mirror of
https://git.yoctoproject.org/poky
synced 2026-02-27 03:49:41 +01:00
74d50ba1bd
CVE: CVE-2020-13434 Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13434 (From OE-Core rev: 0338c2eb099532eb3b9a9de038f6b1a757348513) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
49 lines
1.5 KiB
Diff
49 lines
1.5 KiB
Diff
From dd6c33d372f3b83f4fe57904c2bd5ebba5c38018 Mon Sep 17 00:00:00 2001
|
|
From: drh <drh@noemail.net>
|
|
Date: Sat, 23 May 2020 19:58:07 +0000
|
|
Subject: [PATCH] Limit the "precision" of floating-point to text conversions
|
|
in the printf() function to 100,000,000. Fix for ticket [23439ea582241138].
|
|
|
|
FossilOrigin-Name: d08d3405878d394e08e5d3af281246edfbd81ca74cc8d16458808591512fb93d
|
|
|
|
Upstream-Status: Backport
|
|
CVE: CVE-2020-13434
|
|
|
|
Reference to upstream patch:
|
|
https://github.com/sqlite/sqlite/commit/dd6c33d372f3b83f4fe57904c2bd5ebba5c38018
|
|
|
|
Patch converted to amalgamation format
|
|
|
|
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
---
|
|
diff --git a/sqlite3.c b/sqlite3.c
|
|
index 55dc686..5ff2c14 100644
|
|
--- a/sqlite3.c
|
|
+++ b/sqlite3.c
|
|
@@ -28147,6 +28147,13 @@ static char *printfTempBuf(sqlite3_str *pAccum, sqlite3_int64 n){
|
|
#endif
|
|
#define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */
|
|
|
|
+/*
|
|
+** Hard limit on the precision of floating-point conversions.
|
|
+*/
|
|
+#ifndef SQLITE_PRINTF_PRECISION_LIMIT
|
|
+# define SQLITE_FP_PRECISION_LIMIT 100000000
|
|
+#endif
|
|
+
|
|
/*
|
|
** Render a string given by "fmt" into the StrAccum object.
|
|
*/
|
|
@@ -28468,6 +28475,11 @@ SQLITE_API void sqlite3_str_vappendf(
|
|
length = 0;
|
|
#else
|
|
if( precision<0 ) precision = 6; /* Set default precision */
|
|
+#ifdef SQLITE_FP_PRECISION_LIMIT
|
|
+ if( precision>SQLITE_FP_PRECISION_LIMIT ){
|
|
+ precision = SQLITE_FP_PRECISION_LIMIT;
|
|
+ }
|
|
+#endif
|
|
if( realvalue<0.0 ){
|
|
realvalue = -realvalue;
|
|
prefix = '-';
|