
Subject: [PATCH] When rewriting a query for window functions, if the rewrite 
changes the depth of TK_AGG_FUNCTION nodes, be sure to adjust the Expr.op2 
field appropriately.
diff --git a/src/resolve.c b/src/resolve.c
113387
index cdcf4d9..c47f6bb 100644
113387
--- a/src/resolve.c
113387
+++ b/src/resolve.c
113387
@@ -24,6 +24,8 @@
113387
 **
113387
 ** incrAggFunctionDepth(pExpr,n) is the main routine.  incrAggDepth(..)
113387
 ** is a helper function - a callback for the tree walker.
113387
+**
113387
+** See also the sqlite3WindowExtraAggFuncDepth() routine in window.c
113387
 */
113387
 static int incrAggDepth(Walker *pWalker, Expr *pExpr){
113387
   if( pExpr->op==TK_AGG_FUNCTION ) pExpr->op2 += pWalker->u.n;
113387
diff --git a/src/select.c b/src/select.c
113387
index a6d1757..6f5570c 100644
113387
--- a/src/select.c
113387
+++ b/src/select.c
113387
@@ -1961,7 +1961,7 @@ int sqlite3ColumnsFromExprList(
113387
         assert( pColExpr!=0 );
113387
       }
113387
       assert( pColExpr->op!=TK_AGG_COLUMN );
113387
-      if( pColExpr->op==TK_COLUMN ){
113387
+      if( pColExpr->op==TK_COLUMN && pColExpr->y.pTab ){
113387
         /* For columns use the column name name */
113387
         int iCol = pColExpr->iColumn;
113387
         Table *pTab = pColExpr->y.pTab;
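Review bot: The new `pColExpr->y.pTab` guard on the `TK_COLUMN` branch is unexplained, so a reader cannot tell when a resolved column expression is allowed to have no table and why falling through to the other naming path is the right outcome. Presumably this is the ephemeral result-set table that the window.c hunk now attaches to the rewritten FROM-clause item, but nothing in this hunk says so. I would put `/* y.pTab may be NULL for a column of the subquery built by the window-function rewrite; use the expression-name path in that case */` above the condition, adjusted once the origin of the NULL is confirmed. sqlite3ColumnsFromExprList begins before and continues past this hunk.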
113387
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
113387
index 1cf6937..ea9a7ae 100644
113387
--- a/src/sqliteInt.h
113387
+++ b/src/sqliteInt.h
113387
@@ -3579,6 +3579,8 @@ void sqlite3WindowUpdate(Parse*, Window*, Window*, FuncDef*);
113387
 Window *sqlite3WindowDup(sqlite3 *db, Expr *pOwner, Window *p);
113387
 Window *sqlite3WindowListDup(sqlite3 *db, Window *p);
113387
 void sqlite3WindowFunctions(void);
113387
+int sqlite3WalkerDepthIncrease(Walker*,Select*);
113387
+void sqlite3WalkerDepthDecrease(Walker*,Select*);
113387
 #else
113387
 # define sqlite3WindowDelete(a,b)
113387
 # define sqlite3WindowFunctions()
113387
diff --git a/src/walker.c b/src/walker.c
113387
index c31d94f..8cd3b65 100644
113387
--- a/src/walker.c
113387
+++ b/src/walker.c
113387
@@ -165,3 +165,16 @@ int sqlite3WalkSelect(Walker *pWalker, Select *p){
113387
   }while( p!=0 );
113387
   return WRC_Continue;
113387
 }
113387
+
113387
+/* Increase the walkerDepth when entering a subquery, and
113387
+** descrease when leaving the subquery.
113387
+*/
113387
+int sqlite3WalkerDepthIncrease(Walker *pWalker, Select *pSelect){
113387
+  UNUSED_PARAMETER(pSelect);
113387
+  pWalker->walkerDepth++;
113387
+  return WRC_Continue;
113387
+}
113387
+void sqlite3WalkerDepthDecrease(Walker *pWalker, Select *pSelect){
113387
+  UNUSED_PARAMETER(pSelect);
113387
+  pWalker->walkerDepth--;
113387
+}
113387
\ No newline at end of file
113387
diff --git a/src/window.c b/src/window.c
113387
index c65eadd..48d8090 100644
113387
--- a/src/window.c
113387
+++ b/src/window.c
113387
@@ -738,6 +738,23 @@ static ExprList *exprListAppendList(
113387
   return pList;
113387
 }
113387
 
113387
+/*
113387
+** When rewriting a query, if the new subquery in the FROM clause
113387
+** contains TK_AGG_FUNCTION nodes that refer to an outer query,
113387
+** then we have to increase the Expr->op2 values of those nodes
113387
+** due to the extra subquery layer that was added.
113387
+**
113387
+** See also the incrAggDepth() routine in resolve.c
113387
+*/
113387
+static int sqlite3WindowExtraAggFuncDepth(Walker *pWalker, Expr *pExpr){
113387
+  if( pExpr->op==TK_AGG_FUNCTION
113387
+   && pExpr->op2>=pWalker->walkerDepth
113387
+  ){
113387
+    pExpr->op2++;
113387
+  }
113387
+  return WRC_Continue;
113387
+}
113387
+
113387
 /*
113387
 ** If the SELECT statement passed as the second argument does not invoke
113387
 ** any SQL window functions, this function is a no-op. Otherwise, it 
113387
@@ -827,14 +844,24 @@ int sqlite3WindowRewrite(Parse *pParse, Select *p){
113387
     p->pSrc = sqlite3SrcListAppend(db, 0, 0, 0);
113387
     assert( p->pSrc || db->mallocFailed );
113387
     if( p->pSrc ){
113387
+      Table *pTab2;
113387
+      Walker w;
113387
       p->pSrc->a[0].pSelect = pSub;
113387
       sqlite3SrcListAssignCursors(pParse, p->pSrc);
113387
-      if( sqlite3ExpandSubquery(pParse, &p->pSrc->a[0]) ){
113387
+      pTab2 = sqlite3ResultSetOfSelect(pParse, pSub);
113387
+      if( pTab2==0 ){
113387
         rc = SQLITE_NOMEM;
113387
       }else{
113387
         pSub->selFlags |= SF_Expanded;
113387
         p->selFlags &= ~SF_Aggregate;
113387
         sqlite3SelectPrep(pParse, pSub, 0);
113387
+        pTab2->tabFlags |= TF_Ephemeral;
113387
+        p->pSrc->a[0].pTab = pTab2;
113387
+        memset(&w, 0, sizeof(w));
113387
+        w.xExprCallback = sqlite3WindowExtraAggFuncDepth;
113387
+        w.xSelectCallback = sqlite3WalkerDepthIncrease;
113387
+        w.xSelectCallback2 = sqlite3WalkerDepthDecrease;
113387
+        sqlite3WalkSelect(&w, pSub);
113387
       }
113387
 
113387
       sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pMWin->iEphCsr, pSublist->nExpr);
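Review bot: The walk over `pSub` relies on the zeroed `Walker` starting at `walkerDepth==0` so that the callback sees depth 1 inside `pSub`, but nothing at the call site states that contract, and the walk runs even when `sqlite3SelectPrep` has just recorded an error or `db->mallocFailed` is set. A comment above the `memset`, such as `/* Start at depth 0: inside pSub the depth is 1, so every aggregate whose op2 reaches the current depth refers past the inserted subquery layer and needs op2 bumped */`, would make the dependency explicit. Whether the walk should be skipped after a failed prep I cannot tell from here; if the tree is guaranteed intact on error it may be harmless, otherwise a `pParse->nErr==0` check before it is cheap. sqlite3WindowRewrite starts before and ends after this hunk.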
113387
diff --git a/test/window1.test b/test/window1.test
113387
index a8399a8..13ecc32 100644
113387
--- a/test/window1.test
113387
+++ b/test/window1.test
113387
@@ -594,4 +594,20 @@ do_execsql_test 13.5 {
113387
 } {
113387
 }
113387
 
113387
+# 2020-05-23
113387
+# ticket 7a5279a25c57adf1
113387
+#
113387
+reset_db
113387
+do_execsql_test 53.0 {
113387
+  CREATE TABLE a(c UNIQUE);
113387
+  INSERT INTO a VALUES(4),(0),(9),(-9);
113387
+  SELECT a.c
113387
+    FROM a
113387
+    JOIN a AS b ON a.c=4
113387
+    JOIN a AS e ON a.c=e.c
113387
+   WHERE a.c=(SELECT (SELECT coalesce(lead(2) OVER(),0) + sum(d.c))
113387
+                FROM a AS d
113387
+               WHERE a.c);
113387
+} {4 4 4 4}
113387
+
113387
 finish_test
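Review bot: The new test is numbered `53.0` while the test immediately above it is `13.5`, so the file's numbering no longer runs in sequence. This is probably the number the case carries upstream, which is worth keeping for traceability, but a one-line comment saying so next to the ticket reference, e.g. `# (numbered as in upstream window1.test)`, would stop the next reader from assuming a typo. The case only pins the non-crashing result; that is adequate for a regression test of this ticket.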