Protect access to the WhereLoop.u union using nearby assert()s and

branches.

FossilOrigin-Name: bdd840216cc4c5293c112f182a189f7562b3cc0f6270e3c4af5eb2e8bd61ccc9

manifest

@@ -1,5 +1,5 @@
-C Update\srequirement\smarks.\s\sNo\schanges\sto\scode.
+C Protect\saccess\sto\sthe\sWhereLoop.u\sunion\susing\snearby\sassert()s\sand\nbranches.
-D 2021-10-14T17:30:32.382
+D 2021-10-14T19:28:28.548
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -636,9 +636,9 @@ F src/vxworks.h d2988f4e5a61a4dfe82c6524dd3d6e4f2ce3cdb9
 F src/wal.c 2be08331d798237ad5d7ae0b252700ffb2b63189cb18d993496d009a93e2f81c
 F src/wal.h c3aa7825bfa2fe0d85bef2db94655f99870a285778baa36307c0a16da32b226a
 F src/walker.c f890a3298418d7cba3b69b8803594fdc484ea241206a8dfa99db6dd36f8cbb3b
-F src/where.c 85109b6c33b83b9b93139a1eea633cf1dfdc1c43a0b45192cf7e8d85dd209bc8
+F src/where.c 782d333e2102eaf965d42d7835672bd851b933c8b7b1e2d1e53213a746acaa3d
-F src/whereInt.h 9248161dd004f625ce5d3841ca9b99fed3fc8d61522cf76340fc5217dbe1375b
+F src/whereInt.h 83877a75a1bce056ea44aff02f1dfa958ad1d6038c213ddadb8652003b45151d
-F src/wherecode.c 0bb4a2a82fc9ccfce105fb2ff2921de373c62aa60c770029f95bd8b685f3498a
+F src/wherecode.c 5a7d3c80d32a81c6d8a26e0d8554d3b61fcb4d94ae5b0809766080f95b1592a5
 F src/whereexpr.c 4514a162d878b6523a698fac1d760991b5728be0d7e2b2b0687aa175144dcf15
 F src/window.c 0dff6fedf61493490d21ced5d7a7b4321d4c0db6c8123f0179c46080a860850a
 F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
@@ -1929,7 +1929,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P e944d71760e3ee3de5dd518a04dad54d66ae4d40dac172b64d16c508471e30a1
+P 3a6887a543ac348d1a0d4b7f54b13c9dae929c3fa3408c5a44420943ba8c116f
-R 8aff759bdf7f5121e0e5f9e0e8dbf377
+R 673443d76cb12f9ee8ca0ee572ac630d
 U drh
-Z fd0ac77d8c1083b5757fad84014925e1
+Z cceb5778afe29939367351c58384fb04

manifest.uuid

@@ -1 +1 @@
-3a6887a543ac348d1a0d4b7f54b13c9dae929c3fa3408c5a44420943ba8c116f
+bdd840216cc4c5293c112f182a189f7562b3cc0f6270e3c4af5eb2e8bd61ccc9

src/where.c

@@ -1984,7 +1984,8 @@ static void whereInfoFree(sqlite3 *db, WhereInfo *pWInfo){
   assert( pWInfo!=0 );
   for(i=0; i<pWInfo->nLevel; i++){
     WhereLevel *pLevel = &pWInfo->a[i];
-    if( pLevel->pWLoop && (pLevel->pWLoop->wsFlags & WHERE_IN_ABLE) ){
+    if( pLevel->pWLoop && (pLevel->pWLoop->wsFlags & WHERE_IN_ABLE)!=0 ){
+      assert( (pLevel->pWLoop->wsFlags & WHERE_MULTI_OR)==0 );
       sqlite3DbFree(db, pLevel->u.in.aInLoop);
     }
   }
@@ -5473,7 +5474,7 @@ void sqlite3WhereEnd(WhereInfo *pWInfo){
     }else{
       sqlite3VdbeResolveLabel(v, pLevel->addrCont);
     }
-    if( pLoop->wsFlags & WHERE_IN_ABLE && pLevel->u.in.nIn>0 ){
+    if( (pLoop->wsFlags & WHERE_IN_ABLE)!=0 && pLevel->u.in.nIn>0 ){
       struct InLoop *pIn;
       int j;
       sqlite3VdbeResolveLabel(v, pLevel->addrNxt);
@@ -5542,10 +5543,10 @@ void sqlite3WhereEnd(WhereInfo *pWInfo){
         sqlite3VdbeAddOp1(v, OP_NullRow, pLevel->iTabCur);
       }
       if( (ws & WHERE_INDEXED) 
-       || ((ws & WHERE_MULTI_OR) && pLevel->u.pCovidx) 
+       || ((ws & WHERE_MULTI_OR) && pLevel->u.pCoveringIdx) 
       ){
         if( ws & WHERE_MULTI_OR ){
-          Index *pIx = pLevel->u.pCovidx;
+          Index *pIx = pLevel->u.pCoveringIdx;
           int iDb = sqlite3SchemaToIndex(db, pIx->pSchema);
           sqlite3VdbeAddOp3(v, OP_ReopenIdx, pLevel->iIdxCur, pIx->tnum, iDb);
           sqlite3VdbeSetP4KeyInfo(pParse, pIx);
@@ -5626,7 +5627,7 @@ void sqlite3WhereEnd(WhereInfo *pWInfo){
     if( pLoop->wsFlags & (WHERE_INDEXED|WHERE_IDX_ONLY) ){
       pIdx = pLoop->u.btree.pIndex;
     }else if( pLoop->wsFlags & WHERE_MULTI_OR ){
-      pIdx = pLevel->u.pCovidx;
+      pIdx = pLevel->u.pCoveringIdx;
     }
     if( pIdx
      && !db->mallocFailed

src/whereInt.h

@@ -78,7 +78,7 @@ struct WhereLevel {
         u8 eEndLoopOp;         /* IN Loop terminator. OP_Next or OP_Prev */
       } *aInLoop;           /* Information about each nested IN operator */
     } in;                 /* Used when pWLoop->wsFlags&WHERE_IN_ABLE */
-    Index *pCovidx;       /* Possible covering index for WHERE_MULTI_OR */
+    Index *pCoveringIdx;  /* Possible covering index for WHERE_MULTI_OR */
   } u;
   struct WhereLoop *pWLoop;  /* The selected WhereLoop object */
   Bitmask notReady;          /* FROM entries not usable at this level */

src/wherecode.c

@@ -567,8 +567,8 @@ static int codeEqualityTerm(
     sqlite3VdbeAddOp2(v, bRev ? OP_Last : OP_Rewind, iTab, 0);
     VdbeCoverageIf(v, bRev);
     VdbeCoverageIf(v, !bRev);
-    assert( (pLoop->wsFlags & WHERE_MULTI_OR)==0 );
 
+    assert( (pLoop->wsFlags & WHERE_MULTI_OR)==0 );
     pLoop->wsFlags |= WHERE_IN_ABLE;
     if( pLevel->u.in.nIn==0 ){
       pLevel->addrNxt = sqlite3VdbeMakeLabel(pParse);
@@ -1430,7 +1430,12 @@ Bitmask sqlite3WhereCodeOneLoopStart(
     pLevel->p1 = iCur;
     pLevel->op = pWInfo->eOnePass ? OP_Noop : OP_VNext;
     pLevel->p2 = sqlite3VdbeCurrentAddr(v);
+    assert( (pLoop->wsFlags & WHERE_MULTI_OR)==0 );
+    if( pLoop->wsFlags & WHERE_IN_ABLE ){
       iIn = pLevel->u.in.nIn;
+    }else{
+      iIn = 0;
+    }
     for(j=nConstraint-1; j>=0; j--){
       pTerm = pLoop->aLTerm[j];
       if( (pTerm->eOperator & WO_IN)!=0 ) iIn--;
@@ -2319,7 +2324,10 @@ Bitmask sqlite3WhereCodeOneLoopStart(
       }
     }
     ExplainQueryPlanPop(pParse);
-    pLevel->u.pCovidx = pCov;
+    assert( pLevel->pWLoop==pLoop );
+    assert( (pLoop->wsFlags & WHERE_MULTI_OR)!=0 );
+    assert( (pLoop->wsFlags & WHERE_IN_ABLE)==0 );
+    pLevel->u.pCoveringIdx = pCov;
     if( pCov ) pLevel->iIdxCur = iCovCur;
     if( pAndExpr ){
       pAndExpr->pLeft = 0;