From c6f36fa33ad4d2f8642331516ba1a7ed7af60b1b Mon Sep 17 00:00:00 2001
From: drh
Date: Sat, 5 May 2018 16:50:35 +0000
Subject: [PATCH] In an ORDER BY LIMIT, make sure the ORDER BY expression evaluator does not try to reuse values from the result set if the result set has not yet be computed. This fixes a bug in the recent deferred-row loading optimization, check-in [c381f0ea57002a264fd958b28e]. OSSFuzz discovered the problem.
FossilOrigin-Name: 5d61e75f32de09c81dbe844443209f063cccb005d60b846900de5b023643fc3b
---
 manifest | 14 +++++++-------
 manifest.uuid | 2 +-
 src/select.c | 8 +++++---
 test/orderby1.test | 10 ++++++++++
 4 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/manifest b/manifest
index d6da0b8eb1..6ea3748e5f 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sslightly\sincorrect\scorruption\sdetection\sbranch\sin\sthe\sbtree\slogic.
-D 2018-05-05T01:23:28.506
+C In\san\sORDER\sBY\sLIMIT,\smake\ssure\sthe\sORDER\sBY\sexpression\sevaluator\sdoes\snot\ntry\sto\sreuse\svalues\sfrom\sthe\sresult\sset\sif\sthe\sresult\sset\shas\snot\syet\nbe\scomputed.\s\sThis\sfixes\sa\sbug\sin\sthe\srecent\sdeferred-row\sloading\s\noptimization,\scheck-in\s[c381f0ea57002a264fd958b28e].\nOSSFuzz\sdiscovered\sthe\sproblem.
+D 2018-05-05T16:50:35.778
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in 5ce9343cba9c189046f1afe6d2bcc1f68079439febc05267b98aec6ecc752439
@@ -493,7 +493,7 @@ F src/printf.c d3b7844ddeb11fbbdd38dd84d09c9c1ac171d21fb038473c3aa97981201cc660 F src/random.c 80f5d666f23feb3e6665a6ce04c7197212a88384 F src/resolve.c 6415381a0e9d22c0e7cba33ca4a53f81474190862f5d4838190f5eb5b0b47bc9 F src/rowset.c 7b7e7e479212e65b723bf40128c7b36dc5afdfac -F src/select.c bf9185f40cbb98a1342c0149f66dff3fbadf262081305519927523b4ec7b876e +F src/select.c a35d462ee7a3c0856ad7a9d9c8921fbf3d91d911a8f39ad9d61302eb43b24a71 F src/shell.c.in 29309f2ab656c8817fbc3b7910b9af8464557b91cba75277a03669399c8e2730 F src/sqlite.h.in 469aed42e75193b7f5d88d812befa961c04746869475f96fcf434c9f67079f66 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8 @@ -1118,7 +1118,7 @@ F test/openv2.test 0d3040974bf402e19b7df4b783e447289d7ab394 F test/optfuzz-db01.c a0c256905c8ac79f9a5de2f374a3d9f757bef0dca2a238dc7c10cc8a38031834 F test/optfuzz-db01.txt 21f6bdeadc701cf11528276e2a55c70bfcb846ba42df327f979bd9e7b6ce7041 F test/optfuzz.c 50e330304eb1992e15ddd11f3daaad9bcc0d9aaad09cb2bcc77f9515df2e88b1 -F test/orderby1.test bb8535f52c42e91cfa110622ccff70597e531198bb4b033185ad84c11522ab1b +F test/orderby1.test e4501f54721f804ca56922e253403ac6775f88e9f07569994ce99212b3ca5b10 F test/orderby2.test bc11009f7cd99d96b1b11e57b199b00633eb5b04 F test/orderby3.test 8619d06a3debdcd80a27c0fdea5c40b468854b99 F test/orderby4.test 4d39bfbaaa3ae64d026ca2ff166353d2edca4ba4 @@ -1727,7 +1727,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P 7fdad122a21e4b01bd678198fd5131dc32febe3af366bd6368505398255f9822 -R c749c0665814a70e6af52cc6400bfbb1 +P 9191ff670cb7f36e0b2dac4a22888679b639845687aef8edcc3c05e35ba71eda +R a56d2b47132e721ba501356936c97e91 U drh -Z e525a0897d0f2a68d316a072398c9145 +Z 1741a532a82a49137514437ac680f600 
diff --git a/manifest.uuid b/manifest.uuid
index 062607e404..0b9467a81c 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-9191ff670cb7f36e0b2dac4a22888679b639845687aef8edcc3c05e35ba71eda
\ No newline at end of file
+5d61e75f32de09c81dbe844443209f063cccb005d60b846900de5b023643fc3b
\ No newline at end of file
diff --git a/src/select.c b/src/select.c
index c5d4612032..3818ef5170 100644
--- a/src/select.c
+++ b/src/select.c
@@ -627,9 +627,10 @@ static void pushOntoSorter(
 ** case regData==regOrigData.
 ** (3) Some output columns are omitted from the sort record due to
 ** the SQLITE_ENABLE_SORTER_REFERENCE optimization, or due to the
- ** SQLITE_ECEL_OMITREF optimization. In that case, regOrigData==0
- ** to prevent this routine from trying to copy values that might
- ** not exist.
+ ** SQLITE_ECEL_OMITREF optimization, or due to the
+ ** SortCtx.pDeferredRowLoad optimiation. In any of these cases
+ ** regOrigData is 0 to prevent this routine from trying to copy
+ ** values that might not yet exist.
 */
 assert( nData==1 || regData==regOrigData || regOrigData==0 );
@@ -1010,6 +1011,7 @@ static void selectInnerLoop(
 assert( pSort!=0 );
 assert( hasDistinct==0 );
 pSort->pDeferredRowLoad = &sRowLoadInfo;
+ regOrig = 0;
 }else{
 innerLoopLoadRow(pParse, p, &sRowLoadInfo);
 }
diff --git a/test/orderby1.test b/test/orderby1.test
index 13bd7bfb5a..836ca4b83b 100644
--- a/test/orderby1.test
+++ b/test/orderby1.test
@@ -548,5 +548,15 @@ do_execsql_test 9.0 {
 SELECT (SELECT x||y FROM t2, t1 ORDER BY x, y);
 } {13}
+# Problem found by OSSFuzz on 2018-05-05. This was caused by a new
+# optimization that had not been previously released.
+#
+do_execsql_test 10.0 {
+ CREATE TABLE t10(a,b);
+ INSERT INTO t10 VALUES(1,2),(8,9),(3,4),(5,4),(0,7);
+ CREATE INDEX t10b ON t10(b);
+ SELECT b, rowid, '^' FROM t10 ORDER BY b, a LIMIT 4;
+} {2 1 ^ 4 3 ^ 4 4 ^ 7 5 ^}
+
 finish_test
--
2.47.2
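Review bot: The rewritten preamble comment in pushOntoSorter misspells the key term in `** SortCtx.pDeferredRowLoad optimiation. In any of these cases`; it should read `** SortCtx.pDeferredRowLoad optimization. In any of these cases`. This comment is the only place in the hunk that enumerates the three conditions under which regOrigData is 0, so a reader grepping for the deferred-row-load optimization by name will miss it. pushOntoSorter's body continues outside the hunk.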
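Review bot: The added `regOrig = 0;` in selectInnerLoop gives no hint why the original-data register is being discarded on the deferred-row-load path, and the invariant it upholds is documented only in pushOntoSorter's preamble some four hundred lines earlier, where `assert( nData==1 || regData==regOrigData || regOrigData==0 )` is the check it now satisfies. A one-line comment at the assignment, `/* Row not loaded yet: pushOntoSorter must not copy result registers */`, keeps the two sites in step for the next maintainer. That regOrig is what reaches pushOntoSorter as regOrigData is inferred from the comment, not visible here, since the call is outside the hunk. selectInnerLoop's body starts and ends outside the hunk.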