Package: sqlite3 / 3.27.2-3+deb10u1

CVE-2019-16168.patch Patch series | download
From 725dd72400872da94dcfb6af48128905b93d57fe Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Thu, 15 Aug 2019 14:35:45 +0000
Subject: [PATCH] Ensure that the optional "sz=N" parameter that can be
 manually added to the end of an sqlite_stat1 entry does not have an N value
 that is too small. Ticket [e4598ecbdd18bd82]

FossilOrigin-Name: 98357d8c1263920b33a3648ef9214a63c99728bafa7a8d3dd6a1241b2303fd42
---
 src/analyze.c      |  4 +++-
 src/where.c        |  1 +
 test/analyzeC.test | 14 ++++++++++++++
 5 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/src/analyze.c b/src/analyze.c
index 31fb6f5b5..1904b9be0 100644
--- a/src/analyze.c
+++ b/src/analyze.c
@@ -1450,7 +1450,9 @@ static void decodeIntArray(
       if( sqlite3_strglob("unordered*", z)==0 ){
         pIndex->bUnordered = 1;
       }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
-        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
+        int sz = sqlite3Atoi(z+3);
+        if( sz<2 ) sz = 2;
+        pIndex->szIdxRow = sqlite3LogEst(sz);
       }else if( sqlite3_strglob("noskipscan*", z)==0 ){
         pIndex->noSkipScan = 1;
       }
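Review bot: The clamp `if( sz<2 ) sz = 2;` has no comment explaining why 2 is the floor; the only explanation is in test/analyzeC.test. Because the sqlite_stat1 text is read from the database file and can be hand-edited or crafted, the reason belongs next to the check, for example `/* sz<2 would give a LogEst of 0, which the query planner later uses as a divisor */`. The clamp presumably also covers digit strings that sqlite3Atoi cannot represent, if it returns 0 for them as I expect; that is worth stating in the comment if it is relied upon. decodeIntArray starts and ends outside this hunk.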
diff --git a/src/where.c b/src/where.c
index 65c92863a..a37a810a2 100644
--- a/src/where.c
+++ b/src/where.c
@@ -2670,6 +2670,7 @@ static int whereLoopAddBtreeIndex(
     ** it to pNew->rRun, which is currently set to the cost of the index
     ** seek only. Then, if this is a non-covering index, add the cost of
     ** visiting the rows in the main table.  */
+    assert( pSrc->pTab->szTabRow>0 );
     rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
     pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
     if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
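Review bot: The added `assert( pSrc->pTab->szTabRow>0 );` protects the division on the following line only in builds where assert is active. In a release build it presumably compiles to nothing, which leaves the clamp in src/analyze.c as the only runtime protection. Any other code path that can assign szTabRow lies outside this hunk and should be checked for the same lower bound. A short comment such as `/* nonzero szTabRow for sz=N input is enforced by the clamp in decodeIntArray() */` would record where the invariant is established. whereLoopAddBtreeIndex starts and ends outside the hunk.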
diff --git a/test/analyzeC.test b/test/analyzeC.test
index 02faa9c7e..2a0a89781 100644
--- a/test/analyzeC.test
+++ b/test/analyzeC.test
@@ -132,6 +132,20 @@ do_execsql_test 4.3 {
   SELECT count(a) FROM t1;
 } {/.*INDEX t1ca.*/}
 
+# 2019-08-15.
+# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
+# The sz=N parameter in the sqlite_stat1 table needs to have a value of
+# 2 or more to avoid a division by zero in the query planner.
+#
+do_execsql_test 4.4 {
+  DROP TABLE IF EXISTS t44;
+  CREATE TABLE t44(a PRIMARY KEY);
+  INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
+  ANALYZE sqlite_master;
+  SELECT 0 FROM t44 WHERE a IN(1,2,3);
+} {}
+
+
 
 # The sz=NNN parameter works even if there is other extraneous text
 # in the sqlite_stat1.stat column.
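Review bot: Test 4.4 exercises only `'sz=0'`, although the comment above it says every value below 2 is a problem. A sibling case with `'sz=1'`, and one with a digit string too long to fit an integer, would pin both edges of the clamp in decodeIntArray. The test passes simply by not crashing, so the comment could also note that the empty expected result `{}` is incidental.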