sqlite: Backport bugfixes for clusterfuzz security bugs

- security bugs were for integer overflow and heap-buffer overflow.

Bug: 925656, 932353, 925381
Change-Id: Ibda5a20302153b7ede3a5b89a7bcea622fded869
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1504333
Reviewed-by: Victor Costan <pwnall@chromium.org>
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Darwin Huang <huangdarwin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#638485}

third_party/sqlite/amalgamation/sqlite3.c

@@ -54328,8 +54328,14 @@ SQLITE_PRIVATE int sqlite3PagerSetPagesize(Pager *pPager, u32 *pPageSize, int nR
       rc = sqlite3OsFileSize(pPager->fd, &nByte);
     }
     if( rc==SQLITE_OK ){
-      pNew = (char *)sqlite3PageMalloc(pageSize);
-      if( !pNew ) rc = SQLITE_NOMEM_BKPT;
+      /* 8 bytes of zeroed overrun space is sufficient so that the b-tree
+      * cell header parser will never run off the end of the allocation */
+      pNew = (char *)sqlite3PageMalloc(pageSize+8);
+      if( !pNew ){
+        rc = SQLITE_NOMEM_BKPT;
+      }else{
+        memset(pNew+pageSize, 0, 8);
+      }
     }
 
     if( rc==SQLITE_OK ){
@@ -68646,7 +68652,7 @@ SQLITE_PRIVATE int sqlite3BtreeMovetoUnpacked(
             sqlite3_free(pCellKey);
             goto moveto_finish;
           }
-          c = xRecordCompare(nCell, pCellKey, pIdxKey);
+          c = sqlite3VdbeRecordCompare(nCell, pCellKey, pIdxKey);
           sqlite3_free(pCellKey);
         }
         assert(
@@ -72676,10 +72682,10 @@ static void checkList(
   IntegrityCk *pCheck,  /* Integrity checking context */
   int isFreeList,       /* True for a freelist.  False for overflow page list */
   int iPage,            /* Page number for first page in the list */
-  int N                 /* Expected number of pages in the list */
+  u32 N                 /* Expected number of pages in the list */
 ){
   int i;
-  int expected = N;
+  u32 expected = N;
   int nErrAtStart = pCheck->nErr;
   while( iPage!=0 && pCheck->mxErr ){
     DbPage *pOvflPage;
@@ -72933,7 +72939,7 @@ static int checkTreePage(
 
     /* Check the content overflow list */
     if( info.nPayload>info.nLocal ){
-      int nPage;       /* Number of pages on the overflow chain */
+      u32 nPage;       /* Number of pages on the overflow chain */
       Pgno pgnoOvfl;   /* First page of the overflow chain */
       assert( pc + info.nSize - 4 <= usableSize );
       nPage = (info.nPayload - info.nLocal + usableSize - 5)/(usableSize - 4);
@@ -221514,7 +221520,7 @@ SQLITE_API int sqlite3_stmt_init(
 #endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */
 
 /************** End of stmt.c ************************************************/
-#if __LINE__!=221517
+#if __LINE__!=221523
 #undef SQLITE_SOURCE_ID
 #define SQLITE_SOURCE_ID      "2019-02-25 16:06:06 bd49a8271d650fa89e446b42e513b595a717b9212c91dd384aab871fc1d0alt2"
 #endif

third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: dumi <dumi@chromium.org>
 Date: Mon, 20 Jul 2009 23:40:51 +0000
-Subject: [PATCH 1/7] Modify default VFS to support WebDatabase.
+Subject: [PATCH 01/10] Modify default VFS to support WebDatabase.
 
 The renderer WebDatabase implementation needs to broker certain requests
 to the browser.  This modifies SQLite to allow monkey-patching the VFS
@@ -175,5 +175,5 @@ index e279e21a8cb2..0c566e8f557e 100644
  ** CAPI3REF: String LIKE Matching
  *
 -- 
-2.21.0.rc2.261.ga7da99ff1b-goog
+2.21.0.352.gf09ad66450-goog
 

third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch

@@ -1,7 +1,8 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Scott Hess <shess@chromium.org>
 Date: Sat, 20 Jul 2013 11:42:21 -0700
-Subject: [PATCH 2/7] Virtual table supporting recovery of corrupted databases.
+Subject: [PATCH 02/10] Virtual table supporting recovery of corrupted
+ databases.
 
 "recover" implements a virtual table which uses the SQLite pager layer
 to read table pages and pull out the data which is structurally sound
@@ -3900,5 +3901,5 @@ index 000000000000..8aa4e049a010
 +
 +finish_test
 -- 
-2.21.0.rc2.261.ga7da99ff1b-goog
+2.21.0.352.gf09ad66450-goog
 

third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: "tc@google.com" <tc@google.com>
 Date: Tue, 6 Jan 2009 22:39:41 +0000
-Subject: [PATCH 3/7] Custom shell.c helpers to load Chromium's ICU data.
+Subject: [PATCH 03/10] Custom shell.c helpers to load Chromium's ICU data.
 
 History uses fts3 with an icu-based segmenter.  These changes allow building a
 sqlite3 binary for Linux or Windows which can read those files.
@@ -141,5 +141,5 @@ index 000000000000..67ebbf4fbdb4
 +  return 1;
 +}
 -- 
-2.21.0.rc2.261.ga7da99ff1b-goog
+2.21.0.352.gf09ad66450-goog
 

third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Scott Hess <shess@chromium.org>
 Date: Tue, 16 Dec 2014 13:02:27 -0800
-Subject: [PATCH 4/7] [fts3] Disable fts3_tokenizer and fts4.
+Subject: [PATCH 04/10] [fts3] Disable fts3_tokenizer and fts4.
 
 fts3_tokenizer allows a SQLite user to specify a pointer to call as a
 function, which has obvious sercurity implications.  Disable fts4 until
@@ -56,5 +56,5 @@ index 823e1b6a81fe..c371d3e8f0b5 100644
    }
 
 -- 
-2.21.0.rc2.261.ga7da99ff1b-goog
+2.21.0.352.gf09ad66450-goog
 

third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Scott Graham <scottmg@chromium.org>
 Date: Mon, 11 Sep 2017 13:37:46 -0700
-Subject: [PATCH 5/7] fuchsia: Use dot-file locking for sqlite
+Subject: [PATCH 05/10] fuchsia: Use dot-file locking for sqlite
 
 ---
  third_party/sqlite/src/src/os_unix.c | 4 ++++
@@ -23,5 +23,5 @@ index d0e1c39bc4b8..d0736e0a63de 100644
      UNIXVFS("unix",          posixIoFinder ),
  #endif
 -- 
-2.21.0.rc2.261.ga7da99ff1b-goog
+2.21.0.352.gf09ad66450-goog
 

third_party/sqlite/patches/0006-Fix-compilation-with-SQLITE_OMIT_WINDOWFUNC.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Victor Costan <pwnall@chromium.org>
 Date: Sun, 10 Feb 2019 13:12:57 -0800
-Subject: [PATCH 6/7] Fix compilation with SQLITE_OMIT_WINDOWFUNC.
+Subject: [PATCH 06/10] Fix compilation with SQLITE_OMIT_WINDOWFUNC.
 
 ---
  third_party/sqlite/src/src/resolve.c | 2 ++
@@ -28,5 +28,5 @@ index 7169152ed6e8..590e8e073f7f 100644
      /* If this is part of a compound SELECT, check that it has the right
      ** number of expressions in the select list. */
 -- 
-2.21.0.rc2.261.ga7da99ff1b-goog
+2.21.0.352.gf09ad66450-goog
 

third_party/sqlite/patches/0007-Fix-dbfuzz2.c-compilation-errors-on-Windows.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Victor Costan <pwnall@chromium.org>
 Date: Sun, 10 Feb 2019 15:18:43 -0800
-Subject: [PATCH 7/7] Fix dbfuzz2.c compilation errors on Windows.
+Subject: [PATCH 07/10] Fix dbfuzz2.c compilation errors on Windows.
 
 ---
  third_party/sqlite/src/test/dbfuzz2.c | 4 ++++
@@ -39,5 +39,5 @@ index c964ad4f018f..dd1ed061717b 100644
      argv[j++] = argv[i];
    }
 -- 
-2.21.0.rc2.261.ga7da99ff1b-goog
+2.21.0.352.gf09ad66450-goog
 

third_party/sqlite/patches/0008-Fix-Heap-buffer-overflow-in-vdbeRecordCompareInt.patch

@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darwin Huang <huangdarwin@chromium.org>
+Date: Tue, 5 Mar 2019 13:49:51 -0800
+Subject: [PATCH 08/10] Fix Heap-buffer-overflow in vdbeRecordCompareInt
+
+This backports https://www.sqlite.org/src/info/c1ac00706bae45fe
+
+Bug: 932353
+---
+ third_party/sqlite/src/src/btree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/third_party/sqlite/src/src/btree.c b/third_party/sqlite/src/src/btree.c
+index 773be1646914..caa45e507da6 100644
+--- a/third_party/sqlite/src/src/btree.c
++++ b/third_party/sqlite/src/src/btree.c
+@@ -5510,7 +5510,7 @@ int sqlite3BtreeMovetoUnpacked(
+             sqlite3_free(pCellKey);
+             goto moveto_finish;
+           }
+-          c = xRecordCompare(nCell, pCellKey, pIdxKey);
++          c = sqlite3VdbeRecordCompare(nCell, pCellKey, pIdxKey);
+           sqlite3_free(pCellKey);
+         }
+         assert(
+--
+2.21.0.352.gf09ad66450-goog
+

third_party/sqlite/patches/0009-fix-heap-buffer-overflow-in-cellsizeptr.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darwin Huang <huangdarwin@chromium.org>
+Date: Tue, 5 Mar 2019 14:13:19 -0800
+Subject: [PATCH 09/10] fix heap-buffer-overflow in cellsizeptr
+
+This backports https://www.sqlite.org/src/info/e7aca0714bc475e0
+
+Bug: 925656
+---
+ third_party/sqlite/src/src/pager.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/third_party/sqlite/src/src/pager.c b/third_party/sqlite/src/src/pager.c
+index 35f625d2c03a..efb9155f545d 100644
+--- a/third_party/sqlite/src/src/pager.c
++++ b/third_party/sqlite/src/src/pager.c
+@@ -3786,8 +3786,14 @@ int sqlite3PagerSetPagesize(Pager *pPager, u32 *pPageSize, int nReserve){
+       rc = sqlite3OsFileSize(pPager->fd, &nByte);
+     }
+     if( rc==SQLITE_OK ){
+-      pNew = (char *)sqlite3PageMalloc(pageSize);
+-      if( !pNew ) rc = SQLITE_NOMEM_BKPT;
++      /* 8 bytes of zeroed overrun space is sufficient so that the b-tree
++      * cell header parser will never run off the end of the allocation */
++      pNew = (char *)sqlite3PageMalloc(pageSize+8);
++      if( !pNew ){
++        rc = SQLITE_NOMEM_BKPT;
++      }else{
++        memset(pNew+pageSize, 0, 8);
++      }
+     }
+
+     if( rc==SQLITE_OK ){
+--
+2.21.0.352.gf09ad66450-goog
+

third_party/sqlite/patches/0010-fix-integer-overflow-in-checkList.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darwin Huang <huangdarwin@chromium.org>
+Date: Tue, 5 Mar 2019 14:17:05 -0800
+Subject: [PATCH 10/10] fix integer overflow in checkList
+
+This backports https://www.sqlite.org/src/info/05b87e0755638d31
+
+Bug: 925381
+---
+ third_party/sqlite/src/src/btree.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/third_party/sqlite/src/src/btree.c b/third_party/sqlite/src/src/btree.c
+index caa45e507da6..33d63d7b1ce2 100644
+--- a/third_party/sqlite/src/src/btree.c
++++ b/third_party/sqlite/src/src/btree.c
+@@ -9540,10 +9540,10 @@ static void checkList(
+   IntegrityCk *pCheck,  /* Integrity checking context */
+   int isFreeList,       /* True for a freelist.  False for overflow page list */
+   int iPage,            /* Page number for first page in the list */
+-  int N                 /* Expected number of pages in the list */
++  u32 N                 /* Expected number of pages in the list */
+ ){
+   int i;
+-  int expected = N;
++  u32 expected = N;
+   int nErrAtStart = pCheck->nErr;
+   while( iPage!=0 && pCheck->mxErr ){
+     DbPage *pOvflPage;
+@@ -9797,7 +9797,7 @@ static int checkTreePage(
+
+     /* Check the content overflow list */
+     if( info.nPayload>info.nLocal ){
+-      int nPage;       /* Number of pages on the overflow chain */
++      u32 nPage;       /* Number of pages on the overflow chain */
+       Pgno pgnoOvfl;   /* First page of the overflow chain */
+       assert( pc + info.nSize - 4 <= usableSize );
+       nPage = (info.nPayload - info.nLocal + usableSize - 5)/(usableSize - 4);
+--
+2.21.0.352.gf09ad66450-goog
+

third_party/sqlite/src/src/btree.c

@@ -5510,7 +5510,7 @@ int sqlite3BtreeMovetoUnpacked(
             sqlite3_free(pCellKey);
             goto moveto_finish;
           }
-          c = xRecordCompare(nCell, pCellKey, pIdxKey);
+          c = sqlite3VdbeRecordCompare(nCell, pCellKey, pIdxKey);
           sqlite3_free(pCellKey);
         }
         assert(
@@ -9540,10 +9540,10 @@ static void checkList(
   IntegrityCk *pCheck,  /* Integrity checking context */
   int isFreeList,       /* True for a freelist.  False for overflow page list */
   int iPage,            /* Page number for first page in the list */
-  int N                 /* Expected number of pages in the list */
+  u32 N                 /* Expected number of pages in the list */
 ){
   int i;
-  int expected = N;
+  u32 expected = N;
   int nErrAtStart = pCheck->nErr;
   while( iPage!=0 && pCheck->mxErr ){
     DbPage *pOvflPage;
@@ -9797,7 +9797,7 @@ static int checkTreePage(
 
     /* Check the content overflow list */
     if( info.nPayload>info.nLocal ){
-      int nPage;       /* Number of pages on the overflow chain */
+      u32 nPage;       /* Number of pages on the overflow chain */
       Pgno pgnoOvfl;   /* First page of the overflow chain */
       assert( pc + info.nSize - 4 <= usableSize );
       nPage = (info.nPayload - info.nLocal + usableSize - 5)/(usableSize - 4);

third_party/sqlite/src/src/pager.c

@@ -3786,8 +3786,14 @@ int sqlite3PagerSetPagesize(Pager *pPager, u32 *pPageSize, int nReserve){
       rc = sqlite3OsFileSize(pPager->fd, &nByte);
     }
     if( rc==SQLITE_OK ){
-      pNew = (char *)sqlite3PageMalloc(pageSize);
-      if( !pNew ) rc = SQLITE_NOMEM_BKPT;
+      /* 8 bytes of zeroed overrun space is sufficient so that the b-tree
+      * cell header parser will never run off the end of the allocation */
+      pNew = (char *)sqlite3PageMalloc(pageSize+8);
+      if( !pNew ){
+        rc = SQLITE_NOMEM_BKPT;
+      }else{
+        memset(pNew+pageSize, 0, 8);
+      }
     }
 
     if( rc==SQLITE_OK ){