CVE-2015-3416: SQLite: Check-in [c494171f]
The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.
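To show the arithmetic behind this advisory, the following is an added example (not SQLite's own code) that models the buffer-sizing test in sqlite3VXPrintf before and after check-in c494171f, plus the masked rounder loop from the same fix. The assumptions are the buffer size etBUFSIZE (70 in SQLite's printf.c) and the width/precision pair from the new regression test; the pre-fix wrap is emulated with 32-bit truncation because signed overflow is undefined in C.

```c
/* Added example, not SQLite's code: models the CVE-2015-3416 sizing check. */
#include <stdint.h>
#include <stdio.h>

typedef int64_t i64;
#define MAX(a,b) ((a)>(b)?(a):(b))
/* Assumption: size of the fixed output buffer in SQLite's printf.c. */
#define etBUFSIZE 70

/* Pre-fix check: e2, precision and width are all int, so the sum can wrap.
 * Signed overflow is undefined, so the wrap is emulated with a 32-bit
 * two's-complement truncation (what an int addition produces in practice). */
int needs_heap_buffer_vulnerable(int e2, int precision, int width){
  uint32_t sum = (uint32_t)MAX(e2,0) + (uint32_t)precision + (uint32_t)width;
  int32_t wrapped = (int32_t)sum;
  return wrapped > etBUFSIZE - 15;   /* 0 means: write into the stack buffer */
}

/* Post-fix check: widening precision and width to i64 keeps the sum exact. */
int needs_heap_buffer_fixed(int e2, int precision, int width){
  return MAX(e2,0) + (i64)precision + (i64)width > etBUFSIZE - 15;
}

/* Rounder loop as changed by the check-in: masking precision with 0xfff
 * bounds the iteration count.  Returns the number of iterations performed. */
int rounder_iterations(int precision){
  int idx, n = 0;
  double rounder;
  for(idx = precision & 0xfff, rounder = 0.5; idx > 0; idx--, rounder *= 0.1){ n++; }
  return n;
}

int main(void){
  /* Constructed input mirroring regression test printf-2.1.2.10. */
  int width = 2000000000, precision = 1000000000;
  printf("vulnerable check requests heap buffer: %d\n",
         needs_heap_buffer_vulnerable(0, precision, width));
  printf("fixed check requests heap buffer:      %d\n",
         needs_heap_buffer_fixed(0, precision, width));
  printf("rounder loop iterations for precision %d: %d\n",
         precision, rounder_iterations(precision));
  return 0;
}
```

The wrapped sum (3000000000 - 2^32) is negative, so the pre-fix check keeps the 70-byte stack buffer for a conversion whose width alone is two billion characters; the widened check correctly asks for a heap buffer.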
Context
2015-05-20
19:48
Avoid signed integer overflow when converting oversized in-line integer widths and precisions in printf(). Cherrypick of [c494171f77dc], [5ce4e7d7651e], [95625ef3adc3] and [8e4ac2ce2441]. (check-in: b330c7ff user: dan tags: branch-3.8.6)
2015-04-07
13:28
Further changes to guard against integer overflow in the width and precision of printf() arguments. (check-in: 5ce4e7d7 user: drh tags: trunk)
12:41
Guard against excessive width and precision in floating-point conversions in the printf routines. (check-in: c494171f user: drh tags: trunk)
2015-04-06
11:04
Fix a problem with fts3 prefix terms within phrase queries on “order=DESC” tables with a mix of negative and positive rowids. (check-in: 3ad829e5 user: dan tags: trunk)
Changes
Modified src/printf.c from [8da9a268] to [32f69fcb].
︙
︙
446 447 448 449 450 451 452 453 454 455 456 457 458 459 460
prefix = '-';
}else{
if( flag\_plussign ) prefix = '+';
else if( flag\_blanksign ) prefix = ' ';
else prefix = 0;
}
if( xtype==etGENERIC && precision>0 ) precision--;
for(idx=precision, rounder=0.5; idx>0; idx--, rounder\*=0.1){} if( xtype==etFLOAT ) realvalue += rounder;
/\* Normalize realvalue to within 10.0 > realvalue >= 1.0 \*/
exp = 0;
if( sqlite3IsNaN((double)realvalue) ){
bufpt = "NaN";
length = 3;
break;
|
446 447 448 449 450 451 452 453 454 455 456 457 458 459 460
prefix = '-';
}else{
if( flag\_plussign ) prefix = '+';
else if( flag\_blanksign ) prefix = ' ';
else prefix = 0;
}
if( xtype==etGENERIC && precision>0 ) precision--;
for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder\*=0.1){} if( xtype==etFLOAT ) realvalue += rounder;
/\* Normalize realvalue to within 10.0 > realvalue >= 1.0 \*/
exp = 0;
if( sqlite3IsNaN((double)realvalue) ){
bufpt = "NaN";
length = 3;
break;
︙
︙
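Review bot: the `precision&0xfff` mask on the rounder loop's `idx` bounds the loop at 4095 iterations but changes the rounding for precisions of 4096 and above: a precision of exactly 4096 masks to 0, so `rounder` stays 0.5 and is added to `realvalue` for `etFLOAT`, whereas the unmasked loop would have driven `rounder` to 0.0 after a few hundred multiplications by 0.1. Clamping instead of masking (`idx = precision>0xfff ? 0xfff : precision`) keeps the same iteration bound and preserves the old result for large precisions. Note also that `precision` itself is left unmasked here, so the oversized value still reaches the later width/precision arithmetic and the buffer sizing has to be protected on its own.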
501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516
flag\_rtz = flag\_altform2;
}
if( xtype==etEXP ){
e2 = 0;
}else{
e2 = exp;
}
if( MAX(e2,0)+precision+width > etBUFSIZE - 15 ){
bufpt = zExtra \= sqlite3Malloc( MAX(e2,0)+precision+width+15 );
if( bufpt==0 ){
setStrAccumError(pAccum, STRACCUM\_NOMEM);
return;
}
}
zOut = bufpt;
nsd = 16 + flag\_altform2\*10;
| |
501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517
flag\_rtz = flag\_altform2;
}
if( xtype==etEXP ){
e2 = 0;
}else{
e2 = exp;
}
if( MAX(e2,0)+(i64)precision+(i64)width > etBUFSIZE - 15 ){
bufpt = zExtra
= sqlite3Malloc( MAX(e2,0)+(i64)precision+(i64)width+15 ); if( bufpt==0 ){
setStrAccumError(pAccum, STRACCUM\_NOMEM);
return;
}
}
zOut = bufpt;
nsd = 16 + flag\_altform2\*10;
︙
︙
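Review bot: widening `precision` and `width` to `i64` fixes the overflowed comparison against `etBUFSIZE - 15`, but the same unbounded sum `MAX(e2,0)+(i64)precision+(i64)width+15` is now handed straight to `sqlite3Malloc`, so the 2000000000/1000000000 pair from the new test asks for roughly 3 GB. The `bufpt==0` branch covers allocation failure with `STRACCUM_NOMEM`, but when the allocator honours the request the conversion proceeds at that memory cost; an explicit upper bound on the combined width and precision before the allocation would make the behaviour deterministic rather than dependent on available memory.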
Modified test/printf.test from [ec9870c4] to [2f11179e].
︙
︙
522 523 524 525 526 527 528
529 530 531 532 533 534 535
} {abc: 1 1 (0.0) :xyz} do_test printf-2.1.2.8 { sqlite3_mprintf_double {abc: %d %d (%1.1e) :xyz} 1 1 1.0e-20 } {abc: 1 1 (1.0e-20) :xyz} do_test printf-2.1.2.9 { sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20 } {abc: 1 1 (1e-20) :xyz}
do_test printf-2.1.3.1 { sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0 } {abc: (1.0) :xyz} do_test printf-2.1.3.2 { sqlite3_mprintf_double {abc: (%*.*e) :xyz} 1 1 1.0 } {abc: (1.0e+00) :xyz} do_test printf-2.1.3.3 {
522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538
} {abc: 1 1 (0.0) :xyz} do_test printf-2.1.2.8 { sqlite3_mprintf_double {abc: %d %d (%1.1e) :xyz} 1 1 1.0e-20 } {abc: 1 1 (1.0e-20) :xyz} do_test printf-2.1.2.9 { sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20 } {abc: 1 1 (1e-20) :xyz} do_test printf-2.1.2.10 { sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20 } {abc: } do_test printf-2.1.3.1 { sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0 } {abc: (1.0) :xyz} do_test printf-2.1.3.2 { sqlite3_mprintf_double {abc: (%*.*e) :xyz} 1 1 1.0 } {abc: (1.0e+00) :xyz} do_test printf-2.1.3.3 {
︙
︙
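Review bot: printf-2.1.2.10 only checks that the oversized `%*.*f` produces the empty output `{abc: }`; it does not assert that the conversion was refused (for example by checking the error indicator) rather than silently dropped, and it exercises only the `%f` path. The `%e` branch takes `e2 = 0` and `%g` takes the `precision--` path in the same code, so adding the same width/precision pair for `%*.*e` and `%*.*g` would cover the other conversions touched by this change.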