new file mode 100644
@@ -0,0 +1,46 @@
+From eab426c5fba69d2c77023939f72b4ad446834e3c Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Thu, 7 Sep 2023 13:53:09 +0000
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset.
+
+Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47]
+CVE: CVE-2023-7104
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sqlite3.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 972ef18..c645ac8 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -203301,15 +203301,19 @@ static int sessionReadRecord(
+ }
+ }
+ if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+- sqlite3_int64 v = sessionGetI64(aVal);
+- if( eType==SQLITE_INTEGER ){
+- sqlite3VdbeMemSetInt64(apOut[i], v);
++ if( (pIn->nData-pIn->iNext)<8 ){
++ rc = SQLITE_CORRUPT_BKPT;
+ }else{
+- double d;
+- memcpy(&d, &v, 8);
+- sqlite3VdbeMemSetDouble(apOut[i], d);
++ sqlite3_int64 v = sessionGetI64(aVal);
++ if( eType==SQLITE_INTEGER ){
++ sqlite3VdbeMemSetInt64(apOut[i], v);
++ }else{
++ double d;
++ memcpy(&d, &v, 8);
++ sqlite3VdbeMemSetDouble(apOut[i], d);
++ }
++ pIn->iNext += 8;
+ }
+- pIn->iNext += 8;
+ }
+ }
+ }
+--
+2.25.1
+
@@ -17,6 +17,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
file://CVE-2020-35525.patch \
file://CVE-2020-35527.patch \
file://CVE-2021-20223.patch \
+ file://CVE-2023-7104.patch \
"
SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"