Blame SOURCES/sqlite-3.26.0-CVE-2020-13435.patch

77bd1e
Subject: [PATCH] When rewriting a query for window functions, if the rewrite 
77bd1e
changes the depth of TK_AGG_FUNCTION nodes, be sure to adjust the Expr.op2 
77bd1e
field appropriately.
77bd1e
77bd1e
diff --git a/src/resolve.c b/src/resolve.c
77bd1e
index cdcf4d9..c47f6bb 100644
77bd1e
--- a/src/resolve.c
77bd1e
+++ b/src/resolve.c
77bd1e
@@ -24,6 +24,8 @@
77bd1e
 **
77bd1e
 ** incrAggFunctionDepth(pExpr,n) is the main routine.  incrAggDepth(..)
77bd1e
 ** is a helper function - a callback for the tree walker.
77bd1e
+**
77bd1e
+** See also the sqlite3WindowExtraAggFuncDepth() routine in window.c
77bd1e
 */
77bd1e
 static int incrAggDepth(Walker *pWalker, Expr *pExpr){
77bd1e
   if( pExpr->op==TK_AGG_FUNCTION ) pExpr->op2 += pWalker->u.n;
77bd1e
diff --git a/src/select.c b/src/select.c
77bd1e
index a6d1757..6f5570c 100644
77bd1e
--- a/src/select.c
77bd1e
+++ b/src/select.c
77bd1e
@@ -1961,7 +1961,7 @@ int sqlite3ColumnsFromExprList(
77bd1e
         assert( pColExpr!=0 );
77bd1e
       }
77bd1e
       assert( pColExpr->op!=TK_AGG_COLUMN );
77bd1e
-      if( pColExpr->op==TK_COLUMN ){
77bd1e
+      if( pColExpr->op==TK_COLUMN && pColExpr->y.pTab ){
77bd1e
         /* For columns use the column name name */
77bd1e
         int iCol = pColExpr->iColumn;
77bd1e
         Table *pTab = pColExpr->y.pTab;
77bd1e
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
77bd1e
index 1cf6937..ea9a7ae 100644
77bd1e
--- a/src/sqliteInt.h
77bd1e
+++ b/src/sqliteInt.h
77bd1e
@@ -3579,6 +3579,8 @@ void sqlite3WindowUpdate(Parse*, Window*, Window*, FuncDef*);
77bd1e
 Window *sqlite3WindowDup(sqlite3 *db, Expr *pOwner, Window *p);
77bd1e
 Window *sqlite3WindowListDup(sqlite3 *db, Window *p);
77bd1e
 void sqlite3WindowFunctions(void);
77bd1e
+int sqlite3WalkerDepthIncrease(Walker*,Select*);
77bd1e
+void sqlite3WalkerDepthDecrease(Walker*,Select*);
77bd1e
 #else
77bd1e
 # define sqlite3WindowDelete(a,b)
77bd1e
 # define sqlite3WindowFunctions()
77bd1e
diff --git a/src/walker.c b/src/walker.c
77bd1e
index c31d94f..8cd3b65 100644
77bd1e
--- a/src/walker.c
77bd1e
+++ b/src/walker.c
77bd1e
@@ -165,3 +165,16 @@ int sqlite3WalkSelect(Walker *pWalker, Select *p){
77bd1e
   }while( p!=0 );
77bd1e
   return WRC_Continue;
77bd1e
 }
77bd1e
+
77bd1e
+/* Increase the walkerDepth when entering a subquery, and
77bd1e
+** descrease when leaving the subquery.
77bd1e
+*/
77bd1e
+int sqlite3WalkerDepthIncrease(Walker *pWalker, Select *pSelect){
77bd1e
+  UNUSED_PARAMETER(pSelect);
77bd1e
+  pWalker->walkerDepth++;
77bd1e
+  return WRC_Continue;
77bd1e
+}
77bd1e
+void sqlite3WalkerDepthDecrease(Walker *pWalker, Select *pSelect){
77bd1e
+  UNUSED_PARAMETER(pSelect);
77bd1e
+  pWalker->walkerDepth--;
77bd1e
+}
77bd1e
\ No newline at end of file
77bd1e
diff --git a/src/window.c b/src/window.c
77bd1e
index c65eadd..48d8090 100644
77bd1e
--- a/src/window.c
77bd1e
+++ b/src/window.c
77bd1e
@@ -738,6 +738,23 @@ static ExprList *exprListAppendList(
77bd1e
   return pList;
77bd1e
 }
77bd1e
 
77bd1e
+/*
77bd1e
+** When rewriting a query, if the new subquery in the FROM clause
77bd1e
+** contains TK_AGG_FUNCTION nodes that refer to an outer query,
77bd1e
+** then we have to increase the Expr->op2 values of those nodes
77bd1e
+** due to the extra subquery layer that was added.
77bd1e
+**
77bd1e
+** See also the incrAggDepth() routine in resolve.c
77bd1e
+*/
77bd1e
+static int sqlite3WindowExtraAggFuncDepth(Walker *pWalker, Expr *pExpr){
77bd1e
+  if( pExpr->op==TK_AGG_FUNCTION
77bd1e
+   && pExpr->op2>=pWalker->walkerDepth
77bd1e
+  ){
77bd1e
+    pExpr->op2++;
77bd1e
+  }
77bd1e
+  return WRC_Continue;
77bd1e
+}
77bd1e
+
77bd1e
 /*
77bd1e
 ** If the SELECT statement passed as the second argument does not invoke
77bd1e
 ** any SQL window functions, this function is a no-op. Otherwise, it 
77bd1e
@@ -827,14 +844,24 @@ int sqlite3WindowRewrite(Parse *pParse, Select *p){
77bd1e
     p->pSrc = sqlite3SrcListAppend(db, 0, 0, 0);
77bd1e
     assert( p->pSrc || db->mallocFailed );
77bd1e
     if( p->pSrc ){
77bd1e
+      Table *pTab2;
77bd1e
+      Walker w;
77bd1e
       p->pSrc->a[0].pSelect = pSub;
77bd1e
       sqlite3SrcListAssignCursors(pParse, p->pSrc);
77bd1e
-      if( sqlite3ExpandSubquery(pParse, &p->pSrc->a[0]) ){
77bd1e
+      pTab2 = sqlite3ResultSetOfSelect(pParse, pSub);
77bd1e
+      if( pTab2==0 ){
77bd1e
         rc = SQLITE_NOMEM;
77bd1e
       }else{
77bd1e
         pSub->selFlags |= SF_Expanded;
77bd1e
         p->selFlags &= ~SF_Aggregate;
77bd1e
         sqlite3SelectPrep(pParse, pSub, 0);
77bd1e
+        pTab2->tabFlags |= TF_Ephemeral;
77bd1e
+        p->pSrc->a[0].pTab = pTab2;
77bd1e
+        memset(&w, 0, sizeof(w));
77bd1e
+        w.xExprCallback = sqlite3WindowExtraAggFuncDepth;
77bd1e
+        w.xSelectCallback = sqlite3WalkerDepthIncrease;
77bd1e
+        w.xSelectCallback2 = sqlite3WalkerDepthDecrease;
77bd1e
+        sqlite3WalkSelect(&w, pSub);
77bd1e
       }
77bd1e
 
77bd1e
       sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pMWin->iEphCsr, pSublist->nExpr);
77bd1e
diff --git a/test/window1.test b/test/window1.test
77bd1e
index a8399a8..13ecc32 100644
77bd1e
--- a/test/window1.test
77bd1e
+++ b/test/window1.test
77bd1e
@@ -594,4 +594,20 @@ do_execsql_test 13.5 {
77bd1e
 } {
77bd1e
 }
77bd1e
 
77bd1e
+# 2020-05-23
77bd1e
+# ticket 7a5279a25c57adf1
77bd1e
+#
77bd1e
+reset_db
77bd1e
+do_execsql_test 53.0 {
77bd1e
+  CREATE TABLE a(c UNIQUE);
77bd1e
+  INSERT INTO a VALUES(4),(0),(9),(-9);
77bd1e
+  SELECT a.c
77bd1e
+    FROM a
77bd1e
+    JOIN a AS b ON a.c=4
77bd1e
+    JOIN a AS e ON a.c=e.c
77bd1e
+   WHERE a.c=(SELECT (SELECT coalesce(lead(2) OVER(),0) + sum(d.c))
77bd1e
+                FROM a AS d
77bd1e
+               WHERE a.c);
77bd1e
+} {4 4 4 4}
77bd1e
+
77bd1e
 finish_test