
[kirkstone] sqlite3: patch CVE-2025-29088

Message ID 20250418221730.2113302-1-peter.marko@siemens.com

Commit Message

Peter Marko April 18, 2025, 10:17 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Pick commit [1] mentioned in [2].

[1] https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-29088

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../sqlite/files/CVE-2025-29088.patch         | 179 ++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |   1 +
 2 files changed, 180 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-29088.patch

Patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2025-29088.patch b/meta/recipes-support/sqlite/files/CVE-2025-29088.patch
new file mode 100644
index 0000000000..470ee9564c
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2025-29088.patch
@@ -0,0 +1,179 @@ 
+From 40f668e88d70d47b17652ca629d5f36fafaae0e8 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Mon, 17 Feb 2025 14:16:49 +0000
+Subject: [PATCH] Harden the SQLITE_DBCONFIG_LOOKASIDE interface against
+ misuse, such as described in [forum:/forumpost/48f365daec|forum post
+ 48f365daec].  Enhancements to the SQLITE_DBCONFIG_LOOKASIDE documentation. 
+ Test cases in TH3.
+
+FossilOrigin-Name: 1ec4c308c76c69fba031184254fc3340f07607cfbf8342b13713ab445563d377
+
+CVE: CVE-2025-29088
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ sqlite3.c | 42 +++++++++++++++++++++++---------------
+ sqlite3.h | 60 +++++++++++++++++++++++++++++++++++++------------------
+ 2 files changed, 67 insertions(+), 35 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 0b979f7a7d..27bea6f2e0 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -169267,17 +169267,22 @@ SQLITE_API int sqlite3_config(int op, ...){
+ ** If lookaside is already active, return SQLITE_BUSY.
+ **
+ ** The sz parameter is the number of bytes in each lookaside slot.
+-** The cnt parameter is the number of slots.  If pStart is NULL the
+-** space for the lookaside memory is obtained from sqlite3_malloc().
+-** If pStart is not NULL then it is sz*cnt bytes of memory to use for
+-** the lookaside memory.
++** The cnt parameter is the number of slots.  If pBuf is NULL the
++** space for the lookaside memory is obtained from sqlite3_malloc()
++** or similar.  If pBuf is not NULL then it is sz*cnt bytes of memory
++** to use for the lookaside memory.
+ */
+-static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){
++static int setupLookaside(
++  sqlite3 *db,    /* Database connection being configured */
++  void *pBuf,     /* Memory to use for lookaside.  May be NULL */
++  int sz,         /* Desired size of each lookaside memory slot */
++  int cnt         /* Number of slots to allocate */
++){
+ #ifndef SQLITE_OMIT_LOOKASIDE
+-  void *pStart;
+-  sqlite3_int64 szAlloc = sz*(sqlite3_int64)cnt;
+-  int nBig;   /* Number of full-size slots */
+-  int nSm;    /* Number smaller LOOKASIDE_SMALL-byte slots */
++  void *pStart;          /* Start of the lookaside buffer */
++  sqlite3_int64 szAlloc; /* Total space set aside for lookaside memory */
++  int nBig;              /* Number of full-size slots */
++  int nSm;               /* Number smaller LOOKASIDE_SMALL-byte slots */
+ 
+   if( sqlite3LookasideUsed(db,0)>0 ){
+     return SQLITE_BUSY;
+@@ -169290,17 +169295,22 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){
+     sqlite3_free(db->lookaside.pStart);
+   }
+   /* The size of a lookaside slot after ROUNDDOWN8 needs to be larger
+-  ** than a pointer to be useful.
++  ** than a pointer and small enough to fit in a u16.
+   */
+-  sz = ROUNDDOWN8(sz);  /* IMP: R-33038-09382 */
++  sz = ROUNDDOWN8(sz);
+   if( sz<=(int)sizeof(LookasideSlot*) ) sz = 0;
+-  if( cnt<0 ) cnt = 0;
+-  if( sz==0 || cnt==0 ){
++  if( sz>65528 ) sz = 65528;
++  /* Count must be at least 1 to be useful, but not so large as to use
++  ** more than 0x7fff0000 total bytes for lookaside. */
++  if( cnt<1 ) cnt = 0;
++  if( sz>0 && cnt>(0x7fff0000/sz) ) cnt = 0x7fff0000/sz;
++  szAlloc = (i64)sz*(i64)cnt;
++  if( szAlloc==0 ){
+     sz = 0;
+     pStart = 0;
+   }else if( pBuf==0 ){
+     sqlite3BeginBenignMalloc();
+-    pStart = sqlite3Malloc( szAlloc );  /* IMP: R-61949-35727 */
++    pStart = sqlite3Malloc( szAlloc );
+     sqlite3EndBenignMalloc();
+     if( pStart ) szAlloc = sqlite3MallocSize(pStart);
+   }else{
+@@ -169309,10 +169319,10 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){
+ #ifndef SQLITE_OMIT_TWOSIZE_LOOKASIDE
+   if( sz>=LOOKASIDE_SMALL*3 ){
+     nBig = szAlloc/(3*LOOKASIDE_SMALL+sz);
+-    nSm = (szAlloc - sz*nBig)/LOOKASIDE_SMALL;
++    nSm = (szAlloc - (i64)sz*(i64)nBig)/LOOKASIDE_SMALL;
+   }else if( sz>=LOOKASIDE_SMALL*2 ){
+     nBig = szAlloc/(LOOKASIDE_SMALL+sz);
+-    nSm = (szAlloc - sz*nBig)/LOOKASIDE_SMALL;
++    nSm = (szAlloc - (i64)sz*(i64)nBig)/LOOKASIDE_SMALL;
+   }else
+ #endif /* SQLITE_OMIT_TWOSIZE_LOOKASIDE */
+   if( sz>0 ){
+diff --git a/sqlite3.h b/sqlite3.h
+index de393da9dc..04e6b616d5 100644
+--- a/sqlite3.h
++++ b/sqlite3.h
+@@ -1914,13 +1914,16 @@ struct sqlite3_mem_methods {
+ **
+ ** [[SQLITE_CONFIG_LOOKASIDE]] <dt>SQLITE_CONFIG_LOOKASIDE</dt>
+ ** <dd> ^(The SQLITE_CONFIG_LOOKASIDE option takes two arguments that determine
+-** the default size of lookaside memory on each [database connection].
++** the default size of [lookaside memory] on each [database connection].
+ ** The first argument is the
+-** size of each lookaside buffer slot and the second is the number of
+-** slots allocated to each database connection.)^  ^(SQLITE_CONFIG_LOOKASIDE
+-** sets the <i>default</i> lookaside size. The [SQLITE_DBCONFIG_LOOKASIDE]
+-** option to [sqlite3_db_config()] can be used to change the lookaside
+-** configuration on individual connections.)^ </dd>
++** size of each lookaside buffer slot ("sz") and the second is the number of
++** slots allocated to each database connection ("cnt").)^
++** ^(SQLITE_CONFIG_LOOKASIDE sets the <i>default</i> lookaside size.
++** The [SQLITE_DBCONFIG_LOOKASIDE] option to [sqlite3_db_config()] can
++** be used to change the lookaside configuration on individual connections.)^
++** The [-DSQLITE_DEFAULT_LOOKASIDE] option can be used to change the
++** default lookaside configuration at compile-time.
++** </dd>
+ **
+ ** [[SQLITE_CONFIG_PCACHE2]] <dt>SQLITE_CONFIG_PCACHE2</dt>
+ ** <dd> ^(The SQLITE_CONFIG_PCACHE2 option takes a single argument which is
+@@ -2133,24 +2136,43 @@ struct sqlite3_mem_methods {
+ ** <dt>SQLITE_DBCONFIG_LOOKASIDE</dt>
+ ** <dd> ^This option takes three additional arguments that determine the
+ ** [lookaside memory allocator] configuration for the [database connection].
+-** ^The first argument (the third parameter to [sqlite3_db_config()] is a
++** <ol>
++** <li><p>The first argument ("buf") is a
+ ** pointer to a memory buffer to use for lookaside memory.
+-** ^The first argument after the SQLITE_DBCONFIG_LOOKASIDE verb
+-** may be NULL in which case SQLite will allocate the
+-** lookaside buffer itself using [sqlite3_malloc()]. ^The second argument is the
+-** size of each lookaside buffer slot.  ^The third argument is the number of
+-** slots.  The size of the buffer in the first argument must be greater than
+-** or equal to the product of the second and third arguments.  The buffer
+-** must be aligned to an 8-byte boundary.  ^If the second argument to
+-** SQLITE_DBCONFIG_LOOKASIDE is not a multiple of 8, it is internally
+-** rounded down to the next smaller multiple of 8.  ^(The lookaside memory
++** The first argument may be NULL in which case SQLite will allocate the
++** lookaside buffer itself using [sqlite3_malloc()].
++** <li><P>The second argument ("sz") is the
++** size of each lookaside buffer slot.  Lookaside is disabled if "sz"
++** is less than 8.  The "sz" argument should be a multiple of 8 less than
++** 65536.  If "sz" does not meet this constraint, it is reduced in size until
++** it does.
++** <li><p>The third argument ("cnt") is the number of slots. Lookaside is disabled
++** if "cnt"is less than 1.  The "cnt" value will be reduced, if necessary, so
++** that the product of "sz" and "cnt" does not exceed 2,147,418,112.  The "cnt"
++** parameter is usually chosen so that the product of "sz" and "cnt" is less
++** than 1,000,000.
++** </ol>
++** <p>If the "buf" argument is not NULL, then it must
++** point to a memory buffer with a size that is greater than
++** or equal to the product of "sz" and "cnt".
++** The buffer must be aligned to an 8-byte boundary.
++** The lookaside memory
+ ** configuration for a database connection can only be changed when that
+ ** connection is not currently using lookaside memory, or in other words
+-** when the "current value" returned by
+-** [sqlite3_db_status](D,[SQLITE_CONFIG_LOOKASIDE],...) is zero.
++** when the value returned by [SQLITE_DBSTATUS_LOOKASIDE_USED] is zero.
+ ** Any attempt to change the lookaside memory configuration when lookaside
+ ** memory is in use leaves the configuration unchanged and returns
+-** [SQLITE_BUSY].)^</dd>
++** [SQLITE_BUSY].
++** If the "buf" argument is NULL and an attempt
++** to allocate memory based on "sz" and "cnt" fails, then
++** lookaside is silently disabled.
++** <p>
++** The [SQLITE_CONFIG_LOOKASIDE] configuration option can be used to set the
++** default lookaside configuration at initialization.  The
++** [-DSQLITE_DEFAULT_LOOKASIDE] option can be used to set the default lookaside
++** configuration at compile-time.  Typical values for lookaside are 1200 for
++** "sz" and 40 to 100 for "cnt".
++** </dd>
+ **
+ ** [[SQLITE_DBCONFIG_ENABLE_FKEY]]
+ ** <dt>SQLITE_DBCONFIG_ENABLE_FKEY</dt>
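Review bot: The new sqlite3.h text under SQLITE_DBCONFIG_LOOKASIDE states that lookaside is disabled when "sz" is less than 8, but the code in setupLookaside disables it when the ROUNDDOWN8'd size is not larger than `sizeof(LookasideSlot*)`, so on an LP64 build every sz below 16 is disabled (8..15 rounds down to 8, which is not greater than an 8-byte pointer), not only values below 8. Suggest wording that sentence as `Lookaside is disabled if "sz", after being rounded down to a multiple of 8, is not larger than a pointer (i.e. below 16 on 64-bit platforms).` so callers sizing a custom "buf" are not surprised. Separately, the patch header's `From 40f668e8...` does not match the commit hash cited in Upstream-Status (`56d2fd00...`); if the patch was regenerated from a different mirror of the amalgamation, a one-line note in the header saying so would save the next backporter a lookup. setupLookaside continues past the end of this hunk, so the later consumers of the clamped sz and szAlloc (including the store into the u16 field the new comment refers to) are not visible here and should be checked in the 3.38.5 tree.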
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index 0a7a136c53..f47a9871e2 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -8,6 +8,7 @@  SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
            file://CVE-2022-46908.patch \
            file://CVE-2023-36191.patch \
            file://CVE-2023-7104.patch \
+           file://CVE-2025-29088.patch \
            "
 SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"