diff --git a/patch/0007-BugFix-CurrVersion.patch b/patch/0007-BugFix-CurrVersion.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bbd61dce4ab48f291938852e3107abac9f5caf9c
--- /dev/null
+++ b/patch/0007-BugFix-CurrVersion.patch
@@ -0,0 +1,72 @@
+From 5dd4cd181892660bbf665994c42d2fd18e8846a5 Mon Sep 17 00:00:00 2001
+From: linzhuobin1
+Date: Sat, 1 Mar 2025 16:29:16 +0800
+Subject: [PATCH] IssueNo:#IBPWV3 Description: fix a potential uaf in fts3.
+ Sig: SIG_DataManagement Feature or Bugfix:Bugfix Binary Source:No/Yes
+ TDD:Pass XTS:Pass Pretest:Pass
+
+Signed-off-by: linzhuobin1
+---
+ src/sqlite3.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/src/sqlite3.c b/src/sqlite3.c
+index 7e9dcbf..2084441 100644
+--- a/src/sqlite3.c
++++ b/src/sqlite3.c
+@@ -205751,6 +205751,39 @@ static int fts3ExprTermOffsetInit(Fts3Expr *pExpr, int iPhrase, void *ctx){
+ return rc;
+ }
+
++/*
++** Expression node pExpr is an MSR phrase. This function restarts pExpr
++** so that it is a regular phrase query, not an MSR. SQLITE_OK is returned
++** if successful, or an SQLite error code otherwise.
++*/
++int sqlite3Fts3MsrCancel(Fts3Cursor *pCsr, Fts3Expr *pExpr){
++ int rc = SQLITE_OK;
++ if( pExpr->bEof==0 ){
++ i64 iDocid = pExpr->iDocid;
++ fts3EvalRestart(pCsr, pExpr, &rc);
++ while( rc==SQLITE_OK && pExpr->iDocid!=iDocid ){
++ fts3EvalNextRow(pCsr, pExpr, &rc);
++ if( pExpr->bEof ) rc = FTS_CORRUPT_VTAB;
++ }
++ }
++ return rc;
++}
++
++/*
++** If expression pExpr is a phrase expression that uses an MSR query,
++** restart it as a regular, non-incremental query. Return SQLITE_OK
++** if successful, or an SQLite error code otherwise.
++*/
++static int fts3ExprRestartIfCb(Fts3Expr *pExpr, int iPhrase, void *ctx){
++ TermOffsetCtx *p = (TermOffsetCtx*)ctx;
++ int rc = SQLITE_OK;
++ if( pExpr->pPhrase && pExpr->pPhrase->bIncr ){
++ rc = sqlite3Fts3MsrCancel(p->pCsr, pExpr);
++ pExpr->pPhrase->bIncr = 0;
++ }
++ return rc;
++}
++
+ /*
+ ** Implementation of offsets() function.
+ */
+@@ -205787,6 +205820,12 @@ SQLITE_PRIVATE void sqlite3Fts3Offsets(
+ sCtx.iDocid = pCsr->iPrevId;
+ sCtx.pCsr = pCsr;
+
++ /* If a query restart will be required, do it here, rather than later of
++ ** after pointers to poslist buffers that may be invalidated by a restart
++ ** have been saved. */
++ rc = sqlite3Fts3ExprIterate(pCsr->pExpr, fts3ExprRestartIfCb, (void*)&sCtx);
++ if( rc!=SQLITE_OK ) goto offsets_out;
++
+ /* Loop through the table columns, appending offset information to
+ ** string-buffer res for each column.
+ */
+--
+2.46.0.windows.1
+
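Review bot: `sqlite3Fts3MsrCancel` is defined with plain `int` linkage in the first inner hunk, while the amalgamation marks internal functions `SQLITE_PRIVATE` (visible on the second hunk's `SQLITE_PRIVATE void sqlite3Fts3Offsets(` header) and the sibling callback `fts3ExprRestartIfCb` is `static`, so this backport exports a new non-API symbol from the shared library; change the definition to `SQLITE_PRIVATE int sqlite3Fts3MsrCancel(Fts3Cursor *pCsr, Fts3Expr *pExpr){`. `fts3ExprRestartIfCb` also leaves `iPhrase` unused without the `UNUSED_PARAMETER(iPhrase);` that `fts3ExprTermOffsetInit` directly above it uses, so it will warn where -Wunused-parameter is enabled. The second inner hunk assumes `rc` and the `offsets_out` label already exist in `sqlite3Fts3Offsets`, which starts and ends outside the hunk, so confirm both are present at that point in this tree. The new comment there reads `rather than later of after pointers`, which should be `rather than later, after pointers`.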