Fix a buffer overrun in the code for handling IN(...) operators when the LHS of the operator contains indexed columns or expressions.

FossilOrigin-Name: f41a0391b732a8c4ad188163f34a0f4a22237bb5

manifest

@@ -1,5 +1,5 @@
-C The\sprevious\sOOM\sfix\swas\sbad.\s\sBack\sit\sout\sand\sreplace\sit\swith\sa\sbetter\sone.
-D 2016-08-24T00:51:48.043
+C Fix\sa\sbuffer\soverrun\sin\sthe\scode\sfor\shandling\sIN(...)\soperators\swhen\sthe\sLHS\sof\sthe\soperator\scontains\sindexed\scolumns\sor\sexpressions.
+D 2016-08-24T12:22:17.962
 F Makefile.in cfd8fb987cd7a6af046daa87daa146d5aad0e088
 F Makefile.linux-gcc 7bc79876b875010e8c8f9502eb935ca92aa3c434
 F Makefile.msc d66d0395c38571aab3804f8db0fa20707ae4609a
@@ -466,7 +466,7 @@ F src/wal.h 6dd221ed384afdc204bc61e25c23ef7fd5a511f2
 F src/walker.c 2d2cc7fb0f320f7f415215d7247f3c584141ac09
 F src/where.c c7cdfd54f383090bb801cdd50d36de1a24684bb2
 F src/whereInt.h 14dd243e13b81cbb0a66063d38b70f93a7d6e613
-F src/wherecode.c 0c99e2e97c23ec0b0d64071b3590d3a5e6091a96
+F src/wherecode.c 5a5528c39be09593cada6ae465d7a0f48db0077f
 F src/whereexpr.c aa54bf11adf6bc7e52f56281f436ab5fd421ce16
 F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
 F test/affinity2.test a6d901b436328bd67a79b41bb0ac2663918fe3bd
@@ -1019,7 +1019,7 @@ F test/rollbackfault.test 0e646aeab8840c399cfbfa43daab46fd609cf04a
 F test/rowallock.test 3f88ec6819489d0b2341c7a7528ae17c053ab7cc
 F test/rowhash.test 0bc1d31415e4575d10cacf31e1a66b5cc0f8be81
 F test/rowid.test 5b7509f384f4f6fae1af3c8c104c8ca299fea18d
-F test/rowvalue.test c2b4d043f4253711c8a2c6aa126a3f6d71182969
+F test/rowvalue.test 7d8482dde9023973615eaaca65647f33d70c1f01
 F test/rowvalue2.test 875068299fd4dd50ef0a47786462c8e1f4065f9a
 F test/rowvalue3.test 01399b7bf150b0d41abce76c18072da777c2500c
 F test/rowvalue4.test 9b40c9be9bdde30fc66cddbfdf6a5af37de4ccac
@@ -1520,7 +1520,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 25f6ed8de4df9c9890d4a352a6d11084433e82ea
-R 19a9e7a69bf070f3aad327c389d879a1
-U drh
-Z c33731cf7b01c5dd25f3f1c4114950f7
+P 1e3bc3698a4b779e6af8e3c727929c4dbddf3edb
+R 66ed27e8c4688d763f7b5bcfa14b1684
+U dan
+Z b0da933895eae6df1437a965446c74bb

manifest.uuid

@@ -1 +1 @@
-1e3bc3698a4b779e6af8e3c727929c4dbddf3edb
+f41a0391b732a8c4ad188163f34a0f4a22237bb5

src/wherecode.c

@@ -471,7 +471,7 @@ static int codeEqualityTerm(
     if( pIn ){
       int iMap = 0;               /* Index in aiMap[] */
       pIn += i;
-      for(i=iEq;i<pLoop->nLTerm; i++, pIn++){
+      for(i=iEq;i<pLoop->nLTerm; i++){
         int iOut = iReg;
         if( pLoop->aLTerm[i]->pExpr==pX ){
           if( eType==IN_INDEX_ROWID ){
@@ -489,6 +489,7 @@ static int codeEqualityTerm(
           }else{
             pIn->eEndLoopOp = OP_Noop;
           }
+          pIn++;
         }
       }
     }else{

test/rowvalue.test

@@ -219,5 +219,14 @@ foreach {tn q res} {
   do_execsql_test 9.$tn "SELECT c FROM t2 WHERE $q" $res
 } 
 
+do_execsql_test 10.0 {
+  CREATE TABLE dual(dummy); INSERT INTO dual(dummy) VALUES('X');
+  CREATE TABLE t3(a TEXT,b TEXT,c TEXT,d TEXT,e TEXT,f TEXT);
+  CREATE INDEX t3x ON t3(b,c,d,e,f);
+
+  SELECT a FROM t3
+    WHERE (c,d) IN (SELECT 'c','d' FROM dual)
+    AND (a,b,e) IN (SELECT 'a','b','d' FROM dual);
+}
 
 finish_test