author | Darwin Huang <huangdarwin@chromium.org> | 2019-05-18 00:28:40 +0000 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2019-07-25 06:23:49 +0000 |
commit | 1952a079e6a9236c0e7f6f945955d74bb30d02d6 (patch) | |
tree | ab47bb256c14f43004a0b223789b13e671c1862a /chromium/third_party | |
parent | 4f97dbdf2e88627249f4a462d2c3c028dba5c437 (diff) | |
[Backport] Security bug 962083
sqlite: Backport bugfixes.
Bug: 962055, 962083
Change-Id: I282e5bec23b587358a8961cc649d79be48e0d5bf
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/third_party')
-rw-r--r-- | chromium/third_party/sqlite/amalgamation/sqlite3.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.c b/chromium/third_party/sqlite/amalgamation/sqlite3.c
index 9afe9dd0a0e..28f61e60401 100644
--- a/chromium/third_party/sqlite/amalgamation/sqlite3.c
+++ b/chromium/third_party/sqlite/amalgamation/sqlite3.c
@@ -68626,6 +68626,7 @@ SQLITE_PRIVATE int sqlite3BtreeMovetoUnpacked(
 ** case this happens. */
 void *pCellKey;
 u8 * const pCellBody = pCell - pPage->childPtrSize;
+ const int nOverrun = 18; /* Size of the overrun padding */
 pPage->xParseCell(pPage, pCellBody, &pCur->info);
 nCell = (int)pCur->info.nKey;
 testcase( nCell<0 ); /* True if key size is 2^32 or more */
@@ -68636,13 +68637,14 @@ SQLITE_PRIVATE int sqlite3BtreeMovetoUnpacked(
 rc = SQLITE_CORRUPT_PAGE(pPage);
 goto moveto_finish;
 }
- pCellKey = sqlite3Malloc( nCell+18 );
+ pCellKey = sqlite3Malloc( nCell+nOverrun );
 if( pCellKey==0 ){
 rc = SQLITE_NOMEM_BKPT;
 goto moveto_finish;
 }
 pCur->ix = (u16)idx;
 rc = accessPayload(pCur, 0, nCell, (unsigned char*)pCellKey, 0);
+ memset(((u8*)pCellKey)+nCell,0,nOverrun); /* Fix uninit warnings */
 pCur->curFlags &= ~BTCF_ValidOvfl;
 if( rc ){
 sqlite3_free(pCellKey);
@@ -88187,7 +88189,7 @@ case OP_Delete: {
 ** OP_Delete will have also set the pC->movetoTarget field to the rowid of
 ** the row that is being deleted */
 i64 iKey = sqlite3BtreeIntegerKey(pC->uc.pCursor);
- assert( pC->movetoTarget==iKey );
+ assert( CORRUPT_DB || pC->movetoTarget==iKey );
 }
 #endif |
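Review bot: The new `nOverrun` constant names the magic 18 but its comment, `/* Size of the overrun padding */`, still does not say what the padding protects against or where the value comes from, so the next reader cannot tell whether 18 is still correct if the key decoder changes. The padding only matters because something downstream of this function reads past the end of the copied key (presumably the record comparator the key is handed to; that code is outside the hunk), and the constant should be tied to that: `const int nOverrun = 18; /* Bytes the key decoder may read past nCell; keep in sync with its over-read bound */`. Consider also making it a file-level `#define` next to the consumer rather than a local, so the two sides cannot drift apart. The body of sqlite3BtreeMovetoUnpacked begins before and ends after this hunk.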
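Review bot: The `/* Fix uninit warnings */` comment on the new memset describes a compiler symptom, not the defect being backported: before this change the bytes between `nCell` and `nCell+nOverrun` were uninitialized heap that an over-read of the key would observe, which is the security-relevant part of the fix and should be stated, e.g. `/* Zero the padding so any over-read past nCell sees defined bytes */`. Placing the memset before the `if( rc )` check is harmless, since it touches only the padding of an allocation already known to have succeeded, but moving it below the check would make the error path free the buffer without first writing to it. The `nCell+nOverrun` size relies on `nCell` having been bounded by the check whose tail (`rc = SQLITE_CORRUPT_PAGE(pPage); goto moveto_finish;`) is visible at the top of the hunk; that check and the rest of sqlite3BtreeMovetoUnpacked lie outside the hunk, so its upper bound on `nCell` should be confirmed to leave headroom for the addition.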
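Review bot: The relaxed assertion `assert( CORRUPT_DB || pC->movetoTarget==iKey );` gives no local reason why a corrupt database may leave the seek target different from the rowid actually under the cursor, and the comment two lines above still states the equality as an unconditional fact; a short note such as `/* On a corrupt db the seek may land on a row whose rowid differs from the target */` would keep the comment and the assert consistent. This is debug-only code (the block is closed by the `#endif` visible at the end of the hunk, presumably SQLITE_DEBUG), so release behaviour of OP_Delete is unchanged by this hunk and the delete still operates on the cursor's current position. The enclosing `case OP_Delete:` begins before the hunk.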