From 1cbb088f4be95e7a02627f64de60653ef2b13ab5 Mon Sep 17 00:00:00 2001
From: drh <>
Date: Sun, 16 Feb 2025 10:57:25 +0000
Subject: [PATCH] Add a typecast to avoid 32-bit integer overflow in the
 concat_ws() function with an enormous separator values and many arguments.

Fixes the following CVE:
  - CVE-2025-29087: In SQLite 3.44.0 through 3.49.0 before 3.49.1,
                    the concat_ws() SQL function can cause memory to be
                    written beyond the end of a malloc-allocated buffer.

For more info see https://nvd.nist.gov/vuln/detail/CVE-2025-29087

Upstream: https://sqlite.org/src/info/498e3f1cf57f164f

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
 sqlite3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sqlite3.c b/sqlite3.c
index 80433f6..8a43734 100644
--- a/sqlite3.c
+++ b/sqlite3.c
@@ -130954,7 +130954,7 @@ static void concatFuncCore(
   for(i=0; i<argc; i++){
     n += sqlite3_value_bytes(argv[i]);
   }
-  n += (argc-1)*nSep;
+  n += (argc-1)*(i64)nSep;
   z = sqlite3_malloc64(n+1);
   if( z==0 ){
     sqlite3_result_error_nomem(context);
-- 
2.49.0