!100 [sync] PR-99: fix issue CVE-2023-7104

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

0003-CVE-2022-35737.patch

@@ -0,0 +1,80 @@
+From effc07ec9c6e08d3bd17665f8800054770f8c643 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Fri, 15 Jul 2022 12:34:31 +0000
+Subject: [PATCH] Fix the whereKeyStats() routine (part of STAT4 processing
+ only) so that it is able to cope with row-value comparisons against the
+ primary key index of a WITHOUT ROWID table.
+ [forum:/forumpost/3607259d3c|Forum post 3607259d3c].
+
+FossilOrigin-Name: 2a6f761864a462de5c2d5bc666b82fb0b7e124a03443cd1482620dde344b34bb
+
+---
+ src/where.c        |  4 ++--
+ test/rowvalue.test | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/src/where.c b/src/where.c
+index de6ea91e3..110eb4845 100644
+--- a/src/where.c
++++ b/src/where.c
+@@ -1433,7 +1433,7 @@ static int whereKeyStats(
+ #endif
+   assert( pRec!=0 );
+   assert( pIdx->nSample>0 );
+-  assert( pRec->nField>0 && pRec->nField<=pIdx->nSampleCol );
++  assert( pRec->nField>0 );
+ 
+   /* Do a binary search to find the first sample greater than or equal
+   ** to pRec. If pRec contains a single field, the set of samples to search
+@@ -1479,7 +1479,7 @@ static int whereKeyStats(
+   ** it is extended to two fields. The duplicates that this creates do not 
+   ** cause any problems.
+   */
+-  nField = pRec->nField;
++  nField = MIN(pRec->nField, pIdx->nSample);
+   iCol = 0;
+   iSample = pIdx->nSample * nField;
+   do{
+diff --git a/test/rowvalue.test b/test/rowvalue.test
+index 12fee8237..59b44d938 100644
+--- a/test/rowvalue.test
++++ b/test/rowvalue.test
+@@ -751,4 +751,35 @@ do_execsql_test 30.3 {
+ 
+ 
+ 
++# 2022-07-15
++# https://sqlite.org/forum/forumpost/3607259d3c
++#
++reset_db
++do_execsql_test 33.1 {
++  CREATE TABLE t1(a INT, b INT PRIMARY KEY) WITHOUT ROWID;
++  INSERT INTO t1(a, b) VALUES (0, 1),(15,-7),(3,100);
++  ANALYZE;
++} {}
++do_execsql_test 33.2 {
++  SELECT * FROM t1 WHERE (b,a) BETWEEN (0,5) AND (99,-2);
++} {0 1}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (b,a) BETWEEN (-8,5) AND (0,-2);
++} {15 -7}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (b,a) BETWEEN (3,5) AND (100,4);
++} {3 100}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (b,a) BETWEEN (3,5) AND (100,2);
++} {}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (a,b) BETWEEN (-2,99) AND (1,0);
++} {0 1}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (a,b) BETWEEN (14,99) AND (16,0);
++} {15 -7}
++do_execsql_test 33.3 {
++  SELECT * FROM t1 WHERE (a,b) BETWEEN (2,99) AND (4,0);
++} {3 100}
++
+ finish_test
+-- 
+2.25.1
+

0004-fix-memory-problem-in-the-rtree-test-suite.patch

@@ -0,0 +1,25 @@
+From 3755f418be5c3608a7e0b59488a8e172d443d738 Mon Sep 17 00:00:00 2001
+From: zwtmichael <zhuwentao5@huawei.com>
+Date: Tue, 30 Aug 2022 17:02:04 +0800
+Subject: [PATCH] fix memory problem in the rtree test suite
+
+---
+ ext/rtree/test_rtreedoc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/rtree/test_rtreedoc.c b/ext/rtree/test_rtreedoc.c
+index 119be0e..cdbcb2e 100644
+--- a/ext/rtree/test_rtreedoc.c
++++ b/ext/rtree/test_rtreedoc.c
+@@ -324,7 +324,7 @@ static int SQLITE_TCLAPI register_box_query(
+   }
+   if( getDbPointer(interp, Tcl_GetString(objv[1]), &db) ) return TCL_ERROR;
+ 
+-  pCtx = (BoxQueryCtx*)ckalloc(sizeof(BoxQueryCtx*));
++  pCtx = (BoxQueryCtx*)ckalloc(sizeof(BoxQueryCtx));
+   pCtx->interp = interp;
+   pCtx->pScript = Tcl_DuplicateObj(objv[2]);
+   Tcl_IncrRefCount(pCtx->pScript);
+-- 
+2.23.0
+

0005-fix-integer-overflow-on-gigabyte-string.patch

@@ -0,0 +1,28 @@
+From 72210cf3c782ff30867d5c78e13900be9904ba76 Mon Sep 17 00:00:00 2001
+From: zwtmichael <zhuwentao5@huawei.com>
+Date: Mon, 5 Sep 2022 16:49:05 +0800
+Subject: [PATCH] fix integer overflow on gigabyte string
+
+Signed-off-by: zwtmichael <zhuwentao5@huawei.com>
+---
+ src/printf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/printf.c b/src/printf.c
+index e635184..fb3689e 100644
+--- a/src/printf.c
++++ b/src/printf.c
+@@ -803,8 +803,8 @@ void sqlite3_str_vappendf(
+       case etSQLESCAPE:           /* %q: Escape ' characters */
+       case etSQLESCAPE2:          /* %Q: Escape ' and enclose in '...' */
+       case etSQLESCAPE3: {        /* %w: Escape " characters */
+-        int i, j, k, n, isnull;
+-        int needQuote;
++        i64 i, j, k, n;
++        int needQuote, isnull;
+         char ch;
+         char q = ((xtype==etSQLESCAPE3)?'"':'\'');   /* Quote character */
+         char *escarg;
+-- 
+2.25.1
+

0006-CVE-2022-46908.patch

@@ -0,0 +1,53 @@
+From 040177c01a76ccb631bbe19a445f716f0d7b9458 Mon Sep 17 00:00:00 2001
+From: zwtmichael <zhuwentao5@huawei.com>
+Date: Thu, 15 Dec 2022 09:49:15 +0800
+Subject: [PATCH] Fix safe mode authorizer callback to reject disallowed UDFs
+
+Signed-off-by: zwtmichael <zhuwentao5@huawei.com>
+---
+ src/shell.c.in   |  4 ++--
+ test/shell2.test | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/shell.c.in b/src/shell.c.in
+index 543141c..2c1e013 100644
+--- a/src/shell.c.in
++++ b/src/shell.c.in
+@@ -1829,7 +1829,7 @@ static int safeModeAuth(
+     "zipfile",
+     "zipfile_cds",
+   };
+-  UNUSED_PARAMETER(zA2);
++  UNUSED_PARAMETER(zA1);
+   UNUSED_PARAMETER(zA3);
+   UNUSED_PARAMETER(zA4);
+   switch( op ){
+@@ -1840,7 +1840,7 @@ static int safeModeAuth(
+     case SQLITE_FUNCTION: {
+       int i;
+       for(i=0; i<ArraySize(azProhibitedFunctions); i++){
+-        if( sqlite3_stricmp(zA1, azProhibitedFunctions[i])==0 ){
++        if( sqlite3_stricmp(zA2, azProhibitedFunctions[i])==0 ){
+           failIfSafeMode(p, "cannot use the %s() function in safe mode",
+                          azProhibitedFunctions[i]);
+         }
+diff --git a/test/shell2.test b/test/shell2.test
+index 6b4dff5..c3777eb 100644
+--- a/test/shell2.test
++++ b/test/shell2.test
+@@ -188,4 +188,15 @@ b
+ 2
+ }}
+ 
++# Verify that safe mode rejects certain UDFs
++# Reported at https://sqlite.org/forum/forumpost/07beac8056151b2f
++do_test shell2-1.4.8 {
++  catchcmd "-safe :memory:" {
++ SELECT edit('DoNotCare');}
++} {1 {line 2: cannot use the edit() function in safe mode}}
++do_test shell2-1.4.9 {
++  catchcmd "-safe :memory:" {
++ SELECT writefile('DoNotCare', x'');}
++} {1 {line 2: cannot use the writefile() function in safe mode}}
++
+ finish_test

0007-CVE-2023-36191.patch

@@ -0,0 +1,32 @@
+From 1b2901722e5de3ef8d29edb4481327e48bd3363c Mon Sep 17 00:00:00 2001
+From: zwtmichael <zhuwentao5@huawei.com>
+Date: Mon, 7 Aug 2023 15:10:32 +0800
+Subject: [PATCH] fix segmentation violation
+
+Signed-off-by: zwtmichael <zhuwentao5@huawei.com>
+---
+ src/shell.c.in | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/shell.c.in b/src/shell.c.in
+index 543141c..d278988 100644
+--- a/src/shell.c.in
++++ b/src/shell.c.in
+@@ -11469,8 +11469,12 @@ int SQLITE_CDECL wmain(int argc, wchar_t **wargv){
+     }else if( strcmp(z,"-bail")==0 ){
+       bail_on_error = 1;
+     }else if( strcmp(z,"-nonce")==0 ){
+-      free(data.zNonce);
+-      data.zNonce = strdup(argv[++i]);
++      if( data.zNonce ) free(data.zNonce);
++        if( i+1 < argc ) data.zNonce = strdup(argv[++i]);
++        else{
++          data.zNonce = 0;
++            break;
++        }
+     }else if( strcmp(z,"-safe")==0 ){
+       /* no-op - catch this on the second pass */
+     }
+-- 
+2.34.1.windows.1
+

0008-CVE-2023-7104.patch

@@ -0,0 +1,45 @@
+it From a756d158b3e55831975feb45b753ba499d2adeda Mon Sep 17 00:00:00 2001
+From: mazhao <mazhao12@huawei.com>
+Date: Wed, 3 Jan 2024 12:00:45 +0800
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could
+ occur when processing a corrupt changeset.
+
+Signed-off-by: mazhao <mazhao12@huawei.com>
+---
+ ext/session/sqlite3session.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
+index a892804..72ad427 100644
+--- a/ext/session/sqlite3session.c
++++ b/ext/session/sqlite3session.c
+@@ -3050,15 +3050,19 @@ static int sessionReadRecord(
+         }
+       }
+       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+-        sqlite3_int64 v = sessionGetI64(aVal);
+-        if( eType==SQLITE_INTEGER ){
+-          sqlite3VdbeMemSetInt64(apOut[i], v);
++        if( (pIn->nData-pIn->iNext)<8 ){
++          rc = SQLITE_CORRUPT_BKPT;
+         }else{
+-          double d;
+-          memcpy(&d, &v, 8);
+-          sqlite3VdbeMemSetDouble(apOut[i], d);
++          sqlite3_int64 v = sessionGetI64(aVal);
++          if( eType==SQLITE_INTEGER ){
++            sqlite3VdbeMemSetInt64(apOut[i], v);
++          }else{
++            double d;
++            memcpy(&d, &v, 8);
++            sqlite3VdbeMemSetDouble(apOut[i], d);
++          }
++          pIn->iNext += 8;
+         }
+-        pIn->iNext += 8;
+       }
+     }
+   }
+-- 
+2.34.1
+

sqlite.spec

@@ -1,22 +1,28 @@
 %bcond_without check
 
-%global extver 3340000
+%global extver 3370200
 %global tcl_version 8.6
 %global tcl_sitearch %{_libdir}/tcl%{tcl_version}
 
 Name:    sqlite
-Version: 3.34.0
-Release: 1
+Version: 3.37.2
+Release: 7
 Summary: Embeded SQL database
 License: Public Domain
 URL:     http://www.sqlite.org/
 
-Source0: https://www.sqlite.org/2020/sqlite-src-%{extver}.zip
-Source1: http://www.sqlite.org/2020/sqlite-doc-%{extver}.zip
-Source2: https://www.sqlite.org/2020/sqlite-autoconf-%{extver}.tar.gz
+Source0: https://www.sqlite.org/2022/sqlite-src-%{extver}.zip
+Source1: http://www.sqlite.org/2022/sqlite-doc-%{extver}.zip
+Source2: https://www.sqlite.org/2022/sqlite-autoconf-%{extver}.tar.gz
 
 Patch1: 0001-sqlite-no-malloc-usable-size.patch
 Patch2: 0002-remove-fail-testcase-in-no-free-fd-situation.patch
+Patch3: 0003-CVE-2022-35737.patch
+Patch4: 0004-fix-memory-problem-in-the-rtree-test-suite.patch
+Patch5: 0005-fix-integer-overflow-on-gigabyte-string.patch
+Patch6: 0006-CVE-2022-46908.patch
+Patch7: 0007-CVE-2023-36191.patch
+Patch8: 0008-CVE-2023-7104.patch
 
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -61,12 +67,18 @@ This contains man files and HTML files for the using of sqlite.
 %setup -q -a1 -n %{name}-src-%{extver}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
 
-autoconf
-
 %build
+
+autoconf
 export CFLAGS="$RPM_OPT_FLAGS $RPM_LD_FLAGS -DSQLITE_ENABLE_COLUMN_METADATA=1 \
                -DSQLITE_DISABLE_DIRSYNC=1 -DSQLITE_ENABLE_FTS3=3 \
                -DSQLITE_ENABLE_RTREE=1 -DSQLITE_SECURE_DELETE=1 \
@@ -107,6 +119,10 @@ export MALLOC_CHECK_=3
 %else
 rm test/csv01.test
 %endif
+%ifarch loongarch64
+rm -rf test/thread1.test
+rm -rf test/thread2.test
+%endif
 
 make test
 %endif # with check
@@ -131,6 +147,42 @@ make test
 %{_mandir}/man*/*
 
 %changelog
+* Wed Jan 3 2024 mazhao <mazhao12@huawei.com> - 3.37.2-7
+- fix the CVE-2023-7104
+
+* Mon Aug 7 2023 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-6
+- fix the CVE-2023-36191
+
+* Fri Jan 13 2023 Wenlong Zhang<zhangwenlong@loongson.cn> - 3.37.2-5
+- remove fail testcase for loongarch
+
+* Wed Dec 14 2022 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-4
+- fix the CVE-2022-46908
+
+* Wed Sep 14 2022 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-3
+- fix build problem
+
+* Mon Sep 5 2022 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-2
+- fix integer overflow on gigabyte string
+
+* Mon Aug 29 2022 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-1
+- update to 3.37.2
+
+* Tue Aug 16 2022 liusirui <liusirui@huawei.com> - 3.36.0-3
+- fix the CVE-2022-35737.
+
+* Sat Nov 27 2021 wbq_sky <wangbingquan@huawei.com> - 3.36.0-2
+- fix the CVE-2021-36690.
+
+* Fri Nov 25 2021 wbq_sky <wangbingquan@huawei.com> - 3.36.0-1
+- update to 3.36.0.
+
+* Fri Sep 3 2021 wbq_sky <wangbingquan@huawei.com> - 3.34.0-3
+- fix the null reference in the tigger statement.
+
+* Fri Sep 3 2021 wbq_sky <wangbingquan@huawei.com> - 3.34.0-2
+- fix the infinite loop problem in the trim function while the pattern is well formed.
+
 * Thu Jan 14 2021 yanglongkang <yanglongkang@huawei.com> - 3.34.0-1
 - update package to 3.34.0