From c4add21ff123bc01be51f6e7374a14c2106e3686 Mon Sep 17 00:00:00 2001
From: Ankur Tyagi <ankur.tyagi85@gmail.com>
Date: Thu, 18 Dec 2025 23:28:45 +0530
Subject: [PATCH] Add a typecast to avoid 32-bit integer overflow in the
 concat_ws() function with an enormous separator values and many arguments.

FossilOrigin-Name: 498e3f1cf57f164fbd8380e92bf91b9f26d6aa05d092fcd135d754abf1e5b1b5

CVE: CVE-2025-3277
CVE: CVE-2025-29087
Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f4fc2ee20311a0a5141726c71d318ab52001c974]

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 sqlite3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sqlite3.c b/sqlite3.c
index 80433f6c1f..8a43734131 100644
--- a/sqlite3.c
+++ b/sqlite3.c
@@ -130954,7 +130954,7 @@ static void concatFuncCore(
   for(i=0; i<argc; i++){
     n += sqlite3_value_bytes(argv[i]);
   }
-  n += (argc-1)*nSep;
+  n += (argc-1)*(i64)nSep;
   z = sqlite3_malloc64(n+1);
   if( z==0 ){
     sqlite3_result_error_nomem(context);