From a2f1b595f71027d32329d756e666d7a6c45f628f Mon Sep 17 00:00:00 2001 From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> Date: Fri, 12 Jun 2026 09:51:06 +0800 Subject: [PATCH] [CVE][Upstream] Add patch to fix CVE-2025-70873 To #bug31628 commit upstream Project: TC2024080204 Signed-off-by: tomcruiseqi --- 0003-bugfix-for-CVE-2025-70873.patch | 17 +++++++ 1001-fix-CVE-2025-6965.patch | 68 ++++++++++++---------------- sqlite.spec | 10 +++- 3 files changed, 54 insertions(+), 41 deletions(-) create mode 100644 0003-bugfix-for-CVE-2025-70873.patch diff --git a/0003-bugfix-for-CVE-2025-70873.patch b/0003-bugfix-for-CVE-2025-70873.patch new file mode 100644 index 0000000..37d1b98 --- /dev/null +++ b/0003-bugfix-for-CVE-2025-70873.patch @@ -0,0 +1,17 @@ +Index: ext/misc/zipfile.c +================================================================== +--- a/ext/misc/zipfile.c ++++ b/ext/misc/zipfile.c +@@ -1007,11 +1007,11 @@ + }else{ + err = inflate(&str, Z_NO_FLUSH); + if( err!=Z_STREAM_END ){ + zipfileCtxErrorMsg(pCtx, "inflate() failed (%d)", err); + }else{ +- sqlite3_result_blob(pCtx, aRes, nOut, zipfileFree); ++ sqlite3_result_blob(pCtx, aRes, (int)str.total_out, zipfileFree); + aRes = 0; + } + } + sqlite3_free(aRes); + inflateEnd(&str); diff --git a/1001-fix-CVE-2025-6965.patch b/1001-fix-CVE-2025-6965.patch index ce56034..0c7e201 100644 --- a/1001-fix-CVE-2025-6965.patch +++ b/1001-fix-CVE-2025-6965.patch @@ -1,15 +1,5 @@ -From a456383b64e9863040bdcb3bbe54201bd11e09ec Mon Sep 17 00:00:00 2001 -From: mgb01105731 -Date: Fri, 25 Jul 2025 15:12:35 +0800 -Subject: [PATCH 1/1] fix CVE-2025-6965 - ---- - src/expr.c | 16 +++++++++++++++- - src/sqliteInt.h | 14 +++++++++++--- - 2 files changed, 26 insertions(+), 4 deletions(-) - diff --git a/src/expr.c b/src/expr.c -index a81b459..79c95e7 100644 +index a81b459..eb8aeb4 100644 --- a/src/expr.c +++ b/src/expr.c @@ -6409,7 +6409,9 @@ static void findOrCreateAggInfoColumn( 
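Review bot: The new patch file begins directly at `Index: ext/misc/zipfile.c` and records neither the upstream check-in it was taken from nor why the blob length changes from `nOut` to `str.total_out`. Text above the `Index:` line is ignored by patch(1), so a short header can carry both: for example `Upstream: https://www.sqlite.org/src/info/<UPSTREAM_CHECKIN_HASH>` (placeholder, fill in the real check-in), plus one sentence saying the result must be limited to the bytes inflate() actually wrote into `aRes`, presumably because `nOut` can be larger than that. The `Patch0003:` line in sqlite.spec could take the same kind of URL comment that sits above `Patch0002:`. The `(int)` cast narrows zlib's `uLong`; it looks safe if the output buffer was sized from `nOut`, but that setup is outside the hunk, and the enclosing function starts and ends outside it too.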
@@ -18,7 +8,7 @@ index a81b459..79c95e7 100644 int k; + int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; -+ assert( mxTerm <= SMXV(i16)); ++ assert( mxTerm <= SMXV(i16) ); assert( pAggInfo->iFirstReg==0 ); pCol = pAggInfo->aCol; for(k=0; knColumn; k++, pCol++){ @@ -37,7 +27,7 @@ index a81b459..79c95e7 100644 if( pExpr->op==TK_COLUMN ){ pExpr->op = TK_AGG_COLUMN; } -+ assert( k <= SMXV(PeXPR->Iagg) ); ++ assert( k <= SMXV(pExpr->iAgg) ); pExpr->iAgg = (i16)k; } @@ -45,8 +35,8 @@ index a81b459..79c95e7 100644 ** function that is already in the pAggInfo structure */ struct AggInfo_func *pItem = pAggInfo->aFunc; -+ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; -+ assert( mxTerm <= SMXV(i16) ); ++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; ++ assert( mxTerm <= SMXV(i16) ); for(i=0; inFunc; i++, pItem++){ if( pItem->pFExpr==pExpr ) break; if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){ @@ -54,11 +44,11 @@ index a81b459..79c95e7 100644 } } - if( i>=pAggInfo->nFunc ){ -+ if( i>mxTerm ){ -+ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm); -+ i = mxTerm; -+ assert( inFunc ); -+ }else if( i>=pAggInfo->nFunc ){ ++ if( i>mxTerm ){ ++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm); ++ i = mxTerm; ++ assert( inFunc ); ++ }else if( i>=pAggInfo->nFunc ){ /* pExpr is original. Make a new entry in pAggInfo->aFunc[] */ u8 enc = ENC(pParse->db); @@ -66,15 +56,30 @@ index a81b459..79c95e7 100644 */ assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) ); ExprSetVVAProperty(pExpr, EP_NoReduce); -+ assert( i <= SMXV(pExpr->iAgg) ); ++ assert( i <= SMXV(pExpr->iAgg) ); pExpr->iAgg = (i16)i; pExpr->pAggInfo = pAggInfo; return WRC_Prune; diff --git a/src/sqliteInt.h b/src/sqliteInt.h -index 2c89377..fbe1cd8 100644 +index 2c89377..54f5a7e 100644 --- a/src/sqliteInt.h 
+++ b/src/sqliteInt.h -@@ -2782,7 +2782,7 @@ struct AggInfo { +@@ -942,6 +942,14 @@ typedef INT16_TYPE LogEst; + #define LARGEST_UINT64 (0xffffffff|(((u64)0xffffffff)<<32)) + #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64) + ++/* ++** Macro SMXV(n) return the maximum value that can be held in variable n, ++** assuming n is a signed integer type. UMXV(n) is similar for unsigned ++** integer types. ++*/ ++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1) ++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1) ++ + /* + ** Round up a number to the next larger multiple of 8. This is used + ** to force 8-byte alignment on 64-bit architectures. +@@ -2782,7 +2790,7 @@ struct AggInfo { ** from source tables rather than from accumulators */ u8 useSortingIdx; /* In direct mode, reference the sorting index rather ** than the source table */ @@ -83,7 +88,7 @@ index 2c89377..fbe1cd8 100644 int sortingIdx; /* Cursor number of the sorting index */ int sortingIdxPTab; /* Cursor number of pseudo-table */ int iFirstReg; /* First register in range for aCol[] and aFunc[] */ -@@ -2791,8 +2791,8 @@ struct AggInfo { +@@ -2791,8 +2799,8 @@ struct AggInfo { Table *pTab; /* Source table */ Expr *pCExpr; /* The original expression */ int iTable; /* Cursor number of the source table */ @@ -94,19 +99,4 @@ index 2c89377..fbe1cd8 100644 } *aCol; int nColumn; /* Number of used entries in aCol[] */ int nAccumulator; /* Number of columns that show through to the output. -@@ -5607,4 +5607,12 @@ sqlite3_uint64 sqlite3Hwtime(void); - # define IS_STMT_SCANSTATUS(db) 0 - #endif - -+/* -+** Macro SMXV(n) retrun the maximum value that can be held in varibale n, -+** assuming n is a signed integer type. UMXV(n) is similar for unsigned -+** integer types. -+*/ -+#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1) -+#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1) -+ - #endif /* SQLITEINT_H */ --- -2.47.3 diff --git a/sqlite.spec b/sqlite.spec index 1408e5a..df74e5c 100644 --- a/sqlite.spec +++ b/sqlite.spec 
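Review bot: The comment added above `SMXV`/`UMXV` in src/sqliteInt.h does not state the width limit of the macros: with an 8-byte `n`, `SMXV` shifts `(i64)1` left by 63 and `UMXV` shifts it by 64, and both are undefined behaviour in C. The uses visible in this patch pass `i16` and `pExpr->iAgg`, which the `(i16)k` and `(i16)i` casts suggest is 16 bits wide, so they are fine. If the backport is allowed to differ from upstream in comments, add a line such as `** Only valid when sizeof(n) is less than 8.`; the first sentence of the same comment would also read better as `Macro SMXV(n) returns the maximum value`.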
@@ -1,4 +1,4 @@ -%define anolis_release 5 +%define anolis_release 6 %bcond_without tcl %bcond_without sqldiff @@ -22,6 +22,7 @@ Source1: http://www.sqlite.org/%{year}/sqlite-doc-%{docver}.zip Patch0001: 0001-CVE-2023-7104.patch # https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8 Patch0002: 1001-fix-CVE-2025-6965.patch +Patch0003: 0003-bugfix-for-CVE-2025-70873.patch BuildRequires: make BuildRequires: gcc @@ -117,6 +118,8 @@ This package contains the analysis program for %{name}. %prep %setup -q -a1 -n %{name}-src-%{realver} %patch0001 -p1 +%patch0002 -p1 +%patch0003 -p1 # Remove backup-file rm -f %{name}-doc-%{docver}/sqlite.css~ || : @@ -241,7 +244,10 @@ rm -rf test/transitive1.test test/tkt3493.test test/misc1.test test/indexexpr2.t %endif %changelog -* Fri Jul 25 2025 mgb01105731 - 3.42.0-5 +* Fri Jun 12 2026 tomcruiseqi - 1:3.42.0-6 +- Fix CVE-2025-70873 + +* Fri Jul 25 2025 mgb01105731 - 1:3.42.0-5 - Add patch to fix CVE-2025-6965 * Wed Jul 3 2024 pangqing - 3.42.0-4 -- Gitee
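Review bot: `%patch0002 -p1` is added in the `%prep` hunk together with `%patch0003 -p1`, and the only context line before them is `%patch0001 -p1`, so as far as this hunk shows release 5 declared `Patch0002: 1001-fix-CVE-2025-6965.patch` without ever applying it (unless it is applied somewhere outside the hunk). The new changelog entry lists only CVE-2025-70873, which leaves anyone tracking fixes by changelog treating 3.42.0-5 as already fixed for CVE-2025-6965. Record it explicitly, for example `- Apply 1001-fix-CVE-2025-6965.patch in %%prep (declared in -5 but not applied)`. The `SMXV(PeXPR->Iagg)` typo corrected in the same commit would not have compiled with assertions enabled, which fits the patch not having been built before. It would be worth confirming with a build log that both patches now apply with `-p1`.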