From: drh <> Date: Mon, 13 Dec 2021 18:43:46 +0000 (+0000) Subject: Fix an off-by-one error in the Bloom filter pulldown logic, found by OSSFuzz. X-Git-Tag: version-3.38.0~181 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c5860af006bba5c80bca1c7523c38eddd4580c42;p=thirdparty%2Fsqlite.git Fix an off-by-one error in the Bloom filter pulldown logic, found by OSSFuzz. Also fix over-length source code lines in the immediate vicinity. FossilOrigin-Name: 027626521c02be06ef61e8229bde49d20cb3f1cb600c4cb127c5f139b9de8858
---
diff --git a/manifest b/manifest
index 301a4cf91b..9fb8ae3cb8 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Remove\sunused\scode.
-D 2021-12-13T00:02:59.146
+C Fix\san\soff-by-one\serror\sin\sthe\sBloom\sfilter\spulldown\slogic,\sfound\sby\sOSSFuzz.\nAlso\sfix\sover-length\ssource\scode\slines\sin\sthe\simmediate\svicinity.
+D 2021-12-13T18:43:46.407
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -638,7 +638,7 @@ F src/vxworks.h d2988f4e5a61a4dfe82c6524dd3d6e4f2ce3cdb9
 F src/wal.c ed0398a7adf02c31e34aada42cc86c58f413a7afe5f741a5d373ad087abde028
 F src/wal.h c3aa7825bfa2fe0d85bef2db94655f99870a285778baa36307c0a16da32b226a
 F src/walker.c f890a3298418d7cba3b69b8803594fdc484ea241206a8dfa99db6dd36f8cbb3b
-F src/where.c f92862c2d7b9dd6524b10c4ad1f1b30d9cd6724b93077550ad8ebe4a74810458
+F src/where.c 78a878f3264b4710b805bc11d18651435fbc80051d00e3e42692fc86c1cd31bb
 F src/whereInt.h e83f7ba73db5b1b2685118fad67d178fbe04751a25419f0f6ff73e58b4807325
 F src/wherecode.c 6a594ed25bfbeb60d455868b7be62637575e4f1949152de4336e4825e0c54ba6
 F src/whereexpr.c 791544603b254cf11f8e84e3b50b0863c57322e9f213b828680f658e232ebc57
@@ -1934,7 +1934,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 799db7cb2e0d73031182d26a0e5919368f9f9823df81cb2863bfe79eca344f5c
-R 443c4836c6ff4faa05c5e5c0f674c8e4
+P b98b24f26518fb362e776bbaef80910bed66b654239e7c76d4b234033ef4174b
+R 3a4dce129857177521e360c2e6772ed6
 U drh
-Z fcc54c34db6e9396cb50523f7150424b
+Z e1c941de49bea239b2265178ce7baef0
diff --git a/manifest.uuid b/manifest.uuid
index f6fc789672..2e6de68e21 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-b98b24f26518fb362e776bbaef80910bed66b654239e7c76d4b234033ef4174b
\ No newline at end of file
+027626521c02be06ef61e8229bde49d20cb3f1cb600c4cb127c5f139b9de8858
\ No newline at end of file
diff --git a/src/where.c b/src/where.c
index 221ab8f0e7..852f1c17ff 100644
--- a/src/where.c
+++ b/src/where.c
@@ -1069,16 +1069,18 @@ static SQLITE_NOINLINE void sqlite3ConstructBloomFilter(
 sqlite3VdbeJumpHere(v, addrTop);
 pLoop->wsFlags &= ~WHERE_BLOOMFILTER;
 if( OptimizationDisabled(pParse->db, SQLITE_BloomPulldown) ) break;
- while( iLevel < pWInfo->nLevel ){
- iLevel++;
+ while( ++iLevel < pWInfo->nLevel ){
 pLevel = &pWInfo->a[iLevel];
 pLoop = pLevel->pWLoop;
 if( pLoop==0 ) continue;
 if( pLoop->prereq & notReady ) continue;
- if( (pLoop->wsFlags & (WHERE_BLOOMFILTER|WHERE_COLUMN_IN))==WHERE_BLOOMFILTER ){
+ if( (pLoop->wsFlags & (WHERE_BLOOMFILTER|WHERE_COLUMN_IN))
+ ==WHERE_BLOOMFILTER
+ ){
 /* This is a candidate for bloom-filter pull-down (early evaluation).
- ** The test that WHERE_COLUMN_IN is omitted is important, as we are not able
- ** to do early evaluation of bloom filters that make use of the IN operator */
+ ** The test that WHERE_COLUMN_IN is omitted is important, as we are
+ ** not able to do early evaluation of bloom filters that make use of
+ ** the IN operator */
 break;
 }
 }
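Review bot: No regression test accompanies the fix — the commit touches only src/where.c and the Fossil manifest files — so the boundary the fuzzer hit, where the level that owns the filter is the last entry of pWInfo->a and the old `iLevel++` went on to index a[nLevel], is not pinned by the test suite. A query that reaches the pulldown loop with the Bloom-filtered loop at the last level would exercise the new `++iLevel < pWInfo->nLevel` guard directly. The pre-increment inside the loop condition is easy to misread on a quick scan; a short comment above the while, such as `/* Advance to the next level; iLevel==nLevel on exit means no pull-down candidate was found */`, would document both the advance and the exit value that the enclosing loop presumably tests. sqlite3ConstructBloomFilter begins before this hunk and the loop enclosing the while continues after it.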