Fix a case when a pointer might be used after being freed in the ALTER TABLE code...

FossilOrigin-Name: d09f8c3621d5f7f8c6d99d7d82bcaa8421855b3f470bea2b26c858106382b906

diff --git a/manifest b/manifest
index 1ee5448a03dc7f4135a8cd2c103f79b9b72d70de..7dd9918b9129bcc77da31162c19d321b7b804985 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\san\sobsolete\scomment\sin\sthe\sparameter\sbinding\slogic\sof\sthe\sCLI.\nNo\schanges\sto\scode.
-D 2020-04-02T13:21:10.209
+C Fix\sa\scase\swhen\sa\spointer\smight\sbe\sused\safter\sbeing\sfreed\sin\sthe\sALTER\sTABLE\scode.\sFix\sfor\s[4722bdab08cb1].
+D 2020-04-03T11:20:40.575
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -465,7 +465,7 @@ F spec.template 86a4a43b99ebb3e75e6b9a735d5fd293a24e90ca
 F sqlite.pc.in 42b7bf0d02e08b9e77734a47798d1a55a9e0716b
 F sqlite3.1 fc7ad8990fc8409983309bb80de8c811a7506786
 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a
-F src/alter.c f48a4423c8f198d7f1ae4940f74b606707d05384ac79fb219be8e3323af2a2de
+F src/alter.c ac9d737cace62b5cd88bff5310e53e299bc0919f08b5934a2bd0f8e8e65d770e
 F src/analyze.c 831bb090988477a00d3b4c000746e1b0454dcc93b10b793e6ebe1c47f25d193a
 F src/attach.c ff2daea0fe62080192e3f262670e4f61f5a86c1e7bea9cec34e960fe79852aa1
 F src/auth.c a3d5bfdba83d25abed1013a8c7a5f204e2e29b0c25242a56bc02bb0c07bf1e06
@@ -639,7 +639,7 @@ F test/altercol.test 1d6a6fe698b81e626baea4881f5717f9bc53d7d07f1cd23ee7ad1b931f1
 F test/alterlegacy.test 82022721ce0de29cedc9a7af63bc9fcc078b0ee000f8283b4b6ea9c3eab2f44b
 F test/altermalloc.test 167a47de41b5c638f5f5c6efb59784002b196fff70f98d9b4ed3cd74a3fb80c9
 F test/altermalloc2.test fa7b1c1139ea39b8dec407cf1feb032ca8e0076bd429574969b619175ad0174b
-F test/altertab.test 89735fee876427c3f25dc76d887295fbe3659a91bab92468de9f0e622d48bb57
+F test/altertab.test 2c41e347c0b37725d2c27641056f12f136ce43027d3aca664f380183fdd1c610
 F test/altertab2.test b0d62f323ca5dab42b0bc028c52e310ebdd13e655e8fac070fe622bad7852c2b
 F test/altertab3.test 155b8dc225ce484454a7fb4c8ba745680b6fa0fc3e08919cbbc19f9309d128ff
 F test/amatch1.test b5ae7065f042b7f4c1c922933f4700add50cdb9f
@@ -1860,7 +1860,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P a49f8ec552bede7da731e0571ccf49de1a30e7be3a5673150436c8b411ba6ffc
-R f1e88162279da6de3fd27debc4973183
-U drh
-Z b2c8f4e4425c9e3ea23a15a961227e19
+P c9c735e201d7900d8c2b766463a6c90f547d9844352719dc650734e25e635fad
+R c7d47b4b1d0e3507c385823cf0fb10e9
+U dan
+Z 19dcbc942e2e27035df43e0cc566210a

diff --git a/manifest.uuid b/manifest.uuid
index 6ad938d1cfbb3eed5c51c3ca24cc4d420675ef42..8a8c03d74ad7480b57cf50c5fb7d62e7cd857a1b 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-c9c735e201d7900d8c2b766463a6c90f547d9844352719dc650734e25e635fad
\ No newline at end of file
+d09f8c3621d5f7f8c6d99d7d82bcaa8421855b3f470bea2b26c858106382b906
\ No newline at end of file

diff --git a/src/alter.c b/src/alter.c
index ee193d18bf1aeefbaaa804d2ac1778ee15caa8b7..7114757a27afa106ecfffe586d79d5d43595a77d 100644 (file)
--- a/src/alter.c
+++ b/src/alter.c
@@ -755,6 +755,21 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
   }
 }
 
+/*
+** Unmap all tokens in the IdList object passed as the second argument.
+*/
+static void unmapColumnIdlistNames(
+  Parse *pParse,
+  IdList *pIdList
+){
+  if( pIdList ){
+    int ii;
+    for(ii=0; ii<pIdList->nId; ii++){
+      sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName);
+    }
+  }
+}
+
 /*
 ** Walker callback used by sqlite3RenameExprUnmap().
 */
@@ -776,6 +791,7 @@ static int renameUnmapSelectCb(Walker *pWalker, Select *p){
     for(i=0; i<pSrc->nSrc; i++){
       sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);
       if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;
+      unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);
     }
   }
 
@@ -984,6 +1000,7 @@ static void renameColumnIdlistNames(
   }
 }
 
+
 /*
 ** Parse the SQL statement zSql using Parse object (*p). The Parse object
 ** is initialized by this function before it is used.

diff --git a/test/altertab.test b/test/altertab.test
index 5123c5f296c87e26bb63c574c756c1ff31cf08aa..68c52d604b1bc43c948d805fa353f88c8e7fbe21 100644 (file)
--- a/test/altertab.test
+++ b/test/altertab.test
@@ -630,4 +630,15 @@ do_execsql_test 19.120 {
   SELECT * FROM t2;
 } {1 1 1 1 1 1 1 1}
 
+# Ticket 4722bdab08cb14
+reset_db
+do_execsql_test 20.0 {
+  CREATE TABLE a(a);
+  CREATE VIEW b AS SELECT(SELECT *FROM c JOIN a USING(d, a, a, a) JOIN a) IN();
+}
+
+do_execsql_test 20.1 {
+  ALTER TABLE a RENAME a TO e;
+} {}
+
 finish_test