From: drh Date: Mon, 20 Jul 2020 18:07:35 +0000 (+0000) Subject: Fix a corner-case error in the new UPDATE FROM logic helpfully discovered X-Git-Tag: version-3.33.0~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=09cf569292aaf37a7678524f8c8270c1f6612c67;p=thirdparty%2Fsqlite.git Fix a corner-case error in the new UPDATE FROM logic helpfully discovered by OSSFuzz. FossilOrigin-Name: 5cc200939d3a33566ddb858fc74c878acc72cfe5cf4c9b1d08e7b13e4d5ff566 --- diff --git a/manifest b/manifest index 887f099cbb..6d0802502a 100644 --- a/manifest +++ b/manifest @@ -1,6 +1,6 @@ B 7a876209a678a34c198b54ceef9e3c041f128a14dc73357f6a57cadadaa6cf7b -C Faster\scolumn\sname\slookup\sin\sthe\scolumnIndex()\sroutine\susing\shashing. -D 2020-07-20T13:11:19.877 +C Fix\sa\scorner-case\serror\sin\sthe\snew\sUPDATE\sFROM\slogic\shelpfully\sdiscovered\nby\sOSSFuzz. +D 2020-07-20T18:07:35.022 F Makefile.in 19374a5db06c3199ec1bab71ab74a103d8abf21053c05e9389255dc58083f806 F Makefile.msc 48f5a3fc32672c09ad73795749f6253e406a31526935fbbffd8f021108d54574 F autoconf/Makefile.am a8d1d24affe52ebf8d7ddcf91aa973fa0316618ab95bb68c87cabf8faf527dc8 @@ -28,7 +28,7 @@ F src/parse.y 5bdb760a29c0b25caf7e80e82210b81cd2ea3066d5199ca29e6eac40b34bc184 F src/pragma.c ae499b5ab8f4e833f67e28bf2322500e9aa612aadf12581d1324333f848d8b51 F src/pragma.h 8dc78ab7e9ec6ce3ded8332810a2066f1ef6267e2e03cd7356ee00276125c6cf F src/resolve.c 2dd6821aac2cd27de9fcf6aa6d1f8c41b4b5841c9bc58bf1c9109008009a3a2e -F src/select.c 835a86f1064b5b744c22166ef10a9f598be266feccef3128122ad5f8e9bd9dbc +F src/select.c 39c6b63d996f9a24b34d2ccf38f67a7283355056011c2bb1b135daed7a715cf5 F src/shell.c.in 81fa23ac1a3d6ac9ed13e9ae711a3d8806396ca7cc12c5d6a2e2536f70b0c7ad F src/sqliteInt.h 9682c3ce6b970b3a997d65c140bdb5b286a04188e4e1c8489b64a525161ecb30 F src/test1.c fe56c4bcaa2685ca9aa25d817a0ee9345e189aff4a5a71a3d8ba946c7776feb8 
@@ -57,7 +57,7 @@ F test/speedtest1.c a8b5afe72d78ff365012aba48d3f0c579e957facb7630f765f58a6ae4656 F test/tester.tcl 174f668fcb4569a775bf24534ac8e59ce47d3a56d37c3465d1857f027e7ec136 F test/triggerupfrom.test d25961fa70a99b6736193da7b49a36d8c1d28d56188f0be6406d4366315cd6e4 F test/upfrom1.tcl 8859d9d437f03b44174c4524a7a734a391fd4526fcff65be08285dafc9dc9041 -F test/upfrom1.test c0a99a3f44b42beaca37c62e05332d64768c326c75b4edf976533a2d1ef76895 +F test/upfrom1.test d18f69f7c691bc791e7f31bf0e354eeff04cf2f44edc32d6b1928bad71697073 F test/upfrom2.test 6ebd3be8c3fac984e89a177d823686f04605b512fc167392bce6d8ba2ba63325 F test/upfrom3.test 7dab379d128e8dd7beb2055b295fb113c7ba93e8c2038f5ddb7a4a10f0ebb348 F test/upfromfault.test 70ecf8eb85559727a487283f69374e3ae39879e994d8a2437c49d7c05ecb70c9 @@ -70,7 +70,7 @@ F tool/mksqlite3c.tcl f4ef476510eca4124c874a72029f1e01bc54a896b1724e8f9eef0d8bfa F tool/mksqlite3h.tcl 1f5e4a1dbbbc43c83cc6e74fe32c6c620502240b66c7c0f33a51378e78fc4edf F tool/showlocks.c 9cc5e66d4ebbf2d194f39db2527ece92077e86ae627ddd233ee48e16e8142564 F tool/speed-check.sh 615cbdf50f1409ef3bbf9f682e396df80f49d97ed93ed3e61c8e91fae6afde58 -P 020dbfa2aef20e5872cc3e785d99f45903843401292114b5092b9c8aa829b9c3 -R dd7292537766c9a2f1a52ad731c64848 +P de2a90812498e504c9b8eeb83bfc48a948b45e87bdfa242c0aa9f0377d90740f +R 63d0c6e2d5ef247c5f1458f1099377ab U drh -Z b4e9384168d028fbccb483cf5527f35f +Z b970f4086adbbc294d690e39a6ac70c0 diff --git a/manifest.uuid b/manifest.uuid index 1a5dcc7fbc..14915032f7 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -de2a90812498e504c9b8eeb83bfc48a948b45e87bdfa242c0aa9f0377d90740f \ No newline at end of file +5cc200939d3a33566ddb858fc74c878acc72cfe5cf4c9b1d08e7b13e4d5ff566 \ No newline at end of file diff --git a/src/select.c b/src/select.c index 903b90a5d3..ebb764573e 100644 --- a/src/select.c +++ b/src/select.c 
@@ -1138,7 +1138,14 @@ static void selectInnerLoop( { int i2 = pDest->iSDParm2; int r1 = sqlite3GetTempReg(pParse); - sqlite3VdbeAddOp3(v, OP_MakeRecord,regResult+(i2<0),nResultCol-(i2<0),r1); + + /* If the UPDATE FROM join is an aggregate that matches no rows, it + ** might still be trying to return one row, because that is what + ** aggregates do. Don't record that empty row in the output table. */ + sqlite3VdbeAddOp2(v, OP_IsNull, regResult, iBreak); VdbeCoverage(v); + + sqlite3VdbeAddOp3(v, OP_MakeRecord, + regResult+(i2<0), nResultCol-(i2<0), r1); if( i2<0 ){ sqlite3VdbeAddOp3(v, OP_Insert, iParm, r1, regResult); }else{ diff --git a/test/upfrom1.test b/test/upfrom1.test index 6153ca4588..7996f97702 100644 --- a/test/upfrom1.test +++ b/test/upfrom1.test @@ -164,4 +164,15 @@ do_test 2.3.2 { catch { execsql { UPDATE t5 AS apples SET b=1 FROM t5 AS apples; } } } 1 +# Problem found by OSSFuzz on 2020-07-20 +# https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24282 +# +reset_db +do_execsql_test 3.1 { + CREATE TABLE t0(a); + CREATE TABLE t1(b); + UPDATE t1 SET b=sum(a) FROM t0; + SELECT * FROM t0, t1; +} {} + finish_test
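Review bot: The new guard `sqlite3VdbeAddOp2(v, OP_IsNull, regResult, iBreak)` does two things the comment does not say: it keys only on the first result register, and on a hit it jumps to iBreak, which ends the whole result loop rather than skipping the current row. Both are fine for the case described (an aggregate that matched nothing emits a single row whose target key is NULL, and there is no second row to lose), but a later reader will wonder why the first column alone is checked and why iContinue was not used, so I would extend the comment with something like `** Only the first register is tested: for the i2<0 case it is the target rowid, otherwise the first PRIMARY KEY column, and neither is NULL for a row that really matched. Jumping to iBreak rather than iContinue is deliberate because an aggregate returns at most one row here.` I am inferring what regResult holds from the OP_Insert/OP_MakeRecord arithmetic below it, so that wording should be confirmed against the SRT_Upfrom setup in update.c; if any target can legitimately yield a NULL first column (views updated through INSTEAD OF triggers come to mind, given triggerupfrom.test in the manifest), that row would now be dropped silently instead of raising an error. The enclosing selectInnerLoop() starts and ends outside this hunk, so I cannot see how iBreak is wired for the aggregate output path.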
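Review bot: Test 3.1 only proves the UPDATE no longer fails, not that the empty aggregate row is discarded: both t0 and t1 are empty, so `SELECT * FROM t0, t1` returns `{}` with or without the OP_IsNull guard. A companion case with a row in the target and an empty FROM table would pin the intended behaviour, e.g. `INSERT INTO t1 VALUES(5); UPDATE t1 SET b=sum(a) FROM t0; SELECT b FROM t1;` expecting `{5}`, assuming I read the fix correctly that the NULL-keyed aggregate row is skipped rather than applied. A third case with t0 populated (`INSERT INTO t0 VALUES(1),(2)`) would show that sum(a) still reaches t1 when the join does match, guarding against the check being too eager.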