Fix a (almost always harmless) read past the end of a memory allocation

that comes about because the Expr.pTab field is checked on an
EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to
know that the Expr.pTab field is meaningless.

FossilOrigin-Name: e098de691002a78270540430b0df1e120582b53f

manifest

@@ -1,5 +1,5 @@
-C The\sva_list\sargument\scannot\stake\son\sa\sNULL\svalue\sand\scannot\sbe\scompared\swith\nNULL\son\ssome\splatforms\s(ex:\sARM).\s\sSo\sdo\snot\sattempt\sto\sdo\sso.
-D 2015-01-25T20:19:53.843
+C Fix\sa\s(almost\salways\sharmless)\sread\spast\sthe\send\sof\sa\smemory\sallocation\nthat\scomes\sabout\sbecause\sthe\sExpr.pTab\sfield\sis\schecked\son\san\nEXPR_REDUCEDSIZE\sExpr\sobject\sbefore\schecking\sthe\sExpr.op\sfield\sto\nknow\sthat\sthe\sExpr.pTab\sfield\sis\smeaningless.
+D 2015-01-27T13:17:05.225
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 5407a688f4d77a05c18a8142be8ae5a2829dd610
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -182,7 +182,7 @@ F src/complete.c 198a0066ba60ab06fc00fba1998d870a4d575463
 F src/ctime.c 98f89724adc891a1a4c655bee04e33e716e05887
 F src/date.c e4d50b3283696836ec1036b695ead9a19e37a5ac
 F src/delete.c bd1a91ddd247ce13004075251e0b7fe2bf9925ef
-F src/expr.c 33a4518b2c786903cb185dbdc66e071ac38d467e
+F src/expr.c abe930897ccafae3819fd2855cbc1b00c262fd12
 F src/fault.c 160a0c015b6c2629d3899ed2daf63d75754a32bb
 F src/fkey.c e0444b61bed271a76840cbe6182df93a9baa3f12
 F src/func.c 6d3c4ebd72aa7923ce9b110a7dc15f9b8c548430
@@ -734,7 +734,7 @@ F test/minmax.test 42fbad0e81afaa6e0de41c960329f2b2c3526efd
 F test/minmax2.test b44bae787fc7b227597b01b0ca5575c7cb54d3bc
 F test/minmax3.test cc1e8b010136db0d01a6f2a29ba5a9f321034354
 F test/minmax4.test 936941484ebdceb8adec7c86b6cd9b6e5e897c1f
-F test/misc1.test 1201a037c24f982cc0e956cdaa34fcaf6439c417
+F test/misc1.test 4864f2834b203cad7f688df8a5f725e4bab08029
 F test/misc2.test 00d7de54eda90e237fc9a38b9e5ccc769ebf6d4d
 F test/misc3.test cf3dda47d5dda3e53fc5804a100d3c82be736c9d
 F test/misc4.test 9c078510fbfff05a9869a0b6d8b86a623ad2c4f6
@@ -1237,7 +1237,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 2a9ea9b4a7d6904efb2112e32efe84123dfa75d7
-R c61f1e2c587edb0aaed1944a39bd65a6
+P 1964e656b4b420e8d6a4ba12d270ed02db292b88
+R 5d4aecd212970d14e41b3c7464003655
 U drh
-Z 4e92b2f1fb46383d9f32b9035c98c869
+Z 469718f07e1956a0a1c83ab2938852ec

manifest.uuid

@@ -1 +1 @@
-1964e656b4b420e8d6a4ba12d270ed02db292b88
+e098de691002a78270540430b0df1e120582b53f

src/expr.c

@@ -132,9 +132,9 @@ CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr){
       pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken);
       break;
     }
-    if( p->pTab!=0
-     && (op==TK_AGG_COLUMN || op==TK_COLUMN
+    if( (op==TK_AGG_COLUMN || op==TK_COLUMN
           || op==TK_REGISTER || op==TK_TRIGGER)
+     && p->pTab!=0
     ){
       /* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally
       ** a TK_COLUMN but was previously evaluated and cached in a register */

test/misc1.test

@@ -621,4 +621,14 @@ do_test misc1-19.2 {
   set fault_callbacks
 } {0}
 
+# 2015-01-26:  Valgrind-detected over-read.
+# Reported on sqlite-users@sqlite.org by Michal Zalewski.  Found by afl-fuzz
+# presumably.
+#
+do_execsql_test misc1-20.1 {
+  CREATE TABLE t0(x INTEGER DEFAULT(0==0) NOT NULL);
+  REPLACE INTO t0(x) VALUES('');
+  SELECT rowid, quote(x) FROM t0;
+} {1 ''}
+
 finish_test