Headline
CVE-2020-11655: SQLite: Check-in [4a302b42c7]
SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object’s initialization is mishandled.
Overview
Comment:
In the event of a semantic error in an aggregate query, early-out the resetAccumulator() function to prevent problems due to incomplete or incorrect initialization of the AggInfo object. Fix for ticket [af4556bb5c285c08].
Downloads:
Tarball | ZIP archive | SQL archive
Timelines:
family | ancestors | descendants | both | trunk
Files:
files | file ages | folders
SHA3-256:
4a302b42c7bf5e11ddb5522ca999f74aba397d3a7eb91b1844bb02852f772441
User & Date:
drh on 2020-04-03 13:19:03
Other Links:
manifest | tags
Context
2020-04-03
16:11
Add a test case to fuzzdata8.db for the recent Henry Liu bugs. (check-in: 42b02454b1 user: drh tags: trunk)
15:48
Merge updates from trunk. (check-in: 348c40136c user: drh tags: bytecode-function)
13:39
Do not suppress errors when resolving references in an ORDER BY clause belonging to a compound SELECT within a view or trigger within ALTER TABLE. Fix for ticket [a10a14e9b4ba2]. Also, in the event of a semantic error in an aggregate query, early-out the resetAccumulator() function to prevent problems due to incomplete or incorrect initialization of the AggInfo object. Fix for ticket [af4556bb5c285c08]. (check-in: b64674919f user: drh tags: branch-3.31)
13:19
In the event of a semantic error in an aggregate query, early-out the resetAccumulator() function to prevent problems due to incomplete or incorrect initialization of the AggInfo object. Fix for ticket [af4556bb5c285c08]. (check-in: 4a302b42c7 user: drh tags: trunk)
11:52
Do not suppress errors when resolving references in an ORDER BY clause belonging to a compound SELECT within a view or trigger within ALTER TABLE. Fix for ticket [a10a14e9b4ba2]. (check-in: 684293882c user: dan tags: trunk)
Changes
Modified src/select.c from [6908c059e4] to [fd38aa7f87].
︙
︙
5384 5385 5386 5387 5388 5389 5390
5391 5392 5393 5394 5395 5396 5397
*/ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){ Vdbe *v = pParse->pVdbe; int i; struct AggInfo_func *pFunc; int nReg = pAggInfo->nFunc + pAggInfo->nColumn; if( nReg==0 ) return;
#ifdef SQLITE_DEBUG /* Verify that all AggInfo registers are within the range specified by ** AggInfo.mnReg…AggInfo.mxReg */ assert( nReg==pAggInfo->mxReg-pAggInfo->mnReg+1 ); for(i=0; i<pAggInfo->nColumn; i++){ assert( pAggInfo->aCol[i].iMem>=pAggInfo->mnReg && pAggInfo->aCol[i].iMem<=pAggInfo->mxReg );
5384 5385 5386 5387 5388 5389 5390 5391 5392 5393 5394 5395 5396 5397 5398
*/ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){ Vdbe *v = pParse->pVdbe; int i; struct AggInfo_func *pFunc; int nReg = pAggInfo->nFunc + pAggInfo->nColumn; if( nReg==0 ) return; if( pParse->nErr ) return; #ifdef SQLITE_DEBUG /* Verify that all AggInfo registers are within the range specified by ** AggInfo.mnReg…AggInfo.mxReg */ assert( nReg==pAggInfo->mxReg-pAggInfo->mnReg+1 ); for(i=0; i<pAggInfo->nColumn; i++){ assert( pAggInfo->aCol[i].iMem>=pAggInfo->mnReg && pAggInfo->aCol[i].iMem<=pAggInfo->mxReg );
︙
︙
Modified test/window1.test from [879a1928c9] to [ec792f92e6].
︙
︙
1649 1650 1651 1652 1653 1654 1655 1656 1657
1658
WHERE a=1 OR ((SELECT sum(a) OVER(ORDER BY a%8)) AND 10<=a) } {10.0}
do_execsql_test 50.5 { SELECT * FROM (SELECT * FROM t1 NATURAL JOIN t1 WHERE a%1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum((SELECT * FROM (SELECT * FROM (SELECT * FROM t1 NATURAL JOIN t1 WHERE a%1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum((SELECT * FROM t1 NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)))OVER(ORDER BY a% 1 )) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND 10<=a)))OVER(ORDER BY a%5)) AND a<=10); } {10.0}
finish_test
| |
1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666
WHERE a=1 OR ((SELECT sum(a) OVER(ORDER BY a%8)) AND 10<=a) } {10.0}
do_execsql_test 50.5 { SELECT * FROM (SELECT * FROM t1 NATURAL JOIN t1 WHERE a%1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum((SELECT * FROM (SELECT * FROM (SELECT * FROM t1 NATURAL JOIN t1 WHERE a%1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum((SELECT * FROM t1 NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)))OVER(ORDER BY a% 1 )) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND 10<=a)))OVER(ORDER BY a%5)) AND a<=10); } {10.0}
# 2020-04-03 ticket af4556bb5c285c08
reset_db do_catchsql_test 51.1 { CREATE TABLE a(b, c); SELECT c FROM a GROUP BY c HAVING(SELECT(sum(b) OVER(ORDER BY b), sum(b) OVER(PARTITION BY min(DISTINCT c), c ORDER BY b))); } {1 {row value misused}} finish_test