Detect row-value comparison size mismatches even when the size of one

operand is obscured by an unexpanded subquery.

FossilOrigin-Name: 2c4d167ccd4be591487f404de9ee629fd484c8bf

manifest

@@ -1,5 +1,5 @@
-C Fix\sa\scrash\sthat\scould\soccur\sfollowing\san\sOOM\sin\sthe\sgroup_concat()\sfunction\nif\sthe\ssecond\sargument\sis\san\sSQLITE_BLOB\svalue.
-D 2016-12-30T17:40:14.373
+C Detect\srow-value\scomparison\ssize\smismatches\seven\swhen\sthe\ssize\sof\sone\noperand\sis\sobscured\sby\san\sunexpanded\ssubquery.
+D 2017-01-01T12:44:07.208
 F Makefile.in 41bd4cad981487345c4a84081074bcdb876e4b2e
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc b8ca53350ae545e3562403d5da2a69cec79308da
@@ -341,7 +341,7 @@ F src/ctime.c 9f2296a4e5d26ebf0e0d95a0af4628f1ea694e7a
 F src/date.c dc3f1391d9297f8c748132813aaffcb117090d6e
 F src/dbstat.c 19ee7a4e89979d4df8e44cfac7a8f905ec89b77d
 F src/delete.c c8bc10d145c9666a34ae906250326fdaa8d58fa5
-F src/expr.c a90e37bc542abe33890cafccacbf8a7db9cb5401
+F src/expr.c 3b662f58b50ba12c004b2d9bd8d3ff5fddbbae7f
 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007
 F src/fkey.c 2e9aabe1aee76273aff8a84ee92c464e095400ae
 F src/func.c d8582ee91975975645f206db332c38f534b783ad
@@ -1035,7 +1035,7 @@ F test/rollbackfault.test 0e646aeab8840c399cfbfa43daab46fd609cf04a
 F test/rowallock.test 3f88ec6819489d0b2341c7a7528ae17c053ab7cc
 F test/rowhash.test 0bc1d31415e4575d10cacf31e1a66b5cc0f8be81
 F test/rowid.test 5b7509f384f4f6fae1af3c8c104c8ca299fea18d
-F test/rowvalue.test cacc565ed7e3ac467866af6705dd99020fdf2ee2
+F test/rowvalue.test 1701fb786188e9fb7934a7c155bd9cc587d9b677
 F test/rowvalue2.test 060d238b7e5639a7c5630cb5e63e311b44efef2b
 F test/rowvalue3.test 3068f508753af69884b12125995f023da0dbb256
 F test/rowvalue4.test 4b556d7de161a0dd8cff095c336e913986398bea
@@ -1541,7 +1541,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P a0971e713682a73d8c7c20511db256c20d2f6388
-R b2119513a85656f5ab1ba46bed3bca22
-U dan
-Z b8d94ab9819b45ed8f5f9b27f33e84f7
+P 14d855d2b2b5b3485e0673d11405db7266b34c6d
+R b92eb609c667e98735c96cb1ee09a168
+U drh
+Z 9505a22a16b780a1bca3bac5d386a771

manifest.uuid

@@ -1 +1 @@
-14d855d2b2b5b3485e0673d11405db7266b34c6d
+2c4d167ccd4be591487f404de9ee629fd484c8bf

src/expr.c

@@ -527,7 +527,10 @@ static void codeVectorCompare(
   u8 opx = op;
   int addrDone = sqlite3VdbeMakeLabel(v);
 
-  assert( nLeft==sqlite3ExprVectorSize(pRight) );
+  if( nLeft!=sqlite3ExprVectorSize(pRight) ){
+    sqlite3ErrorMsg(pParse, "row value misused");
+    return;
+  }
   assert( pExpr->op==TK_EQ || pExpr->op==TK_NE 
        || pExpr->op==TK_IS || pExpr->op==TK_ISNOT 
        || pExpr->op==TK_LT || pExpr->op==TK_GT 

test/rowvalue.test

@@ -315,5 +315,23 @@ foreach {tn n sql} {
   do_catchsql_test 14.2.$tn $sql [list 1 $err]
 }
 
+#--------------------------------------------------------------------------
+# Test for vector size mismatches concealed by unexpanded subqueries.
+#
+do_catchsql_test 15.1 {
+  DETACH (SELECT * FROM (SELECT 1,2))<3;
+} {1 {row value misused}}
+do_catchsql_test 15.2 {
+  UPDATE x1 SET a=(SELECT * FROM (SELECT b,2))<3;
+} {1 {row value misused}}
+do_catchsql_test 15.3 {
+  UPDATE x1 SET a=NULL WHERE  a<(SELECT * FROM (SELECT b,2));
+} {1 {sub-select returns 2 columns - expected 1}}
+do_catchsql_test 15.4 {
+  DELETE FROM x1 WHERE  a<(SELECT * FROM (SELECT b,2));
+} {1 {sub-select returns 2 columns - expected 1}}
+do_catchsql_test 15.5 {
+  INSERT INTO x1(a,b) VALUES(1,(SELECT * FROM (SELECT 1,2))<3);
+} {1 {row value misused}}
 
 finish_test