From ab17169870e985b062e520ecf95e6c79ad784f38 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Thu, 23 Apr 2020 11:25:13 +0200
Subject: [PATCH] fixed CVE-2019-16168 (rhbz#1826897)
|
---
src/analyze.c | 4 +++-
src/where.c | 1 +
test/analyzeC.test | 13 +++++++++++++
3 files changed, 17 insertions(+), 1 deletion(-)
|
diff --git a/src/analyze.c b/src/analyze.c
index 5075b57..e47c0f5 100644
--- a/src/analyze.c
+++ b/src/analyze.c
@@ -1497,7 +1497,9 @@ static void decodeIntArray(
if( sqlite3_strglob("unordered*", z)==0 ){
pIndex->bUnordered = 1;
}else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
+ int sz = sqlite3Atoi(z+3);
+ if( sz<2 ) sz = 2;
+ pIndex->szIdxRow = sqlite3LogEst(sz);
}else if( sqlite3_strglob("noskipscan*", z)==0 ){
pIndex->noSkipScan = 1;
}
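Review bot: The new clamp `if( sz<2 ) sz = 2;` has no comment explaining why 2 is the floor, and the reason is not local to this function: sqlite3LogEst(1) is 0, and the where.c hunk in this same patch divides by pTab->szTabRow, so a stat1 entry of sz=0 or sz=1 would otherwise make that divisor zero. A one-line why-comment would keep a later maintainer from removing what looks like an arbitrary bound, e.g. `/* sz<2 maps to a LogEst of 0; where.c divides by szTabRow, so clamp it */`. The sz value comes from the sqlite_stat1 table, i.e. from database content rather than from code, which is why a clamp rather than an assert is the right shape at this point; presumably the table-level row (null idx, as in test 4.4) is what ends up in szTabRow, so the clamp here is what protects that divisor. decodeIntArray starts before this hunk.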
diff --git a/src/where.c b/src/where.c
index 8e01660..1a4fa51 100644
--- a/src/where.c
+++ b/src/where.c
@@ -2655,6 +2655,7 @@ static int whereLoopAddBtreeIndex(
** it to pNew->rRun, which is currently set to the cost of the index
** seek only. Then, if this is a non-covering index, add the cost of
** visiting the rows in the main table. */
+ assert( pSrc->pTab->szTabRow>0 );
rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
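Review bot: The added `assert( pSrc->pTab->szTabRow>0 );` documents the invariant but is compiled out in release builds, so the only runtime protection for the division on the next line (`/pSrc->pTab->szTabRow`) is the sz<2 clamp in decodeIntArray from the src/analyze.c hunk of this patch; that dependency should be stated next to the assert, e.g. `/* szTabRow>0 is guaranteed by the sz<2 clamp in decodeIntArray() */`. Any other code path that assigns szTabRow without going through that clamp would re-open the division by zero, and this assert would only catch it in debug builds, so a reader should know where the real guarantee lives. whereLoopAddBtreeIndex continues outside this hunk.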
diff --git a/test/analyzeC.test b/test/analyzeC.test
index 02faa9c..3595c9d 100644
--- a/test/analyzeC.test
+++ b/test/analyzeC.test
@@ -132,6 +132,19 @@ do_execsql_test 4.3 {
SELECT count(a) FROM t1;
} {/.*INDEX t1ca.*/}
|
+# 2019-08-15.
+# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
+# The sz=N parameter in the sqlite_stat1 table needs to have a value of
+# 2 or more to avoid a division by zero in the query planner.
+#
+do_execsql_test 4.4 {
+ DROP TABLE IF EXISTS t44;
+ CREATE TABLE t44(a PRIMARY KEY);
+ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
+ ANALYZE sqlite_master;
+ SELECT 0 FROM t44 WHERE a IN(1,2,3);
+} {}
+
|
# The sz=NNN parameter works even if there is other extraneous text
# in the sqlite_stat1.stat column.
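Review bot: Test 4.4 exercises only `sz=0` on a table-level stat1 row (idx is null), while the clamp in analyze.c changes behaviour for every value below 2 and for index rows as well; sz=1 is the boundary case of `if( sz<2 )` and is not covered. A second do_execsql_test that replaces the stat1 row with `'sz=1'` (and, if an index on t44 exists, one using the index name instead of null) and repeats `ANALYZE sqlite_master;` and the SELECT would pin the boundary of the fix. Note that the glob in analyze.c is `sz=[0-9]*`, so a negative value would not be parsed by this branch at all and does not need a test here.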
--
2.24.1