From 8654186b0236d556aa85528c2573ee0b6ab71be3 Mon Sep 17 00:00:00 2001
From: drh
Date: Thu, 19 Dec 2019 20:37:32 +0000
Subject: [PATCH] Fix CVE-2019-19924

When an error occurs while rewriting the parser tree for window functions in the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set, and make sure that this shuts down any subsequent code generation that might depend on the transformations that were implemented. This fixes a problem discovered by the Yongheng and Rui fuzzer.

FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f

Change by Weifeng : Fit for version 3.24.0
---
 src/expr.c    | 2 ++
 src/vdbeaux.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/expr.c b/src/expr.c
index 36ca515..8fd8af9 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -344,6 +344,8 @@ static int codeCompare(
   int addr;
   CollSeq *p4;
 
+  if( pParse->nErr ) return 0;
+
   p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
   p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
   addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index ba2396c..df8bcc2 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -1171,7 +1171,8 @@ void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
 */
 static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
   assert( p->nOp>0 || p->aOp==0 );
-  assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
+  assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
+               || p->pParse->nErr>0 );
   if( p->nOp ){
     assert( p->aOp );
     sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
-- 
2.19.1
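Review bot: The new early return in codeCompare hands back 0 as though it were a VDBE address, and 0 is a valid instruction index; any caller that keeps the result for a later sqlite3VdbeJumpHere() or sqlite3VdbeChangeP2() would then patch instruction 0 instead of a compare that was never emitted. From the hunk alone it is not visible whether callers in this version consume the return value, so that needs confirming at each call site, or the nErr guard should also sit in the callers that use the address. The guard also deserves a comment, since nothing in the hunk explains it: `/* An earlier error (e.g. a failed window-function rewrite) may have left pLeft/pRight inconsistent; emit nothing and let the caller unwind on pParse->nErr. */`. codeCompare's signature and the remainder of its body lie outside the hunk.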
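Review bot: The widened assertion in vdbeVComment now accepts an opcode that already carries a comment whenever p->pParse->nErr>0, but nothing says why that is legitimate; presumably it is because, once an error is recorded, an emitter may return before adding its opcode (as codeCompare now does in this same patch), so the following VdbeComment() lands on the previous instruction. The existing sqlite3DbFree() two lines down releases the old comment, so the relaxation looks safe, but the intent should be recorded next to the assert: `/* After an error an emitter may bail out before adding its opcode, so a comment can land on an already-commented op; the old one is freed below. */`. This also relies on p->pParse being non-NULL for every Vdbe that reaches here, which the hunk does not show. vdbeVComment's body continues past the hunk.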