From: drh Date: Tue, 10 Mar 2020 02:57:37 +0000 (+0000) Subject: The sqlite3ExprCodeFactorable() routine should make a copy of non-factorable X-Git-Tag: version-3.32.0~124 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=088489e8d9ebbcbbbd99093a83bc93bfcd1a39a0;p=thirdparty%2Fsqlite.git The sqlite3ExprCodeFactorable() routine should make a copy of non-factorable expressions, as they might be coming from a DEFAULT or generated column in a table constraint. FossilOrigin-Name: a2d6f108c5d07559b125823a04c9cb072c80be80d7913097891a6192c7e1e225 --- diff --git a/manifest b/manifest index 9f3c8dd408..67a73f554c 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Cleaner\sseparation\sof\sthe\sSTAT4-specific\slogic\sin\sthe\simplementation\sof\nANALYZE. -D 2020-03-09T18:26:11.821 +C The\ssqlite3ExprCodeFactorable()\sroutine\sshould\smake\sa\scopy\sof\snon-factorable\nexpressions,\sas\sthey\smight\sbe\scoming\sfrom\sa\sDEFAULT\sor\sgenerated\scolumn\nin\sa\stable\sconstraint. +D 2020-03-10T02:57:37.726 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 @@ -483,7 +483,7 @@ F src/date.c 6c408fdd2e9ddf6e8431aba76315a2d061bea2cec8fbb75e25d7c1ba08274712 F src/dbpage.c 8a01e865bf8bc6d7b1844b4314443a6436c07c3efe1d488ed89e81719047833a F src/dbstat.c 0f55297469d4244ab7df395849e1af98eb5e95816af7c661e7d2d8402dea23da F src/delete.c 11000121c4281c0bce4e41db29addfaea0038eaa127ece02557c9207bc3e541d -F src/expr.c 4b25db7f9472b3532560242193bc4eefaefc7720dc4f2d7ec9a89ada410c6ea2 +F src/expr.c 4efd019be610f8e24008a6e89c6c5dbf204edaeaade0cc996a88f285ce1d4a06 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007 F src/fkey.c 4b575423b0a5d4898b1a7868ce985cf1a8ad91c741c9abbb108ff02536d20f41 F src/func.c 108577cebe8a50c86d849a93b99493a54e348dd0b846f00d13b52ca973d5baf4 
@@ -810,7 +810,7 @@ F test/dbfuzz2.c c2c9cb40082a77b7e95ffb8b2da1e93322efadfb1c8c1e0001c95a0af1e156c F test/dbpage.test 650234ba683b9d82b899c6c51439819787e7609f17a0cc40e0080a7b6443bc38 F test/dbstatus.test 4a4221a883025ffd39696b3d1b3910b928fb097d77e671351acb35f3aed42759 F test/dbstatus2.test f5fe0afed3fa45e57cfa70d1147606c20d2ba23feac78e9a172f2fe8ab5b78ef -F test/default.test 3e46c421eebefd2787c2f96673efabf792d360f3a1d5073918cbe450ce672a62 +F test/default.test 9687cfb16717e4b8238c191697c98be88c0b16e568dd5368cd9284154097ef50 F test/delete.test 31832b0c45ecb51a54348c68db173be462985901e6ed7f403d6d7a8f70ab4ef0 F test/delete2.test 3a03f2cca1f9a67ec469915cb8babd6485db43fa F test/delete3.test 555e84a00a99230b7d049d477a324a631126a6ab @@ -1860,7 +1860,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P cab1834cfc71f71bfed3c5170a0ba40a39385c3b2c50b7c6b6f09cc830dd1b1e -R c62e646df7b5e5719c4a0602837bf1ef +P 3df07e5a9a3781a4cf866fc6ee0e5c6f9cd7ca35ce0a6eb3aa7f5f3502e0ffae +R 7d49dd66db353572ddc6eafd9c0a8b97 U drh -Z 8147aa7ce1e35e16be35124cd1704d38 +Z 57a026e3bb6ad1f9a47d83e58f8523e1 diff --git a/manifest.uuid b/manifest.uuid index e08451b6b2..9fcda7ce22 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -3df07e5a9a3781a4cf866fc6ee0e5c6f9cd7ca35ce0a6eb3aa7f5f3502e0ffae \ No newline at end of file +a2d6f108c5d07559b125823a04c9cb072c80be80d7913097891a6192c7e1e225 \ No newline at end of file diff --git a/src/expr.c b/src/expr.c index 8b939de24f..01cc37cc0c 100644 --- a/src/expr.c +++ b/src/expr.c 
@@ -2850,6 +2850,7 @@ void sqlite3CodeRhsOfIN( /* Begin coding the subroutine */ ExprSetProperty(pExpr, EP_Subrtn); + assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) ); pExpr->y.sub.regReturn = ++pParse->nMem; pExpr->y.sub.iAddr = sqlite3VdbeAddOp2(v, OP_Integer, 0, pExpr->y.sub.regReturn) + 1; @@ -4604,7 +4605,7 @@ void sqlite3ExprCodeFactorable(Parse *pParse, Expr *pExpr, int target){ if( pParse->okConstFactor && sqlite3ExprIsConstantNotJoin(pExpr) ){ sqlite3ExprCodeAtInit(pParse, pExpr, target); }else{ - sqlite3ExprCode(pParse, pExpr, target); + sqlite3ExprCodeCopy(pParse, pExpr, target); } } diff --git a/test/default.test b/test/default.test index d691303485..06a180c1de 100644 --- a/test/default.test +++ b/test/default.test @@ -128,4 +128,13 @@ do_catchsql_test default-4.4 { CREATE TABLE t2(a TEXT, b TEXT DEFAULT(98+coalesce(5,:xyz))); } {1 {default value of column [b] is not constant}} +# 2020-03-09 out-of-bounds memory access discovered by "Eternal Sakura" +# and reported to chromium. +# +reset_db +do_catchsql_test default-5.1 { + CREATE TABLE t1 (a,b DEFAULT(random() NOTNULL IN (RAISE(IGNORE),2,3))); + INSERT INTO t1(a) VALUES(1); +} {1 {RAISE() may only be used within a trigger-program}} + finish_test
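Review bot: The added `assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );` has no comment saying what it protects, and as an assert() it presumably disappears from builds without debugging enabled, so it documents the invariant rather than enforcing it. The writes to `pExpr->y.sub.regReturn` and `pExpr->y.sub.iAddr` directly below are what it guards. A comment such as `/* y.sub exists only in a full-size Expr; reduced or token-only nodes must be copied by the caller */` would make that explicit, though the layout claim should be confirmed against the Expr definition, which is not visible here. The assert also sits after `ExprSetProperty(pExpr, EP_Subrtn)`; moving it one line up would check the node before anything modifies it. sqlite3CodeRhsOfIN starts and ends outside this hunk.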
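Review bot: The else branch of sqlite3ExprCodeFactorable() now calls `sqlite3ExprCodeCopy(pParse, pExpr, target);` with no comment explaining why, so the reason lives only in the commit message. Suggest adding `/* Code a copy: pExpr may belong to a DEFAULT or generated-column definition and must not be modified by the code generator */` above the call. The other branch still passes `pExpr` straight to `sqlite3ExprCodeAtInit()`. Whether that routine works on its own copy cannot be seen from this hunk and is worth confirming, since a constant DEFAULT expression would take that path. The function's signature and header comment are outside the hunk, and the header comment should presumably mention the copy too.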
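Review bot: default-5.1 checks only the returned error text, so on a build without assert() or a memory-error checker it could pass even if the out-of-bounds access were reintroduced. The header comment should say what the test relies on, e.g. `# Only detectable with assert() enabled or when run under a memory-error checker.` The commit message also names generated columns as a source of non-factorable expressions, but only the DEFAULT case is exercised here. A parallel default-5.2 case built on a generated column would cover that second path.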