From 9b063329ebbd9aafdad82ebf0b9103ce2dd1af18 Mon Sep 17 00:00:00 2001
From: shenkai8
Date: Thu, 16 Apr 2020 17:22:49 +0000
Subject: [PATCH] backport Fix CVE-2020-11656

Fix a case when a pointer might be used after being freed in the ALTER TABLE code. Fix for [4722bdab08cb1]. (check-in: d09f8c36 user: dan tags: trunk)

Do not suppress errors when resolving references in an ORDER BY clause belonging to a compound SELECT within a view or trigger within ALTER TABLE. Fix for ticket [a10a14e9b4ba2]. (check-in: 68429388 user: dan tags: trunk)

Signed-off-by: dan <>
---
 src/alter.c | 16 ++++++++++++++++
 src/resolve.c | 2 +-
 test/altertab.test | 31 ++++++++++++++++++++++++++++++-
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/src/alter.c b/src/alter.c
index ee193d1..918df77 100644
--- a/src/alter.c
+++ b/src/alter.c
@@ -756,6 +756,21 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
 }
 
 /*
+** Unmap all tokens in the IdList object passed as the second argument.
+*/
+static void unmapColumnIdlistNames(
+ Parse *pParse,
+ IdList *pIdList
+){
+ if( pIdList ){
+ int ii;
+ for(ii=0; iinId; ii++){
+ sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName);
+ }
+ }
+}
+
+/*
 ** Walker callback used by sqlite3RenameExprUnmap().
 */
 static int renameUnmapSelectCb(Walker *pWalker, Select *p){
@@ -776,6 +791,7 @@ static int renameUnmapSelectCb(Walker *pWalker, Select *p){
 for(i=0; inSrc; i++){
 sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);
 if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;
+ unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);
 }
 }
 
diff --git a/src/resolve.c b/src/resolve.c
index 119a07f..894958c 100644
--- a/src/resolve.c
+++ b/src/resolve.c
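Review bot: The header comment on `unmapColumnIdlistNames` says what the function does but not why it exists, and the why is the substance of the CVE-2020-11656 fix: per the commit message, names in the IdList could be referenced by the rename context after the tree owning them was freed. Suggest extending the comment to `** Remove any rename-context mappings that point into the IdList, so that` / `** nothing references its names once the parse tree that owns it is freed` / `** (ticket 4722bdab08cb1, CVE-2020-11656).` Note also that the loop condition prints here as `iinId`, presumably `ii<pIdList->nId` with the comparison operator and `pIdList->` lost in extraction; check against the real source before reusing this text.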
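Review bot: The new `unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);` call is placed after `if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;`, so on the abort path the USING names of this source item remain mapped. If WRC_Abort only occurs on a hard failure where the whole rename context is discarded this is probably harmless, but those semantics are not visible in the hunk; moving the unmap up one line, `unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);` before `if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;`, makes the cleanup independent of the early return. renameUnmapSelectCb begins before this hunk.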
@@ -1177,7 +1177,7 @@ static int resolveOrderByTermToExprList(
 nc.nErr = 0;
 db = pParse->db;
 savedSuppErr = db->suppressErr;
- db->suppressErr = 1;
+ if( IN_RENAME_OBJECT==0 ) db->suppressErr = 1;
 rc = sqlite3ResolveExprNames(&nc, pE);
 db->suppressErr = savedSuppErr;
 if( rc ) return 0;
diff --git a/test/altertab.test b/test/altertab.test
index 7dcf8a5..01dd61a 100644
--- a/test/altertab.test
+++ b/test/altertab.test
@@ -594,7 +594,6 @@ reset_db
 do_execsql_test 18.1.0 {
 CREATE TABLE t0 (c0 INTEGER, PRIMARY KEY(c0)) WITHOUT ROWID;
 }
-breakpoint
 do_execsql_test 18.1.1 {
 ALTER TABLE t0 RENAME COLUMN c0 TO c1;
 }
@@ -613,4 +612,34 @@ do_execsql_test 18.2.2 {
 SELECT sql FROM sqlite_master;
 } {{CREATE TABLE t0 (c1 INTEGER, PRIMARY KEY(c1))}}
 
+# Ticket 4722bdab08cb14
+reset_db
+do_execsql_test 20.0 {
+ CREATE TABLE a(a);
+ CREATE VIEW b AS SELECT(SELECT *FROM c JOIN a USING(d, a, a, a) JOIN a) IN();
+}
+
+do_execsql_test 20.1 {
+ ALTER TABLE a RENAME a TO e;
+} {}
+
+reset_db
+do_execsql_test 21.0 {
+ CREATE TABLE a(b);
+ CREATE VIEW c AS
+ SELECT NULL INTERSECT
+ SELECT NULL ORDER BY
+ likelihood(NULL, (d, (SELECT c)));
+} {}
+do_catchsql_test 21.1 {
+ SELECT likelihood(NULL, (d, (SELECT c)));
+} {1 {second argument to likelihood() must be a constant between 0.0 and 1.0}}
+do_catchsql_test 21.2 {
+ SELECT * FROM c;
+} {1 {1st ORDER BY term does not match any column in the result set}}
+
+do_catchsql_test 21.3 {
+ ALTER TABLE a RENAME TO e;
+} {1 {error in view c: 1st ORDER BY term does not match any column in the result set}}
+
 finish_test
-- 
1.8.3.1
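Review bot: The new line `if( IN_RENAME_OBJECT==0 ) db->suppressErr = 1;` carries no comment, and nothing in the hunk states why resolution errors are suppressed here or why rename mode is the exception. The visible `if( rc ) return 0;` suggests a resolution failure is normally treated as "no match" rather than an error, which is presumably why suppression is safe in the ordinary case; a three-line comment above the new line saying that, and that under ALTER TABLE RENAME (`IN_RENAME_OBJECT`) the error must surface so a view or trigger with an unresolvable ORDER BY term fails the rename (ticket a10a14e9b4ba2), would save the next reader the archaeology. `IN_RENAME_OBJECT` presumably tests `pParse` implicitly, which is worth saying as well since the line reads as if it depends only on `db`. resolveOrderByTermToExprList begins before and continues after this hunk.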
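Review bot: Test 20.1 only asserts that `ALTER TABLE a RENAME a TO e;` returns `{}`, so for the use-after-free described in the commit message it is a regression test only when the suite runs under a memory checker; on a plain build a recurrence would likely pass unnoticed unless the stale read happened to change the result. Worth saying so in the test comment, e.g. `# Ticket 4722bdab08cb14 (CVE-2020-11656): use-after-free during rename; detected only under ASan/valgrind builds.` Tests 21.1–21.3, by contrast, pin the exact error text and so exercise the resolve.c change directly.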