Hi, all

I found a divide-by-zero bug in *whereLoopAddBtreeIndex* function in
version 3.29.0.

The GDB debug traces are:

> #0  0x0000561757f1e842 in whereLoopAddBtreeIndex (pBuilder=0x7ffea0f422a0,
> pSrc=0x56175954b070, pProbe=0x561759565e78, nInMul=0) at sqlite3.c:143263
> #1  0x0000561757f1faeb in whereLoopAddBtree (pBuilder=0x7ffea0f422a0,
> mPrereq=0) at sqlite3.c:143653
> #2  0x0000561757f212ed in whereLoopAddAll (pBuilder=0x7ffea0f422a0) at
> sqlite3.c:144172
> #3  0x0000561757f24297 in sqlite3WhereBegin (pParse=0x7ffea0f43210,
> pTabList=0x56175954b068, pWhere=0x561759557548, pOrderBy=0x0,
> pResultSet=0x561759550018, wctrlFlags=0, iAuxArg=320) at sqlite3.c:145367
> #4  0x0000561757f03e99 in sqlite3Select (pParse=0x7ffea0f43210,
> p=0x561759554b18, pDest=0x7ffea0f426d0) at sqlite3.c:131229
> #5  0x0000561757f2d731 in yy_reduce (yypParser=0x7ffea0f42810,
> yyruleno=80, yyLookahead=1, yyLookaheadToken=..., pParse=0x7ffea0f43210) at
> sqlite3.c:152165
> #6  0x0000561757f32464 in sqlite3Parser (yyp=0x7ffea0f42810, yymajor=1,
> yyminor=...) at sqlite3.c:153461
> #7  0x0000561757f33a69 in sqlite3RunParser (pParse=0x7ffea0f43210,
> zSql=0x56175953abcf "", pzErrMsg=0x7ffea0f431e8) at sqlite3.c:154597
> #8  0x0000561757ef535b in sqlite3Prepare (db=0x56175953ae48,
> zSql=0x56175953ab90 "EXPLAIN QUERY PLAN\nSELECT 0 FROM t001\nWHERE t001.a
> IN(SELECT 0)", nBytes=-1, prepFlags=128, pReprepare=0x0,
> ppStmt=0x7ffea0f434c8, pzTail=0x7ffea0f434d0) at sqlite3.c:124831
> #9  0x0000561757ef5718 in sqlite3LockAndPrepare (db=0x56175953ae48,
> zSql=0x56175953ab90 "EXPLAIN QUERY PLAN\nSELECT 0 FROM t001\nWHERE t001.a
> IN(SELECT 0)", nBytes=-1, prepFlags=128, pOld=0x0, ppStmt=0x7ffea0f434c8,
> pzTail=0x7ffea0f434d0) at sqlite3.c:124924
> #10 0x0000561757ef5a90 in sqlite3_prepare_v2 (db=0x56175953ae48,
> zSql=0x56175953ab90 "EXPLAIN QUERY PLAN\nSELECT 0 FROM t001\nWHERE t001.a
> IN(SELECT 0)", nBytes=-1, ppStmt=0x7ffea0f434c8, pzTail=0x7ffea0f434d0) at
> sqlite3.c:125008
> #11 0x0000561757e2ea66 in shell_exec (pArg=0x7ffea0f45250,
> zSql=0x56175953ab90 "EXPLAIN QUERY PLAN\nSELECT 0 FROM t001\nWHERE t001.a
> IN(SELECT 0)", pzErrMsg=0x7ffea0f43538) at shell.c:11585
> #12 0x0000561757e40361 in runOneSqlLine (p=0x7ffea0f45250,
> zSql=0x56175953a8d0 "CREATE TABLE t1(a,b);INSERT INTO t1 VALUES(0,0);INSERT
> INTO t1 VALUES(0,0);INSERT INTO t1 SELECT 0,0;INSERT INTO t1
> SELECT+0,0;CREATE TABLE t0(c,d);INSERT INTO t0 SELECT 0,0;PRAGMA a;SELECT
> 0;SELECT(0"..., in=0x56175950b6e0, startline=1) at shell.c:18110
> #13 0x0000561757e4095a in process_input (p=0x7ffea0f45250) at shell.c:18224
> #14 0x0000561757e3c4ae in do_meta_command (zLine=0x56175952d300 ".read",
> p=0x7ffea0f45250) at shell.c:16799
> #15 0x0000561757e4066a in process_input (p=0x7ffea0f45250) at shell.c:18177
> #16 0x0000561757e42445 in main (argc=1, argv=0x7ffea0f46848) at
> shell.c:18963


The bug occurs in "*rCostIdx = pNew->nOut + 1 +
(15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;*" statement, where szTabRow
variable is zero.

Attach is the poc sql file.
I used the following command:

> ./sqlite3
> sqlite> .read crash.sql


-- 
Best regards,
Xingwei Lin
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Reply via email to