From: drh <> Date: Mon, 1 Jun 2026 13:44:19 +0000 (+0000) Subject: Fix an integer overflow that could lead to a buffer overrun in the zipfile X-Git-Tag: release~17 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=81ceb00b0076928c16f18f8216d46fb576b2cd21;p=thirdparty%2Fsqlite.git Fix an integer overflow that could lead to a buffer overrun in the zipfile extension. FossilOrigin-Name: ae9c99b904a8d1b9745a8f09cb35412e4107f4f24f95cabccc18a777b9e76bdf --- diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c index 607dfcf6e1..fe0941823d 100644 --- a/ext/misc/zipfile.c +++ b/ext/misc/zipfile.c @@ -2000,10 +2000,10 @@ struct ZipfileCtx { }; static int zipfileBufferGrow(ZipfileBuffer *pBuf, i64 nByte){ - if( pBuf->n+nByte>pBuf->nAlloc ){ + if( (pBuf->nAlloc-pBuf->n)n ? pBuf->n*2 : 512; - int nReq = pBuf->n + nByte; + i64 nNew = pBuf->n ? (i64)pBuf->n*2 : 512; + i64 nReq = pBuf->n + nByte; while( nNewa, nNew); diff --git a/manifest b/manifest index 8bdadbc262..c42056729b 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Extra\sdefenses\sagainst\sinteger\soverflows\sin\sthe\suntested,\sunused,\sand\nunsupported\stransliterate()\sSQL\sextension\sfunction\sfound\sin\sthe\next/misc/spellfix.c\sextension. -D 2026-06-01T13:39:15.844 +C Fix\san\sinteger\soverflow\sthat\scould\slead\sto\sa\sbuffer\soverrun\sin\sthe\szipfile\s\nextension. +D 2026-06-01T13:44:19.059 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea 
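Review bot: The widened `nNew`/`nReq` stop the request size from being truncated to int, but the hunk does not show where `nNew` is written back into `pBuf->nAlloc`, which from the `(i64)pBuf->n*2` cast appears to be an int field; if the allocator ever accepts a value above INT_MAX, that write-back would narrow it and recreate the undersized-buffer condition this commit fixes. An explicit bound before the allocation, `if( nNew>0x7fffffff ) return SQLITE_NOMEM;`, keeps the invariant local to this function, and the realloc on the last visible line should be the 64-bit variant (`sqlite3_realloc64`) so `nNew` is not narrowed on the way in either. The new condition also deserves a one-line comment, e.g. `/* compare free space against nByte (i64) so pBuf->n+nByte is never formed in a narrower type */`. zipfileBufferGrow continues past the end of the hunk, and the hunk text as rendered is garbled around the `<` comparisons, so the doubling loop and the realloc call could not be checked here.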
@@ -417,7 +417,7 @@ F ext/misc/vtablog.c 6c0c11c4822ab6c1a205718ea7c6d1bb561d96b27104b9c1fe84d01aa62 F ext/misc/vtshim.c f5ab480d1e33fa46a0b138359bedc9979e32798d72348e04bbe6093f9ae95c7b F ext/misc/wholenumber.c aa5e6d786fe8d79bc100ea0e852249c026a91ae65a5c1bcb2b869cd1a7cdd6d5 F ext/misc/windirent.h 02211ce51f3034c675f2dbf4d228194d51b3ee05734678bad5106fff6292e60c -F ext/misc/zipfile.c d865756e2eaaf4d39497affbfb295f2330516120f7598be68c03b8171638a618 +F ext/misc/zipfile.c 38211d2b23e1fcb57af2d7c597458112e6c3d6130bf97dc4c224816d9f8218fa F ext/misc/zorder.c bddff2e1b9661a90c95c2a9a9c7ecd8908afab5763256294dd12d609d4664eee F ext/qrf/README.md 9e644615d7d7b77ef7e9db798765679e50c5ed12eda48bce21c9ef9eb4715e9d F ext/qrf/dev-notes.md e68a6d91ce4c7eb296ef2daadc2bb79c95c317ad15b9fafe40850c67b29c2430 @@ -2101,7 +2101,7 @@ F test/writecrash.test 13520af28f376bfc8c0bcd130efc1fff20bb165198e8b94cf153f1f75 F test/zeroblob.test 7b74cefc7b281dfa2b07cd237987fbe94b4a2037a7771e9e83f2d5f608b1d99e F test/zeroblobfault.test 861d8191a0d944dfebb3cb4d2c5b4e46a5a119eaec5a63dd996c2389f8063441 F test/zerodamage.test 9c41628db7e8d9e8a0181e59ea5f189df311a9f6ce99cc376dc461f66db6f8dc -F test/zipfile.test a3fcfc43115e4226fdddadd43bdf31c8ca805ad08dad435634f1633d8f5840d9 +F test/zipfile.test 3aa05e7311f01679d81a2b49ddb7189b433dfda17580d7e8f9e904e87ee99440 F test/zipfile2.test 21afaffcf4f7769df38bf16e4a9c4dfa6ba1b0f5b695f844ec61fafb92db0db7 F test/zipfilefault.test 44d4d7a7f7cca7521d569d7f71026b241d65a6b1757aa409c1a168827edbbc2c F tool/GetFile.cs 47852aa0d806fe47ed1ac5138bdce7f000fe87aaa7f28107d0cb1e26682aeb44 
@@ -2198,9 +2198,9 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c -P f6108e2fbdddfa03154a12efab17e5c1d681884ebcdfb6da5c319544601676ed -Q +2b073519b6080abc8872b0728c64827cc088d1b43f132cd2aeb396f06de3d36f -R 2f7daa1c46c45eb31e7197c26425c234 +P ca800b1d2d243715426045df0d40ad171aed89182f4a5bb1055787964e74ff3c +Q +a8dac6af353c02aed8eaaba5921e036d3f3a6639367ae70e8c75d759c7b4ab52 +R 80ac68a9b82129945df09153254c9333 U drh -Z be799d4ff0ce59cd0a89210e120595ce +Z ec9077059143ff37588990fc2f789bcd # Remove this line to create a well-formed Fossil manifest. diff --git a/manifest.uuid b/manifest.uuid index 5c942d3b72..87a79a2d84 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -ca800b1d2d243715426045df0d40ad171aed89182f4a5bb1055787964e74ff3c +ae9c99b904a8d1b9745a8f09cb35412e4107f4f24f95cabccc18a777b9e76bdf diff --git a/test/zipfile.test b/test/zipfile.test index f57170724d..fe4f41503a 100644 --- a/test/zipfile.test +++ b/test/zipfile.test 
@@ -914,4 +914,20 @@ do_catchsql_test 21.0 { SELECT * FROM zipfile(X'504B03040A0000000000000000000000000000000000000000000100000078504B010200000A0000000000000000000000000000000000000000000100000000000000000000000000E2FFFFFF78504B050600000000010001002F0000001F0000000000'); } {1 {failed to read LFH at offset -30}} + +#-------------------------------------------------------------------------- +reset_db +load_static_extension db zipfile + +# This test requires a non-default SQLITE_MAX_LENGTH value to run. +# +if {[catch {db one {SELECT length( zeroblob(1200000000) )}}]==0} { + do_catchsql_test 23.0 { + SELECT length(zipfile(name,0,0,data,0)) FROM ( + SELECT 'a' AS name, zeroblob(1000000000) AS data + UNION ALL SELECT 'b', zeroblob(1200000000) + ); + } {1 {out of memory}} +} + finish_test
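Review bot: When the `catch` probe on `zeroblob(1200000000)` fails, the whole block is skipped silently, so a run on a default SQLITE_MAX_LENGTH build gives no sign that test 23.0 never executed; a one-line skip notice in an `else` branch would make that visible in the log. The expected `{1 {out of memory}}` also pins the outcome to the allocator refusing the grown buffer rather than to the overflow arithmetic itself, so if the memory limit were ever raised the test would fail without a regression of this fix; a comment stating that the assertion is "no overrun, allocation refused" would make the intent clear to whoever next touches it.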