Subject: [PATCH] Fix a use-after-free bug in the fts3 snippet() function.

---
 ext/fts3/fts3.c        |  1 +
 test/fts3snippet2.test | 59 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 test/fts3snippet2.test

diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
index 84fc8a5..9ddd201 100644
--- a/ext/fts3/fts3.c
+++ b/ext/fts3/fts3.c
@@ -5213,6 +5213,7 @@ static void fts3EvalNextRow(
                 fts3EvalNextRow(pCsr, pLeft, pRc);
               }
             }
+            pRight->bEof = pLeft->bEof = 1;
           }
         }
         break;
diff --git a/test/fts3snippet2.test b/test/fts3snippet2.test
new file mode 100644
index 0000000..607b01e
--- /dev/null
+++ b/test/fts3snippet2.test
@@ -0,0 +1,59 @@
+# 2020-05-14
+#
+# The author disclaims copyright to this source code.  In place of
+# a legal notice, here is a blessing:
+#
+#    May you do good and not evil.
+#    May you find forgiveness for yourself and forgive others.
+#    May you share freely, never taking more than you give.
+#
+#*************************************************************************
+#
+# The tests in this file test the FTS3 auxillary functions offsets(), 
+# snippet() and matchinfo() work. At time of writing, running this file 
+# provides full coverage of fts3_snippet.c.
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+set testprefix fts3snippet
+
+# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
+ifcapable !fts3 { finish_test ; return }
+source $testdir/fts3_common.tcl
+
+set sqlite_fts3_enable_parentheses 1
+#-------------------------------------------------------------------------
+# Request a snippet from a query with more than 64 phrases.
+#
+reset_db
+do_execsql_test 1.0 {
+  CREATE VIRTUAL TABLE f USING fts3(b);
+  INSERT INTO f VALUES ( x'746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218');
+}
+
+do_execsql_test 1.1 {
+  SELECT  length(snippet(f))>0  FROM f WHERE b MATCH x'1065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a010f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c2a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e0f42';
+} {1}
+
+reset_db
+do_execsql_test 2.0 {
+  CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
+  INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
+  SELECT snippet(t0)  FROM t0 WHERE t0 MATCH x'0a4d4d4d4d320a4f52d70a310a310a4e4541520a0a31f6ce0a4f520a0a310a310a310a4f520a75fc2a242424' ;
+} {<b>1</b>}
+
+reset_db
+do_execsql_test 2.1 {
+  CREATE VIRTUAL TABLE t0 USING fts3(
+      col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY
+  );
+  INSERT INTO t0 VALUES ('one', '1234','aaaa','bbbb');
+}
+do_execsql_test 2.2 {
+  SELECT snippet(t0)  FROM t0 WHERE t0 MATCH 
+  '(def AND (one NEAR abc)) OR one'
+} {<b>one</b>}
+
+set sqlite_fts3_enable_parentheses 0
+finish_test
-- 
2.24.1