diff options
Diffstat (limited to 'poky/meta/recipes-support/sqlite/files/CVE-2020-13434.patch')
-rw-r--r-- | poky/meta/recipes-support/sqlite/files/CVE-2020-13434.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2020-13434.patch b/poky/meta/recipes-support/sqlite/files/CVE-2020-13434.patch new file mode 100644 index 0000000000..40c5e6f2ce --- /dev/null +++ b/poky/meta/recipes-support/sqlite/files/CVE-2020-13434.patch @@ -0,0 +1,48 @@ +From dd6c33d372f3b83f4fe57904c2bd5ebba5c38018 Mon Sep 17 00:00:00 2001 +From: drh <drh@noemail.net> +Date: Sat, 23 May 2020 19:58:07 +0000 +Subject: [PATCH] Limit the "precision" of floating-point to text conversions + in the printf() function to 100,000,000. Fix for ticket [23439ea582241138]. + +FossilOrigin-Name: d08d3405878d394e08e5d3af281246edfbd81ca74cc8d16458808591512fb93d + +Upstream-Status: Backport +CVE: CVE-2020-13434 + +Reference to upstream patch: +https://github.com/sqlite/sqlite/commit/dd6c33d372f3b83f4fe57904c2bd5ebba5c38018 + +Patch converted to amalgamation format + +Signed-off-by: Steve Sakoman <steve@sakoman.com> +--- +diff --git a/sqlite3.c b/sqlite3.c +index 55dc686..5ff2c14 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -28147,6 +28147,13 @@ static char *printfTempBuf(sqlite3_str *pAccum, sqlite3_int64 n){ + #endif + #define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */ + ++/* ++** Hard limit on the precision of floating-point conversions. ++*/ ++#ifndef SQLITE_PRINTF_PRECISION_LIMIT ++# define SQLITE_FP_PRECISION_LIMIT 100000000 ++#endif ++ + /* + ** Render a string given by "fmt" into the StrAccum object. + */ +@@ -28468,6 +28475,11 @@ SQLITE_API void sqlite3_str_vappendf( + length = 0; + #else + if( precision<0 ) precision = 6; /* Set default precision */ ++#ifdef SQLITE_FP_PRECISION_LIMIT ++ if( precision>SQLITE_FP_PRECISION_LIMIT ){ ++ precision = SQLITE_FP_PRECISION_LIMIT; ++ } ++#endif + if( realvalue<0.0 ){ + realvalue = -realvalue; + prefix = '-'; |