SQLite: View Ticket

2021-07-12
15:00		Fix a defect in the query-flattener optimization identified by ticket [8f157e8010b22af0]. This fix is associated with CVE-2020-15358. (Leaf check-in: bcd014c4 user: dan tags: branch-3.32a)
14:38		Fix a defect in the query-flattener optimization identified by ticket [8f157e8010b22af0]. This fix is associated with CVE-2020-15358. (check-in: 9e001b63 user: dan tags: branch-3.28a)
2020-06-15
13:56		• Fixed ticket [8f157e80]: Heap Buffer Overflow in multiSelectOrderBy plus 7 other changes (artifact: 60b1a173 user: drh)
13:51		Fix a defect in the query-flattener optimization identified by ticket [8f157e8010b22af0]. (check-in: 10fa79d0 user: drh tags: trunk)
2020-06-14
20:14		• New ticket [8f157e80] Heap Buffer Overflow in multiSelectOrderBy. (artifact: 5a6a79fc user: yongheng)

Ticket Hash:	8f157e8010b22af03cb95f6e4f070fb4ccc07fcf
Title:	Heap Buffer Overflow in multiSelectOrderBy
Status:	Fixed	Type:	Code_Defect
Severity:	Minor	Priority:	Low
Subsystem:	Unknown	Resolution:	Fixed
Last Modified:	2020-06-15 13:56:11
Version Found In:
User Comments:
yongheng added on 2020-06-14 20:14:12: Affect at least trunk and 3.32 release version. POC: --- CREATE TABLE a(b); CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b; SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c; --- drh added on 2020-06-15 13:56:11: Simplified test case that does not involve window functions: `CREATE TABLE t1(c1); INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc'); CREATE TABLE t2(c2); INSERT INTO t2 VALUES(44),(55),(123); CREATE TABLE t3(c3,c4); INSERT INTO t3 VALUES(66,1),(123,2),(77,3); CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4; SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123;` Problem first appeared in the 3.25.0 release on 2018-09-15 and seems to have been caused by the new use of transitive properties for constant propagation - the optimization identified as "3c" in the change log