main/sqlite: fix CVE-2019-16168

ref #10868

Closes !421

1 files changed, 24 insertions, 0 deletions

diff --git a/main/sqlite/CVE-2019-16168.patch b/main/sqlite/CVE-2019-16168.patch
new file mode 100644
index 0000000000..d1be258aec
--- /dev/null
+++ b/main/sqlite/CVE-2019-16168.patch
@@ -0,0 +1,24 @@
+diff --git a/sqlite3.c b/sqlite3.c
+index c607252..7c01bbf 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -104242,7 +104242,9 @@ static void decodeIntArray(
+       if( sqlite3_strglob("unordered*", z)==0 ){
+         pIndex->bUnordered = 1;
+       }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
+-        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
++        int sz = sqlite3Atoi(z+3);
++        if( sz<2 ) sz = 2;
++        pIndex->szIdxRow = sqlite3LogEst(sz);
+       }else if( sqlite3_strglob("noskipscan*", z)==0 ){
+         pIndex->noSkipScan = 1;
+       }
+@@ -141020,6 +141022,7 @@ static int whereLoopAddBtreeIndex(
+     ** it to pNew->rRun, which is currently set to the cost of the index
+     ** seek only. Then, if this is a non-covering index, add the cost of
+     ** visiting the rows in the main table.  */
++    assert( pSrc->pTab->szTabRow>0 );
+     rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
+     pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
+     if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
+