diff options
author | Michal Klocek <michal.klocek@qt.io> | 2020-06-11 08:23:47 +0200 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2020-06-11 07:49:31 +0000 |
commit | 04e8b821b3635e7d8b32853067894253028a2626 (patch) | |
tree | 1c2bf6e94c8debcf6cf96fda80466cca17791e87 | |
parent | ebc9d4ba6251ea83ab497bd00bcb25f7bb0ee788 (diff) | |
download | qtwebengine-chromium-04e8b821b3635e7d8b32853067894253028a2626.tar.gz |
[Backport] Security Bug 1070012 5/5
Fix a case when a pointer might be used after being freed
in the ALTER TABLE code. Fix for [4722bdab08cb1].
FossilOrigin-Name: d09f8c3621d5f7f8c6d99d7d82bcaa8421855b3f470bea2b26c858106382b906
(cherry picked from commit fb99e388ec7f30fe43e4878236e3695ff24ae58d)
https://www.sqlite.org/src/info/d09f8c3621d5f7f8
Bug: 1070012
Change-Id: Ic2b68b4c525a34df339a765003b1d32d6adabe36
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/sqlite/amalgamation/sqlite3.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.c b/chromium/third_party/sqlite/amalgamation/sqlite3.c index dfaf9c0090d..911f098be07 100644 --- a/chromium/third_party/sqlite/amalgamation/sqlite3.c +++ b/chromium/third_party/sqlite/amalgamation/sqlite3.c @@ -105361,6 +105361,21 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){ } } } + +/* +** Unmap all tokens in the IdList object passed as the second argument. +*/ +static void unmapColumnIdlistNames( + Parse *pParse, + IdList *pIdList +){ + if( pIdList ){ + int ii; + for(ii=0; ii<pIdList->nId; ii++){ + sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName); + } + } +} /* ** Walker callback used by sqlite3RenameExprUnmap(). @@ -105383,6 +105398,7 @@ static int renameUnmapSelectCb(Walker *pWalker, Select *p){ for(i=0; i<pSrc->nSrc; i++){ sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName); if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort; + unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing); } } |