 #define SQLITE_SOURCE_ID      "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt2"
 #endif
diff --git a/chromium/third_party/sqlite/src/src/btree.c b/chromium/third_party/sqlite/src/src/btree.c
index 62f4bd9db1d..28d759a8e5f 100644
--- a/chromium/third_party/sqlite/src/src/btree.c
+++ b/chromium/third_party/sqlite/src/src/btree.c
@@ -7417,7 +7417,9 @@ static int balance_nonroot(
   }
   pgno = get4byte(pRight);
   while( 1 ){
-    rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0);
+    if( rc==SQLITE_OK ){
+      rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0);
+    }
     if( rc ){
       memset(apOld, 0, (i+1)*sizeof(MemPage*));
       goto balance_cleanup;
@@ -7450,12 +7452,10 @@ static int balance_nonroot(
       if( pBt->btsFlags & BTS_FAST_SECURE ){
         int iOff;
 
+        /* If the following if() condition is not true, the db is corrupted.
+        ** The call to dropCell() below will detect this.  */
         iOff = SQLITE_PTR_TO_INT(apDiv[i]) - SQLITE_PTR_TO_INT(pParent->aData);
-        if( (iOff+szNew[i])>(int)pBt->usableSize ){
-          rc = SQLITE_CORRUPT_BKPT;
-          memset(apOld, 0, (i+1)*sizeof(MemPage*));
-          goto balance_cleanup;
-        }else{
+        if( (iOff+szNew[i])<=(int)pBt->usableSize ){
           memcpy(&aOvflSpace[iOff], apDiv[i], szNew[i]);
           apDiv[i] = &aOvflSpace[apDiv[i]-pParent->aData];
         }
diff --git a/chromium/third_party/sqlite/src/src/pcache1.c b/chromium/third_party/sqlite/src/src/pcache1.c
index 1986b22ca61..70a8c088788 100644
--- a/chromium/third_party/sqlite/src/src/pcache1.c
+++ b/chromium/third_party/sqlite/src/src/pcache1.c
@@ -446,6 +446,7 @@ static PgHdr1 *pcache1AllocPage(PCache1 *pCache, int benignMalloc){
     p->page.pExtra = &p[1];
     p->isBulkLocal = 0;
     p->isAnchor = 0;
+    p->pLruPrev = 0;           /* Initializing this saves a valgrind error */
   }
   (*pCache->pnPurgeable)++;
   return p;
author	Darwin Huang <huangdarwin@chromium.org>	2021-03-02 18:42:25 -0800
committer	Michael Brüning <michael.bruning@qt.io>	2021-05-07 08:27:41 +0000
commit	2fbb0efc5f8a31517e8b69924d6c51e5e1db3e05 (patch)
tree	7c1f996d7037888fc2c65d5249a2f1cd6af8431b
parent	1fec1bec9bc17067a5128eb6d8bcdb822928acd5 (diff)
download	qtwebengine-chromium-2fbb0efc5f8a31517e8b69924d6c51e5e1db3e05.tar.gz