Fix a potential buffer overrun in sqlite3_mprintf() when a non-terminated
authordrh <drh@noemail.net>
Tue, 29 Apr 2008 15:22:27 +0000 (15:22 +0000)
committerdrh <drh@noemail.net>
Tue, 29 Apr 2008 15:22:27 +0000 (15:22 +0000)
string is passed to a "%s" format with a precision specifying the number
of bytes to copy. (CVS 5067)

FossilOrigin-Name: 1f5b18419bb4e2552ac26593381e2eb866bb67fd

manifest
manifest.uuid
src/printf.c

index 264571c06ee45638d3f89803d1820929fb092d46..4a3d2e105dc025d51fda435626b49fa2680bb739 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Always\sconvert\sIEEE\sNaN\sinto\sNULL.\s\sTicket\s#3060.\s\sAdd\stest\scases\sto\sverify\nthat\sthis\sis\shappening.\s(CVS\s5066)
-D 2008-04-29T00:15:21
+C Fix\sa\spotential\sbuffer\soverrun\sin\ssqlite3_mprintf()\swhen\sa\snon-terminated\nstring\sis\spassed\sto\sa\s"%s"\sformat\swith\sa\sprecision\sspecifying\sthe\snumber\nof\sbytes\sto\scopy.\s(CVS\s5067)
+D 2008-04-29T15:22:27
 F Makefile.arm-wince-mingw32ce-gcc ac5f7b2cef0cd850d6f755ba6ee4ab961b1fadf7
 F Makefile.in 25b3282a4ac39388632c2fb0e044ff494d490952
 F Makefile.linux-gcc d53183f4aa6a9192d249731c90dbdffbd2c68654
@@ -127,7 +127,7 @@ F src/pager.h 45ec2188593afd48a25c743529646771d75e83e4
 F src/parse.y fc4bd35c6088901f7c8daead26c6fb11c87d22e7
 F src/pragma.c 2e4bb2e76e48a32750529fdc4bfe86ac5f54e01b
 F src/prepare.c adc7e1fc08dfbab63cd213d4c0aff8f3fa70d477
-F src/printf.c 2d9bac813d1319babf3c6e925cf7ec5be1281c94
+F src/printf.c 77c192ccc81117d68b21b449cd33396357aa266d
 F src/random.c 2b2db2de4ab491f5a14d3480466f8f4b5a5db74a
 F src/select.c b02ee16591f0194739e7deb12099d3e98e60b7f3
 F src/server.c 087b92a39d883e3fa113cae259d64e4c7438bc96
@@ -633,7 +633,7 @@ F www/tclsqlite.tcl 8be95ee6dba05eabcd27a9d91331c803f2ce2130
 F www/vdbe.tcl 87a31ace769f20d3627a64fa1fade7fed47b90d0
 F www/version3.tcl 890248cf7b70e60c383b0e84d77d5132b3ead42b
 F www/whentouse.tcl fc46eae081251c3c181bd79c5faef8195d7991a5
-P e6f71abb22fb74e5910d817caec98fa44070fc5f
-R e524df0bf8a8555789b9eeb5782f38f2
+P 9b07e59e510e2de39c2081653662fbc654ca6fbb
+R 5793178ea6130e42720ac3eacd25bef7
 U drh
-Z e4a613f256396e3f19a950003ad91fee
+Z 662aa440bf0ad4382085d54e6e7f7798
index 301fe26ff7139039c02c1f53d79774fcf24b3e0f..0e0f173baef8b405030ad85c9c720632816775e5 100644 (file)
@@ -1 +1 @@
-9b07e59e510e2de39c2081653662fbc654ca6fbb
\ No newline at end of file
+1f5b18419bb4e2552ac26593381e2eb866bb67fd
\ No newline at end of file
index eb90de4d925161b936325c12851eed31f8ebb48c..cfd30070019f589737ba3566f2102c09f9749eb9 100644 (file)
@@ -627,8 +627,11 @@ static void vxprintf(
         }else if( xtype==etDYNSTRING ){
           zExtra = bufpt;
         }
-        length = strlen(bufpt);
-        if( precision>=0 && precision<length ) length = precision;
+        if( precision>=0 ){
+          for(length=0; length<precision && bufpt[length]; length++){}
+        }else{
+          length = strlen(bufpt);
+        }
         break;
       case etSQLESCAPE:
       case etSQLESCAPE2:
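Review bot: The added `for(length=0; length<precision && bufpt[length]; length++){}` line has no comment saying why strlen() is skipped when a precision is given, so a later cleanup could fold the two branches back together and reintroduce the over-read. I would put `/* A precision bounds the read: bufpt may lack a NUL terminator, so strlen() is unsafe here. */` above the `if( precision>=0 ){` line. The commit's file list shows only manifest, manifest.uuid and src/printf.c, so no regression test accompanies the fix; a case that passes a buffer without a terminator to a "%.*s" format would pin the behaviour. The etSQLESCAPE and etSQLESCAPE2 cases begin on the last lines of the hunk and their bodies are not visible, so it is worth confirming that their scan of the argument is also bounded by precision. vxprintf starts and ends outside the hunk.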