authordrh <drh@noemail.net>2019-12-21 14:09:30 +0000
committerdrh <drh@noemail.net>2019-12-21 14:09:30 +0000
commitb0cbcd0edf4af5afa382ccdf18845ea9fe13e4a9 (patch)
treea32ace0f23e71971696d3bb040ee5b2aabb91342 /src/expr.c
parented0c34857ae209d2272e9f625359196fd4342e58 (diff)
When a corrupt schema is loaded using writable_schema=ON, the CHECK constraints
(or other expressions in the table definition) might not be fully resolved. Ensure that the code generator can deal with this if the table is subsequently used in a DML statement. dbsqlfuzz find. FossilOrigin-Name: ea721b34477ab8b49d182352c4bc198245933b850e9b6248b4f97600e80bb44b
Diffstat (limited to 'src/expr.c')
-rw-r--r--src/expr.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/src/expr.c b/src/expr.c
index e1efeba2b..21fa97d8e 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -3649,9 +3649,14 @@ expr_code_doover:
Table *pTab = pExpr->y.pTab;
int iSrc;
int iCol = pExpr->iColumn;
+ if( pTab==0 ){
+ assert( CORRUPT_DB );
+ sqlite3VdbeAddOp2(v, OP_Null, 0, target);
+ return target;
+ }
assert( pTab!=0 );
assert( iCol>=XN_ROWID );
- assert( iCol<pExpr->y.pTab->nCol );
+ assert( iCol<pTab->nCol );
if( iCol<0 ){
return -1-pParse->iSelfTab;
}
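Review bot: The column bound just below the new `pTab==0` guard is still assert-only, and `assert( iCol<pTab->nCol )` compiles away in release builds. If a corrupt schema loaded with writable_schema=ON can also leave `iCol` out of range here (not visible in this hunk), the code after the hunk would use it unchecked. Consider folding that case into the runtime guard, e.g. `if( pTab==0 || iCol>=pTab->nCol ){`, or add a comment saying why it cannot occur. The `assert( pTab!=0 );` kept after the guard can no longer fail and could be dropped. The enclosing case body starts before and continues past this hunk.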
@@ -3717,9 +3722,10 @@ expr_code_doover:
default: {
/* Make NULL the default case so that if a bug causes an illegal
** Expr node to be passed into this function, it will be handled
- ** sanely and not crash. But keep an assert() to bring the problem
- ** to the attention of the developers. */
- assert( op==TK_NULL );
+ ** sanely and not crash. This comes up, for example, if a corrupt
+ ** database schema is loaded using PRAGMA writable_schema=ON. */
+ assert( op==TK_NULL || CORRUPT_DB );
+ testcase( op!=TK_NULL );
sqlite3VdbeAddOp2(v, OP_Null, 0, target);
return target;
}
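Review bot: The rewritten comment in the `default:` case drops the reason the assert is kept and does not say what the NULL fallback means for callers. An unrecognised node is coded as `OP_Null`, and a CHECK constraint that evaluates to NULL does not reject the row, so a constraint left unresolved by a corrupt schema is presumably not enforced at all rather than failing closed. I would add a line such as `** The result is NULL, so a CHECK built from such a node never fails; the assert() still flags illegal nodes on non-corrupt databases.` Note also that `|| CORRUPT_DB` relaxes the assert for every opcode at once, so debug builds testing corrupt databases no longer separate unresolved nodes from genuinely illegal ones.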