Defend against integer overflow on oversized string inputs to

sqlite3_mprintf() and similar C-language interfaces when using
the "%!.*s" conversion.  The problem is not reachable from SQL
due to string length restrictions in SQL. C-code is required.
[bugs:/info/2026-06-24T11:57:36Z|Bug 2026-06-24T11:57:36Z].

FossilOrigin-Name: 15a6482300bb2804fbfad1f07d6d74da6c0cb5953d44b74bc61c17d29e29821c

diff --git a/manifest b/manifest
index d4e8fab430bbd20b9a9dc2454793c522d1673287..a8c27c58c8a7773567ce7f4211503741938f8315 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Back\sout\s[23936786e6]\sbecause\s[9725b513c0]\sobviates\sit.
-D 2026-06-24T12:23:29.940
+C Defend\sagainst\sinteger\soverflow\son\s\soversized\sstring\sinputs\sto\nsqlite3_mprintf()\sand\ssimilar\sC-language\sinterfaces\swhen\susing\nthe\s"%!.*s"\sconversion.\s\sThe\sproblem\sis\snot\sreachable\sfrom\sSQL\ndue\sto\sstring\slength\srestrictions\sin\sSQL.\sC-code\sis\srequired.\n[bugs:/info/2026-06-24T11:57:36Z|Bug\s2026-06-24T11:57:36Z].
+D 2026-06-24T12:40:26.285
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -733,7 +733,7 @@ F src/pcache.h 092b758d2c5e4dabb30eae46d8dfad77c0f70b16bf3ff1943f7a232b0fe0d4ba
 F src/pcache1.c d7ee0f95992501a65379f620b3de1430b64e52e397769938668a9fd9dd1c8145
 F src/pragma.c 789ef67117b74b5be0a2db6681f7f0c55e6913791b9da309aefd280de2c8a74d
 F src/prepare.c b1337cd601f8cb58c07a61bafdf2e501332dd1a07959c5d1c118a5adef01f4c7
-F src/printf.c 6916d50913c3271aefe96d3483701ceca8644331ec4c7b23a5aa54a9ba36230f
+F src/printf.c 9e252514a044fc845820438688816d7a047bfd10890ad09a763f3879cab4f0d9
 F src/random.c 606b00941a1d7dd09c381d3279a058d771f406c5213c9932bbd93d5587be4b9c
 F src/resolve.c d0724113da9f5c0430d2052808ce59519f51ae7c4fbb1f5ef21fe3a832956086
 F src/rowset.c 8432130e6c344b3401a8874c3cb49fefe6873fec593294de077afea2dce5ec97
@@ -2208,9 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 7af7c501b60358cf84e843eb147e6edf9a5aaca30b1c570abe63ca68b54e3ec2
-Q -23936786e680131af644510eb50b7ad20ee39221d1fb29732dea76483aed2273
-R daf719e9a49a465f86650e8c31185dc9
-U stephan
-Z 6ec60b335a09043c3fbaa63db7c3bfc0
+P ef5e415303aeeaad65987871302380e96704316daf89ab5e96330798e4cbe1ce
+R adc65683d6d6244acd09ff55a719db9c
+U drh
+Z e40b4ff061815f5bc5162c2cb5a88938
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 7c30185d0486a67427b0c981e250025df0157dc0..5654d6cfe5a82319d702c7f8c0feb1ad62d4020c 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-ef5e415303aeeaad65987871302380e96704316daf89ab5e96330798e4cbe1ce
+15a6482300bb2804fbfad1f07d6d74da6c0cb5953d44b74bc61c17d29e29821c

diff --git a/src/printf.c b/src/printf.c
index 38c8979db123fe0b3ba8003871cd3afc30a16622..01d20874f35a1f6c1051e603907cc4ac8722a888 100644 (file)
--- a/src/printf.c
+++ b/src/printf.c
@@ -858,7 +858,7 @@ void sqlite3_str_vappendf(
             while( precision-- > 0 && z[0] ){
               SQLITE_SKIP_UTF8(z);
             }
-            length = (int)(z - (unsigned char*)bufpt);
+            length = (int)MIN((z - (unsigned char*)bufpt),0x7ffffff0);
           }else{
             for(length=0; length<precision && bufpt[length]; length++){}
           }