From 6db07ba0e6e7e7ea4a8c3de9734437a87c2fd8c0 Mon Sep 17 00:00:00 2001
From: guiyao
Date: Thu, 8 Apr 2021 14:19:51 -0400
Subject: [PATCH] fix CVE-2020-9327

Description: this patch is used to fix CVE-2020-9327, and it was rewritten base on commit 78d1d225d87af40f5bdca57fa72f00b6ffaffa21 and bf48ce49f7c25e5d4524de9fdc5c0d505218d06d to fit the current version.
---
 src/expr.c      | 15 +++++++++++----
 src/sqliteInt.h |  3 +++
 src/whereexpr.c |  9 ++++++---
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/expr.c b/src/expr.c
index 8fd8af9..73a8187 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -5055,18 +5055,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
     case TK_LT:
     case TK_LE:
     case TK_GT:
-    case TK_GE:
+    case TK_GE: {
+      Expr *pLeft = pExpr->pLeft;
+      Expr *pRight = pExpr->pRight;
       testcase( pExpr->op==TK_EQ );
       testcase( pExpr->op==TK_NE );
       testcase( pExpr->op==TK_LT );
       testcase( pExpr->op==TK_LE );
       testcase( pExpr->op==TK_GT );
       testcase( pExpr->op==TK_GE );
-      if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->pTab)) || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->pTab))
+      /* The pTab=0 assignment in wherecode.c always happens after the ** impliesNotNullRow() test */
+      if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->pTab!=0) && IsVirtual(pLeft->pTab)) || (pRight->op==TK_COLUMN && ALWAYS(pRight->pTab!=0) && IsVirtual(pRight->pTab))
       ){
-        return WRC_Prune;
+        return WRC_Prune;
       }
+    }
     default:
       return WRC_Continue;
   }
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 91fde72..d79ab28 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -1955,8 +1955,11 @@ struct Table {
 */
 #ifndef SQLITE_OMIT_VIRTUALTABLE
 # define IsVirtual(X) ((X)->nModuleArg)
+# define ExprIsVtab(X) \
+  ((X)->op==TK_COLUMN && (X)->pTab!=0 && (X)->pTab->nModuleArg)
 #else
 # define IsVirtual(X) 0
+# define ExprIsVtab(X) 0
 #endif
 
 /*
diff --git a/src/whereexpr.c b/src/whereexpr.c
index 2975008..e61dfff 100644
--- a/src/whereexpr.c
+++ b/src/whereexpr.c
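Review bot: The new guard in impliesNotNullRow() spells out `op==TK_COLUMN`, `pTab!=0` and `IsVirtual(pTab)` by hand, wrapped in `ALWAYS(pLeft->pTab!=0)` / `ALWAYS(pRight->pTab!=0)`, while the same patch adds `ExprIsVtab(X)` to sqliteInt.h for exactly that test and uses it in whereexpr.c. In SQLite's debug builds ALWAYS() turns a false operand into an assert() failure, so if the ordering claim in the new comment ("the pTab=0 assignment in wherecode.c always happens after the impliesNotNullRow() test") does not hold in this tree, a debug build aborts where a release build would merely skip the prune; since the commit message says the fix was rewritten for this version, that guarantee is worth confirming against this tree's wherecode.c. If it cannot be confirmed, `if( ExprIsVtab(pLeft) || ExprIsVtab(pRight) ){` is both shorter and consistent with the whereexpr.c hunks. The new `case TK_GE: {` block falls through into `default:` after its closing brace, as the old code did; a `/* fall through */` comment on that `}` line would make the intent explicit.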
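Review bot: `ExprIsVtab(X)` dereferences X three times with no NULL check and no comment, so nothing in sqliteInt.h says that it is the intended replacement for `IsVirtual(pExpr->pTab)` on Expr nodes whose pTab may be 0. A short comment above the definition would capture the contract: `/* True if Expr X is a TK_COLUMN on a virtual table. X must be non-NULL; X->pTab may be 0 (see wherecode.c), which IsVirtual(X->pTab) would dereference. */`. Writing the last term as `IsVirtual((X)->pTab)` instead of `(X)->pTab->nModuleArg` would keep the two macros from drifting apart if the virtual-table test ever changes. Because the macro evaluates X more than once, callers must pass a side-effect-free expression; the three call sites in this patch (`pCol`, `pLeft`, `pRight`) all do.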
@@ -362,7 +362,8 @@ static int isAuxiliaryVtabOperator(
     return 0;
   }
   pCol = pList->a[1].pExpr;
-  if( pCol->op!=TK_COLUMN || !IsVirtual(pCol->pTab) ){
+  testcase( pCol->op==TK_COLUMN && pCol->pTab==0 );
+  if( !ExprIsVtab(pCol) ){
     return 0;
   }
   for(i=0; ipLeft;
   Expr *pRight = pExpr->pRight;
-  if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->pTab) ){
+  testcase( pLeft->op==TK_COLUMN && pLeft->pTab==0 );
+  if( ExprIsVtab(pLeft) ){
     res++;
   }
-  if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->pTab) ){
+  testcase( pRight && pRight->op==TK_COLUMN && pRight->pTab==0 );
+  if( pRight && ExprIsVtab(pRight) ){
     res++;
     SWAP(Expr*, pLeft, pRight);
   }
-- 
1.8.3.1
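Review bot: The new `testcase( pCol->op==TK_COLUMN && pCol->pTab==0 )` records that a column expression with no table is reachable here, but nothing in whereexpr.c says why, and a reader of this file alone cannot see the explanation the expr.c hunk puts in its comment (the pTab=0 assignment in wherecode.c). A one-line comment before the check would carry that context: `/* pTab may be 0 here (cleared in wherecode.c); ExprIsVtab() guards against it */`. The same remark applies to the later `ExprIsVtab(pLeft)` and `pRight && ExprIsVtab(pRight)` sites in this file, which appear to belong to the same function but whose hunk header did not survive extraction, so they are not reviewed separately. isAuxiliaryVtabOperator() begins before and continues after this hunk.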