Fix a (almost always harmless) read past the end of a memory allocation

that comes about because the Expr.pTab field is checked on an EXPR_REDUCEDSIZE Expr object before checking the Expr.op field to know that the Expr.pTab field is meaningless. FossilOrigin-Name: e098de691002a78270540430b0df1e120582b53f
author: drh <drh@noemail.net> 2015-01-27 13:17:05 +0000
committer: drh <drh@noemail.net> 2015-01-27 13:17:05 +0000
commit: a58d4a9612f0ca27344b0802169dca467faa13ca (patch)
tree: 74bb5eacf583fd0eac40552d6764bd5684ea7b94 /src/expr.c
parent: 1466e84187c15ee808a9f04e6da5a46086c4802b (diff)
download: sqlite-a58d4a9612f0ca27344b0802169dca467faa13ca.tar.gz
sqlite-a58d4a9612f0ca27344b0802169dca467faa13ca.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/expr.c b/src/expr.c
index 64fb3c5fd..25bd958ce 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -132,9 +132,9 @@ CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr){
       pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken);
       break;
     }
-    if( p->pTab!=0
-     && (op==TK_AGG_COLUMN || op==TK_COLUMN
+    if( (op==TK_AGG_COLUMN || op==TK_COLUMN
           || op==TK_REGISTER || op==TK_TRIGGER)
+     && p->pTab!=0
     ){
       /* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally
       ** a TK_COLUMN but was previously evaluated and cached in a register */
author	drh <drh@noemail.net>	2015-01-27 13:17:05 +0000
committer	drh <drh@noemail.net>	2015-01-27 13:17:05 +0000
commit	a58d4a9612f0ca27344b0802169dca467faa13ca (patch)
tree	74bb5eacf583fd0eac40552d6764bd5684ea7b94 /src/expr.c
parent	1466e84187c15ee808a9f04e6da5a46086c4802b (diff)
download	sqlite-a58d4a9612f0ca27344b0802169dca467faa13ca.tar.gz sqlite-a58d4a9612f0ca27344b0802169dca467faa13ca.zip