sqlite/6055-Fix-CVE-2018-20505.patch
eulerstorage 5909c3024d fix cves
2020-03-10 17:39:01 +08:00


Index: src/wherecode.c
==================================================================
--- a/src/wherecode.c
+++ b/src/wherecode.c
@@ -424,11 +424,11 @@
Select *pSelect; /* Pointer to the SELECT on the RHS */
for(i=iEq; i<pLoop->nLTerm; i++){
if( pLoop->aLTerm[i]->pExpr==pX ){
int iField = pLoop->aLTerm[i]->iField - 1;
- assert( pOrigRhs->a[iField].pExpr!=0 );
+ if( pOrigRhs->a[iField].pExpr==0 ) continue; /* Duplicate PK column */
pRhs = sqlite3ExprListAppend(pParse, pRhs, pOrigRhs->a[iField].pExpr);
pOrigRhs->a[iField].pExpr = 0;
assert( pOrigLhs->a[iField].pExpr!=0 );
pLhs = sqlite3ExprListAppend(pParse, pLhs, pOrigLhs->a[iField].pExpr);
pOrigLhs->a[iField].pExpr = 0;
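Review bot: The comment `/* Duplicate PK column */` on the added `continue` does not say why skipping is safe, and the `assert( pOrigLhs->a[iField].pExpr!=0 )` two lines below is left as the only check on the LHS side. In the visible lines both `pOrigRhs->a[iField].pExpr` and `pOrigLhs->a[iField].pExpr` are set to 0 in the same iteration, so a NULL RHS entry implies the LHS entry was already consumed as well. I would state that invariant in the comment, e.g. `/* Field already moved by an earlier term on the same column (duplicate PK column); LHS and RHS are cleared together, so skip both */`. The replaced assert is presumably compiled out of non-debug builds, which would make this `if` the only guard there, and that is worth a word too. The enclosing loop and function start and end outside the hunk.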
Index: test/rowvalue.test
==================================================================
--- a/test/rowvalue.test
+++ b/test/rowvalue.test
@@ -543,7 +543,18 @@
# 2018-02-18: Memory leak nexted row-value. Detected by OSSFuzz.
#
do_catchsql_test 20.1 {
SELECT 1 WHERE (2,(2,0)) IS (2,(2,0));
} {0 1}
+
+# 2018-11-03: Ticket https://www.sqlite.org/src/info/1a84668dcfdebaf1
+# Assertion fault when doing row-value operations on a primary key
+# containing duplicate columns.
+#
+do_execsql_test 21.0 {
+ DROP TABLE IF EXISTS t1;
+ CREATE TABLE t1(a,b,PRIMARY KEY(b,b));
+ INSERT INTO t1 VALUES(1,2),(3,4),(5,6);
+ SELECT * FROM t1 WHERE (a,b) IN (VALUES(1,2));
+} {1 2}
finish_test
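Review bot: Test 21.0 queries only a tuple that matches a stored row on both columns, so the expected `{1 2}` would also come back if the skipped duplicate term caused just one of the two columns to be compared. A mixed tuple against the same table would pin the filtering as well as the absence of the assertion fault, for example `do_execsql_test 21.1 { SELECT * FROM t1 WHERE (a,b) IN (VALUES(1,4)); } {}`. A short comment on 21.0 noting that `PRIMARY KEY(b,b)` is the deliberate trigger would keep the duplicate column from being "cleaned up" later.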