From: drh <> Date: Tue, 26 May 2026 14:23:36 +0000 (+0000) Subject: Fix a 32-bit integer overflow in sqlite3changegroup_change_blob() that X-Git-Tag: release~26 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=600eb440c2b29fb02f87dc3b9e56ee9c0f654509;p=thirdparty%2Fsqlite.git Fix a 32-bit integer overflow in sqlite3changegroup_change_blob() that could lead to a buffer overwrite. FossilOrigin-Name: f2a8ae2251561f2255c2974914293647cf304c6db79de9da957755fccaf8a8b6 --- diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c index 809a34580f..a4d77a690c 100644 --- a/ext/session/sqlite3session.c +++ b/ext/session/sqlite3session.c @@ -7080,7 +7080,7 @@ int sqlite3changegroup_change_blob( const void *pVal, int nVal ){ - sqlite3_int64 nByte = 1 + sessionVarintLen(nVal) + nVal; + sqlite3_int64 nByte = 1 + sessionVarintLen(nVal) + (i64)nVal; int rc = SQLITE_OK; SessionBuffer *pBuf = 0; diff --git a/manifest b/manifest index 0fe060aee7..9f2ec62721 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Fix\sQRF\sso\sthat\sit\sworks\ssensibly\swith\s"--wrap\s1" -D 2026-05-26T13:57:36.324 +C Fix\sa\s32-bit\sinteger\soverflow\sin\ssqlite3changegroup_change_blob()\sthat\ncould\slead\sto\sa\sbuffer\soverwrite. +D 2026-05-26T14:23:36.811 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea 
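Review bot: The widened addition on the `+` line still accepts a negative `nVal`: `int nVal` is a public API argument, and `1 + sessionVarintLen(nVal) + (i64)nVal` with a negative length yields a small or negative `nByte`, which presumably sizes the buffer the blob is copied into, so unless the body below the hunk already rejects it, a caller passing `nVal < 0` reaches the same class of undersized allocation this commit fixes for the `INT_MAX` case. A guard before the computation, `if( nVal<0 ) return SQLITE_MISUSE;`, would close that path cheaply and make the precondition explicit to callers. The cast also only widens the addition; `sessionVarintLen(nVal)` still receives the 32-bit value, which is fine once non-negative input is guaranteed. sqlite3changegroup_change_blob's body continues outside the hunk, so the allocation and copy the new `nByte` feeds are not visible here.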
@@ -572,7 +572,7 @@ F ext/session/sessionrowid.test 85187c2f1b38861a5844868126f69f9ec62223a03449a98a F ext/session/sessionsize.test 8fcf4685993c3dbaa46a24183940ab9f5aa9ed0d23e5fb63bfffbdb56134b795 F ext/session/sessionstat1.test 5e718d5888c0c49bbb33a7a4f816366db85f59f6a4f97544a806421b85dc2dec F ext/session/sessionwor.test 6fd9a2256442cebde5b2284936ae9e0d54bde692d0f5fd009ecef8511f4cf3fc -F ext/session/sqlite3session.c 3914203a4970a96ccdc6f5b5d0afd09df29da87aed7723363c7bb648ea906c7b +F ext/session/sqlite3session.c b290fc15a18e2ac239c2d3a8617fd34a05cb39b838a45e547ded2db0a578dd95 F ext/session/sqlite3session.h 063e7bf7be2fff874456f452a224b5b3013b25682d108933b0351c93a1279b9c F ext/session/test_session.c 2a02a68b522e2f3d4a64b2a4733af54b0f3e500769aeccd5bcbdd440103db069 F ext/wasm/GNUmakefile 68c750f173106d9d63f12c1edf1256c6f4bad9894b155da5db64322f4912de4b @@ -944,6 +944,7 @@ F test/btree02.test 7555a5440453d900410160a52554fe6478af4faf53098f7235f1f443d5a1 F test/btreefault.test a82a23b0578bc587afbf9a622c8f54a54f63762f062ba8a35613cfee38ab42f9 F test/busy.test caff7164c16ce06a53af51f9e4c2753d4cc64250e00790a5e48b9c4f4be37597 F test/busy2.test 20823a5d7c42fb257d9f108c66312d90b1bb4ec3d80ba6b4e371073727560f98 +F test/c/changeblob1.c c2f51ff87ed628634badfe635d987c21ffcc6a03554a29bff7f68607e6deb9ab F test/cache.test 13bc046b26210471ca6f2889aceb1ea52dc717de F test/cacheflush.test af25bb1509df04c1da10e38d8f322d66eceedf61 F test/cachespill.test 895997f84a25b323b166aecb69baab2d6380ea98f9e0bcc688c4493c535cfab9 
@@ -1715,7 +1716,7 @@ F test/temptrigfault.tes fc5918e64f3867156fefe7cfca9d8e1f495134a5229b2b511b0dc11 F test/temptrigger.test a00f258ed8d21a0e8fd4f322f15e8cfb5cef2e43655670e07a753e3fb4769d61 F test/tester.tcl 2d943f60200e0a36bcd3f1f0baf181a751cd3604ef6b6bd4c8dc39b4e8a53116 F test/testloadext.c 862b848783eaed9985fbce46c65cd214664376b549fae252b364d5d1ef350a27 -F test/testrunner.tcl 6b232f0d4825dec8b967754503080fc9609fad077f582d02f86bd2d95bec4110 x +F test/testrunner.tcl 8d92cacf9989aefdf33229c414adac56d389b5b6d9d31d9ebed34d5ab4e13833 x F test/testrunner_data.tcl 48c8a230fcada37f4809f95c2ba49e44bc3d520b6165c09173249c6e65b01cc1 F test/testrunner_estwork.tcl 81e2ae10238f50540f42fbf2d94913052a99bfb494b69e546506323f195dcff9 F test/thread001.test a0985c117eab62c0c65526e9fa5d1360dd1cac5b03bde223902763274ce21899 @@ -2198,9 +2199,9 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P a8d18783fb2dbe9683bb6f3b57ebb3cc3ccf1e5afdd5e14786abf1e4e240f51a -Q +48f950b2a1ef841d915ca733baf324a1af98e644b660f238dd5018015340a6c6 -R 7b0c61606ec21acd58d37b3a99b6b7d6 +P 90eb6c22687449441824c7da5741a31e78bb78098c170382b230e851d03212c0 +Q +8a289158e2baeee8aa5e601bde46b0482361064ede09e4108f519270efdd5f69 +R 04e59fd679d81b5d0def33e9d765e8ec U drh -Z 637b704daa2b7eb95fc1fc39926baffe +Z b3fb4c1477861bb76e1a170baea48365 # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 19423e399f..1dfcfe426c 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -90eb6c22687449441824c7da5741a31e78bb78098c170382b230e851d03212c0 +f2a8ae2251561f2255c2974914293647cf304c6db79de9da957755fccaf8a8b6 
diff --git a/test/c/changeblob1.c b/test/c/changeblob1.c new file mode 100644 index 0000000000..a0d1f2be30 --- /dev/null +++ b/test/c/changeblob1.c @@ -0,0 +1,35 @@ + +#include +#include +#include +#include "sqlite3.h" + +int main(void){ +#ifdef SQLITE_ENABLE_SESSION + sqlite3 *db; + sqlite3_changegroup *pGrp; + char *zErr = 0; + char *buf = malloc(64); + int rc = SQLITE_OK; + + sqlite3_open(":memory:", &db); + sqlite3_exec(db, "CREATE TABLE t1(a INTEGER PRIMARY KEY, b TEXT);", 0, 0, 0); + + sqlite3changegroup_new(&pGrp); + sqlite3changegroup_schema(pGrp, db, "main"); + sqlite3changegroup_change_begin(pGrp, SQLITE_INSERT, "t1", 0, &zErr); + sqlite3changegroup_change_int64(pGrp, 1, 0, 42); + + memset(buf, 'X', 64); + + /* This should return an OOM error: */ + rc = sqlite3changegroup_change_blob(pGrp, 1, 1, buf, 2147483647); + + free(buf); + sqlite3changegroup_delete(pGrp); + sqlite3_close(db); + return (rc==7) ? 0 : -1; +#else + return 0; +#endif +} diff --git a/test/testrunner.tcl b/test/testrunner.tcl index 62dce8e626..61a2ec79a2 100755 --- a/test/testrunner.tcl +++ b/test/testrunner.tcl @@ -127,6 +127,7 @@ Special values for PERMUTATION include: mdevtest - tests recommended prior to normal development check-ins. devtest - alias for "mdevtest" release - full release test with various builds. + c - tests in test/c directory only. sdevtest - like mdevtest but using ASAN and UBSAN. all - all tcl test scripts, plus a subset of test scripts rerun with various permutations. @@ -1514,6 +1515,13 @@ proc add_jobs_from_cmdline {patternlist} { } } + c { + set patternlist [lrange $patternlist 1 end] + foreach b [trd_builds $TRG(platform)] { + add_c_jobs $b $patternlist + } + } + list { set allperm [array names ::testspec] lappend allperm all devtest mdevtest sdevtest release list
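Review bot: The new test passes a 64-byte `buf` with `nVal = 2147483647` and relies on the allocation failing, so if the allocation ever succeeds (a different allocator limit or memory configuration) the copy reads roughly 2 GiB past a 64-byte heap object and the test itself becomes the out-of-bounds access, which would surface under ASAN as a test bug rather than a library bug; a comment stating that dependency next to the call, `/* relies on the ~2 GiB allocation failing; buf is deliberately small */`, would at least make it explicit. The expected code is compared as a bare `7`; `return (rc==SQLITE_NOMEM) ? 0 : -1;` says what is being asserted. The return values of `sqlite3_open`, `malloc`, `sqlite3changegroup_new` and `sqlite3changegroup_change_begin` are not checked and `zErr` is never freed, so an early failure is reported as the wrong error rather than as setup failure. The bare `#include` lines with no header name look like an extraction artifact of the angle-bracket headers rather than the committed text, but that is inferred from the page, not verified.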