Fix a possible buffer overwrite in the ".import" command. [forum:/forumpost/0c447f054...

FossilOrigin-Name: 0fd958fa9b56a8ef254127e29800ca2a267590e86edf739bd339239b25a5da6e

diff --git a/manifest b/manifest
index 056cbd8b8da17d238a3be22893c062c42ab4bd25..309839cbc348086e8e92f54b3eb4db2ce23ac73f 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\snew\sassert()\sstatements\sto\shelp\sout\sa\sstatic\sanalyzer.\s\sResponse\sto\n[forum:/forumpost/17fe8ac32e0de4f5|forum\spost\s17fe8ac32e0de4f5].
-D 2024-05-27T11:31:02.983
+C Fix\sa\spossible\sbuffer\soverwrite\sin\sthe\s".import"\scommand.\s[forum:/forumpost/0c447f0548|forum\spost\s0c447f0548].
+D 2024-05-27T11:35:05.208
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -756,7 +756,7 @@ F src/random.c 606b00941a1d7dd09c381d3279a058d771f406c5213c9932bbd93d5587be4b9c
 F src/resolve.c 22f1fa3423b377c02ae78d451cfeb1c2d96dcf0389c0642cbdcd19d3bfd7ae01
 F src/rowset.c 8432130e6c344b3401a8874c3cb49fefe6873fec593294de077afea2dce5ec97
 F src/select.c cbdaf9cb2d9a697ee9ce1484f27d2e96762d33cc19259aedfb818a68b9d3be10
-F src/shell.c.in 31249f26684467e95e529915bf486961c535ae8288ed7e79890cc9ed3d781d8f
+F src/shell.c.in cba809572972ff736aa6c3423ffb87015c740864206d97e168bb77316129015f
 F src/sqlite.h.in c71d9ef76a6d32dc7ff2d373f2e57ce09056af26c1457bcadae5358b7628c7c3
 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
 F src/sqlite3ext.h 3f046c04ea3595d6bfda99b781926b17e672fd6d27da2ba6d8d8fc39981dcb54
@@ -1615,7 +1615,7 @@ F test/shell1.test 17a5ca9c6f24f807b2f505b4b38fcbce143d96cd8664c06c34bbbe0672bf7
 F test/shell2.test 56da24128304c9ab67da2964cc80beff7b35761c446ec6e6e98bff2775b15026
 F test/shell3.test 5ad4b2813717956414f2c0c8a2027895cd98ccf7dd54dbacbde4d4f5591ce5a1
 F test/shell4.test 522fdc628c55eff697b061504fb0a9e4e6dfc5d9087a633ab0f3dd11bcc4f807
-F test/shell5.test 5b2ab1c0540217773f939927c24163a56257446da3f564d4724042620bfea762
+F test/shell5.test 6a49440bddc33a132f856fb189e71228f8132963655d12a2c8b8a161263b9632
 F test/shell6.test e3b883b61d4916b6906678a35f9d19054861123ad91b856461e0a456273bdbb8
 F test/shell7.test 753c6ece5361df50025a50cadf378ea36db9cc05fb23d7a96cff7fa130626ef9
 F test/shell8.test aea51ecbcd4494c746b096aeff51d841d04d5f0dc4b62eb42427f16109b87acd
@@ -2193,8 +2193,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 57aeb3a287fc190bf8d438a7b03d6715c05fd3fd71559c6a14d7bd910d37b38d
-R 7cbf595b1ca4596681b998a2f0ff06f6
-U drh
-Z 965bcfdda628566a6226377c41ce768a
+P 857f6d530949221d154b5120ecc2aa906418bec6f69d1c13197a432ba3cad8eb
+R 208aed0e15e5a9e1542642ed290f707d
+U dan
+Z dedd3aceb57544d244ea5c9933280761
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 2cd71fe929bd53e3e9aeabbd1e6995175616b7ca..a2019d0631f50e022ad58dab2e8bd6013c7d3a9d 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-857f6d530949221d154b5120ecc2aa906418bec6f69d1c13197a432ba3cad8eb
\ No newline at end of file
+0fd958fa9b56a8ef254127e29800ca2a267590e86edf739bd339239b25a5da6e
\ No newline at end of file

diff --git a/src/shell.c.in b/src/shell.c.in
index 2da78c3f25d1f080035cae390bd660ed1016177a..b895fb0501ef5d8fefdd6dc36eb60bd89731e81b 100644 (file)
--- a/src/shell.c.in
+++ b/src/shell.c.in
@@ -8978,7 +8978,6 @@ static int do_meta_command(char *zLine, ShellState *p){
       import_cleanup(&sCtx);
       shell_out_of_memory();
     }
-    nByte = strlen(zSql);    
     rc =  sqlite3_prepare_v2(p->db, zSql, -1, &pStmt, 0);
     sqlite3_free(zSql);
     zSql = 0;
@@ -8997,16 +8996,21 @@ static int do_meta_command(char *zLine, ShellState *p){
     sqlite3_finalize(pStmt);
     pStmt = 0;
     if( nCol==0 ) return 0; /* no columns, no error */
-    zSql = sqlite3_malloc64( nByte*2 + 20 + nCol*2 );
+
+    nByte = 64                 /* space for "INSERT INTO", "VALUES(", ")\0" */
+          + (zSchema ? strlen(zSchema)*2 + 2: 0)  /* Quoted schema name */
+          + strlen(zTable)*2 + 2                  /* Quoted table name */
+          + nCol*2;            /* Space for ",?" for each column */
+    zSql = sqlite3_malloc64( nByte );
     if( zSql==0 ){
       import_cleanup(&sCtx);
       shell_out_of_memory();
     }
     if( zSchema ){
-      sqlite3_snprintf(nByte+20, zSql, "INSERT INTO \"%w\".\"%w\" VALUES(?", 
+      sqlite3_snprintf(nByte, zSql, "INSERT INTO \"%w\".\"%w\" VALUES(?", 
                        zSchema, zTable);
     }else{
-      sqlite3_snprintf(nByte+20, zSql, "INSERT INTO \"%w\" VALUES(?", zTable);
+      sqlite3_snprintf(nByte, zSql, "INSERT INTO \"%w\" VALUES(?", zTable);
     }
     j = strlen30(zSql);
     for(i=1; i<nCol; i++){
@@ -9015,6 +9019,7 @@ static int do_meta_command(char *zLine, ShellState *p){
     }
     zSql[j++] = ')';
     zSql[j] = 0;
+    assert( j<nByte );
     if( eVerbose>=2 ){
       oputf("Insert using: %s\n", zSql);
     }

diff --git a/test/shell5.test b/test/shell5.test
index 877676d7263176adceb78f6fb373c6e11bcb5d67..8727edaafba3626f2ac3f156932273b7410826e0 100644 (file)
--- a/test/shell5.test
+++ b/test/shell5.test
@@ -585,4 +585,16 @@ do_test shell5-7.1 {
 SELECT * FROM t1;}
 } {0 aaa|bbb|aaabbb}
 
+#-------------------------------------------------------------------------
+
+do_test shell5-8.1 {
+
+  set out [open shell5.csv w]
+  fconfigure $out -translation lf
+  puts $out x
+  close $out
+
+  catchcmd :memory: {.import --csv shell5.csv '""""""""""""""""""""""""""""""""""""""""""""""'}
+} {0 {}}
+
 finish_test