sqlite/6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch

From 8654186b0236d556aa85528c2573ee0b6ab71be3 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Thu, 19 Dec 2019 20:37:32 +0000
Subject: [PATCH] Fix CVE-2019-19924
 When an error occurs while rewriting the parser tree for
 window functions in the sqlite3WindowRewrite() routine, make sure that
 pParse->nErr is set, and make sure that this shuts down any subsequent code
 generation that might depend on the transformations that were implemented. 
 This fixes a problem discovered by the Yongheng and Rui fuzzer.

FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f

Change by Weifeng <suweifeng1@huawei.com>:
    Fit for version 3.24.0
---
 src/expr.c    | 2 ++
 src/vdbeaux.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/expr.c b/src/expr.c
index 36ca515..8fd8af9 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -344,6 +344,8 @@ static int codeCompare(
   int addr;
   CollSeq *p4;
 
+  if( pParse->nErr ) return 0;
+
   p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
   p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
   addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index ba2396c..df8bcc2 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -1171,7 +1171,8 @@ void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
 */
 static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
   assert( p->nOp>0 || p->aOp==0 );
-  assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
+  assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
+          || p->pParse->nErr>0 );
   if( p->nOp ){
     assert( p->aOp );
     sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
-- 
2.19.1
repackage and fix cves 2020-01-08 10:32:47 +08:00			`From 8654186b0236d556aa85528c2573ee0b6ab71be3 Mon Sep 17 00:00:00 2001`
			`From: drh <drh@noemail.net>`
			`Date: Thu, 19 Dec 2019 20:37:32 +0000`
			`Subject: [PATCH] Fix CVE-2019-19924`
			`When an error occurs while rewriting the parser tree for`
			`window functions in the sqlite3WindowRewrite() routine, make sure that`
			`pParse->nErr is set, and make sure that this shuts down any subsequent code`
			`generation that might depend on the transformations that were implemented.`
			`This fixes a problem discovered by the Yongheng and Rui fuzzer.`

			`FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f`

			`Change by Weifeng <suweifeng1@huawei.com>:`
			`Fit for version 3.24.0`
			`---`
			`src/expr.c \| 2 ++`
			`src/vdbeaux.c \| 3 ++-`
			`2 files changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/src/expr.c b/src/expr.c`
			`index 36ca515..8fd8af9 100644`
			`--- a/src/expr.c`
			`+++ b/src/expr.c`
			`@@ -344,6 +344,8 @@ static int codeCompare(`
			`int addr;`
			`CollSeq *p4;`

			`+ if( pParse->nErr ) return 0;`
			`+`
			`p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);`
			`p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);`
			`addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,`
			`diff --git a/src/vdbeaux.c b/src/vdbeaux.c`
			`index ba2396c..df8bcc2 100644`
			`--- a/src/vdbeaux.c`
			`+++ b/src/vdbeaux.c`
			`@@ -1171,7 +1171,8 @@ void sqlite3VdbeSetP4KeyInfo(Parse pParse, Index pIdx){`
			`*/`
			`static void vdbeVComment(Vdbe p, const char zFormat, va_list ap){`
			`assert( p->nOp>0 \|\| p->aOp==0 );`
			`- assert( p->aOp==0 \|\| p->aOp[p->nOp-1].zComment==0 \|\| p->db->mallocFailed );`
			`+ assert( p->aOp==0 \|\| p->aOp[p->nOp-1].zComment==0 \|\| p->db->mallocFailed`
			`+ \|\| p->pParse->nErr>0 );`
			`if( p->nOp ){`
			`assert( p->aOp );`
			`sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);`
			`--`
			`2.19.1`