From 156cc9423d4c4bade28468b2232226e2cd61aa6c Mon Sep 17 00:00:00 2001
From: shenkai8
Date: Thu, 16 Apr 2020 17:04:17 +0000
Subject: [PATCH] backport-Fix-CVE-2020-11655

In the event of a semantic error in an aggregate query, early-out the resetAccumulator() function to prevent problems due to incomplete or incorrect initialization of the AggInfo object. Fix for ticket [af4556bb5c285c08].

Signed-off-by: drh
---
 src/select.c | 1 +
 test/window1.test | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/src/select.c b/src/select.c
index 595b6eb..b5e5a75 100644
--- a/src/select.c
+++ b/src/select.c
@@ -5352,6 +5352,7 @@ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){
 struct AggInfo_func *pFunc;
 int nReg = pAggInfo->nFunc + pAggInfo->nColumn;
 if( nReg==0 ) return;
+ if( pParse->nErr ) return;
 #ifdef SQLITE_DEBUG
 /* Verify that all AggInfo registers are within the range specified by
 ** AggInfo.mnReg..AggInfo.mxReg */
diff --git a/test/window1.test b/test/window1.test
index 833e211..18b9bdc 100644
--- a/test/window1.test
+++ b/test/window1.test
@@ -1593,5 +1593,14 @@ do_execsql_test 48.1 {
 FROM (SELECT (SELECT sum(a) FROM t1 GROUP BY a) AS x FROM t1);
 } {2 2 2}
 
+# 2020-04-03 ticket af4556bb5c285c08
+#
+reset_db
+do_catchsql_test 51.1 {
+ CREATE TABLE a(b, c);
+ SELECT c FROM a GROUP BY c
+ HAVING(SELECT(sum(b) OVER(ORDER BY b),
+ sum(b) OVER(PARTITION BY min(DISTINCT c), c ORDER BY b)));
+} {1 {row value misused}}
 
 finish_test
-- 
1.8.3.1
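Review bot: The new `if( pParse->nErr ) return;` guard carries no explanation of why an earlier error makes the rest of resetAccumulator unsafe; only the commit message records it, so a why-comment on that line would keep the reasoning with the code, e.g. `/* A prior semantic error may have left pAggInfo only partially initialized (ticket af4556bb5c285c08); do not touch its registers. */`. It is also worth confirming that an allocation failure while the AggInfo is being built raises pParse->nErr in the version this is backported to; if it does not, the same partially-built object can still be reached and the guard would want `|| pParse->db->mallocFailed` as well. The guard sits after the `nReg==0` early-out and ahead of the SQLITE_DEBUG register-range verification, so that debug check is now skipped on error paths, which looks intended but deserves a word in the comment. resetAccumulator's body continues past the end of the hunk.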