From: drh <>
Date: Thu, 19 Dec 2024 12:08:39 +0000 (+0000)
Subject: Fix additional integer overflow problems in the substr() function.
X-Git-Tag: major-relase~59
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2dcd4fad6b1a4cfbaa0c1e106b840d15caf574dd;p=thirdparty%2Fsqlite.git

Fix additional integer overflow problems in the substr() function.

FossilOrigin-Name: 472abb492f1d1553ae6bdf53cc64bebfe75423526335beab7eaff26cc495cd7d
---

diff --git a/manifest b/manifest
index 266012a6f8..890f176556 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@ -C Fix\spossible\sinteger\soveflow\sin\sthe\ssecond\sand\sthird\sargument\sto\ssubstr(). -D 2024-12-18T20:29:29.783 +C Fix\sadditional\sinteger\soverflow\sproblems\sin\sthe\ssubstr()\sfunction. +D 2024-12-19T12:08:39.381 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md e108e1e69ae8e8a59e93c455654b8ac9356a11720d3345df2a4743e9590fb20d
@@ -730,7 +730,7 @@ F src/delete.c 03a77ba20e54f0f42ebd8eddf15411ed6bdb06a2c472ac4b6b336521bf7cea42 F src/expr.c 3329173aacc6c37da3971b6253827799b32e301673be00126df8271bf018e15f F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007 F src/fkey.c 928ed2517e8732113d2b9821aa37af639688d752f4ea9ac6e0e393d713eeb76f -F src/func.c 92f1c5a5116fd96e009f1a6ae59c15ee571985f75cbcddab0ba10f84035a2805 +F src/func.c 3772ea69ace31835841629f893d86c9316a6facbc489f8113c7a205ec373de29 F src/global.c a19e4b1ca1335f560e9560e590fc13081e21f670643367f99cb9e8f9dc7d615b F src/hash.c 9ee4269fb1d6632a6fecfb9479c93a1f29271bddbbaf215dd60420bcb80c7220 F src/hash.h 3340ab6e1d13e725571d7cee6d3e3135f0779a7d8e76a9ce0a85971fa3953c51
@@ -1258,7 +1258,7 @@ F test/fts4umlaut.test fcaca4471de7e78c9d1f7e8976e3e8704d7d8ad979d57a739d00f3f75 F test/fts4unicode.test 82a9c16b68ba2f358a856226bb2ee02f81583797bc4744061c54401bf1a0f4c9 F test/fts4upfrom.test f25835162c989dffd5e2ef91ec24c4848cc9973093e2d492d1c7b32afac1b49d F test/full.test 6b3c8fb43c6beab6b95438c1675374b95fab245d -F test/func.test 59ae5fbfc2d5d565e3475824b25df2acc6f1b728d1a8d8e3e719ce64c494f69d +F test/func.test 15f686741608294340bbea9f35f751074b4cf7df3797724dda40a9f4905ddbe1 F test/func2.test 69f6ae3751b4ec765bdc3b803c0a255aa0f693f28f44805bef03e6b4a3fd242f F test/func3.test 600a632c305a88f3946d38f9a51efe145c989b2e13bd2b2a488db47fe76bab6a F test/func4.test a02e695f62beb31cb092dccf6873ff97543407fff97a5f3ec4da70b5b337bc84
@@ -2202,8 +2202,8 @@ F tool/version-info.c 3b36468a90faf1bbd59c65fd0eb66522d9f941eedd364fabccd7227350 F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee87c1b31a7 F tool/warnings.sh 49a486c5069de041aedcbde4de178293e0463ae9918ecad7539eedf0ec77a139 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f -P a9759fc78d6cb0df7c81f20c2c5c358729e571ebee50ee2b1441a15239d0b4b6 -R 0e55189459a80d645412fd9406897915 +P b04b4006f38f83d36eaf43c4bace7d53866b02b45e0ddcf1704266fed3bfc11c +R 345d60c42f9cb58fb08744de2e2cd750 U drh -Z ddc339cbca9c68ef9d9f1e1df3d93e64 +Z 5a2ba1d4ac587b2805dae851878da0c3 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 3e1bf40a1b..50afdd985d 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@ -b04b4006f38f83d36eaf43c4bace7d53866b02b45e0ddcf1704266fed3bfc11c +472abb492f1d1553ae6bdf53cc64bebfe75423526335beab7eaff26cc495cd7d
diff --git a/src/func.c b/src/func.c
index e4c628047d..2fe50f0155 100644
--- a/src/func.c
+++ b/src/func.c
@@ -427,9 +427,11 @@ static void substrFunc(
 sqlite3_result_text64(context, (char*)z, z2-z, SQLITE_TRANSIENT,
 SQLITE_UTF8);
 }else{
- if( p1+p2>len ){
+ if( p1>=len ){
+ p1 = p2 = 0;
+ }else if( p2>len-p1 ){
 p2 = len-p1;
- if( p2<0 ) p2 = 0;
+ assert( p2>0 );
 }
 sqlite3_result_blob64(context, (char*)&z[p1], (u64)p2, SQLITE_TRANSIENT);
 }
diff --git a/test/func.test b/test/func.test
index 2b25c94340..85c9ada7eb 100644
--- a/test/func.test
+++ b/test/func.test
@@ -123,6 +123,9 @@ do_test func-2.11 {
 do_test func-2.12 {
 execsql {SELECT substr('abcdefg',1,0x100000002)}
 } {abcdefg}
+do_test func-2.13 {
+ execsql {SELECT quote(substr(x'313233343536373839',0x7ffffffffffffffe,5))}
+} {X''}

 # Only do the following tests if TCL has UTF-8 capabilities
 #
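Review bot: The new blob-branch bounds logic starting at `if( p1>=len ){` is only safe if `p1` and `p2` are already non-negative, and nothing in the hunk states or checks that; a negative `p1` would fail `p1>=len` and still reach `&z[p1]`. Presumably the argument normalization earlier in substrFunc guarantees it (the function starts and ends outside the hunk), so the suggestion is documentation: add `/* p1>=0 and p2>=0 here. Test p2>len-p1 rather than p1+p2>len, because the sum can overflow for large arguments. */` above the `if`, so the comparison is not later "simplified" back into the overflowing form. Note that `assert( p2>0 )` only documents the invariant if assert() is compiled out in release builds; the clamp `p2 = len-p1` is what keeps the length passed to `sqlite3_result_blob64()` in range.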
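Review bot: func-2.13 exercises only the `p1>=len` arm of the new blob logic; the `else if( p2>len-p1 )` arm, with an in-range start and an oversized length, is not covered for blobs (func-2.12 has that shape for a text argument only). A companion case such as `execsql {SELECT quote(substr(x'313233343536373839',3,0x7ffffffffffffffe))}`, which by substr()'s 1-based semantics should yield `{X'33343536373839'}`, would pin the length clamp as well.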