From 9b2e67077eb3dfd091e76b81081971a5c99f6b14 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Fri, 25 Jul 2025 14:20:28 +0200
Subject: [PATCH] sqlite3: apply patch for CVE-2025-6965
---
.../libraries/sqlite/CVE-2025-6965.patch | 113 ++++++++++++++++++
pkgs/development/libraries/sqlite/default.nix | 3 +
2 files changed, 116 insertions(+)
create mode 100644 pkgs/development/libraries/sqlite/CVE-2025-6965.patch
diff --git a/pkgs/development/libraries/sqlite/CVE-2025-6965.patch b/pkgs/development/libraries/sqlite/CVE-2025-6965.patch
new file mode 100644
index 000000000000..96da49e55980
--- /dev/null
+++ b/pkgs/development/libraries/sqlite/CVE-2025-6965.patch
@@ -0,0 +1,113 @@
+Index: src/expr.c
+==================================================================
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -7013,11 +7013,13 @@
+ AggInfo *pAggInfo, /* The AggInfo object to search and/or modify */
+ Expr *pExpr /* Expr describing the column to find or insert */
+ ){
+ struct AggInfo_col *pCol;
+ int k;
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
+ 
++ // assert( mxTerm <= SMXV(i16) ); # macro not available in 3.48.0
+ assert( pAggInfo->iFirstReg==0 );
+ pCol = pAggInfo->aCol;
+ for(k=0; knColumn; k++, pCol++){
+ if( pCol->pCExpr==pExpr ) return;
+ if( pCol->iTable==pExpr->iTable
+@@ -7030,10 +7032,14 @@
+ k = addAggInfoColumn(pParse->db, pAggInfo);
+ if( k<0 ){
+ /* OOM on resize */
+ assert( pParse->db->mallocFailed );
+ return;
++ }
++ if( k>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ k = mxTerm;
+ }
+ pCol = &pAggInfo->aCol[k];
+ assert( ExprUseYTab(pExpr) );
+ pCol->pTab = pExpr->y.pTab;
+ pCol->iTable = pExpr->iTable;
+@@ -7064,10 +7070,11 @@
+ assert( pExpr->pAggInfo==0 || pExpr->pAggInfo==pAggInfo );
+ pExpr->pAggInfo = pAggInfo;
+ if( pExpr->op==TK_COLUMN ){
+ pExpr->op = TK_AGG_COLUMN;
+ }
++ // assert( k <= SMXV(pExpr->iAgg) ); # macro not available in 3.48.0
+ pExpr->iAgg = (i16)k;
+ }
+ 
+ /*
+ ** This is the xExprCallback for a tree walker. It is used to
+@@ -7148,17 +7155,23 @@
+ ){
+ /* Check to see if pExpr is a duplicate of another aggregate
+ ** function that is already in the pAggInfo structure
+ */
+ struct AggInfo_func *pItem = pAggInfo->aFunc;
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++ // assert( mxTerm <= SMXV(i16) ); # macro not available in 3.48.0
+ for(i=0; inFunc; i++, pItem++){
+ if( NEVER(pItem->pFExpr==pExpr) ) break;
+ if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){
+ break;
+ }
+ }
+- if( i>=pAggInfo->nFunc ){
++ if( i>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ i = mxTerm;
++ assert( inFunc );
++ }else if( i>=pAggInfo->nFunc ){
+ /* pExpr is original. Make a new entry in pAggInfo->aFunc[]
+ */
+ u8 enc = ENC(pParse->db);
+ i = addAggInfoFunc(pParse->db, pAggInfo);
+ if( i>=0 ){
+@@ -7208,10 +7221,11 @@
+ }
+ /* Make pExpr point to the appropriate pAggInfo->aFunc[] entry
+ */
+ assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
+ ExprSetVVAProperty(pExpr, EP_NoReduce);
++ // assert( i <= SMXV(pExpr->iAgg) ); # macro not available in 3.48.0
+ pExpr->iAgg = (i16)i;
+ pExpr->pAggInfo = pAggInfo;
+ return WRC_Prune;
+ }else{
+ return WRC_Continue;
+
+Index: src/sqliteInt.h
+==================================================================
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -2894,21 +2894,21 @@
+ struct AggInfo {
+ u8 directMode; /* Direct rendering mode means take data directly
+ ** from source tables rather than from accumulators */
+ u8 useSortingIdx; /* In direct mode, reference the sorting index rather
+ ** than the source table */
+- u16 nSortingColumn; /* Number of columns in the sorting index */
++ u32 nSortingColumn; /* Number of columns in the sorting index */
+ int sortingIdx; /* Cursor number of the sorting index */
+ int sortingIdxPTab; /* Cursor number of pseudo-table */
+ int iFirstReg; /* First register in range for aCol[] and aFunc[] */
+ ExprList *pGroupBy; /* The group by clause */
+ struct AggInfo_col { /* For each column used in source tables */
+ Table *pTab; /* Source table */
+ Expr *pCExpr; /* The original expression */
+ int iTable; /* Cursor number of the source table */
+- i16 iColumn; /* Column number within the source table */
+- i16 iSorterColumn; /* Column number in the sorting index */
++ int iColumn; /* Column number within the source table */
++ int iSorterColumn; /* Column number in the sorting index */
+ } *aCol;
+ int nColumn; /* Number of used entries in aCol[] */
+ int nAccumulator; /* Number of columns that show through to the output.
+ ** Additional columns are used only as parameters to
+ ** aggregate functions */
+
diff --git a/pkgs/development/libraries/sqlite/default.nix b/pkgs/development/libraries/sqlite/default.nix
index abde663e2d7d..044159f81328 100644
--- a/pkgs/development/libraries/sqlite/default.nix
+++ b/pkgs/development/libraries/sqlite/default.nix
@@ -53,6 +53,9 @@ stdenv.mkDerivation rec {
 # https://sqlite.org/src/info/2025-02-16T10:57z
 ./CVE-2025-3277_CVE-2025-29087.patch
+
+ # https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
+ ./CVE-2025-6965.patch
 ];
 outputs = [
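Review bot: The backported `// assert( mxTerm <= SMXV(i16) ); # macro not available in 3.48.0` lines (and the two `SMXV(pExpr->iAgg)` ones) drop the debug check entirely, so nothing in this build verifies that the SQLITE_LIMIT_COLUMN value still fits the `i16` that `pExpr->iAgg = (i16)k;` and `pExpr->iAgg = (i16)i;` truncate into, which is the overflow this fix is about. Since `i16` is SQLite's 16-bit signed type, the check can be kept without the missing macro as `assert( mxTerm <= 0x7fff ); /* SMXV() not in 3.48.0 */`, which also stays within the file's `/* */` comment style instead of introducing `//` comments with a `#` trailer. If the amalgamation's compile-time cap on SQLITE_MAX_COLUMN already keeps the limit at or below 32767, this is belt-and-braces, but it costs nothing in release builds. Separately, `for(k=0; knColumn; ...)`, `for(i=0; inFunc; ...)` and `assert( inFunc )` read as if a `<pAggInfo->` fragment was stripped by the page renderer; presumably the file on disk is intact, but it is worth confirming the patch applies cleanly. The enclosing functions begin outside the inner hunks.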