package/sqlite/0002-CVE-2017-15286.patch - buildroot - Git at Google

 Fix CVE-2017-15286

 SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c
 because it fails to consider certain cases where
 `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never
 initialized.

 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878680

 Upstream commit: http://www.sqlite.org/src/info/5d0ceb8dcdef92cd

 Index: src/shell.c
 ==================================================================
 --- src/shell.c
 +++ src/shell.c
 @@ -3807,10 +3807,11 @@
          isIPK = 0;
        }
      }
    }
    sqlite3_finalize(pStmt);
 +  if( azCol==0 ) return 0;
    azCol[0] = 0;
    azCol[nCol+1] = 0;

    /* The decision of whether or not a rowid really needs to be preserved
    ** is tricky.  We never need to preserve a rowid for a WITHOUT ROWID table
	Fix CVE-2017-15286

	SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c
	because it fails to consider certain cases where
	`sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never
	initialized.

	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878680

	Upstream commit: http://www.sqlite.org/src/info/5d0ceb8dcdef92cd

	Index: src/shell.c
	==================================================================
	--- src/shell.c
	+++ src/shell.c
	@@ -3807,10 +3807,11 @@
	isIPK = 0;
	}
	}
	}
	sqlite3_finalize(pStmt);
	+ if( azCol==0 ) return 0;
	azCol[0] = 0;
	azCol[nCol+1] = 0;

	/* The decision of whether or not a rowid really needs to be preserved
	** is tricky. We never need to preserve a rowid for a WITHOUT ROWID table