From 2d788539b0018d34d3cabb328387ba6bec41ec42 Mon Sep 17 00:00:00 2001

From: Ondrej Dubaj <odubaj@redhat.com>

Date: Thu, 26 Mar 2020 09:43:43 +0100

Subject: [PATCH] NULL pointer dereference and segmentation fault because of

 generated column optimizations

Take care when checking the table of a TK_COLUMN expression node to

see if the table is a virtual table to first ensure that the

Expr.y.pTab pointer is not null due to generated column optimizations.

---

 src/expr.c      | 13 ++++++++++---

 src/sqliteInt.h |  3 +++

 src/whereexpr.c | 12 ++++++++----

 3 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/src/expr.c b/src/expr.c

index b081ca2..5f98f76 100644

--- a/src/expr.c

+++ b/src/expr.c

@@ -4901,18 +4901,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){

     case TK_LT:

     case TK_LE:

     case TK_GT:

-    case TK_GE:

+    case TK_GE: {

+      Expr *pLeft = pExpr->pLeft;

+      Expr *pRight = pExpr->pRight;

       testcase( pExpr->op==TK_EQ );

       testcase( pExpr->op==TK_NE );

       testcase( pExpr->op==TK_LT );

       testcase( pExpr->op==TK_LE );

       testcase( pExpr->op==TK_GT );

       testcase( pExpr->op==TK_GE );

-      if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab))

-       || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab))

+      /* The y.pTab=0 assignment in wherecode.c always happens after the

+      ** impliesNotNullRow() test */

+      if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0)

+                               && IsVirtual(pLeft->y.pTab))

+       || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0)

+                               && IsVirtual(pRight->y.pTab))

       ){

        return WRC_Prune;

       }

+    }

     default:

       return WRC_Continue;

   }

diff --git a/src/sqliteInt.h b/src/sqliteInt.h

index 051aa40..5f5f3cc 100644

--- a/src/sqliteInt.h

+++ b/src/sqliteInt.h

@@ -2014,8 +2014,11 @@ struct Table {

 */

 #ifndef SQLITE_OMIT_VIRTUALTABLE

 #  define IsVirtual(X)      ((X)->nModuleArg)

+#  define ExprIsVtab(X)  \

+              ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg)

 #else

 #  define IsVirtual(X)      0

+#  define ExprIsVtab(X)     0

 #endif

 /*

diff --git a/src/whereexpr.c b/src/whereexpr.c

index dbb7f0d..9d2813a 100644

--- a/src/whereexpr.c

+++ b/src/whereexpr.c

@@ -382,7 +382,8 @@ static int isAuxiliaryVtabOperator(

     **       MATCH(expression,vtab_column)

     */

     pCol = pList->a[1].pExpr;

-    if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){

+    testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );

+    if( ExprIsVtab(pCol) ){

       for(i=0; i

         if( sqlite3StrICmp(pExpr->u.zToken, aOp[i].zOp)==0 ){

           *peOp2 = aOp[i].eOp2;

@@ -404,7 +405,8 @@ static int isAuxiliaryVtabOperator(

     ** with function names in an arbitrary case.

     */

     pCol = pList->a[0].pExpr;

-    if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){

+    testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );

+    if( ExprIsVtab(pCol) ){

       sqlite3_vtab *pVtab;

       sqlite3_module *pMod;

       void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**);

@@ -427,10 +429,12 @@ static int isAuxiliaryVtabOperator(

     int res = 0;

     Expr *pLeft = pExpr->pLeft;

     Expr *pRight = pExpr->pRight;

-    if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){

+    testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 );

+    if( ExprIsVtab(pLeft) ){

       res++;

     }

-    if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){

+    testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 );

+    if( pRight && ExprIsVtab(pRight) ){

       res++;

       SWAP(Expr*, pLeft, pRight);

     }

-- 

2.24.1