Blame SOURCES/sqlite-3.26.0-CVE-2020-15358.patch

a417f0
Subject: [PATCH] Fix a defect in the query-flattener optimization
a417f0
a417f0
---
a417f0
 src/select.c      |  8 ++++----
a417f0
 src/sqliteInt.h   |  1 +
a417f0
 test/selectA.test | 22 ++++++++++++++++++++++
a417f0
 3 files changed, 27 insertions(+), 4 deletions(-)
a417f0
a417f0
diff --git a/src/select.c b/src/select.c
a417f0
index 88a43df..a513d36 100644
a417f0
--- a/src/select.c
a417f0
+++ b/src/select.c
a417f0
@@ -2686,9 +2686,7 @@ static int multiSelect(
a417f0
                           selectOpName(p->op)));
a417f0
         rc = sqlite3Select(pParse, p, &uniondest);
a417f0
         testcase( rc!=SQLITE_OK );
a417f0
-        /* Query flattening in sqlite3Select() might refill p->pOrderBy.
a417f0
-        ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
a417f0
-        sqlite3ExprListDelete(db, p->pOrderBy);
a417f0
+        assert( p->pOrderBy==0 );
a417f0
         pDelete = p->pPrior;
a417f0
         p->pPrior = pPrior;
a417f0
         p->pOrderBy = 0;
a417f0
@@ -4010,7 +4008,7 @@ static int flattenSubquery(
a417f0
     ** We look at every expression in the outer query and every place we see
a417f0
     ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
a417f0
     */
a417f0
-    if( pSub->pOrderBy ){
a417f0
+    if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
a417f0
       /* At this point, any non-zero iOrderByCol values indicate that the
a417f0
       ** ORDER BY column expression is identical to the iOrderByCol'th
a417f0
       ** expression returned by SELECT statement pSub. Since these values
a417f0
@@ -5633,6 +5631,8 @@ int sqlite3Select(
a417f0
     sqlite3ExprListDelete(db, p->pOrderBy);
a417f0
     p->pOrderBy = 0;
a417f0
     p->selFlags &= ~SF_Distinct;
a417f0
+    p->selFlags |= SF_NoopOrderBy;
a417f0
+
a417f0
   }
a417f0
   sqlite3SelectPrep(pParse, p, 0);
a417f0
   if( pParse->nErr || db->mallocFailed ){
a417f0
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
a417f0
index 76337f7..60b2ebd 100644
a417f0
--- a/src/sqliteInt.h
a417f0
+++ b/src/sqliteInt.h
a417f0
@@ -2874,6 +2874,7 @@ struct Select {
a417f0
 #define SF_Converted      0x10000  /* By convertCompoundSelectToSubquery() */
a417f0
 #define SF_IncludeHidden  0x20000  /* Include hidden columns in output */
a417f0
 #define SF_ComplexResult  0x40000  /* Result contains subquery or function */
a417f0
+#define SF_NoopOrderBy   0x0400000 /* ORDER BY is ignored for this query */
a417f0
 
a417f0
 /*
a417f0
 ** The results of a SELECT can be distributed in several ways, as defined
a417f0
diff --git a/test/selectA.test b/test/selectA.test
a417f0
index 838e5f4..2626008 100644
a417f0
--- a/test/selectA.test
a417f0
+++ b/test/selectA.test
a417f0
@@ -1446,5 +1446,27 @@ do_execsql_test 6.1 {
a417f0
   SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
a417f0
 } {12345}
a417f0
 
a417f0
+# 2020-06-15 ticket 8f157e8010b22af0
a417f0
+#
a417f0
+reset_db
a417f0
+do_execsql_test 7.1 {
a417f0
+  CREATE TABLE t1(c1);     INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc');
a417f0
+  CREATE TABLE t2(c2);     INSERT INTO t2 VALUES(44),(55),(123);
a417f0
+  CREATE TABLE t3(c3,c4);  INSERT INTO t3 VALUES(66,1),(123,2),(77,3);
a417f0
+  CREATE VIEW t4 AS SELECT c3 FROM t3;
a417f0
+  CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4;
a417f0
+}
a417f0
+do_execsql_test 7.2 {
a417f0
+  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123;
a417f0
+} {123 123}
a417f0
+do_execsql_test 7.3 {
a417f0
+  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123;
a417f0
+} {123 123}
a417f0
+do_execsql_test 7.4 {
a417f0
+  CREATE TABLE a(b);
a417f0
+  CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
a417f0
+  SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
a417f0
+} {}
a417f0
+
a417f0
 
a417f0
 finish_test
a417f0
-- 
a417f0
2.24.1
a417f0