[Backport] Security bugs 1197786 and 1194330
Partial backport (only amalgamations) originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2855913:
Roll src/third_party/sqlite/src/ 60efbb358..144e06fad (361 commits)

https://chromium.googlesource.com/chromium/deps/sqlite.git/+log/60efbb3584af..144e06fad937

$ git log 60efbb358..144e06fad --date=short --no-merges --format='%ad %ae %s'
2021-04-22 huangdarwin Amalgamations for release 3.35.5
2021-04-19  Version 3.35.5
2021-04-19  Update the version number to 3.35.5.
2021-04-18 Dan Kennedy Ensure that all records are updated by setting the OPFLAG_SAVEPOSITION flag when updating records as part of ALTER TABLE DROP COLUMN. Fix for [c88f3036a2].
2021-04-18 Dan Kennedy Modify the drop column code to handle WITHOUT ROWID tables for which a single column appears more than once in the primary key.
2021-04-13  Fix a problem with handling expressions like "(col IS NULL AND <expr1>) OR col == NULL" in WHERE clauses. Reported at [https://sqlite.org/forum/forumpost/1c4f2fdcc4].
2021-04-02 Dan Kennedy Version 3.35.4
2021-04-02  Fix incorrect RETURNING test cases in wherelimit.test
2021-04-01  When resolving names in the RETURNING clause, do not accept trigger names even within subquires.
2021-03-31  When resolving column names in the RETURNING clause, do not ignore an incorrect table name qualifier.  Raise an error instead.
2021-03-31  Defer deletion of expressions that are optimized out by the AND optimizer in the sqlite3ExprAnd() routine until the corresponding Parse object is deleted.  This avoids a dangling pointer in AggInfo if sqlite3ExprAnd() is invoked by the push-down optimization.  The dangling pointer appears to be harmless in release builds, only showing up in debug builds. Problem found by dbsqlfuzz.
2021-03-31  Ensure that negative numbers may not be used in frame offset clauses even if they are initially text value. e.g. (RANGE BETWEEN '-1' PRECEDING ...).
2021-03-30  Raise an error if a term of the form "TABLE.*" appears in the RETURNING clause, as SQLite does not (yet) know how to handle that. Ticket [132994c8b1063bfb].
2021-03-29  Increase the patch number to 3.35.4.
2021-03-29 Dan Kennedy Do not do the EXISTS-to-IN transformation if the sub-select has LIMIT clause.
2021-03-26  Version 3.35.3
2021-03-22  This branch for any further patches on 3.35.  We anticipate 3.35.3 in a few days.  Hopefully there will never be a need for 3.35.4.
2021-03-21  Fix an assert() that in preupdate-hook logic (not normally built) that can be false when running VACUUM on a corrupt database file under PRAGMA writable_schema=ON.
2021-03-21  Add a better comment and an assert() on the code inside sqlite3CreateIndex() that REPLACE indexes come at the end of the index list. [forum:/forumpost/ceb51d83f7|forum post ceb51d83f7]
2021-03-20  Fix the "box" output mode in the shell when statement returns zero-column rows (for example from "PRAGMA incremental_vacuum").
2021-03-20  Fix a faulty assert() in the OP_SkipScan opcode. dbsqlfuzz a15a9b2ca82e812ad52f62c86cc93dca0dc72f01. Test cases in TH3.
2021-03-19  In the wholenumber virtual table, increase the cost penalty for running open-loop.  This appears to fix the problem reported by [https://sqlite.org/forum/forumpost/b52a020ce4|forum post b52a020ce4].
2021-03-19  Dbsqlfuzz found a new way to make that branch in codeVectorCompare reachable.
2021-03-19 larrybr Fix tokenizer's classification of EBCDIC newline.
2021-03-19  Restore the NEVER() that was taken out by [f481636f1a0333c6] because that case is no longer reachable after the previous check-in.
2021-03-19 Dan Kennedy Fix a crash that could occur when an INSERT has more than one ON CONFLICT clause, at least one of which contains an unresolvable symbol.
2021-03-19  Correlated CTEs should not generate a materialization subroutine.  If they need to be materialized, each use case must be materialized separately. dbsqlfuzz 01b8355086998f0a452cb31208e80b9d29ca739a.
2021-03-18  Add a NEVER() on a branch that was made unreachable by the "circular reference" fix.
2021-03-18  Disable a test case requiring generate_series when virtual tables are not available.
2021-03-18 Dan Kennedy Fix a problem causing spurious "<cte>: circular reference" errors to be reported when there is actually a different error in the SQL statement.
2021-03-18  Increase the patch level to 3.35.3.
2021-03-18  Remove unnecessary code from sqlite3BtreeClose() and add test cases.
2021-03-18  Further sanity checking of the OpenDup cursors.
2021-03-18  Fix the dbsqlfuzz-derived authorizer in fuzzcheck to avoid creating junk files when running rogue tests.
2021-03-18 Dan Kennedy Automatically close ephemeral b-trees when their last cursor is closed.
2021-03-18  Fix a problem with the filename normalizer in unix, discovered by dbsqlfuzz.
2021-03-18 Dan Kennedy Allow instruction OP_OpenDup to duplicate cursors created by OP_OpenDup, as well as by OP_OpenEphemeral.
2021-03-18  New assert statements associated with Ephemeral cursors in the bytecode engine.
2021-03-18  Change the name of the iDataVersion field of Btree to iBDataVersion to make it distinct from Pager.iDataVersion.
2021-03-17  Version 3.35.2
2021-03-17  Fix a harmless compiler warning in the appendvfs.c extension.
2021-03-17 Dan Kennedy If there are already 500 or more simple SELECTs in a query, do not add more by flattening UNION ALL sub-queries into parent join queries.
2021-03-17 Dan Kennedy Fix a problem in sqldiff virtual table hanlding to do with tab and other non-space whitespace characters in the CREATE VIRTUAL TABLE statement.
2021-03-16  Date/time functions with no arguments (ex: date() or time()) should be non-deterministic.  Fix for ticket [2c6c8689fb5f3d2f].
2021-03-16  Increase the version number to 3.35.2.
2021-03-16  Comment and stylistic changes to the appendvfs.c implementation.
2021-03-16 Dan Kennedy Fix a problem with ALTER TABLE RENAME COLUMN when used on a schema that features generated columns.
2021-03-16 larrybr Fix assert typo.
2021-03-16 larrybr Fix appendvfs bug exposed with bigger files, and add tests for such conditions.
2021-03-16 larrybr Create new branch named "appendvfs_fix"
(...)
2020-12-15 Dan Kennedy Change an fts5 assert() that can be triggered by a corrupt database to an if() condition.
2020-12-14 Dan Kennedy Fix an integer overflow problem in new VACUUM code.
2020-12-14 drh Minor changes for test coverage.
2020-12-12 drh More test cases.  No new problems discovered.
2020-12-12 drh New test cases with corresponding bug fixes.
2020-12-11 drh Begin adding test cases.  Fix one bug found so far.  More are pending.
2020-12-11 Dan Kennedy Fix an assert() broken by recent changes to vacuum.
2020-12-11 drh Small performance tweaks.
2020-12-11 drh Bug fixes so that legacy tests pass.  New tests for new functionality have not yet been added.
2020-12-11 Dan Kennedy Add an "#ifndef SQLITE_AMALGAMATION" block around the typedef for u64 in shathree.c.
2020-12-11 drh Fix the configure script on the autoconf distribution so that the --disable-threadsafe option works.  See [https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244459|FreeBSD bug 244459].
2020-12-11 Dan Kennedy Fix the expert extension so that it handles generated columns correctly.
2020-12-11 drh Logic is in place to handle multiple ON CONFLICT clauses, but it does not work. Any use of ON CONFLICT will likely lead to memory faults.  This is an incremental check-in to save my place.
2020-12-10 drh Use an iterator for the index loop in sqlite3GenerateConstraintChecks(). The idea is that this iterator can be enhanced to traverse the indexes in any order, as required by multi-index UPSERT.
2020-12-10 Dan Kennedy Remove a redundant branch added by [56a54258560].
2020-12-10 Dan Kennedy Fix minor issues with new code on this branch.
2020-12-10 Dan Kennedy Better integrate the changes on this branch with OP_Insert and OP_IdxInsert.
2020-12-10 drh Add an optional function to the chsumvfs extension.  When activated by the SQLITE_CKSUMVFS_INIT_FUNCNAME macro, this function will invoke the file-control that sets the number of reserved bytes to 8.  This can be used to initialize a cksumvfs database file by programming languages that do not have access to the sqlite3_file_control() interface.
2020-12-10 drh The DO UPDATE code generator searches for the correct ON CONFLICT clause to use.
2020-12-09 mistachkin Fix compilation issues with MSVC related to C99.
2020-12-09 Dan Kennedy Transfer large index or WITHOUT ROWID records between b-trees when vacuuming without loading them into memory.
2020-12-09 drh For upsert, the constraint check code generator uses a copy of the index list for the target table, which can potentially be reordered.
2020-12-09 Dan Kennedy Add tests for a 'delete' command on a contentless table where values that weren't actually inserted are NULL.
2020-12-09 Dan Kennedy Avoid loading large intkey rows when VACUUMing, even if the page-size is changing.
2020-12-09 drh Improved comments in sqliteInt.h.  No changes to code.
2020-12-09 drh Initialize all terms in the ON CONFLICT clause stack.
2020-12-08 Dan Kennedy Experimental changes to vacuum to avoid loading large records entirely into memory. Currently only works in limited cases only - for rowid tables when the page-size does not change.
2020-12-08 drh Enhance UPSERT parsing to allow multiple ON CONFLICT clauses.  Only the very last clause may omit the conflict target, but the conflict target may now be omitted for the DO UPDATE resolution.
2020-12-07 drh Fix a bad assert() in math1Func().
2020-12-07 drh Fix to the --disable-math option to ./configure.
2020-12-07 drh Many more math functions.  Semantics follows PG wherever possible.
2020-12-07 drh Begin adding new SQL functions that depend on -lm:  ceil(), ceiling(), floor(), ln(), log(), and log10() so far.  More to follow.
2020-12-04 drh Fix harmless compiler warnings associated with the recent FTS5 enhancements.
2020-12-04 drh Fix a bug in the ".eqp" command of the shell that was introduced by the recent sqlite3SelectTrace/SQLITE_TESTCTRL_TRACEFLAGS changes.
2020-12-04 Dan Kennedy Ensure that fts5 function matchinfo() is registered before running tests that use it in fts5corrupt3.test.
2020-12-04 Dan Kennedy Fix a test script problem in walvfs.test.
2020-12-04 drh Fix an incorrect datatype no the sqlite3WhereTrace variable in test1.c.
2020-12-04 drh Further changes to the trace variables to try to eliminate (harmless) compiler warnings in all configurations.
2020-12-04 drh Alternative implementation of ".selecttrace" and ".wheretrace" that uses a test-control rather than global variables.
2020-12-03 Dan Kennedy When merging prefix lists in fts5, use 16-way merges instead of 2-way merges. This faster.
2020-12-03 drh Do not simulate OOM faults on the SQLITE_FCNTL_CKPT_START and SQLITE_FCNTL_CKPT_DONE file-controls, as those are write-only and the return value is always ignored.
2020-12-03 drh Enhance the generate_series() table-valued function to support negative step values.
2020-12-02 mistachkin Prevent potential segfault in the sqlite-expert idxPopulateStat1 context cleanup code.
2020-12-02 Dan Kennedy Allow a search for an N character prefix in fts5 to use a prefix index of size N+1, if no prefix index of size N exists.
2020-12-02 drh Fix the ".open" command in the CLI so that it accepts command-line options both before and after the filename.
2020-12-02 Dan Kennedy Improve performance for fts5 column filters that filter for more than one column. e.g. "{col1 col2 col3}:phrase".
2020-12-02 drh Parameterize the hash function in mkkeywordhash.c.  This was an attempt to find a better hash function, which turned out to not be successful.
2020-12-02 drh Increase the version number to 3.35.0 to begin the next development cycle.
2020-12-01 drh Add the --lookaside SIZE COUNT command-line option to the dbfuzz2 testing tool.
2020-11-27 drh Improve the speed of the tokenizer by recognizing that tokens starting with letters "_", "Y", or "Z" can never be SQL keywords and must be ordinary identifiers.

Created with:
  roll-dep src/third_party/sqlite/src

Bug: 1194330
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Darwin Huang <huangdarwin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#877232}

Change-Id: Ib68366d5395d72908d730b4b1c5cf741c89dd7ef
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Darwin Huang authored and mibrunin committed Aug 12, 2021
1 parent 24fe4f7 commit c49a1b4
Showing 8 changed files with 15,292 additions and 9,940 deletions.
627 changes: 314 additions & 313 deletions chromium/third_party/sqlite/src/amalgamation/rename_exports.h


517 changes: 340 additions & 177 deletions chromium/third_party/sqlite/src/amalgamation/shell/shell.c


11,056 changes: 6,771 additions & 4,285 deletions chromium/third_party/sqlite/src/amalgamation/sqlite3.c


61 changes: 44 additions & 17 deletions chromium/third_party/sqlite/src/amalgamation/sqlite3.h
@@ -123,9 +123,9 @@ extern "C" {
** [sqlite3_libversion_number()], [sqlite3_sourceid()],
** [sqlite_version()] and [sqlite_source_id()].
*/
#define SQLITE_VERSION "3.34.0"
#define SQLITE_VERSION_NUMBER 3034000
#define SQLITE_SOURCE_ID "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt1"
#define SQLITE_VERSION "3.35.5"
#define SQLITE_VERSION_NUMBER 3035005
#define SQLITE_SOURCE_ID "2021-04-19 18:32:05 1b256d97b553a9611efca188a3d995a2fff712759044ba480f9a0c9e98fae886"

/*
** CAPI3REF: Run-Time Library Version Numbers
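
Review bot: the three version constants are mutually consistent (3.35.5, 3035005, and a source id dated 2021-04-19) and match the roll target named in the commit message. Because this is a partial backport that touches only the amalgamation files, double-check that nothing else in the tree still takes its SQLite version from the old 3.34.0 header, so the non-amalgamation parts of the build do not drift out of sync.
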
@@ -2115,7 +2115,13 @@ struct sqlite3_mem_methods {
** The second parameter is a pointer to an integer into which
** is written 0 or 1 to indicate whether triggers are disabled or enabled
** following this call. The second parameter may be a NULL pointer, in
** which case the trigger setting is not reported back. </dd>
** which case the trigger setting is not reported back.
**
** <p>Originally this option disabled all triggers. ^(However, since
** SQLite version 3.35.0, TEMP triggers are still allowed even if
** this option is off. So, in other words, this option now only disables
** triggers in the main database schema or in the schemas of ATTACH-ed
** databases.)^ </dd>
**
** [[SQLITE_DBCONFIG_ENABLE_VIEW]]
** <dt>SQLITE_DBCONFIG_ENABLE_VIEW</dt>
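
Review bot: this doc-only hunk records a behavioural change that deserves a mention in the backport description: from SQLite 3.35.0 on, SQLITE_DBCONFIG_ENABLE_TRIGGER=0 no longer disables TEMP triggers, only those in the main and ATTACH-ed schemas. Any embedder that switches triggers off as a hardening step when opening untrusted database files should be told that triggers in the temp schema stay active, since the amalgamation being backported carries the new behaviour.
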
@@ -2126,7 +2132,13 @@ struct sqlite3_mem_methods {
** The second parameter is a pointer to an integer into which
** is written 0 or 1 to indicate whether views are disabled or enabled
** following this call. The second parameter may be a NULL pointer, in
** which case the view setting is not reported back. </dd>
** which case the view setting is not reported back.
**
** <p>Originally this option disabled all views. ^(However, since
** SQLite version 3.35.0, TEMP views are still allowed even if
** this option is off. So, in other words, this option now only disables
** views in the main database schema or in the schemas of ATTACH-ed
** databases.)^ </dd>
**
** [[SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER]]
** <dt>SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER</dt>
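
Review bot: same concern as for SQLITE_DBCONFIG_ENABLE_TRIGGER above: the new text documents that SQLITE_DBCONFIG_ENABLE_VIEW=0 leaves TEMP views enabled from 3.35.0 on. Code that sets this option to off and then assumes no view can be resolved during a query must now account for views in the temp schema.
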
@@ -3499,6 +3511,7 @@ SQLITE_API void sqlite3_progress_handler(sqlite3*, int, int(*)(void*), void*);
** that uses dot-files in place of posix advisory locking.
** <tr><td> file:data.db?mode=readonly <td>
** An error. "readonly" is not a valid option for the "mode" parameter.
** Use "ro" instead: "file:data.db?mode=ro".
** </table>
**
** ^URI hexadecimal escape sequences (%HH) are supported within the path and
@@ -3697,7 +3710,7 @@ SQLITE_API sqlite3_file *sqlite3_database_file_object(const char*);
** If the Y parameter to sqlite3_free_filename(Y) is anything other
** than a NULL pointer or a pointer previously acquired from
** sqlite3_create_filename(), then bad things such as heap
** corruption or segfaults may occur. The value Y should be
** corruption or segfaults may occur. The value Y should not be
** used again after sqlite3_free_filename(Y) has been called. This means
** that if the [sqlite3_vfs.xOpen()] method of a VFS has been called using Y,
** then the corresponding [sqlite3_module.xClose() method should also be
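
Review bot: the "should" to "should not" change in this hunk inverts the documented contract of sqlite3_free_filename(), and the new wording is the correct one (reusing Y after the free would be a use-after-free); the surrounding sentence now reads consistently. Also visible in the trailing context: the reference "[sqlite3_module.xClose() method" is missing its closing bracket. That is an upstream doc typo, better noted for a follow-up than changed inside a backport.
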
@@ -7765,7 +7778,8 @@ SQLITE_API int sqlite3_test_control(int op, ...);
#define SQLITE_TESTCTRL_PRNG_SEED 28
#define SQLITE_TESTCTRL_EXTRA_SCHEMA_CHECKS 29
#define SQLITE_TESTCTRL_SEEK_COUNT 30
#define SQLITE_TESTCTRL_LAST 30 /* Largest TESTCTRL */
#define SQLITE_TESTCTRL_TRACEFLAGS 31
#define SQLITE_TESTCTRL_LAST 31 /* Largest TESTCTRL */

/*
** CAPI3REF: SQL Keyword Checking
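
Review bot: SQLITE_TESTCTRL_LAST is bumped to 31 together with the new SQLITE_TESTCTRL_TRACEFLAGS, so the "largest TESTCTRL" bound stays correct. Per the roll log above, this test-control replaces the sqlite3SelectTrace/sqlite3WhereTrace global variables; any test harness in this tree that referenced those globals needs the matching change, which a backport of the amalgamations alone does not bring in.
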
@@ -10438,6 +10452,14 @@ SQLITE_API int sqlite3session_patchset(
*/
SQLITE_API int sqlite3session_isempty(sqlite3_session *pSession);

/*
** CAPI3REF: Query for the amount of heap memory used by a session object.
**
** This API returns the total amount of heap memory in bytes currently
** used by the session object passed as the only argument.
*/
SQLITE_API sqlite3_int64 sqlite3session_memory_used(sqlite3_session *pSession);

/*
** CAPI3REF: Create An Iterator To Traverse A Changeset
** CONSTRUCTOR: sqlite3_changeset_iter
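
Review bot: a new exported symbol, sqlite3session_memory_used(), is introduced here. Since this tree renames exported SQLite symbols through rename_exports.h (also changed in this commit), confirm that the new function has a corresponding entry there so it is not exported under its unprefixed name.
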
@@ -10540,18 +10562,23 @@ SQLITE_API int sqlite3changeset_next(sqlite3_changeset_iter *pIter);
** call to [sqlite3changeset_next()] must have returned [SQLITE_ROW]. If this
** is not the case, this function returns [SQLITE_MISUSE].
**
** If argument pzTab is not NULL, then *pzTab is set to point to a
** nul-terminated utf-8 encoded string containing the name of the table
** affected by the current change. The buffer remains valid until either
** sqlite3changeset_next() is called on the iterator or until the
** conflict-handler function returns. If pnCol is not NULL, then *pnCol is
** set to the number of columns in the table affected by the change. If
** pbIndirect is not NULL, then *pbIndirect is set to true (1) if the change
** Arguments pOp, pnCol and pzTab may not be NULL. Upon return, three
** outputs are set through these pointers:
**
** *pOp is set to one of [SQLITE_INSERT], [SQLITE_DELETE] or [SQLITE_UPDATE],
** depending on the type of change that the iterator currently points to;
**
** *pnCol is set to the number of columns in the table affected by the change; and
**
** *pzTab is set to point to a nul-terminated utf-8 encoded string containing
** the name of the table affected by the current change. The buffer remains
** valid until either sqlite3changeset_next() is called on the iterator
** or until the conflict-handler function returns.
**
** If pbIndirect is not NULL, then *pbIndirect is set to true (1) if the change
** is an indirect change, or false (0) otherwise. See the documentation for
** [sqlite3session_indirect()] for a description of direct and indirect
** changes. Finally, if pOp is not NULL, then *pOp is set to one of
** [SQLITE_INSERT], [SQLITE_DELETE] or [SQLITE_UPDATE], depending on the
** type of change that the iterator currently points to.
** changes.
**
** If no error occurs, SQLITE_OK is returned. If an error does occur, an
** SQLite error code is returned. The values of the output variables may not
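
Review bot: the rewritten text tightens this function's contract: pOp, pnCol and pzTab "may not be NULL", whereas the removed text allowed each of them to be NULL individually. If the implementation in sqlite3.c now writes through these pointers unconditionally, a caller in this tree that passed NULL for one of them under the old documentation would dereference NULL, so callers of sqlite3changeset_op() should be audited as part of the backport. pbIndirect keeps its optional semantics.
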
