From b4a4c8ae873029c69b97c3167d2d3311713eab26 Mon Sep 17 00:00:00 2001
From: dogsheng <960055655@qq.com>
Date: Wed, 25 Dec 2019 16:07:59 +0800
Subject: [PATCH] Package init
---
6045-sqlite-CVE-2019-16168.patch | 65 ++++++++++++++++++++++++++++++++
6046-Fix-CVE-2019-19646.patch | 27 +++++++++++++
sqlite.spec | 17 ++++++---
3 files changed, 103 insertions(+), 6 deletions(-)
create mode 100644 6045-sqlite-CVE-2019-16168.patch
create mode 100644 6046-Fix-CVE-2019-19646.patch
diff --git a/6045-sqlite-CVE-2019-16168.patch b/6045-sqlite-CVE-2019-16168.patch
new file mode 100644
index 0000000..8ee464c
--- /dev/null
+++ b/6045-sqlite-CVE-2019-16168.patch
@@ -0,0 +1,65 @@ +From f555312151f716b54558776bce53bef9edb69d3a Mon Sep 17 00:00:00 2001 +From: guiyao +Date: Mon, 14 Oct 2019 05:23:59 -0400 +Subject: [PATCH] fix CVE-2019-16168 + +--- + src/analyze.c | 4 +++- + src/where.c | 1 + + test/analyzeC.test | 13 +++++++++++++ + 3 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/analyze.c b/src/analyze.c +index 48fd495..552330b 100644 +--- a/src/analyze.c ++++ b/src/analyze.c +@@ -1497,7 +1497,9 @@ static void decodeIntArray( + if( sqlite3_strglob("unordered*", z)==0 ){ + pIndex->bUnordered = 1; + }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){ +- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3)); ++ int sz = sqlite3Atoi(z+3); ++ if( sz<2 ) sz = 2; ++ pIndex->szIdxRow = sqlite3LogEst(sz); + }else if( sqlite3_strglob("noskipscan*", z)==0 ){ + pIndex->noSkipScan = 1; + } +diff --git a/src/where.c b/src/where.c +index b83915e..1df9b46 100644 +--- a/src/where.c ++++ b/src/where.c +@@ -2585,6 +2585,7 @@ static int whereLoopAddBtreeIndex( + ** it to pNew->rRun, which is currently set to the cost of the index + ** seek only. Then, if this is a non-covering index, add the cost of + ** visiting the rows in the main table. */ ++ assert( pSrc->pTab->szTabRow>0 ); + rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow; + pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx); + if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){ +diff --git a/test/analyzeC.test b/test/analyzeC.test +index 02faa9c..246da89 100644 +--- a/test/analyzeC.test ++++ b/test/analyzeC.test +@@ -132,6 +132,19 @@ do_execsql_test 4.3 { + SELECT count(a) FROM t1; + } {/.*INDEX t1ca.*/} + ++# 2019-08-15. ++# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901 ++# The sz=N parameter in the sqlite_stat1 table needs to have a value of ++# 2 or more to avoid a division by zero in the query planner. 
++# ++do_execsql_test 4.4 { ++ DROP TABLE IF EXISTS t44; ++ CREATE TABLE t44(a PRIMARY KEY); ++ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0'); ++ ANALYZE sqlite_master; ++ SELECT 0 FROM t44 WHERE a IN(1,2,3); ++} {} ++ + + # The sz=NNN parameter works even if there is other extraneous text + # in the sqlite_stat1.stat column. +-- +1.8.3.1 + diff --git a/6046-Fix-CVE-2019-19646.patch b/6046-Fix-CVE-2019-19646.patch new file mode 100644 index 0000000..7c5422a --- /dev/null +++ b/6046-Fix-CVE-2019-19646.patch @@ -0,0 +1,27 @@ +From b097449afefa53e05637aaa43197c66cece575c7 Mon Sep 17 00:00:00 2001 +From: guiyao +Date: Tue, 17 Dec 2019 10:53:58 -0500 +Subject: [PATCH] Backport Fix CVE-2019-19646 + +--- + src/pragma.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +diff --git a/src/pragma.c b/src/pragma.c +index 4699c96..eda1a16 100644 +--- a/src/pragma.c ++++ b/src/pragma.c +@@ -1571,7 +1571,9 @@ void sqlite3Pragma( + if( j==pTab->iPKey ) continue; + if( pTab->aCol[j].notNull==0 ) continue; + sqlite3ExprCodeGetColumnOfTable(v, pTab, iDataCur, j, 3); +- sqlite3VdbeChangeP5(v, OPFLAG_TYPEOFARG); ++ if( sqlite3VdbeGetOp(v,-1)->opcode==OP_Column ){ ++ sqlite3VdbeChangeP5(v, OPFLAG_TYPEOFARG); ++ } + jmp2 = sqlite3VdbeAddOp1(v, OP_NotNull, 3); VdbeCoverage(v); + zErr = sqlite3MPrintf(db, "NULL value in %s.%s", pTab->zName, + pTab->aCol[j].zName); +-- +1.8.3.1 + diff --git a/sqlite.spec b/sqlite.spec index 0602adc..5f44943 100644 --- a/sqlite.spec +++ b/sqlite.spec @@ -6,7 +6,7 @@ Name: sqlite Version: 3.24.0 -Release: 4 +Release: 5 Summary: Embeded SQL database License: Public Domain URL: http://www.sqlite.org/ 
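Review bot: The `assert( pSrc->pTab->szTabRow>0 )` added in whereLoopAddBtreeIndex is the only check on the divisor itself, and SQLite compiles assert() out unless SQLITE_DEBUG is defined, so a release build is protected solely by the `if( sz<2 ) sz = 2;` clamp in decodeIntArray. That clamp writes `pIndex->szIdxRow`, while the divisor is the table's `szTabRow`. The hunk does not show how the table value is populated, so it is worth confirming in the 3.24.0 tree that table-level `sqlite_stat1` rows also pass through decodeIntArray. I would add a comment above the clamp, for example `/* sqlite3LogEst() of 0 or 1 is 0, which would become a zero divisor in the query planner (CVE-2019-16168) */`. Both decodeIntArray and whereLoopAddBtreeIndex start and end outside the hunks shown.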
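Review bot: This backport touches src/pragma.c only and carries no regression test, unlike the CVE-2019-16168 patch in the same commit, which adds test 4.4 to analyzeC.test. A later rebase that drops the `opcode==OP_Column` guard would therefore likely go unnoticed by the package's test run. The guard also has no comment naming what else sqlite3ExprCodeGetColumnOfTable can leave as the last instruction; something like `/* OPFLAG_TYPEOFARG is only valid on OP_Column; the helper may have emitted a different opcode */` would help the next maintainer. The upstream advisory ties this CVE to generated columns, which I believe 3.24.0 does not have, so the patch description should say whether the backport is defensive. sqlite3Pragma starts and ends outside the hunk.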
@@ -69,7 +69,8 @@ Patch6041: 6041-Fix-another-segfault-that-could-occur-in-fts5-with-a.patch Patch6042: 6042-Fix-a-potential-memory-leak-in-RBU-if-the-rbu_fossil.patch Patch6043: 6043-Fix-a-potential-32-bit-integer-overflow-in-the-showd.patch Patch6044: 6044-sqlite-CVE-2019-8457-out-of-bounds-read.patch - +Patch6045: 6045-sqlite-CVE-2019-16168.patch +Patch6046: 6046-Fix-CVE-2019-19646.patch BuildRequires: gcc autoconf tcl tcl-devel BuildRequires: ncurses-devel readline-devel glibc-devel @@ -168,8 +169,8 @@ This contains man files and HTML files for the using of sqlite. %patch6042 -p1 %patch6043 -p1 %patch6044 -p1 - - +%patch6045 -p1 +%patch6046 -p1 rm -f %{name}-doc-%{extver}/sqlite.css~ || : @@ -239,9 +240,13 @@ make test %doc %{name}-doc-%{extver}/* %{_mandir}/man*/* - - %changelog +* Sat Dec 21 2019 openEuler Buildteam - 3.24.0-5 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix CVE bug + * Wed Sep 11 2019 openEuler Buildteam - 3.24.0-4 - Type:enhancemnet - ID:NA
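Review bot: The spec registers Patch6045 and Patch6046 as security fixes, but the 3.24.0-5 entry records them only as `DESC:fix CVE bug`, so anyone auditing the installed package with `rpm -q --changelog` cannot tell which CVEs this release covers. I would write `- DESC:fix CVE-2019-16168 and CVE-2019-19646`. The same hunks also remove the blank lines that separated the Patch list from `BuildRequires` and the `%patch` list from the `rm -f` line; keeping one blank line in each place would leave the sections easier to scan.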