Fix a possible buffer overwrite in the ".import" command. [forum:/forumpost/0c447f0548|forum post 0c447f0548].

FossilOrigin-Name: 0fd958fa9b56a8ef254127e29800ca2a267590e86edf739bd339239b25a5da6e
This commit is contained in:
dan 2024-05-27 11:35:05 +00:00
parent ee8f926027
commit 09f87094bd
4 changed files with 30 additions and 13 deletions

View File

@ -1,5 +1,5 @@
C Add\snew\sassert()\sstatements\sto\shelp\sout\sa\sstatic\sanalyzer.\s\sResponse\sto\n[forum:/forumpost/17fe8ac32e0de4f5|forum\spost\s17fe8ac32e0de4f5].
D 2024-05-27T11:31:02.983
C Fix\sa\spossible\sbuffer\soverwrite\sin\sthe\s".import"\scommand.\s[forum:/forumpost/0c447f0548|forum\spost\s0c447f0548].
D 2024-05-27T11:35:05.208
F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@ -756,7 +756,7 @@ F src/random.c 606b00941a1d7dd09c381d3279a058d771f406c5213c9932bbd93d5587be4b9c
F src/resolve.c 22f1fa3423b377c02ae78d451cfeb1c2d96dcf0389c0642cbdcd19d3bfd7ae01
F src/rowset.c 8432130e6c344b3401a8874c3cb49fefe6873fec593294de077afea2dce5ec97
F src/select.c cbdaf9cb2d9a697ee9ce1484f27d2e96762d33cc19259aedfb818a68b9d3be10
F src/shell.c.in 31249f26684467e95e529915bf486961c535ae8288ed7e79890cc9ed3d781d8f
F src/shell.c.in cba809572972ff736aa6c3423ffb87015c740864206d97e168bb77316129015f
F src/sqlite.h.in c71d9ef76a6d32dc7ff2d373f2e57ce09056af26c1457bcadae5358b7628c7c3
F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
F src/sqlite3ext.h 3f046c04ea3595d6bfda99b781926b17e672fd6d27da2ba6d8d8fc39981dcb54
@ -1615,7 +1615,7 @@ F test/shell1.test 17a5ca9c6f24f807b2f505b4b38fcbce143d96cd8664c06c34bbbe0672bf7
F test/shell2.test 56da24128304c9ab67da2964cc80beff7b35761c446ec6e6e98bff2775b15026
F test/shell3.test 5ad4b2813717956414f2c0c8a2027895cd98ccf7dd54dbacbde4d4f5591ce5a1
F test/shell4.test 522fdc628c55eff697b061504fb0a9e4e6dfc5d9087a633ab0f3dd11bcc4f807
F test/shell5.test 5b2ab1c0540217773f939927c24163a56257446da3f564d4724042620bfea762
F test/shell5.test 6a49440bddc33a132f856fb189e71228f8132963655d12a2c8b8a161263b9632
F test/shell6.test e3b883b61d4916b6906678a35f9d19054861123ad91b856461e0a456273bdbb8
F test/shell7.test 753c6ece5361df50025a50cadf378ea36db9cc05fb23d7a96cff7fa130626ef9
F test/shell8.test aea51ecbcd4494c746b096aeff51d841d04d5f0dc4b62eb42427f16109b87acd
@ -2193,8 +2193,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
P 57aeb3a287fc190bf8d438a7b03d6715c05fd3fd71559c6a14d7bd910d37b38d
R 7cbf595b1ca4596681b998a2f0ff06f6
U drh
Z 965bcfdda628566a6226377c41ce768a
P 857f6d530949221d154b5120ecc2aa906418bec6f69d1c13197a432ba3cad8eb
R 208aed0e15e5a9e1542642ed290f707d
U dan
Z dedd3aceb57544d244ea5c9933280761
# Remove this line to create a well-formed Fossil manifest.

View File

@ -1 +1 @@
857f6d530949221d154b5120ecc2aa906418bec6f69d1c13197a432ba3cad8eb
0fd958fa9b56a8ef254127e29800ca2a267590e86edf739bd339239b25a5da6e

View File

@ -8978,7 +8978,6 @@ static int do_meta_command(char *zLine, ShellState *p){
import_cleanup(&sCtx);
shell_out_of_memory();
}
nByte = strlen(zSql);
rc = sqlite3_prepare_v2(p->db, zSql, -1, &pStmt, 0);
sqlite3_free(zSql);
zSql = 0;
@ -8997,16 +8996,21 @@ static int do_meta_command(char *zLine, ShellState *p){
sqlite3_finalize(pStmt);
pStmt = 0;
if( nCol==0 ) return 0; /* no columns, no error */
zSql = sqlite3_malloc64( nByte*2 + 20 + nCol*2 );
nByte = 64 /* space for "INSERT INTO", "VALUES(", ")\0" */
+ (zSchema ? strlen(zSchema)*2 + 2: 0) /* Quoted schema name */
+ strlen(zTable)*2 + 2 /* Quoted table name */
+ nCol*2; /* Space for ",?" for each column */
zSql = sqlite3_malloc64( nByte );
if( zSql==0 ){
import_cleanup(&sCtx);
shell_out_of_memory();
}
if( zSchema ){
sqlite3_snprintf(nByte+20, zSql, "INSERT INTO \"%w\".\"%w\" VALUES(?",
sqlite3_snprintf(nByte, zSql, "INSERT INTO \"%w\".\"%w\" VALUES(?",
zSchema, zTable);
}else{
sqlite3_snprintf(nByte+20, zSql, "INSERT INTO \"%w\" VALUES(?", zTable);
sqlite3_snprintf(nByte, zSql, "INSERT INTO \"%w\" VALUES(?", zTable);
}
j = strlen30(zSql);
for(i=1; i<nCol; i++){
@ -9015,6 +9019,7 @@ static int do_meta_command(char *zLine, ShellState *p){
}
zSql[j++] = ')';
zSql[j] = 0;
assert( j<nByte );
if( eVerbose>=2 ){
oputf("Insert using: %s\n", zSql);
}

View File

@ -585,4 +585,16 @@ do_test shell5-7.1 {
SELECT * FROM t1;}
} {0 aaa|bbb|aaabbb}
#-------------------------------------------------------------------------
do_test shell5-8.1 {
set out [open shell5.csv w]
fconfigure $out -translation lf
puts $out x
close $out
catchcmd :memory: {.import --csv shell5.csv '""""""""""""""""""""""""""""""""""""""""""""""'}
} {0 {}}
finish_test