From ab17169870e985b062e520ecf95e6c79ad784f38 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj
Date: Thu, 23 Apr 2020 11:25:13 +0200
Subject: [PATCH] fixed CVE-2019-16168 (rhbz#1826897)

---
 src/analyze.c | 4 +++-
 src/where.c | 1 +
 test/analyzeC.test | 13 +++++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/analyze.c b/src/analyze.c
index 5075b57..e47c0f5 100644
--- a/src/analyze.c
+++ b/src/analyze.c
@@ -1497,7 +1497,9 @@ static void decodeIntArray(
 if( sqlite3_strglob("unordered*", z)==0 ){
 pIndex->bUnordered = 1;
 }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
+ int sz = sqlite3Atoi(z+3);
+ if( sz<2 ) sz = 2;
+ pIndex->szIdxRow = sqlite3LogEst(sz);
 }else if( sqlite3_strglob("noskipscan*", z)==0 ){
 pIndex->noSkipScan = 1;
 }
diff --git a/src/where.c b/src/where.c
index 8e01660..1a4fa51 100644
--- a/src/where.c
+++ b/src/where.c
@@ -2655,6 +2655,7 @@ static int whereLoopAddBtreeIndex(
 ** it to pNew->rRun, which is currently set to the cost of the index
 ** seek only. Then, if this is a non-covering index, add the cost of
 ** visiting the rows in the main table. */
+ assert( pSrc->pTab->szTabRow>0 );
 rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
 pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
 if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
diff --git a/test/analyzeC.test b/test/analyzeC.test
index 02faa9c..3595c9d 100644
--- a/test/analyzeC.test
+++ b/test/analyzeC.test
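Review bot: The new floor `if( sz<2 ) sz = 2;` carries no comment saying why the bound is 2 rather than 1, and nothing at this spot connects it to the division in where.c that the commit title says it fixes. I would put `/* Values below 2 are clamped: sz feeds sqlite3LogEst(), and the query planner divides by the resulting row-size estimate (see whereLoopAddBtreeIndex(), CVE-2019-16168). */` above the clamp so the next maintainer does not relax it. Also worth stating is what sqlite3Atoi() returns for a digit string that overflows int, since the glob only checks that the text starts with a digit; if it yields 0 or a negative value on overflow the clamp covers that case too, but that is not visible from this hunk. decodeIntArray() begins outside the hunk.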
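Review bot: `assert( pSrc->pTab->szTabRow>0 );` only documents the invariant; under NDEBUG it compiles away, so the division on the following `rCostIdx = ...` line is exactly as unguarded in release builds as before, and the real protection is the sz>=2 floor added in decodeIntArray(). A comment tying the two together would keep them from drifting, e.g. `/* szTabRow>0 relies on the sz>=2 floor applied in decodeIntArray() (CVE-2019-16168) */`. If any other code path writes szTabRow from data a user controls — not visible in this hunk — it needs the same floor, because this assert will not catch it in production. whereLoopAddBtreeIndex() continues on both sides of the hunk.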
@@ -132,6 +132,19 @@ do_execsql_test 4.3 {
 SELECT count(a) FROM t1;
 } {/.*INDEX t1ca.*/}
+# 2019-08-15.
+# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
+# The sz=N parameter in the sqlite_stat1 table needs to have a value of
+# 2 or more to avoid a division by zero in the query planner.
+#
+do_execsql_test 4.4 {
+ DROP TABLE IF EXISTS t44;
+ CREATE TABLE t44(a PRIMARY KEY);
+ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
+ ANALYZE sqlite_master;
+ SELECT 0 FROM t44 WHERE a IN(1,2,3);
+} {}
+ # The sz=NNN parameter works even if there is other extraneous text + # in the sqlite_stat1.stat column.
-- 
2.24.1
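Review bot: Test 4.4 exercises only sz=0, while the comment above it states the floor is 2, so the other value the clamp rewrites, sz=1, is left untested. I would add a sibling test 4.5 that repeats the setup with `INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=1');` followed by `ANALYZE sqlite_master;` and the same `SELECT 0 FROM t44 WHERE a IN(1,2,3);`, so both sides of the boundary are pinned. The expected result `{}` only shows the query completes without dividing by zero; if the intent is also to check the clamped estimate, that would need a separate assertion on the planner output.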