authorDarwin Huang <huangdarwin@chromium.org>2020-12-30 13:23:19 -0800
committerMichael BrĂ¼ning <michael.bruning@qt.io>2021-03-02 15:09:08 +0000
commitbd0def3d818167c350c553f20ae21ac9699fd6f7 (patch)
tree023129d4b1efe51e47b6644b9ad8c757c6ff61fe
parent68bd5bd0b30b016b1ba8ba33b1768fd35684c787 (diff)
[Backport] CVE-2021-21120: Use after free in WebSQL
Partial backport (leaving out irrelevant parts and version strings) of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/deps/sqlite/+/2607419: Fix a problem handling sub-queries with both a correlated WHERE clause and a "HAVING 0" clause where the parent query is itself an aggregate. FossilOrigin-Name: f62f983b56623f0ec34f9a54ce1c21b013a20399162f5ee6ee43b23f10c2ecd5 (cherry picked from commit f39168e468af3b1d6b6d37efdcb081eced6724b2) Bug: 1160602 Change-Id: I76aaeedc167c8ed8a9b47805cd6ebb29fba0a704 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/sqlite/amalgamation/sqlite3.c10
-rw-r--r--chromium/third_party/sqlite/amalgamation/sqlite3.h2
-rw-r--r--chromium/third_party/sqlite/src/src/select.c4
3 files changed, 10 insertions, 6 deletions
diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.c b/chromium/third_party/sqlite/amalgamation/sqlite3.c
index 1b2c2ec7a33..0200f99f70e 100644
--- a/chromium/third_party/sqlite/amalgamation/sqlite3.c
+++ b/chromium/third_party/sqlite/amalgamation/sqlite3.c
@@ -1164,7 +1164,7 @@ extern "C" {
*/
#define SQLITE_VERSION "3.32.1"
#define SQLITE_VERSION_NUMBER 3032001
-#define SQLITE_SOURCE_ID "2020-05-25 16:19:56 0c1fcf4711a2e66c813aed38cf41cd3e2123ee8eb6db98118086764c4ba83350"
+#define SQLITE_SOURCE_ID "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt1"
/*
** CAPI3REF: Run-Time Library Version Numbers
@@ -134374,7 +134374,9 @@ static void explainSimpleCount(
static int havingToWhereExprCb(Walker *pWalker, Expr *pExpr){
if( pExpr->op!=TK_AND ){
Select *pS = pWalker->u.pSelect;
- if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy) ){
+ if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy)
+ && ExprAlwaysFalse(pExpr)==0
+ ){
sqlite3 *db = pWalker->pParse->db;
Expr *pNew = sqlite3Expr(db, TK_INTEGER, "1");
if( pNew ){
@@ -224323,7 +224325,7 @@ static void fts5SourceIdFunc(
){
assert( nArg==0 );
UNUSED_PARAM2(nArg, apUnused);
- sqlite3_result_text(pCtx, "fts5: 2020-05-25 16:19:56 0c1fcf4711a2e66c813aed38cf41cd3e2123ee8eb6db98118086764c4ba83350", -1, SQLITE_TRANSIENT);
+ sqlite3_result_text(pCtx, "fts5: 2020-12-01 16:14:00 0000000000000000000000000000000000000000000000000000000000000000", -1, SQLITE_TRANSIENT);
}
/*
@@ -229108,7 +229110,7 @@ SQLITE_API int sqlite3_stmt_init(
/************** End of stmt.c ************************************************/
#if __LINE__!=229109
#undef SQLITE_SOURCE_ID
-#define SQLITE_SOURCE_ID "2020-05-25 16:19:56 0c1fcf4711a2e66c813aed38cf41cd3e2123ee8eb6db98118086764c4ba8alt2"
+#define SQLITE_SOURCE_ID "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt1"
#endif
/* Return the source-id for this library */
SQLITE_API const char *sqlite3_sourceid(void){ return SQLITE_SOURCE_ID; }
diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.h b/chromium/third_party/sqlite/amalgamation/sqlite3.h
index 1679756cfa8..ec8caeacf3f 100644
--- a/chromium/third_party/sqlite/amalgamation/sqlite3.h
+++ b/chromium/third_party/sqlite/amalgamation/sqlite3.h
@@ -125,7 +125,7 @@ extern "C" {
*/
#define SQLITE_VERSION "3.32.1"
#define SQLITE_VERSION_NUMBER 3032001
-#define SQLITE_SOURCE_ID "2020-05-25 16:19:56 0c1fcf4711a2e66c813aed38cf41cd3e2123ee8eb6db98118086764c4ba83350"
+#define SQLITE_SOURCE_ID "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt1"
/*
** CAPI3REF: Run-Time Library Version Numbers
diff --git a/chromium/third_party/sqlite/src/src/select.c b/chromium/third_party/sqlite/src/src/select.c
index fab4df68fa1..11285db3211 100644
--- a/chromium/third_party/sqlite/src/src/select.c
+++ b/chromium/third_party/sqlite/src/src/select.c
@@ -5407,7 +5407,9 @@ static void explainSimpleCount(
static int havingToWhereExprCb(Walker *pWalker, Expr *pExpr){
if( pExpr->op!=TK_AND ){
Select *pS = pWalker->u.pSelect;
- if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy) ){
+ if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy)
+ && ExprAlwaysFalse(pExpr)==0
+ ){
sqlite3 *db = pWalker->pParse->db;
Expr *pNew = sqlite3ExprAlloc(db, TK_INTEGER, &sqlite3IntTokens[1], 0);
if( pNew ){
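Review bot: The new `&& ExprAlwaysFalse(pExpr)==0` guard in havingToWhereExprCb has no comment, so a reader cannot tell why an always-false HAVING term is the one case that must stay out of the WHERE rewrite; the commit message gives the reason (a sub-query with a correlated WHERE clause and a "HAVING 0" clause under an aggregate parent, which the title records as a use-after-free), and that reasoning belongs next to the check. I would add above the `if`: `/* Do not move an always-false term (e.g. "HAVING 0") into WHERE: for a correlated sub-query under an aggregate parent this rewrite triggered a use-after-free (CVE-2021-21120). */`. The identical change appears in the sqlite3.c amalgamation hunk, which is generated from this file, so the comment should come in through this source file. The diff carries no regression test for that query shape; the upstream change may include one that this partial backport dropped. havingToWhereExprCb continues past the end of the hunk.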