From 607dd6e6080c260e73dbacf777cf43d9cd22bd18 Mon Sep 17 00:00:00 2001
From: dan
Date: Fri, 3 Jan 2020 14:27:08 +0000
Subject: [PATCH] Fix a possible NULL pointer dereference caused by using a "VALUES(...)" as a component of a compound SELECT with non-integer ORDER BY clause terms.
FossilOrigin-Name: 9d791116420f4e3f613775569e0a0cba2fc22da568b2fb2df920bcf9c9002938
---
 manifest | 16 ++++++++--------
 manifest.uuid | 2 +-
 src/resolve.c | 7 ++-----
 test/orderby1.test | 4 ++++
 4 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/manifest b/manifest
index f7378272ed..e435770e4a 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sthe\sOP_Copy-coalesce\soptimization\sso\sthat\sif\sthe\sprevious\srow\shappens\nto\send\swith\sOP_Copy\sbut\sis\snot\sa\scandidate\sfor\sthe\soptimization\sdue\sto\sjumps,\nthen\sthe\soptimization\sis\scorrectly\sbypassed.
-D 2020-01-03T14:16:43.141
+C Fix\sa\spossible\sNULL\spointer\sdereference\scaused\sby\susing\sa\s"VALUES(...)"\sas\sa\scomponent\sof\sa\scompound\sSELECT\swith\snon-integer\sORDER\sBY\sclause\sterms.
+D 2020-01-03T14:27:08.910
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -526,7 +526,7 @@ F src/pragma.h ec3b31eac9b1df040f1cc8cb3d89bc06605c3b4cb3d76f833de8d6d6c3f77f04
 F src/prepare.c 6049beb71385f017af6fc320d2c75a4e50b75e280c54232442b785fbb83df057
 F src/printf.c 9be6945837c839ba57837b4bc3af349eba630920fa5532aa518816defe42a7d4
 F src/random.c 80f5d666f23feb3e6665a6ce04c7197212a88384
-F src/resolve.c 938295261d556dc173e7c4b85c921b565b25c38656b924bdf03c3ff8f37e24ab
+F src/resolve.c 31dc20837034491e5a043f411425a507b306ceedf40d666af5fc87b13020ff3d
 F src/rowset.c d977b011993aaea002cab3e0bb2ce50cf346000dff94e944d547b989f4b1fe93
 F src/select.c 64bf450dc0f2b37be8d2be6ff7d25a70de37ef6fb64527c68f767fe9fe47bc55
 F src/shell.c.in 90b002bf0054399cbbfac62dd752a9b05770427ba141bcba75eefbb0098f4280
@@ -1199,7 +1199,7 @@ F test/openv2.test 0d3040974bf402e19b7df4b783e447289d7ab394
 F test/optfuzz-db01.c a0c256905c8ac79f9a5de2f374a3d9f757bef0dca2a238dc7c10cc8a38031834
 F test/optfuzz-db01.txt 21f6bdeadc701cf11528276e2a55c70bfcb846ba42df327f979bd9e7b6ce7041
 F test/optfuzz.c 50e330304eb1992e15ddd11f3daaad9bcc0d9aaad09cb2bcc77f9515df2e88b1
-F test/orderby1.test e4501f54721f804ca56922e253403ac6775f88e9f07569994ce99212b3ca5b10
+F test/orderby1.test 6bf0ce45cbfb1cf4779dd418ac5e8cf66abfa04de2c1d2edf1e0e85f1520d8f3
 F test/orderby2.test bc11009f7cd99d96b1b11e57b199b00633eb5b04
 F test/orderby3.test 8619d06a3debdcd80a27c0fdea5c40b468854b99
 F test/orderby4.test 4d39bfbaaa3ae64d026ca2ff166353d2edca4ba4
@@ -1853,7 +1853,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 4889cbf898d7ec54f061b21b6d3621b22fc482cbeaa7115d40995a4cc30e41db
-R 08e8e017bd785f9894e0fa9f6ebc60bd
-U drh
-Z c0b2c81a3a0405edc8e28815ea102073
+P b36126c1889e323c9a8f04b4f4884576993c845e7d393e5e73aaa6ab5158c1f9
+R 75718b3ecb40084b909fa43386a332aa
+U dan
+Z 2bca40ae05d6e85633d3e5915ae4749d
diff --git a/manifest.uuid b/manifest.uuid
index 3ae53d260f..a35df94030 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-b36126c1889e323c9a8f04b4f4884576993c845e7d393e5e73aaa6ab5158c1f9
\ No newline at end of file
+9d791116420f4e3f613775569e0a0cba2fc22da568b2fb2df920bcf9c9002938
\ No newline at end of file
diff --git a/src/resolve.c b/src/resolve.c
index f69f9ef311..31b443ed83 100644
--- a/src/resolve.c
+++ b/src/resolve.c
@@ -453,8 +453,7 @@ static int lookupName(
 for(j=0; jnExpr; j++){
 char *zAs = pEList->a[j].zEName;
 if( pEList->a[j].eEName==ENAME_NAME
- && ALWAYS(zAs!=0)
- && sqlite3StrICmp(zAs, zCol)==0
+ && sqlite3_stricmp(zAs, zCol)==0
 ){
 Expr *pOrig;
 assert( pExpr->pLeft==0 && pExpr->pRight==0 );
@@ -1123,10 +1122,8 @@ static int resolveAsName(
 if( pE->op==TK_ID ){
 char *zCol = pE->u.zToken;
 for(i=0; inExpr; i++){
- char *zAs = pEList->a[i].zEName;
 if( pEList->a[i].eEName==ENAME_NAME
- && ALWAYS(zAs!=0)
- && sqlite3StrICmp(zAs, zCol)==0
+ && sqlite3_stricmp(pEList->a[i].zEName, zCol)==0
 ){
 return i+1;
 }
diff --git a/test/orderby1.test b/test/orderby1.test
index 836ca4b83b..5152ffaf89 100644
--- a/test/orderby1.test
+++ b/test/orderby1.test
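Review bot: The NULL-safety of the new comparison in both resolve.c hunks (lookupName and resolveAsName) now rests on sqlite3_stricmp() tolerating a NULL zEName, which the code does not state anywhere; a later reader may well "optimize" it back to the internal sqlite3StrICmp() and reintroduce the dereference this commit fixes. A comment at the first call site, `/* zEName is evidently NULL for a VALUES(...) row; sqlite3_stricmp() tolerates that, sqlite3StrICmp() does not */`, would pin the reason, with the same remark at the resolveAsName site. Dropping ALWAYS(zAs!=0) also turns an ENAME_NAME entry with a NULL name from a violated invariant into an expected state, so any other site that still assumes zEName!=0 under ENAME_NAME deserves a look, though none is visible in this patch. Both lookupName and resolveAsName begin and end outside their hunks, and the loop conditions appear garbled in this rendering (`jnExpr`, `inExpr`), presumably `j<pEList->nExpr` and `i<pEList->nExpr`.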
@@ -558,5 +558,9 @@ do_execsql_test 10.0 {
 SELECT b, rowid, '^' FROM t10 ORDER BY b, a LIMIT 4;
 } {2 1 ^ 4 3 ^ 4 4 ^ 7 5 ^}
+do_catchsql_test 11.0 {
+ VALUES(2) EXCEPT SELECT '' ORDER BY abc
+} {1 {1st ORDER BY term does not match any column in the result set}}
+
 finish_test
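Review bot: The new test 11.0 carries no comment tying it to the crash it regresses, so its purpose is only recoverable from the commit message; a line such as `# A VALUES(...) component of a compound SELECT with a non-integer ORDER BY term must report an error rather than dereference a NULL name.` above it would keep that intent with the test. It exercises only VALUES as the left operand of EXCEPT; a companion case with VALUES on the right-hand side, e.g. `SELECT '' EXCEPT VALUES(2) ORDER BY abc`, would presumably reach the same resolution paths from the other side and is cheap to add.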