From: drh <> Date: Mon, 27 May 2024 11:38:03 +0000 (+0000) Subject: Fix a possible buffer overwrite in the ".import" command. X-Git-Tag: version-3.46.1~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2eec675e6e307951d458768de71cf38916830e67;p=thirdparty%2Fsqlite.git Fix a possible buffer overwrite in the ".import" command. FossilOrigin-Name: 55eee9f920e5dfdb88be5bb294707e743fa7ffe679fb0ff1e8f04b3a67ee271e --- diff --git a/manifest b/manifest index 8db2343ec2..ee447759aa 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Ensure\sthat\ssqlite3ViewGetColumnNames()\sreturns\snon-zero\son\sany\serror. -D 2024-05-25T23:17:49.594 +C Fix\sa\spossible\sbuffer\soverwrite\sin\sthe\s".import"\scommand. +D 2024-05-27T11:38:03.090 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 @@ -755,7 +755,7 @@ F src/random.c 606b00941a1d7dd09c381d3279a058d771f406c5213c9932bbd93d5587be4b9c F src/resolve.c 22f1fa3423b377c02ae78d451cfeb1c2d96dcf0389c0642cbdcd19d3bfd7ae01 F src/rowset.c 8432130e6c344b3401a8874c3cb49fefe6873fec593294de077afea2dce5ec97 F src/select.c 1a841c38974d45cf15a7611398479182b61ad4c187423c380741d8b1688fe607 -F src/shell.c.in 885dafabb3f16d68bdb4576683afb0e39a1939f50985b162255bf656c470babf +F src/shell.c.in ebb698028ec031e0b1595865500097d2005f977be0efd14bd8b0ddf634d5ed8d F src/sqlite.h.in c71d9ef76a6d32dc7ff2d373f2e57ce09056af26c1457bcadae5358b7628c7c3 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8 F src/sqlite3ext.h 3f046c04ea3595d6bfda99b781926b17e672fd6d27da2ba6d8d8fc39981dcb54 
@@ -1614,7 +1614,7 @@ F test/shell1.test 17a5ca9c6f24f807b2f505b4b38fcbce143d96cd8664c06c34bbbe0672bf7 F test/shell2.test 56da24128304c9ab67da2964cc80beff7b35761c446ec6e6e98bff2775b15026 F test/shell3.test 5ad4b2813717956414f2c0c8a2027895cd98ccf7dd54dbacbde4d4f5591ce5a1 F test/shell4.test 522fdc628c55eff697b061504fb0a9e4e6dfc5d9087a633ab0f3dd11bcc4f807 -F test/shell5.test 5b2ab1c0540217773f939927c24163a56257446da3f564d4724042620bfea762 +F test/shell5.test 6a49440bddc33a132f856fb189e71228f8132963655d12a2c8b8a161263b9632 F test/shell6.test e3b883b61d4916b6906678a35f9d19054861123ad91b856461e0a456273bdbb8 F test/shell7.test 753c6ece5361df50025a50cadf378ea36db9cc05fb23d7a96cff7fa130626ef9 F test/shell8.test aea51ecbcd4494c746b096aeff51d841d04d5f0dc4b62eb42427f16109b87acd @@ -2191,9 +2191,9 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 170e3a91d53ec28ae25e6b0d15ef3af65438f776097a0b8b538f66c37583eeb5 -Q +57aeb3a287fc190bf8d438a7b03d6715c05fd3fd71559c6a14d7bd910d37b38d -R 68d938d6c76952afa664e25f6697241e +P 01ead0a2d98cab8c58216387d76756419e20b827adba809596a2ad67382b9278 +Q +0fd958fa9b56a8ef254127e29800ca2a267590e86edf739bd339239b25a5da6e +R 697db273532868aed3d3530909b97d35 U drh -Z ebcf7d570338e7449a5960dc5015d2c4 +Z 8b9b061549db0b8a2214bdf7b4c184db # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 26eb1b1620..d485de85c2 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -01ead0a2d98cab8c58216387d76756419e20b827adba809596a2ad67382b9278 \ No newline at end of file +55eee9f920e5dfdb88be5bb294707e743fa7ffe679fb0ff1e8f04b3a67ee271e \ No newline at end of file diff --git a/src/shell.c.in b/src/shell.c.in index 0029682f32..7960acfab9 100644 --- a/src/shell.c.in 
+++ b/src/shell.c.in @@ -8977,7 +8977,6 @@ static int do_meta_command(char *zLine, ShellState *p){ import_cleanup(&sCtx); shell_out_of_memory(); } - nByte = strlen(zSql); rc = sqlite3_prepare_v2(p->db, zSql, -1, &pStmt, 0); sqlite3_free(zSql); zSql = 0; @@ -8996,16 +8995,21 @@ static int do_meta_command(char *zLine, ShellState *p){ sqlite3_finalize(pStmt); pStmt = 0; if( nCol==0 ) return 0; /* no columns, no error */ - zSql = sqlite3_malloc64( nByte*2 + 20 + nCol*2 ); + + nByte = 64 /* space for "INSERT INTO", "VALUES(", ")\0" */ + + (zSchema ? strlen(zSchema)*2 + 2: 0) /* Quoted schema name */ + + strlen(zTable)*2 + 2 /* Quoted table name */ + + nCol*2; /* Space for ",?" for each column */ + zSql = sqlite3_malloc64( nByte ); if( zSql==0 ){ import_cleanup(&sCtx); shell_out_of_memory(); } if( zSchema ){ - sqlite3_snprintf(nByte+20, zSql, "INSERT INTO \"%w\".\"%w\" VALUES(?", + sqlite3_snprintf(nByte, zSql, "INSERT INTO \"%w\".\"%w\" VALUES(?", zSchema, zTable); }else{ - sqlite3_snprintf(nByte+20, zSql, "INSERT INTO \"%w\" VALUES(?", zTable); + sqlite3_snprintf(nByte, zSql, "INSERT INTO \"%w\" VALUES(?", zTable); } j = strlen30(zSql); for(i=1; i=2 ){ oputf("Insert using: %s\n", zSql); } diff --git a/test/shell5.test b/test/shell5.test index 877676d726..8727edaafb 100644 --- a/test/shell5.test +++ b/test/shell5.test @@ -585,4 +585,16 @@ do_test shell5-7.1 { SELECT * FROM t1;} } {0 aaa|bbb|aaabbb} +#------------------------------------------------------------------------- + +do_test shell5-8.1 { + + set out [open shell5.csv w] + fconfigure $out -translation lf + puts $out x + close $out + + catchcmd :memory: {.import --csv shell5.csv '""""""""""""""""""""""""""""""""""""""""""""""'} +} {0 {}} + finish_test
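Review bot: The new `nByte` sum is built from `strlen(zSchema)` and `strlen(zTable)` in `size_t` arithmetic, but the same value is then passed to `sqlite3_snprintf()`, whose size parameter is an `int`. The declaration of `nByte` is outside this hunk; if it is an `int`, the sum is narrowed before `sqlite3_malloc64( nByte )`, so a range check or an explicit cap on the name lengths ahead of the allocation would keep the allocated and formatted sizes in agreement. The doubling factor deserves a why-comment next to the "Quoted table name" line, for example `/* %w doubles each embedded double-quote, so 2*len is the worst case; +2 for the enclosing quotes */`. The literal `64` would be easier to audit as a named constant. The `",?"` loop after `j = strlen30(zSql);` is truncated in this view, so its bound against `nByte` cannot be confirmed from here, and do_meta_command's body starts and ends outside the hunk.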
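Review bot: shell5-8.1 asserts only the `{0 {}}` result, and a heap overwrite of a few bytes need not change the exit status or the output, so this case presumably catches a regression only when the suite runs under a memory checker. A comment above the test such as `# Table name made entirely of double-quotes: worst case for %w expansion in the INSERT buffer; run under a memory-checking build to detect overruns` would record that. The test also covers only the branch without a schema name, so the `zSchema` term of the new size calculation in src/shell.c.in is not exercised; a companion case that sets a schema name would cover it. A follow-up `SELECT` that confirms the imported row, as shell5-7.1 does, would make the test verify behaviour as well as absence of a crash.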