poky/meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch

CVE: CVE-2019-19923
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@intel.com>

From b64463719dc53bde98b0ce3930b10a32560c3a02 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Wed, 18 Dec 2019 20:51:58 +0000
Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of
 check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
 query is DISTINCT.  Without this fix, if an index scan is run on the table
 within the view on the right-hand side of the LEFT JOIN, stale result
 registers might be accessed yielding incorrect results, and/or an
 OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
 NULL-pointer dereference.  This problem was found by the Yongheng and Rui
 fuzzer.

FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
---
 sqlite3.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/sqlite3.c b/sqlite3.c
index d29da07..5bc06c8 100644
--- a/sqlite3.c
+++ b/sqlite3.c
@@ -129216,6 +129216,7 @@ static void substSelect(
 **        (3b) the FROM clause of the subquery may not contain a virtual
 **             table and
 **        (3c) the outer query may not be an aggregate.
+**        (3d) the outer query may not be DISTINCT.
 **
 **   (4)  The subquery can not be DISTINCT.
 **
@@ -129412,8 +129413,11 @@ static int flattenSubquery(
   */
   if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){
     isLeftJoin = 1;
-    if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){
-      /*  (3a)             (3c)     (3b) */
+    if( pSubSrc->nSrc>1                   /* (3a) */
+     || isAgg                             /* (3b) */
+     || IsVirtual(pSubSrc->a[0].pTab)     /* (3c) */
+     || (p->selFlags & SF_Distinct)!=0    /* (3d) */
+    ){
       return 0;
     }
   }
-- 
2.24.1