From: drh <drh@noemail.net>
Date: Fri, 3 Apr 2020 13:29:42 +0000 (+0000)
Subject: Fix a case when a pointer might be used after being freed in the ALTER TABLE code... 
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=787224f2d0e7b4d94db5a3bc3661156b1ded6710;p=thirdparty%2Fsqlite.git

Fix a case when a pointer might be used after being freed in the ALTER TABLE code. Fix for [4722bdab08cb1].

FossilOrigin-Name: 52f800fa93dd2b2d1e52fed74bff8a1c7e68699edc3fb0e74a40dc0544a3a51e
---

diff --git a/manifest b/manifest
index 9416aa195d..43970401bd 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Prevent\sthe\sread-only\sexpressions\sheld\sin\sthe\sschema\sfrom\sbeing\spassed\sdown\ninto\scode\sgenerating\ssubroutines\swhere\sthey\smight\sbe\schanged.\s\sPass\sa\scopy\nof\sthe\sexpression\sinstead.
-D 2020-03-10T19:23:48.698
+C Fix\sa\scase\swhen\sa\spointer\smight\sbe\sused\safter\sbeing\sfreed\sin\sthe\sALTER\sTABLE\scode.\sFix\sfor\s[4722bdab08cb1].
+D 2020-04-03T13:29:42.254
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -465,7 +465,7 @@ F spec.template 86a4a43b99ebb3e75e6b9a735d5fd293a24e90ca
 F sqlite.pc.in 42b7bf0d02e08b9e77734a47798d1a55a9e0716b
 F sqlite3.1 fc7ad8990fc8409983309bb80de8c811a7506786
 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a
-F src/alter.c f48a4423c8f198d7f1ae4940f74b606707d05384ac79fb219be8e3323af2a2de
+F src/alter.c ac9d737cace62b5cd88bff5310e53e299bc0919f08b5934a2bd0f8e8e65d770e
 F src/analyze.c b3ceec3fc052df8a96ca8a8c858d455dc5029ba681b4be98bb5c5a9162cfa58c
 F src/attach.c 9fd451d7b9ac5b2138e60f858e99b07bdfb9bf6c6132d0dcbb078a4519de12d0
 F src/auth.c a3d5bfdba83d25abed1013a8c7a5f204e2e29b0c25242a56bc02bb0c07bf1e06
@@ -639,7 +639,7 @@ F test/altercol.test 1d6a6fe698b81e626baea4881f5717f9bc53d7d07f1cd23ee7ad1b931f1
 F test/alterlegacy.test 82022721ce0de29cedc9a7af63bc9fcc078b0ee000f8283b4b6ea9c3eab2f44b
 F test/altermalloc.test 167a47de41b5c638f5f5c6efb59784002b196fff70f98d9b4ed3cd74a3fb80c9
 F test/altermalloc2.test fa7b1c1139ea39b8dec407cf1feb032ca8e0076bd429574969b619175ad0174b
-F test/altertab.test bd61e5b73d495ec4707133db91b07f09d57e339d988de5ec5a76d34a2198e8f2
+F test/altertab.test 2c41e347c0b37725d2c27641056f12f136ce43027d3aca664f380183fdd1c610
 F test/altertab2.test b0d62f323ca5dab42b0bc028c52e310ebdd13e655e8fac070fe622bad7852c2b
 F test/altertab3.test 155b8dc225ce484454a7fb4c8ba745680b6fa0fc3e08919cbbc19f9309d128ff
 F test/amatch1.test b5ae7065f042b7f4c1c922933f4700add50cdb9f
@@ -1857,10 +1857,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 9c77bfe41e1b786dbe649bffddc2500202884de1a19bbbee63831ba583ce0878
-Q +03d201c041c17579e791c73fe6babd60b9f892a84ffd1470851f8eb2857d3990
-Q +a2d6f108c5d07559b125823a04c9cb072c80be80d7913097891a6192c7e1e225
-Q +f45f5de000834da5b23cdcf12c3f0e3073287756afe06bdb77b95fb65b250258
-R 1d618ce0babf0dcd8549b9e38ae82278
+P 2b750b0f74e5a11621997267d419c567cd860dd8bc7306d58fe037200c0d7679
+Q +d09f8c3621d5f7f8c6d99d7d82bcaa8421855b3f470bea2b26c858106382b906
+R cd741393c31bb5b08323a67e2bbb3248
 U drh
-Z c7e30f1a90f7884a4ee53b80c7e8481a
+Z ec5d62482aa30c952550e062816164c1
diff --git a/manifest.uuid b/manifest.uuid
index 9428d2765a..4935b6517f 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-2b750b0f74e5a11621997267d419c567cd860dd8bc7306d58fe037200c0d7679
\ No newline at end of file
+52f800fa93dd2b2d1e52fed74bff8a1c7e68699edc3fb0e74a40dc0544a3a51e
\ No newline at end of file
diff --git a/src/alter.c b/src/alter.c
index ee193d18bf..7114757a27 100644
--- a/src/alter.c
+++ b/src/alter.c
@@ -755,6 +755,21 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
   }
 }
 
+/*
+** Unmap all tokens in the IdList object passed as the second argument.
+*/
+static void unmapColumnIdlistNames(
+  Parse *pParse,
+  IdList *pIdList
+){
+  if( pIdList ){
+    int ii;
+    for(ii=0; ii<pIdList->nId; ii++){
+      sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName);
+    }
+  }
+}
+
 /*
 ** Walker callback used by sqlite3RenameExprUnmap().
 */
@@ -776,6 +791,7 @@ static int renameUnmapSelectCb(Walker *pWalker, Select *p){
     for(i=0; i<pSrc->nSrc; i++){
       sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);
       if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;
+      unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);
     }
   }
 
@@ -984,6 +1000,7 @@ static void renameColumnIdlistNames(
   }
 }
 
+
 /*
 ** Parse the SQL statement zSql using Parse object (*p). The Parse object
 ** is initialized by this function before it is used.
diff --git a/test/altertab.test b/test/altertab.test
index 7dcf8a5e0d..68c52d604b 100644
--- a/test/altertab.test
+++ b/test/altertab.test
@@ -613,4 +613,32 @@ do_execsql_test 18.2.2 {
   SELECT sql FROM sqlite_master;
 } {{CREATE TABLE t0 (c1 INTEGER, PRIMARY KEY(c1))}}
 
+# 2020-02-23 ticket f50af3e8a565776b
+reset_db
+do_execsql_test 19.100 {
+  CREATE TABLE t1(x);
+  CREATE VIEW t2 AS SELECT 1 FROM t1, (t1 AS a0, t1);
+  ALTER TABLE t1 RENAME TO t3;
+  SELECT sql FROM sqlite_master;
+} {{CREATE TABLE "t3"(x)} {CREATE VIEW t2 AS SELECT 1 FROM "t3", ("t3" AS a0, "t3")}}
+do_execsql_test 19.110 {
+  INSERT INTO t3(x) VALUES(123);
+  SELECT * FROM t2;
+} {1}
+do_execsql_test 19.120 {
+  INSERT INTO t3(x) VALUES('xyz');
+  SELECT * FROM t2;
+} {1 1 1 1 1 1 1 1}
+
+# Ticket 4722bdab08cb14
+reset_db
+do_execsql_test 20.0 {
+  CREATE TABLE a(a);
+  CREATE VIEW b AS SELECT(SELECT *FROM c JOIN a USING(d, a, a, a) JOIN a) IN();
+}
+
+do_execsql_test 20.1 {
+  ALTER TABLE a RENAME a TO e;
+} {}
+
 finish_test