
sqlite: Backport Bugfixes.

Bug: 1033461, 1037786, 1038213, 1038863
Change-Id: I22b98c909e9af632818bed4e49f96b028f1dcf28
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1990216
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Darwin Huang <huangdarwin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#729415}
Darwin Huang
2020-01-08 19:00:19 +00:00
committed by Commit Bot
parent 4dbd35bd72
commit c9b98f55e8
35 changed files with 466 additions and 34 deletions

@ -5827,6 +5827,7 @@ static int zipfileUpdate(
if( rc==SQLITE_OK ){
zPath = (const char*)sqlite3_value_text(apVal[2]);
if( zPath==0 ) zPath = "";
nPath = (int)strlen(zPath);
mTime = zipfileGetTime(apVal[4]);
}

@ -19114,6 +19114,7 @@ SQLITE_PRIVATE void sqlite3EndTransaction(Parse*,int);
SQLITE_PRIVATE void sqlite3Savepoint(Parse*, int, Token*);
SQLITE_PRIVATE void sqlite3CloseSavepoints(sqlite3 *);
SQLITE_PRIVATE void sqlite3LeaveMutexAndCloseZombie(sqlite3*);
SQLITE_PRIVATE u32 sqlite3IsTrueOrFalse(const char*);
SQLITE_PRIVATE int sqlite3ExprIdToTrueFalse(Expr*);
SQLITE_PRIVATE int sqlite3ExprTruthValue(const Expr*);
SQLITE_PRIVATE int sqlite3ExprIsConstant(Expr*);
@ -99330,19 +99331,34 @@ SQLITE_PRIVATE int sqlite3SelectWalkFail(Walker *pWalker, Select *NotUsed){
return WRC_Abort;
}
/*
** Check the input string to see if it is "true" or "false" (in any case).
**
** If the string is.... Return
** "true" EP_IsTrue
** "false" EP_IsFalse
** anything else 0
*/
SQLITE_PRIVATE u32 sqlite3IsTrueOrFalse(const char *zIn){
if( sqlite3StrICmp(zIn, "true")==0 ) return EP_IsTrue;
if( sqlite3StrICmp(zIn, "false")==0 ) return EP_IsFalse;
return 0;
}
/*
** If the input expression is an ID with the name "true" or "false"
** then convert it into an TK_TRUEFALSE term. Return non-zero if
** the conversion happened, and zero if the expression is unaltered.
*/
SQLITE_PRIVATE int sqlite3ExprIdToTrueFalse(Expr *pExpr){
u32 v;
assert( pExpr->op==TK_ID || pExpr->op==TK_STRING );
if( !ExprHasProperty(pExpr, EP_Quoted)
&& (sqlite3StrICmp(pExpr->u.zToken, "true")==0
|| sqlite3StrICmp(pExpr->u.zToken, "false")==0)
&& (v = sqlite3IsTrueOrFalse(pExpr->u.zToken))!=0
){
pExpr->op = TK_TRUEFALSE;
ExprSetProperty(pExpr, pExpr->u.zToken[4]==0 ? EP_IsTrue : EP_IsFalse);
ExprSetProperty(pExpr, v);
return 1;
}
return 0;
@ -127627,7 +127643,7 @@ SQLITE_PRIVATE int sqlite3ColumnsFromExprList(
zName = pEList->a[i].zSpan;
}
}
if( zName ){
if( zName && !sqlite3IsTrueOrFalse(zName) ){
zName = sqlite3DbStrDup(db, zName);
}else{
zName = sqlite3MPrintf(db,"column%d",i+1);
@ -147617,9 +147633,11 @@ static ExprList *exprListAppendList(
int nInit = pList ? pList->nExpr : 0;
for(i=0; i<pAppend->nExpr; i++){
Expr *pDup = sqlite3ExprDup(pParse->db, pAppend->a[i].pExpr, 0);
assert( pDup==0 || !ExprHasProperty(pDup, EP_MemToken) );
if( bIntToNull && pDup && pDup->op==TK_INTEGER ){
pDup->op = TK_NULL;
pDup->flags &= ~(EP_IntValue|EP_IsTrue|EP_IsFalse);
pDup->u.zToken = 0;
}
pList = sqlite3ExprListAppend(pParse, pList, pDup);
if( pList ) pList->a[nInit+i].sortFlags = pAppend->a[i].sortFlags;
@ -172008,7 +172026,7 @@ static int fts3SqlStmt(
** returns zero rows. */
/* 28 */ "SELECT level, count(*) AS cnt FROM %Q.'%q_segdir' "
" GROUP BY level HAVING cnt>=?"
" ORDER BY (level %% 1024) ASC LIMIT 1",
" ORDER BY (level %% 1024) ASC, 2 DESC LIMIT 1",
/* Estimate the upper limit on the number of leaf nodes in a new segment
** created by merging the oldest :2 segments from absolute level :1. See
@ -176598,8 +176616,14 @@ SQLITE_PRIVATE int sqlite3Fts3Incrmerge(Fts3Table *p, int nMerge, int nMin){
rc = fts3IncrmergeHintPop(&hint, &iHintAbsLevel, &nHintSeg);
if( nSeg<0 || (iAbsLevel % nMod) >= (iHintAbsLevel % nMod) ){
/* Based on the scan in the block above, it is known that there
** are no levels with a relative level smaller than that of
** iAbsLevel with more than nSeg segments, or if nSeg is -1,
** no levels with more than nMin segments. Use this to limit the
** value of nHintSeg to avoid a large memory allocation in case the
** merge-hint is corrupt*/
iAbsLevel = iHintAbsLevel;
nSeg = nHintSeg;
nSeg = MIN(MAX(nMin,nSeg), nHintSeg);
bUseHint = 1;
bDirtyHint = 1;
}else{
@ -176612,7 +176636,7 @@ SQLITE_PRIVATE int sqlite3Fts3Incrmerge(Fts3Table *p, int nMerge, int nMin){
/* If nSeg is less that zero, then there is no level with at least
** nMin segments and no hint in the %_stat table. No work to do.
** Exit early in this case. */
if( nSeg<0 ) break;
if( nSeg<=0 ) break;
/* Open a cursor to iterate through the contents of the oldest nSeg
** indexes of absolute level iAbsLevel. If this cursor is opened using
@ -177990,7 +178014,7 @@ static int fts3BestSnippet(
/* Set the *pmSeen output variable. */
for(i=0; i<nList; i++){
if( sIter.aPhrase[i].pHead ){
*pmSeen |= (u64)1 << i;
*pmSeen |= (u64)1 << (i%64);
}
}
@ -224696,7 +224720,7 @@ SQLITE_API int sqlite3_stmt_init(
#endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */
/************** End of stmt.c ************************************************/
#if __LINE__!=224699
#if __LINE__!=224723
#undef SQLITE_SOURCE_ID
#define SQLITE_SOURCE_ID "2019-10-10 20:19:45 18db032d058f1436ce3dea84081f4ee5a0f2259ad97301d43c426bc7f3dfalt2"
#endif

@ -560,7 +560,7 @@ static int fts3BestSnippet(
/* Set the *pmSeen output variable. */
for(i=0; i<nList; i++){
if( sIter.aPhrase[i].pHead ){
*pmSeen |= (u64)1 << i;
*pmSeen |= (u64)1 << (i%64);
}
}
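Review bot: The new `(i%64)` shift removes the undefined shift once nList exceeds 64, but it makes phrases i and i+64 share one bit of *pmSeen, so a set bit no longer identifies a single phrase; whether that is acceptable depends on how callers read pmSeen, which is outside this hunk. A comment should record the aliasing so nobody treats the mask as exact, e.g. `/* With more than 64 phrases bit (i%64) is shared, so *pmSeen is only a hint */`. If callers do need an exact mask, `if( i<64 ) *pmSeen |= (u64)1 << i;` is the alternative, leaving the high phrases unmarked instead of aliased. The same one-line hunk recurs in the amalgamation section above and inside the new patch 19 file; fts3BestSnippet starts and ends outside the hunk.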

@ -335,7 +335,7 @@ static int fts3SqlStmt(
** returns zero rows. */
/* 28 */ "SELECT level, count(*) AS cnt FROM %Q.'%q_segdir' "
" GROUP BY level HAVING cnt>=?"
" ORDER BY (level %% 1024) ASC LIMIT 1",
" ORDER BY (level %% 1024) ASC, 2 DESC LIMIT 1",
/* Estimate the upper limit on the number of leaf nodes in a new segment
** created by merging the oldest :2 segments from absolute level :1. See
@ -4925,8 +4925,14 @@ int sqlite3Fts3Incrmerge(Fts3Table *p, int nMerge, int nMin){
rc = fts3IncrmergeHintPop(&hint, &iHintAbsLevel, &nHintSeg);
if( nSeg<0 || (iAbsLevel % nMod) >= (iHintAbsLevel % nMod) ){
/* Based on the scan in the block above, it is known that there
** are no levels with a relative level smaller than that of
** iAbsLevel with more than nSeg segments, or if nSeg is -1,
** no levels with more than nMin segments. Use this to limit the
** value of nHintSeg to avoid a large memory allocation in case the
** merge-hint is corrupt*/
iAbsLevel = iHintAbsLevel;
nSeg = nHintSeg;
nSeg = MIN(MAX(nMin,nSeg), nHintSeg);
bUseHint = 1;
bDirtyHint = 1;
}else{
@ -4939,7 +4945,7 @@ int sqlite3Fts3Incrmerge(Fts3Table *p, int nMerge, int nMin){
/* If nSeg is less that zero, then there is no level with at least
** nMin segments and no hint in the %_stat table. No work to do.
** Exit early in this case. */
if( nSeg<0 ) break;
if( nSeg<=0 ) break;
/* Open a cursor to iterate through the contents of the oldest nSeg
** indexes of absolute level iAbsLevel. If this cursor is opened using
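Review bot: The comment above the changed early exit still says "If nSeg is less that zero ... no hint in the %_stat table", but the condition is now `if( nSeg<=0 ) break;`, and a zero value can also come from the new clamp `nSeg = MIN(MAX(nMin,nSeg), nHintSeg)` when a (possibly corrupt) hint names zero segments; the comment should read `/* If nSeg is less than or equal to zero, then there is no level with at least nMin segments and no usable hint in the %_stat table. No work to do. */`. The new block comment in the first hunk also ends with `merge-hint is corrupt*/`, which wants a period and a space before `*/` to match the surrounding comments. Both hunks recur in the amalgamation section above and inside the new patch 20 file; sqlite3Fts3Incrmerge starts and ends outside these hunks.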

@ -1618,6 +1618,7 @@ static int zipfileUpdate(
if( rc==SQLITE_OK ){
zPath = (const char*)sqlite3_value_text(apVal[2]);
if( zPath==0 ) zPath = "";
nPath = (int)strlen(zPath);
mTime = zipfileGetTime(apVal[4]);
}
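Review bot: The new `if( zPath==0 ) zPath = "";` cannot tell an SQL NULL pathname from an out-of-memory return of sqlite3_value_text(), since both yield a null pointer, so under memory pressure the update would silently write an entry with an empty name instead of failing with SQLITE_NOMEM. Checking the value type keeps the NULL fix and still surfaces the allocation failure: `if( zPath==0 ){ if( sqlite3_value_type(apVal[2])!=SQLITE_NULL ) rc = SQLITE_NOMEM; zPath = ""; }` — this assumes the code after the hunk re-checks rc before acting on nPath, which is not visible here. The same hunk recurs in the amalgamation section at the top of the page and inside the new patch 22 file; zipfileUpdate starts and ends outside the hunk.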

@ -1814,19 +1814,34 @@ int sqlite3SelectWalkFail(Walker *pWalker, Select *NotUsed){
return WRC_Abort;
}
/*
** Check the input string to see if it is "true" or "false" (in any case).
**
** If the string is.... Return
** "true" EP_IsTrue
** "false" EP_IsFalse
** anything else 0
*/
u32 sqlite3IsTrueOrFalse(const char *zIn){
if( sqlite3StrICmp(zIn, "true")==0 ) return EP_IsTrue;
if( sqlite3StrICmp(zIn, "false")==0 ) return EP_IsFalse;
return 0;
}
/*
** If the input expression is an ID with the name "true" or "false"
** then convert it into an TK_TRUEFALSE term. Return non-zero if
** the conversion happened, and zero if the expression is unaltered.
*/
int sqlite3ExprIdToTrueFalse(Expr *pExpr){
u32 v;
assert( pExpr->op==TK_ID || pExpr->op==TK_STRING );
if( !ExprHasProperty(pExpr, EP_Quoted)
&& (sqlite3StrICmp(pExpr->u.zToken, "true")==0
|| sqlite3StrICmp(pExpr->u.zToken, "false")==0)
&& (v = sqlite3IsTrueOrFalse(pExpr->u.zToken))!=0
){
pExpr->op = TK_TRUEFALSE;
ExprSetProperty(pExpr, pExpr->u.zToken[4]==0 ? EP_IsTrue : EP_IsFalse);
ExprSetProperty(pExpr, v);
return 1;
}
return 0;
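Review bot: The new sqlite3IsTrueOrFalse() passes zIn straight to sqlite3StrICmp() with no null check, and its header comment does not say the caller must supply a non-NULL string; the new call site in select.c guards with `zName && ...`, but the function is now exported through sqliteInt.h for any caller. Add `** zIn must be a non-NULL nul-terminated string.` to the header comment (or `assert( zIn!=0 );` at the top of the body) so the precondition travels with the declaration. The assignment inside the condition in sqlite3ExprIdToTrueFalse, `(v = sqlite3IsTrueOrFalse(pExpr->u.zToken))!=0`, matches the surrounding style but would read more plainly as a statement before the `if`. The same hunk recurs in the amalgamation section above and inside the new patch 18 file; the closing brace of sqlite3ExprIdToTrueFalse is outside the hunk.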

@ -1980,7 +1980,7 @@ int sqlite3ColumnsFromExprList(
zName = pEList->a[i].zSpan;
}
}
if( zName ){
if( zName && !sqlite3IsTrueOrFalse(zName) ){
zName = sqlite3DbStrDup(db, zName);
}else{
zName = sqlite3MPrintf(db,"column%d",i+1);
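Review bot: The changed condition `if( zName && !sqlite3IsTrueOrFalse(zName) ){` carries no comment saying why a name of "true" or "false" is demoted to a generated `column%d` name, and a later reader is likely to take it for an arbitrary exclusion. A one-line why-comment above it would fix that, e.g. `/* Never use "true" or "false" as a column name here: it would later be read back as a boolean literal (chromium 1033461, with1.test 25.1) */`. Whether zName can also hold an explicit AS alias at this point is not visible in the hunk; if it can, the change also renames a user-supplied alias of "true", which is worth stating in the comment. The same hunk recurs in the amalgamation section above and inside the new patch 18 file; sqlite3ColumnsFromExprList starts and ends outside the hunk.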

@ -4093,6 +4093,7 @@ void sqlite3EndTransaction(Parse*,int);
void sqlite3Savepoint(Parse*, int, Token*);
void sqlite3CloseSavepoints(sqlite3 *);
void sqlite3LeaveMutexAndCloseZombie(sqlite3*);
u32 sqlite3IsTrueOrFalse(const char*);
int sqlite3ExprIdToTrueFalse(Expr*);
int sqlite3ExprTruthValue(const Expr*);
int sqlite3ExprIsConstant(Expr*);

@ -883,9 +883,11 @@ static ExprList *exprListAppendList(
int nInit = pList ? pList->nExpr : 0;
for(i=0; i<pAppend->nExpr; i++){
Expr *pDup = sqlite3ExprDup(pParse->db, pAppend->a[i].pExpr, 0);
assert( pDup==0 || !ExprHasProperty(pDup, EP_MemToken) );
if( bIntToNull && pDup && pDup->op==TK_INTEGER ){
pDup->op = TK_NULL;
pDup->flags &= ~(EP_IntValue|EP_IsTrue|EP_IsFalse);
pDup->u.zToken = 0;
}
pList = sqlite3ExprListAppend(pParse, pList, pDup);
if( pList ) pList->a[nInit+i].sortFlags = pAppend->a[i].sortFlags;
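Review bot: The new `pDup->u.zToken = 0;` deserves a why-comment, because next to the flag clearing above it it looks redundant. Once EP_IntValue is cleared the integer stored in pDup->u would otherwise be reinterpreted as the zToken pointer of a TK_NULL node — presumably the invalid dereference the commit title refers to, though the union layout is not visible here — so the comment could read `/* The integer view of pDup->u is dead once EP_IntValue is cleared; null the pointer view so a later read of u.zToken on this TK_NULL does not dereference the integer bits */`. The added `assert( pDup==0 || !ExprHasProperty(pDup, EP_MemToken) )` is debug-only; it records that the token is never owned memory here, which is what makes nulling it without a free safe, and that is worth a word in the same comment. The same hunk recurs in the amalgamation section above and inside the new patch 21 file; exprListAppendList starts and ends outside the hunk.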

@ -5589,4 +5589,13 @@ do_catchsql_test 35.1 {
INSERT INTO f(f) VALUES ('integrity-check');
} {1 {database disk image is malformed}}
reset_db
do_catchsql_test 36.0 {
CREATE VIRTUAL TABLE f USING fts3(a,tokenize=porter);
CREATE TABLE 'f_stat'(id INTEGER PRIMARY KEY, value BLOB);
INSERT INTO f VALUES (1);
INSERT INTO f_stat VALUES (1,x'00000000000101010119013d00ffff0400fa83717b71a69297979701f63d010101010101010101010101190000000000000000fa83717b71a601f63d01010101010101010101010119013d00ffffff0400fa83717b71a69297979701f63d010101010101010101010101190000000000000000fa83717b71a69201f63d010101f63d01010101010101010101010119013d00ffffff0400fa83717b71a6929797010101010101010101010119013d00ffff01f63d01010101010101010101010119013d00ffffff0400fa83717b71a69297979701f63d00fa03ffffffa69297979701f63d010101000000000101010101197e9797976567656565ffa63535354e');
INSERT INTO f(f) VALUES ('merge=53,216');
} {0 {}}
finish_test

@ -587,5 +587,18 @@ do_execsql_test 5.1 {
{[a70] [a71] [a72]}
}
#-------------------------------------------------------------------------
# Request a snippet from a query with more than 64 phrases.
#
reset_db
do_execsql_test 6.0 {
CREATE VIRTUAL TABLE f USING fts3(b);
INSERT INTO f VALUES ( x'746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218');
}
do_execsql_test 6.1 {
SELECT length(snippet(f))>0 FROM f WHERE b MATCH x'1065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a010f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c2a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e0f42';
} {1}
set sqlite_fts3_enable_parentheses 0
finish_test

@ -1140,4 +1140,28 @@ do_execsql_test 24.2 {
3 1 1 3
}
# 2020-01-02 chromium ticket 1033461
# Do not allow the generated name of a CTE be "true" or "false" as
# such a label might be later confused for the boolean literals of
# the same name, causing inconsistencies in the abstract syntax
# tree. This problem first arose in version 3.23.0 when SQLite
# began recognizing "true" and "false" as boolean literals, but also
# had to continue to recognize "true" and "false" as identifiers for
# backwards compatibility.
#
reset_db
do_execsql_test 25.1 {
CREATE TABLE dual(dummy);
INSERT INTO dual(dummy) VALUES('X');
WITH cte1 AS (
SELECT TRUE, (
WITH cte2 AS (SELECT avg(DISTINCT TRUE) FROM dual)
SELECT 2571 FROM cte2
) AS subquery1
FROM dual
GROUP BY 1
)
SELECT (SELECT 1324 FROM cte1) FROM cte1;
} {1324}
finish_test

@ -795,4 +795,17 @@ if {$tcl_platform(platform)!="windows"} {
} {. ./x1.txt ./x2.txt}
}
# 2019-12-18 Yongheng and Rui fuzzer
#
do_execsql_test 13.10 {
DROP TABLE IF EXISTS t0;
DROP TABLE IF EXISTS t1;
CREATE TABLE t0(a,b,c,d,e,f,g);
REPLACE INTO t0(c,b,f) VALUES(10,10,10);
CREATE VIRTUAL TABLE t1 USING zipfile('h.zip');
REPLACE INTO t1 SELECT * FROM t0;
SELECT quote(name),quote(mode),quote(mtime),quote(sz),quote(rawdata),
quote(data),quote(method) FROM t1;
} {'' 10 10 2 X'3130' X'3130' 0}
finish_test
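Review bot: Test 13.10 creates `h.zip` through `CREATE VIRTUAL TABLE t1 USING zipfile('h.zip')` and never removes it, so the archive stays in the working directory; the `DROP TABLE IF EXISTS t1` only drops the virtual table, and a rerun would append to the existing zip, which could change the rows the final SELECT returns. A `forcedelete h.zip` before the do_execsql_test (and after it, for cleanup) would make the test self-contained, assuming the rest of this file manages its fixtures the same way, which is outside the hunk. The same hunk recurs inside the new patch 22 file.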

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 19 Nov 2019 14:09:07 -0800
Subject: [PATCH 01/17] Don't allow shadow tables to be dropped in defensive
Subject: [PATCH 01/22] Don't allow shadow tables to be dropped in defensive
mode.
Backports https://www.sqlite.org/src/info/70390bbca49e7066

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 19 Nov 2019 14:32:48 -0800
Subject: [PATCH 02/17] Improve shadow table corruption detection in fts3
Subject: [PATCH 02/22] Improve shadow table corruption detection in fts3
Backports https://www.sqlite.org/src/info/04b2873be5aedeb1

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 19 Nov 2019 15:04:03 -0800
Subject: [PATCH 03/17] Shadow Table Corruption Detection improvements in fts3
Subject: [PATCH 03/22] Shadow Table Corruption Detection improvements in fts3
Backports https://www.sqlite.org/src/info/51525f9c3235967b

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 19 Nov 2019 15:05:43 -0800
Subject: [PATCH 04/17] Remove reachable NEVER in fts3
Subject: [PATCH 04/22] Remove reachable NEVER in fts3
Backports https://www.sqlite.org/src/info/8bd75bf636f72f32

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 19 Nov 2019 15:17:18 -0800
Subject: [PATCH 05/17] Better % corruption detection in fts3.
Subject: [PATCH 05/22] Better % corruption detection in fts3.
Backports https://www.sqlite.org/src/info/1e449687881f4d38

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 19 Nov 2019 15:19:40 -0800
Subject: [PATCH 06/17] Detect/Prevent infinite recursion
Subject: [PATCH 06/22] Detect/Prevent infinite recursion
Backports https://www.sqlite.org/src/info/dfcf081d842629a0

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 19 Nov 2019 15:34:00 -0800
Subject: [PATCH 07/17] Improve corruption detection in fts4
Subject: [PATCH 07/22] Improve corruption detection in fts4
Backports https://www.sqlite.org/src/info/10f8a3b718e0f47b

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Wed, 20 Nov 2019 10:58:51 -0800
Subject: [PATCH 08/17] Further improve corruption detection in fts3
Subject: [PATCH 08/22] Further improve corruption detection in fts3
Backports https://sqlite.org/src/info/a0f6d526baecd061 (aka
https://sqlite.org/src/info/a0f6d526baecd061a5e2)

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 3 Dec 2019 13:56:38 -0800
Subject: [PATCH 09/17] Make sure WITH stack is disabled after error
Subject: [PATCH 09/22] Make sure WITH stack is disabled after error
Backports https://sqlite.org/src/info/de6e6d6846d6a41c

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 3 Dec 2019 13:59:19 -0800
Subject: [PATCH 10/17] Avoid zero offset
Subject: [PATCH 10/22] Avoid zero offset
Backports https://www.sqlite.org/src/info/3ce804e99bbef83d

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 3 Dec 2019 14:01:40 -0800
Subject: [PATCH 11/17] Avoid zero offset of nullptr
Subject: [PATCH 11/22] Avoid zero offset of nullptr
Backports https://www.sqlite.org/src/info/85d95abec4a596eb

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Mon, 16 Dec 2019 11:49:51 -0800
Subject: [PATCH 12/17] Fix buffer overread
Subject: [PATCH 12/22] Fix buffer overread
Backports https://www.sqlite.org/src/info/e01fdbf9f700e1bd

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Mon, 16 Dec 2019 13:45:04 -0800
Subject: [PATCH 13/17] Fix UB warning
Subject: [PATCH 13/22] Fix UB warning
Backports https://sqlite.org/src/info/052fdf5e58b41cca

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Mon, 16 Dec 2019 13:48:39 -0800
Subject: [PATCH 14/17] Avoid temp trigger crash
Subject: [PATCH 14/22] Avoid temp trigger crash
Backports https://sqlite.org/src/info/c4cb9708d48ead10

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Mon, 16 Dec 2019 16:01:06 -0800
Subject: [PATCH 15/17] Fix fts3 integer overflows
Subject: [PATCH 15/22] Fix fts3 integer overflows
Backports https://www.sqlite.org/src/info/3b873029ef1903f7

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Wed, 18 Dec 2019 16:38:02 -0800
Subject: [PATCH 16/17] Avoid infinite recursion in ALTER TABLE code
Subject: [PATCH 16/22] Avoid infinite recursion in ALTER TABLE code
Backports https://www.sqlite.org/src/info/1d2e53a39b87e364685e21de137655b6eee725e4c6d27fc90865072d7c5892b5

@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Thu, 19 Dec 2019 14:19:06 -0800
Subject: [PATCH 17/17] Add restrictions on shadow table changes in defensive
Subject: [PATCH 17/22] Add restrictions on shadow table changes in defensive
mode
Backports https://www.sqlite.org/src/info/bae76a5c40703871

@ -0,0 +1,118 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 7 Jan 2020 13:32:12 -0800
Subject: [PATCH 18/22] Avoid ambiguous true and false return
Backports https://www.sqlite.org/src/info/ff9492d3ff733c22
Bug: 1033461
---
third_party/sqlite/patched/src/expr.c | 21 ++++++++++++++++---
third_party/sqlite/patched/src/select.c | 2 +-
third_party/sqlite/patched/src/sqliteInt.h | 1 +
third_party/sqlite/patched/test/with1.test | 24 ++++++++++++++++++++++
4 files changed, 44 insertions(+), 4 deletions(-)
diff --git a/third_party/sqlite/patched/src/expr.c b/third_party/sqlite/patched/src/expr.c
index e8b1f31c42aa..760978c482d3 100644
--- a/third_party/sqlite/patched/src/expr.c
+++ b/third_party/sqlite/patched/src/expr.c
@@ -1814,19 +1814,34 @@ int sqlite3SelectWalkFail(Walker *pWalker, Select *NotUsed){
return WRC_Abort;
}
+/*
+** Check the input string to see if it is "true" or "false" (in any case).
+**
+** If the string is.... Return
+** "true" EP_IsTrue
+** "false" EP_IsFalse
+** anything else 0
+*/
+u32 sqlite3IsTrueOrFalse(const char *zIn){
+ if( sqlite3StrICmp(zIn, "true")==0 ) return EP_IsTrue;
+ if( sqlite3StrICmp(zIn, "false")==0 ) return EP_IsFalse;
+ return 0;
+}
+
+
/*
** If the input expression is an ID with the name "true" or "false"
** then convert it into an TK_TRUEFALSE term. Return non-zero if
** the conversion happened, and zero if the expression is unaltered.
*/
int sqlite3ExprIdToTrueFalse(Expr *pExpr){
+ u32 v;
assert( pExpr->op==TK_ID || pExpr->op==TK_STRING );
if( !ExprHasProperty(pExpr, EP_Quoted)
- && (sqlite3StrICmp(pExpr->u.zToken, "true")==0
- || sqlite3StrICmp(pExpr->u.zToken, "false")==0)
+ && (v = sqlite3IsTrueOrFalse(pExpr->u.zToken))!=0
){
pExpr->op = TK_TRUEFALSE;
- ExprSetProperty(pExpr, pExpr->u.zToken[4]==0 ? EP_IsTrue : EP_IsFalse);
+ ExprSetProperty(pExpr, v);
return 1;
}
return 0;
diff --git a/third_party/sqlite/patched/src/select.c b/third_party/sqlite/patched/src/select.c
index ba70a2bdec78..be705c11d1b4 100644
--- a/third_party/sqlite/patched/src/select.c
+++ b/third_party/sqlite/patched/src/select.c
@@ -1980,7 +1980,7 @@ int sqlite3ColumnsFromExprList(
zName = pEList->a[i].zSpan;
}
}
- if( zName ){
+ if( zName && !sqlite3IsTrueOrFalse(zName) ){
zName = sqlite3DbStrDup(db, zName);
}else{
zName = sqlite3MPrintf(db,"column%d",i+1);
diff --git a/third_party/sqlite/patched/src/sqliteInt.h b/third_party/sqlite/patched/src/sqliteInt.h
index 2eb9ff559aac..970ef817f3e1 100644
--- a/third_party/sqlite/patched/src/sqliteInt.h
+++ b/third_party/sqlite/patched/src/sqliteInt.h
@@ -4093,6 +4093,7 @@ void sqlite3EndTransaction(Parse*,int);
void sqlite3Savepoint(Parse*, int, Token*);
void sqlite3CloseSavepoints(sqlite3 *);
void sqlite3LeaveMutexAndCloseZombie(sqlite3*);
+u32 sqlite3IsTrueOrFalse(const char*);
int sqlite3ExprIdToTrueFalse(Expr*);
int sqlite3ExprTruthValue(const Expr*);
int sqlite3ExprIsConstant(Expr*);
diff --git a/third_party/sqlite/patched/test/with1.test b/third_party/sqlite/patched/test/with1.test
index 4fb074b2cf0a..e5787db704d1 100644
--- a/third_party/sqlite/patched/test/with1.test
+++ b/third_party/sqlite/patched/test/with1.test
@@ -1140,4 +1140,28 @@ do_execsql_test 24.2 {
3 1 1 3
}
+# 2020-01-02 chromium ticket 1033461
+# Do not allow the generated name of a CTE be "true" or "false" as
+# such a label might be later confused for the boolean literals of
+# the same name, causing inconsistencies in the abstract syntax
+# tree. This problem first arose in version 3.23.0 when SQLite
+# began recognizing "true" and "false" as boolean literals, but also
+# had to continue to recognize "true" and "false" as identifiers for
+# backwards compatibility.
+#
+reset_db
+do_execsql_test 25.1 {
+ CREATE TABLE dual(dummy);
+ INSERT INTO dual(dummy) VALUES('X');
+ WITH cte1 AS (
+ SELECT TRUE, (
+ WITH cte2 AS (SELECT avg(DISTINCT TRUE) FROM dual)
+ SELECT 2571 FROM cte2
+ ) AS subquery1
+ FROM dual
+ GROUP BY 1
+ )
+ SELECT (SELECT 1324 FROM cte1) FROM cte1;
+} {1324}
+
finish_test
--
2.24.1.735.g03f4e72817-goog

@ -0,0 +1,52 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 7 Jan 2020 13:34:37 -0800
Subject: [PATCH 19/22] Fix fts3 UB uint64
Backports https://sqlite.org/src/info/e1f12978b53683114ab0
Bug: 1037786
---
third_party/sqlite/patched/ext/fts3/fts3_snippet.c | 2 +-
third_party/sqlite/patched/test/fts3snippet.test | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/third_party/sqlite/patched/ext/fts3/fts3_snippet.c b/third_party/sqlite/patched/ext/fts3/fts3_snippet.c
index dda71c3985af..6eae82dbc3ff 100644
--- a/third_party/sqlite/patched/ext/fts3/fts3_snippet.c
+++ b/third_party/sqlite/patched/ext/fts3/fts3_snippet.c
@@ -560,7 +560,7 @@ static int fts3BestSnippet(
/* Set the *pmSeen output variable. */
for(i=0; i<nList; i++){
if( sIter.aPhrase[i].pHead ){
- *pmSeen |= (u64)1 << i;
+ *pmSeen |= (u64)1 << (i%64);
}
}
diff --git a/third_party/sqlite/patched/test/fts3snippet.test b/third_party/sqlite/patched/test/fts3snippet.test
index ce565127b5a3..9ee37dc6263f 100644
--- a/third_party/sqlite/patched/test/fts3snippet.test
+++ b/third_party/sqlite/patched/test/fts3snippet.test
@@ -587,5 +587,18 @@ do_execsql_test 5.1 {
{[a70] [a71] [a72]}
}
+#-------------------------------------------------------------------------
+# Request a snippet from a query with more than 64 phrases.
+#
+reset_db
+do_execsql_test 6.0 {
+ CREATE VIRTUAL TABLE f USING fts3(b);
+ INSERT INTO f VALUES ( x'746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218');
+}
+
+do_execsql_test 6.1 {
+ SELECT length(snippet(f))>0 FROM f WHERE b MATCH x'1065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a010f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c2a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e0f42';
+} {1}
+
set sqlite_fts3_enable_parentheses 0
finish_test
--
2.24.1.735.g03f4e72817-goog

@ -0,0 +1,72 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 7 Jan 2020 13:38:31 -0800
Subject: [PATCH 20/22] Avoid large memory alloc for corrupt record
Backports https://www.sqlite.org/src/info/9add58fe9688d5c1
Bug: 1038213
---
third_party/sqlite/patched/ext/fts3/fts3_write.c | 12 +++++++++---
third_party/sqlite/patched/test/fts3corrupt4.test | 9 +++++++++
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/third_party/sqlite/patched/ext/fts3/fts3_write.c b/third_party/sqlite/patched/ext/fts3/fts3_write.c
index 8b6b729987c3..f30bf343635d 100644
--- a/third_party/sqlite/patched/ext/fts3/fts3_write.c
+++ b/third_party/sqlite/patched/ext/fts3/fts3_write.c
@@ -335,7 +335,7 @@ static int fts3SqlStmt(
** returns zero rows. */
/* 28 */ "SELECT level, count(*) AS cnt FROM %Q.'%q_segdir' "
" GROUP BY level HAVING cnt>=?"
- " ORDER BY (level %% 1024) ASC LIMIT 1",
+ " ORDER BY (level %% 1024) ASC, 2 DESC LIMIT 1",
/* Estimate the upper limit on the number of leaf nodes in a new segment
** created by merging the oldest :2 segments from absolute level :1. See
@@ -4925,8 +4925,14 @@ int sqlite3Fts3Incrmerge(Fts3Table *p, int nMerge, int nMin){
rc = fts3IncrmergeHintPop(&hint, &iHintAbsLevel, &nHintSeg);
if( nSeg<0 || (iAbsLevel % nMod) >= (iHintAbsLevel % nMod) ){
+ /* Based on the scan in the block above, it is known that there
+ ** are no levels with a relative level smaller than that of
+ ** iAbsLevel with more than nSeg segments, or if nSeg is -1,
+ ** no levels with more than nMin segments. Use this to limit the
+ ** value of nHintSeg to avoid a large memory allocation in case the
+ ** merge-hint is corrupt*/
iAbsLevel = iHintAbsLevel;
- nSeg = nHintSeg;
+ nSeg = MIN(MAX(nMin,nSeg), nHintSeg);
bUseHint = 1;
bDirtyHint = 1;
}else{
@@ -4939,7 +4945,7 @@ int sqlite3Fts3Incrmerge(Fts3Table *p, int nMerge, int nMin){
/* If nSeg is less that zero, then there is no level with at least
** nMin segments and no hint in the %_stat table. No work to do.
** Exit early in this case. */
- if( nSeg<0 ) break;
+ if( nSeg<=0 ) break;
/* Open a cursor to iterate through the contents of the oldest nSeg
** indexes of absolute level iAbsLevel. If this cursor is opened using
diff --git a/third_party/sqlite/patched/test/fts3corrupt4.test b/third_party/sqlite/patched/test/fts3corrupt4.test
index 45dd52fff29e..ed670c72223c 100644
--- a/third_party/sqlite/patched/test/fts3corrupt4.test
+++ b/third_party/sqlite/patched/test/fts3corrupt4.test
@@ -5589,4 +5589,13 @@ do_catchsql_test 35.1 {
INSERT INTO f(f) VALUES ('integrity-check');
} {1 {database disk image is malformed}}
+reset_db
+do_catchsql_test 36.0 {
+ CREATE VIRTUAL TABLE f USING fts3(a,tokenize=porter);
+ CREATE TABLE 'f_stat'(id INTEGER PRIMARY KEY, value BLOB);
+ INSERT INTO f VALUES (1);
+ INSERT INTO f_stat VALUES (1,x'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');
+ INSERT INTO f(f) VALUES ('merge=53,216');
+} {0 {}}
+
finish_test
--
2.24.1.735.g03f4e72817-goog

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 7 Jan 2020 13:42:03 -0800
Subject: [PATCH 21/22] Avoid invalid pointer dereference in ORDER BY
Backports https://sqlite.org/src/info/1ca0bd982ab1183bbafce0d260e4dceda5eb766ed2e7793374a88d1ae0bdd2ca
Bug: 1038863
---
third_party/sqlite/patched/src/window.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/third_party/sqlite/patched/src/window.c b/third_party/sqlite/patched/src/window.c
index c251cd01974d..2d79ffe63d6d 100644
--- a/third_party/sqlite/patched/src/window.c
+++ b/third_party/sqlite/patched/src/window.c
@@ -883,9 +883,11 @@ static ExprList *exprListAppendList(
int nInit = pList ? pList->nExpr : 0;
for(i=0; i<pAppend->nExpr; i++){
Expr *pDup = sqlite3ExprDup(pParse->db, pAppend->a[i].pExpr, 0);
+ assert( pDup==0 || !ExprHasProperty(pDup, EP_MemToken) );
if( bIntToNull && pDup && pDup->op==TK_INTEGER ){
pDup->op = TK_NULL;
pDup->flags &= ~(EP_IntValue|EP_IsTrue|EP_IsFalse);
+ pDup->u.zToken = 0;
}
pList = sqlite3ExprListAppend(pParse, pList, pDup);
if( pList ) pList->a[nInit+i].sortFlags = pAppend->a[i].sortFlags;
--
2.24.1.735.g03f4e72817-goog

@ -0,0 +1,50 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Tue, 7 Jan 2020 13:43:48 -0800
Subject: [PATCH 22/22] Fix zipfile extension INSERT with NULL pathname
Backports https://sqlite.org/src/info/a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06
Bug: 1038863
---
third_party/sqlite/patched/ext/misc/zipfile.c | 1 +
third_party/sqlite/patched/test/zipfile.test | 13 +++++++++++++
2 files changed, 14 insertions(+)
diff --git a/third_party/sqlite/patched/ext/misc/zipfile.c b/third_party/sqlite/patched/ext/misc/zipfile.c
index 5a88389bf2da..1dc47a7d9ae0 100644
--- a/third_party/sqlite/patched/ext/misc/zipfile.c
+++ b/third_party/sqlite/patched/ext/misc/zipfile.c
@@ -1618,6 +1618,7 @@ static int zipfileUpdate(
if( rc==SQLITE_OK ){
zPath = (const char*)sqlite3_value_text(apVal[2]);
+ if( zPath==0 ) zPath = "";
nPath = (int)strlen(zPath);
mTime = zipfileGetTime(apVal[4]);
}
diff --git a/third_party/sqlite/patched/test/zipfile.test b/third_party/sqlite/patched/test/zipfile.test
index 25dc5d6497d1..f5c503d7f156 100644
--- a/third_party/sqlite/patched/test/zipfile.test
+++ b/third_party/sqlite/patched/test/zipfile.test
@@ -795,4 +795,17 @@ if {$tcl_platform(platform)!="windows"} {
} {. ./x1.txt ./x2.txt}
}
+# 2019-12-18 Yongheng and Rui fuzzer
+#
+do_execsql_test 13.10 {
+ DROP TABLE IF EXISTS t0;
+ DROP TABLE IF EXISTS t1;
+ CREATE TABLE t0(a,b,c,d,e,f,g);
+ REPLACE INTO t0(c,b,f) VALUES(10,10,10);
+ CREATE VIRTUAL TABLE t1 USING zipfile('h.zip');
+ REPLACE INTO t1 SELECT * FROM t0;
+ SELECT quote(name),quote(mode),quote(mtime),quote(sz),quote(rawdata),
+ quote(data),quote(method) FROM t1;
+} {'' 10 10 2 X'3130' X'3130' 0}
+
finish_test
--
2.24.1.735.g03f4e72817-goog