author | Darwin Huang <huangdarwin@chromium.org> | 2020-12-30 13:23:19 -0800 |
committer | Michael Brüning <michael.bruning@qt.io> | 2021-03-02 15:09:08 +0000 |
commit | bd0def3d818167c350c553f20ae21ac9699fd6f7 (patch) | |
tree | 023129d4b1efe51e47b6644b9ad8c757c6ff61fe | |
parent | 68bd5bd0b30b016b1ba8ba33b1768fd35684c787 (diff) | |
[Backport] CVE-2021-21120: Use after free in WebSQL
Partial backport (leaving out irrelevant parts and version strings)
of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/deps/sqlite/+/2607419:
Fix a problem handling sub-queries with both a correlated WHERE clause and a "HAVING 0" clause where the parent query is itself an aggregate.
FossilOrigin-Name: f62f983b56623f0ec34f9a54ce1c21b013a20399162f5ee6ee43b23f10c2ecd5
(cherry picked from commit f39168e468af3b1d6b6d37efdcb081eced6724b2)
Bug: 1160602
Change-Id: I76aaeedc167c8ed8a9b47805cd6ebb29fba0a704
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/sqlite/amalgamation/sqlite3.c | 10 | ||||
-rw-r--r-- | chromium/third_party/sqlite/amalgamation/sqlite3.h | 2 | ||||
-rw-r--r-- | chromium/third_party/sqlite/src/src/select.c | 4 |
3 files changed, 10 insertions, 6 deletions
diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.c b/chromium/third_party/sqlite/amalgamation/sqlite3.c
index 1b2c2ec7a33..0200f99f70e 100644
--- a/chromium/third_party/sqlite/amalgamation/sqlite3.c
+++ b/chromium/third_party/sqlite/amalgamation/sqlite3.c
@@ -1164,7 +1164,7 @@ extern "C" {
 */
 #define SQLITE_VERSION "3.32.1"
 #define SQLITE_VERSION_NUMBER 3032001
-#define SQLITE_SOURCE_ID "2020-05-25 16:19:56 0c1fcf4711a2e66c813aed38cf41cd3e2123ee8eb6db98118086764c4ba83350"
+#define SQLITE_SOURCE_ID "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt1"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -134374,7 +134374,9 @@ static void explainSimpleCount(
 static int havingToWhereExprCb(Walker *pWalker, Expr *pExpr){
   if( pExpr->op!=TK_AND ){
     Select *pS = pWalker->u.pSelect;
-    if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy) ){
+    if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy)
+     && ExprAlwaysFalse(pExpr)==0
+    ){
       sqlite3 *db = pWalker->pParse->db;
       Expr *pNew = sqlite3Expr(db, TK_INTEGER, "1");
       if( pNew ){
@@ -224323,7 +224325,7 @@ static void fts5SourceIdFunc(
 ){
   assert( nArg==0 );
   UNUSED_PARAM2(nArg, apUnused);
-  sqlite3_result_text(pCtx, "fts5: 2020-05-25 16:19:56 0c1fcf4711a2e66c813aed38cf41cd3e2123ee8eb6db98118086764c4ba83350", -1, SQLITE_TRANSIENT);
+  sqlite3_result_text(pCtx, "fts5: 2020-12-01 16:14:00 0000000000000000000000000000000000000000000000000000000000000000", -1, SQLITE_TRANSIENT);
 }
 
 /*
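Review bot: The new `&& ExprAlwaysFalse(pExpr)==0` guard in havingToWhereExprCb carries no comment saying why an always-false HAVING term must not be hoisted into WHERE and replaced by the constant 1, so the next reader of this callback cannot tell that it is the CVE-2021-21120 fix for sub-queries with a correlated WHERE clause and a "HAVING 0" clause under an aggregate parent. I would add above the `if`: `/* Never move an always-false term (e.g. "HAVING 0") out of HAVING; doing so broke sub-queries with a correlated WHERE under an aggregate parent (CVE-2021-21120, use-after-free). */`. The same guard is added to src/src/select.c in the last hunk of this commit and should carry the same comment; the line that follows the guard differs between the two copies (`sqlite3Expr(db, TK_INTEGER, "1")` here versus `sqlite3ExprAlloc(db, TK_INTEGER, &sqlite3IntTokens[1], 0)` in select.c), which suggests the amalgamation was hand-patched rather than regenerated, so it is worth confirming the two stay in sync at the next regeneration. The body of havingToWhereExprCb continues past the end of this hunk.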
@@ -229108,7 +229110,7 @@ SQLITE_API int sqlite3_stmt_init(
 /************** End of stmt.c ************************************************/
 #if __LINE__!=229109
 #undef SQLITE_SOURCE_ID
-#define SQLITE_SOURCE_ID "2020-05-25 16:19:56 0c1fcf4711a2e66c813aed38cf41cd3e2123ee8eb6db98118086764c4ba8alt2"
+#define SQLITE_SOURCE_ID "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt1"
 #endif
 /* Return the source-id for this library */
 SQLITE_API const char *sqlite3_sourceid(void){ return SQLITE_SOURCE_ID; }
diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.h b/chromium/third_party/sqlite/amalgamation/sqlite3.h
index 1679756cfa8..ec8caeacf3f 100644
--- a/chromium/third_party/sqlite/amalgamation/sqlite3.h
+++ b/chromium/third_party/sqlite/amalgamation/sqlite3.h
@@ -125,7 +125,7 @@ extern "C" {
 */
 #define SQLITE_VERSION "3.32.1"
 #define SQLITE_VERSION_NUMBER 3032001
-#define SQLITE_SOURCE_ID "2020-05-25 16:19:56 0c1fcf4711a2e66c813aed38cf41cd3e2123ee8eb6db98118086764c4ba83350"
+#define SQLITE_SOURCE_ID "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt1"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
diff --git a/chromium/third_party/sqlite/src/src/select.c b/chromium/third_party/sqlite/src/src/select.c
index fab4df68fa1..11285db3211 100644
--- a/chromium/third_party/sqlite/src/src/select.c
+++ b/chromium/third_party/sqlite/src/src/select.c
@@ -5407,7 +5407,9 @@ static void explainSimpleCount(
 static int havingToWhereExprCb(Walker *pWalker, Expr *pExpr){
   if( pExpr->op!=TK_AND ){
     Select *pS = pWalker->u.pSelect;
-    if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy) ){
+    if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy)
+     && ExprAlwaysFalse(pExpr)==0
+    ){
       sqlite3 *db = pWalker->pParse->db;
       Expr *pNew = sqlite3ExprAlloc(db, TK_INTEGER, &sqlite3IntTokens[1], 0);
       if( pNew ){