From d7f45414935e4ef6e3361f02a22876f1ee7a04aa Mon Sep 17 00:00:00 2001
From: drh <>
Date: Sun, 16 Feb 2025 10:57:25 +0000
Subject: [PATCH] Add a typecast to avoid 32-bit integer overflow in the
 concat_ws() function with an enormous separator values and many arguments.

FossilOrigin-Name: 498e3f1cf57f164fbd8380e92bf91b9f26d6aa05d092fcd135d754abf1e5b1b5

CVE: CVE-2025-3277
CVE: CVE-2025-29087
Upstream-Status: Backport [https://sqlite.org/src/info/498e3f1cf57f164f]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 sqlite3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sqlite3.c b/sqlite3.c
index 08c593e55c..24d0d954d9 100644
--- a/sqlite3.c
+++ b/sqlite3.c
@@ -129594,7 +129594,7 @@ static void concatFuncCore(
   for(i=0; i<argc; i++){
     n += sqlite3_value_bytes(argv[i]);
   }
-  n += (argc-1)*nSep;
+  n += (argc-1)*(i64)nSep;
   z = sqlite3_malloc64(n+1);
   if( z==0 ){
     sqlite3_result_error_nomem(context);