From: drh <>
Date: Wed, 8 Apr 2026 17:00:33 +0000 (+0000)
Subject: Fix a buffer overflow bug in a recent check-in, reported by unsolicted
X-Git-Tag: major-release~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a7200804eb4aeb35229388a37ea00af27559bd25;p=thirdparty%2Fsqlite.git
Fix a buffer overflow bug in a recent check-in, reported by unsolicted email from OpenAI/Codex.
FossilOrigin-Name: be891a137af15897691250324e4d3d9c96f0c5fb414bca27d0c3bfdd3012a8a2
---
diff --git a/manifest b/manifest
index aa86baff50..8346aba359 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sfew\sdoc\stypos\sand\sinconsistencies.\sNo\scode\schanges.
-D 2026-04-07T15:54:35.800
+C Fix\sa\sbuffer\soverflow\sbug\sin\sa\srecent\scheck-in,\sreported\sby\sunsolicted\nemail\sfrom\sOpenAI/Codex.
+D 2026-04-08T17:00:33.995
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -730,7 +730,7 @@ F src/pcache.h 092b758d2c5e4dabb30eae46d8dfad77c0f70b16bf3ff1943f7a232b0fe0d4ba
 F src/pcache1.c 131ca0daf4e66b4608d2945ae76d6ed90de3f60539afbd5ef9ec65667a5f2fcd
 F src/pragma.c 789ef67117b74b5be0a2db6681f7f0c55e6913791b9da309aefd280de2c8a74d
 F src/prepare.c f6a6e28a281bd1d1da12f47d370a81af46159b40f73bf7fa0b276b664f9c8b7d
-F src/printf.c 9abec48ffb0fc1aac72a461e2ca456b5284a39c84cddc932c86822311e059882
+F src/printf.c 41fb76fcb5ed7e16aaddc659d3b23891abebea45549fe125fc2e6ec380cc7175
 F src/random.c 606b00941a1d7dd09c381d3279a058d771f406c5213c9932bbd93d5587be4b9c
 F src/resolve.c 928ff887f2a7c64275182060d94d06fdddbe32226c569781cf7e7edc6f58d7fd
 F src/rowset.c 8432130e6c344b3401a8874c3cb49fefe6873fec593294de077afea2dce5ec97
@@ -1514,7 +1514,7 @@ F test/pragma5.test 7b33fc43e2e41abf17f35fb73f71b49671a380ea92a6c94b6ce530a25f8d
 F test/pragma6.test c5ec577ba087954b4dfa619a3cbe97b155b60a0af487527abe89b10fc17e6512
 F test/pragmafault.test 275edaf3161771d37de60e5c2b412627ac94cef11739236bec12ed1258b240f8
 F test/prefixes.test b524a1c44bffec225b9aec98bd728480352aa8532ac4c15771fb85e8beef65d9
-F test/printf.test 685fec5a0c5af2490ab0632775a301554361d674211d690f5bee0a97b05333de
+F test/printf.test bcb093ef5cbd17e2d94d93d62045ee61ed0f465c1ca123f284774e474e73a9ea
 F test/printf2.test 3f55c1871a5a65507416076f6eb97e738d5210aeda7595a74ee895f2224cce60
 F test/progress.test ebab27f670bd0d4eb9d20d49cef96e68141d92fb
 F test/ptrchng.test ef1aa72d6cf35a2bbd0869a649b744e9d84977fc
@@ -2197,8 +2197,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 4a36454904e1c5e7d25406713ab0125f11df66eabe0d378edcb837ef8dedc981
-R 16f1b21b4cb5faffe725c6e07d5c25a3
-U stephan
-Z 22c44324ea68c832a57d85b95caa6e8a
+P 025abd4cf409fb9938e116289f23dc5bcd6d14feb46066221e691b146ee9b354
+R 7600f47bef4b02dcc59e25059aaa900d
+U drh
+Z c818e025424851b4793e1d43a62d77e7
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 832bf071a8..9731891d07 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-025abd4cf409fb9938e116289f23dc5bcd6d14feb46066221e691b146ee9b354
+be891a137af15897691250324e4d3d9c96f0c5fb414bca27d0c3bfdd3012a8a2
diff --git a/src/printf.c b/src/printf.c
index 257fcb3757..c9fc1a72c0 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -621,7 +621,7 @@ void sqlite3_str_vappendf(
 e2 = s.iDP - 1;
 }
- szBufNeeded = MAX(e2,0)+(i64)precision+(i64)width+8;
+ szBufNeeded = MAX(e2,0)+(i64)precision+(i64)width+10;
 if( cThousand && e2>0 ) szBufNeeded += (e2+2)/3;
 if( sqlite3StrAccumEnlargeIfNeeded(pAccum, szBufNeeded) ){
 width = length = 0;
diff --git a/test/printf.test b/test/printf.test
index cc439e6172..1f8ab25a59 100644
--- a/test/printf.test
+++ b/test/printf.test
@@ -3823,6 +3823,11 @@ do_execsql_test printf-17.11 {
 SELECT format('%.30f',1.0000000000000000076e-50);
 } 0.000000000000000000000000000000
+# Reported by OpenAI Codex Security on 2026-04-08
+do_execsql_test printf-17.12 {
+ SELECT format('%!.0e',-1e100);
+} -1.0e+100
+
 #-------------------------------------------------------------------------
 # dbsqlfuzz ad651aad4bb2100f3a724129a555d8d773366d46
 #
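Review bot: The fixed slack in the new `szBufNeeded` line is still a bare literal (`+10`) with nothing in the hunk saying which output characters it pays for, so the next flag or conversion that lengthens the float text past what `MAX(e2,0)+precision+width` accounts for can overrun the buffer sized by sqlite3StrAccumEnlargeIfNeeded exactly the way `%!.0e` did. Counting the new test's output `-1.0e+100` (precision 0, width 0) gives sign, leading digit, decimal point, the `0` forced by the `!` flag, `e`, exponent sign, up to three exponent digits and the NUL — ten bytes, which matches the new constant if that is the accounting; I would record it above the assignment as `/* +10: sign, leading digit, '.', forced "0" (the '!' flag), 'e', exponent sign, up to 3 exponent digits, NUL */`. Whether `MAX(e2,0)` already covers the leading digit for `%e`, and what e2 holds on that path, is not visible here, so the comment should be checked against the formatting code that follows. An `assert()` that the bytes actually written fit within szBufNeeded, placed where the formatted digits are appended to the accumulator, would turn the next miscount into a test failure rather than a silent overflow. sqlite3_str_vappendf begins and ends outside this hunk.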
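Review bot: The new case printf-17.12 pins the `!` flag only for the `%e` conversion, while the slack it was added for is computed once in szBufNeeded (per the printf.c hunk) and presumably also sizes the `%f` and `%g` output, which this test leaves unexercised. A sibling case or two in the same style, such as `SELECT format('%!.0g',-1e100);` and `SELECT format('%!.0f',-1e100);` with their expected strings taken from a run, would guard the other two paths against the same accounting error; I have not computed those strings here, so they are not quoted. The `do_execsql_test` helper and the preceding test body are defined outside this hunk.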