From: drh <> Date: Wed, 24 Jun 2026 13:45:04 +0000 (+0000) Subject: Fix the sqlite3ParseUri() for improved defenses against ridiculously long X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ae4d56c05b1e5ea11440e6b08c8eea1bdd83ad3;p=thirdparty%2Fsqlite.git Fix the sqlite3ParseUri() for improved defenses against ridiculously long URI inputs causing integer overflow problems. [bugs:/info/2026-06-24T11:46:39Z|Bug 2026-06-24T11:46:39Z]. FossilOrigin-Name: 140a693ee0c0cfa8f332cd1bbdfe045c016e4bf5169d6dd94648cbe38d7517c6 --- diff --git a/manifest b/manifest index 1de685d6c4..c1dd671601 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Revert\sthe\sfixes\sto\sbackup\sin\s[1f940357f7]\sand\s[e5db80350c]\sand\sinstead\sfix\sthe\sproblem\sreported\sby\sforum\spost\s[forum:15d82885e2\s|\s15d82885e2]\s(that\sa\scall\sto\ssqlite3_deserialize()\safter\ssqlite3_backup_init()\sbut\sbefore\sthe\sfirst\scall\sto\ssqlite3_backup_step()\son\sthe\sdestination\sdb\sof\sa\sbackup\scould\scause\sa\scrash)\sby\sdeferring\scaching\sthe\spointer\sto\sthe\sdestination\sBtree\suntil\safter\sit\sis\slocked.\sThis\saddresses\sbug\s[bugs:/info/2026-06-24T08:41:13Z\s|\s2026-06-24T08:41:13Z]. -D 2026-06-24T13:42:39.595 +C Fix\sthe\ssqlite3ParseUri()\sfor\simproved\sdefenses\sagainst\sridiculously\slong\nURI\sinputs\scausing\sinteger\soverflow\sproblems.\n[bugs:/info/2026-06-24T11:46:39Z|Bug\s2026-06-24T11:46:39Z]. +D 2026-06-24T13:45:04.507 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea 
@@ -701,7 +701,7 @@ F src/insert.c e6e9b574b4863649e2c433f2260f226183e697df1ab73fcb8da9a85d5abcd390 F src/json.c 74e903d4b84171b674727edc67eb8e89190eee0e7b737210f2af5b79db2f3bff F src/legacy.c d7874bc885906868cd51e6c2156698f2754f02d9eee1bae2d687323c3ca8e5aa F src/loadext.c 5cd4cd7ec6e1a46416806899086363fbf95eecd3bfb9a388b436c9a77243c902 -F src/main.c efd782fadd65b8e67952f439d56d7605134582346573018a614a8e082e074bd7 +F src/main.c 25e0dc6888cf5da157768511c381ac87bb2313e0ff50c25b6ff35e034f99546c F src/malloc.c 422f7e0498e1c9ef967f06283b6f2c0b16db6b905d8e06f6dbc8baaa3e4e6c5a F src/mem0.c 6a55ebe57c46ca1a7d98da93aaa07f99f1059645 F src/mem1.c 3bb59158c38e05f6270e761a9f435bf19827a264c13d1631c58b84bdc96d73b2 @@ -2208,9 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P 15a6482300bb2804fbfad1f07d6d74da6c0cb5953d44b74bc61c17d29e29821c bfce01a4b06b5f3bfb050bf15e25919a6c85b3ec0002acd016ac8c5ffa500daf -R ae02e6a96d80119e0cbe4dbea114f6cd -T +closed bfce01a4b06b5f3bfb050bf15e25919a6c85b3ec0002acd016ac8c5ffa500daf -U dan -Z 30bf857c649d855780f8a8b1154b464c +P 18da5759590793c934184a6f1e28fe61a9714f305f1e9704061364325c0bbf9e +R 8876e5e7dc705c4cfef217b5363371f8 +U drh +Z da9348347abf04e18e642adc168a56c6 # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 0338b9e84c..47b9706bab 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -18da5759590793c934184a6f1e28fe61a9714f305f1e9704061364325c0bbf9e +140a693ee0c0cfa8f332cd1bbdfe045c016e4bf5169d6dd94648cbe38d7517c6 diff --git a/src/main.c b/src/main.c index 310be10459..9530d258eb 100644 --- a/src/main.c +++ b/src/main.c 
@@ -3080,7 +3080,7 @@ int sqlite3ParseUri(
 const char *zVfs = zDefaultVfs;
 char *zFile;
 char c;
- int nUri = sqlite3Strlen30(zUri);
+ i64 nUri = strlen(zUri);
 assert( *pzErrMsg==0 );
@@ -3090,8 +3090,8 @@ int sqlite3ParseUri(
 ){
 char *zOpt;
 int eState; /* Parser state when parsing URI */
- int iIn; /* Input character index */
- int iOut = 0; /* Output character index */
+ i64 iIn; /* Input character index */
+ i64 iOut = 0; /* Output character index */
 u64 nByte = nUri+8; /* Bytes of space to allocate */
 /* Make sure the SQLITE_OPEN_URI flag is set to indicate to the VFS xOpen
@@ -3125,7 +3125,7 @@ int sqlite3ParseUri(
 while( zUri[iIn] && zUri[iIn]!='/' ) iIn++;
 if( iIn!=7 && (iIn!=16 || memcmp("localhost", &zUri[7], 9)) ){
 *pzErrMsg = sqlite3_mprintf("invalid uri authority: %.*s",
- iIn-7, &zUri[7]);
+ (int)(iIn-7), &zUri[7]);
 rc = SQLITE_ERROR;
 goto parse_uri_out;
 }
@@ -3200,11 +3200,11 @@ int sqlite3ParseUri(
 ** here. Options that are interpreted here include "vfs" and those that
 ** correspond to flags that may be passed to the sqlite3_open_v2()
 ** method. */
- zOpt = &zFile[sqlite3Strlen30(zFile)+1];
+ zOpt = &zFile[strlen(zFile)+1];
 while( zOpt[0] ){
- int nOpt = sqlite3Strlen30(zOpt);
+ i64 nOpt = strlen(zOpt);
 char *zVal = &zOpt[nOpt+1];
- int nVal = sqlite3Strlen30(zVal);
+ i64 nVal = strlen(zVal);
 if( nOpt==3 && memcmp("vfs", zOpt, 3)==0 ){
 zVfs = zVal;
@@ -3250,7 +3250,7 @@ int sqlite3ParseUri(
 int mode = 0;
 for(i=0; aMode[i].z; i++){
 const char *z = aMode[i].z;
- if( nVal==sqlite3Strlen30(z) && 0==memcmp(zVal, z, nVal) ){
+ if( nVal==(i64)strlen(z) && 0==memcmp(zVal, z, nVal) ){
 mode = aMode[i].mode;
 break;
 }
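Review bot: In the `@@ -3080,7 +3080,7 @@` hunk, `i64 nUri = strlen(zUri);` dereferences zUri unconditionally, whereas the sqlite3Strlen30() helper it replaces returns 0 for a NULL argument (as I recall it; the helper is defined outside this diff). Whether any caller can hand sqlite3ParseUri() a NULL filename is not visible here, since the function starts and ends outside the hunk, but if one can, this line turns a tolerated input into undefined behaviour. Keeping the guard is a one-line change, `i64 nUri = zUri ? (i64)strlen(zUri) : 0;`, or, if NULL is ruled out upstream, state that with `assert( zUri!=0 );` before the call.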
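Review bot: In the `@@ -3090,8 +3090,8 @@` hunk, `u64 nByte = nUri+8;` is now derived from an unbounded 64-bit length, so the only ceiling on URI size appears to be whatever the allocation further down enforces (not visible in this hunk; sqlite3ParseUri() continues past it). Widening iIn and iOut removes the index wraparound, but the fix then depends on every later consumer of these lengths staying 64-bit clean, and the `%.*s` argument in the next hunk already needs a narrowing cast. An explicit length check right after nUri is computed, against the project's existing maximum-length limit, would make the bound local and easy to audit. At minimum I would document the dependency with a comment such as `/* nUri is bounded only by the allocation of nByte bytes below */`.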
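Review bot: In the `@@ -3125,7 +3125,7 @@` hunk, `(int)(iIn-7)` only makes the argument type match `%.*s`; it does not bound the value, and converting an out-of-range i64 to int is implementation-defined. If an authority longer than INT_MAX can reach this line (an earlier allocation limit may prevent it, but that code is outside the hunk), the precision passed to sqlite3_mprintf() is a wrapped number rather than the real length. The text is caller-supplied and only needed for a diagnostic, so clamping it is safer than casting it: `(int)(iIn-7 > 200 ? 200 : iIn-7), &zUri[7]);`, where 200 is a display cap chosen here purely for illustration. The enclosing function begins and ends outside this hunk.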