Fix an off-by-one error in the Bloom filter pulldown logic, found by OSSFuzz.

Also fix over-length source code lines in the immediate vicinity.

FossilOrigin-Name: 027626521c02be06ef61e8229bde49d20cb3f1cb600c4cb127c5f139b9de8858

diff --git a/manifest b/manifest
index 301a4cf91b8e2d2ebde5312e443f37089f673fa7..9fb8ae3cb8a6ba336a562d2cb3f081c6a6d7fda4 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Remove\sunused\scode.
-D 2021-12-13T00:02:59.146
+C Fix\san\soff-by-one\serror\sin\sthe\sBloom\sfilter\spulldown\slogic,\sfound\sby\sOSSFuzz.\nAlso\sfix\sover-length\ssource\scode\slines\sin\sthe\simmediate\svicinity.
+D 2021-12-13T18:43:46.407
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -638,7 +638,7 @@ F src/vxworks.h d2988f4e5a61a4dfe82c6524dd3d6e4f2ce3cdb9
 F src/wal.c ed0398a7adf02c31e34aada42cc86c58f413a7afe5f741a5d373ad087abde028
 F src/wal.h c3aa7825bfa2fe0d85bef2db94655f99870a285778baa36307c0a16da32b226a
 F src/walker.c f890a3298418d7cba3b69b8803594fdc484ea241206a8dfa99db6dd36f8cbb3b
-F src/where.c f92862c2d7b9dd6524b10c4ad1f1b30d9cd6724b93077550ad8ebe4a74810458
+F src/where.c 78a878f3264b4710b805bc11d18651435fbc80051d00e3e42692fc86c1cd31bb
 F src/whereInt.h e83f7ba73db5b1b2685118fad67d178fbe04751a25419f0f6ff73e58b4807325
 F src/wherecode.c 6a594ed25bfbeb60d455868b7be62637575e4f1949152de4336e4825e0c54ba6
 F src/whereexpr.c 791544603b254cf11f8e84e3b50b0863c57322e9f213b828680f658e232ebc57
@@ -1934,7 +1934,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 799db7cb2e0d73031182d26a0e5919368f9f9823df81cb2863bfe79eca344f5c
-R 443c4836c6ff4faa05c5e5c0f674c8e4
+P b98b24f26518fb362e776bbaef80910bed66b654239e7c76d4b234033ef4174b
+R 3a4dce129857177521e360c2e6772ed6
 U drh
-Z fcc54c34db6e9396cb50523f7150424b
+Z e1c941de49bea239b2265178ce7baef0

diff --git a/manifest.uuid b/manifest.uuid
index f6fc78967260f4caa1a40fbc483ca67f03641a16..2e6de68e217de0e7aacd2ce6b7797a3749413084 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-b98b24f26518fb362e776bbaef80910bed66b654239e7c76d4b234033ef4174b
\ No newline at end of file
+027626521c02be06ef61e8229bde49d20cb3f1cb600c4cb127c5f139b9de8858
\ No newline at end of file

diff --git a/src/where.c b/src/where.c
index 221ab8f0e721ca4addfa010d779a4f464c0f5068..852f1c17ffaa3c9245d6fb267fffeba15f287f05 100644 (file)
--- a/src/where.c
+++ b/src/where.c
@@ -1069,16 +1069,18 @@ static SQLITE_NOINLINE void sqlite3ConstructBloomFilter(
     sqlite3VdbeJumpHere(v, addrTop);
     pLoop->wsFlags &= ~WHERE_BLOOMFILTER;
     if( OptimizationDisabled(pParse->db, SQLITE_BloomPulldown) ) break;
-    while( iLevel < pWInfo->nLevel ){
-      iLevel++;
+    while( ++iLevel < pWInfo->nLevel ){
       pLevel = &pWInfo->a[iLevel];
       pLoop = pLevel->pWLoop;
       if( pLoop==0 ) continue;
       if( pLoop->prereq & notReady ) continue;
-      if( (pLoop->wsFlags & (WHERE_BLOOMFILTER|WHERE_COLUMN_IN))==WHERE_BLOOMFILTER ){
+      if( (pLoop->wsFlags & (WHERE_BLOOMFILTER|WHERE_COLUMN_IN))
+                 ==WHERE_BLOOMFILTER
+      ){
         /* This is a candidate for bloom-filter pull-down (early evaluation).
-        ** The test that WHERE_COLUMN_IN is omitted is important, as we are not able
-        ** to do early evaluation of bloom filters that make use of the IN operator */
+        ** The test that WHERE_COLUMN_IN is omitted is important, as we are
+        ** not able to do early evaluation of bloom filters that make use of
+        ** the IN operator */
         break;
       }
     }