From: drh <>
Date: Wed, 24 Jun 2026 12:40:26 +0000 (+0000)
Subject: Defend against integer overflow on oversized string inputs to
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d87f8c4965497148a2cb0cc696ce557d5961cf87;p=thirdparty%2Fsqlite.git

Defend against integer overflow on oversized string inputs to
sqlite3_mprintf() and similar C-language interfaces when using
the "%!.*s" conversion. The problem is not reachable from SQL
due to string length restrictions in SQL. C-code is required.
[bugs:/info/2026-06-24T11:57:36Z|Bug 2026-06-24T11:57:36Z].

FossilOrigin-Name: 15a6482300bb2804fbfad1f07d6d74da6c0cb5953d44b74bc61c17d29e29821c
---
diff --git a/manifest b/manifest index d4e8fab430..a8c27c58c8 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Back\sout\s[23936786e6]\sbecause\s[9725b513c0]\sobviates\sit. -D 2026-06-24T12:23:29.940 +C Defend\sagainst\sinteger\soverflow\son\s\soversized\sstring\sinputs\sto\nsqlite3_mprintf()\sand\ssimilar\sC-language\sinterfaces\swhen\susing\nthe\s"%!.*s"\sconversion.\s\sThe\sproblem\sis\snot\sreachable\sfrom\sSQL\ndue\sto\sstring\slength\srestrictions\sin\sSQL.\sC-code\sis\srequired.\n[bugs:/info/2026-06-24T11:57:36Z|Bug\s2026-06-24T11:57:36Z]. +D 2026-06-24T12:40:26.285 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea 
@@ -733,7 +733,7 @@ F src/pcache.h 092b758d2c5e4dabb30eae46d8dfad77c0f70b16bf3ff1943f7a232b0fe0d4ba F src/pcache1.c d7ee0f95992501a65379f620b3de1430b64e52e397769938668a9fd9dd1c8145 F src/pragma.c 789ef67117b74b5be0a2db6681f7f0c55e6913791b9da309aefd280de2c8a74d F src/prepare.c b1337cd601f8cb58c07a61bafdf2e501332dd1a07959c5d1c118a5adef01f4c7 -F src/printf.c 6916d50913c3271aefe96d3483701ceca8644331ec4c7b23a5aa54a9ba36230f +F src/printf.c 9e252514a044fc845820438688816d7a047bfd10890ad09a763f3879cab4f0d9 F src/random.c 606b00941a1d7dd09c381d3279a058d771f406c5213c9932bbd93d5587be4b9c F src/resolve.c d0724113da9f5c0430d2052808ce59519f51ae7c4fbb1f5ef21fe3a832956086 F src/rowset.c 8432130e6c344b3401a8874c3cb49fefe6873fec593294de077afea2dce5ec97 @@ -2208,9 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P 7af7c501b60358cf84e843eb147e6edf9a5aaca30b1c570abe63ca68b54e3ec2 -Q -23936786e680131af644510eb50b7ad20ee39221d1fb29732dea76483aed2273 -R daf719e9a49a465f86650e8c31185dc9 -U stephan -Z 6ec60b335a09043c3fbaa63db7c3bfc0 +P ef5e415303aeeaad65987871302380e96704316daf89ab5e96330798e4cbe1ce +R adc65683d6d6244acd09ff55a719db9c +U drh +Z e40b4ff061815f5bc5162c2cb5a88938 # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 7c30185d04..5654d6cfe5 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -ef5e415303aeeaad65987871302380e96704316daf89ab5e96330798e4cbe1ce +15a6482300bb2804fbfad1f07d6d74da6c0cb5953d44b74bc61c17d29e29821c diff --git a/src/printf.c b/src/printf.c index 38c8979db1..01d20874f3 100644 --- a/src/printf.c +++ b/src/printf.c 
@@ -858,7 +858,7 @@ void sqlite3_str_vappendf( while( precision-- > 0 && z[0] ){ SQLITE_SKIP_UTF8(z); } - length = (int)(z - (unsigned char*)bufpt); + length = (int)MIN((z - (unsigned char*)bufpt),0x7ffffff0); }else{ for(length=0; length
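Review bot: the clamp in `length = (int)MIN((z - (unsigned char*)bufpt),0x7ffffff0);` keeps the int from overflowing but does not shorten the walk that produces the difference: `while( precision-- > 0 && z[0] ){ SQLITE_SKIP_UTF8(z); }` still steps through every character up to `precision`, so a caller passing a precision near INT_MAX together with a multi-gigabyte string pays for a full pass over the input before the count is cut down to 0x7ffffff0 bytes. Consider bounding the loop by the same cap, e.g. adding `&& (z - (unsigned char*)bufpt) < 0x7ffffff0` to its condition, so the walk ends where the output will be truncated anyway. Two smaller points on the same line: the literal 0x7ffffff0 is unexplained in the hunk (a one-line comment on why it sits 16 bytes below INT_MAX, or a named constant, would help the next reader), and the truncation is silent, which is acceptable for a defensive clamp but worth stating in a comment so readers of this path know a shortened result is the intended outcome rather than a bug.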
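As an added illustration of what the patched line computes (this is not SQLite's code and not part of the commit), the C below re-implements the character-counting walk behind "%!.*s" with a stand-in for SQLITE_SKIP_UTF8 (assumed equivalent for well-formed UTF-8), and then contrasts narrowing the resulting byte count straight to int with the clamp the hunk applies. The names utf8_prefix_bytes, length_before, length_after, clamped_prefix_len and LENGTH_CAP are mine; the 0x7ffffff0 cap is the value in the hunk. No multi-gigabyte buffer is built: the over-INT_MAX byte count is handed to the narrowing functions directly, which is enough to show why the unclamped cast cannot be right and what the clamped one returns.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for SQLITE_SKIP_UTF8 (assumed equivalent for well-formed UTF-8,
   not SQLite's macro): step past the lead byte, then past every 10xxxxxx
   continuation byte that follows it. */
#define SKIP_UTF8(z) { if( (*(z++))>=0xc0 ){ while( (*(z) & 0xc0)==0x80 ){ z++; } } }

/* The cap used by the patch: largest byte count allowed into the int field. */
#define LENGTH_CAP 0x7ffffff0

/* Walk at most `precision` UTF-8 characters of s, as the "%!.*s" path does,
   and return the byte length of that prefix BEFORE any narrowing to int.
   A 64-bit type stands in for the ptrdiff_t of the real pointer difference. */
static int64_t utf8_prefix_bytes(const char *s, int precision){
  const unsigned char *z = (const unsigned char*)s;
  while( precision-- > 0 && z[0] ){ SKIP_UTF8(z); }
  return (int64_t)(z - (const unsigned char*)s);
}

/* "Before": narrow the difference straight to int. For values above INT_MAX
   the int cannot hold the count, so whatever comes back is not the length. */
static int length_before(int64_t d){
  return (int)d;
}

/* "After": clamp first, as the hunk does with MIN(..., 0x7ffffff0), so the
   int always holds a valid, if possibly truncated, byte count. */
static int length_after(int64_t d){
  return (int)(d < LENGTH_CAP ? d : LENGTH_CAP);
}

/* End to end: character-counted prefix length, clamped, as an int. */
static int clamped_prefix_len(const char *s, int precision){
  return length_after(utf8_prefix_bytes(s, precision));
}

int main(void){
  /* Constructed sample: 'h', then U+00E9 as two bytes, then "llo". */
  const char *sample = "h" "\xc3\xa9" "llo";
  int64_t huge = (int64_t)0x80000005;   /* a byte count just above INT_MAX */

  printf("2 chars of sample = %lld bytes\n", (long long)utf8_prefix_bytes(sample, 2));
  printf("unclamped narrowing of %lld gives %d\n", (long long)huge, length_before(huge));
  printf("clamped narrowing of %lld gives %d\n", (long long)huge, length_after(huge));
  printf("clamped prefix of sample, precision 100 = %d\n", clamped_prefix_len(sample, 100));
  return 0;
}
```

The first two assertions below pin down the character-versus-byte semantics (two characters of "h\xc3\xa9llo" span three bytes); the last two show that the unclamped cast loses the value while the clamped one returns exactly 0x7ffffff0.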