From 8654186b0236d556aa85528c2573ee0b6ab71be3 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Thu, 19 Dec 2019 20:37:32 +0000
Subject: [PATCH] Fix CVE-2019-19924
 When an error occurs while rewriting the parser tree for
 window functions in the sqlite3WindowRewrite() routine, make sure that
 pParse->nErr is set, and make sure that this shuts down any subsequent code
 generation that might depend on the transformations that were implemented. 
 This fixes a problem discovered by the Yongheng and Rui fuzzer.

FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f

Change by Weifeng <suweifeng1@huawei.com>:
    Fit for version 3.24.0
---
 src/expr.c    | 2 ++
 src/vdbeaux.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/expr.c b/src/expr.c
index 36ca515..8fd8af9 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -344,6 +344,8 @@ static int codeCompare(
   int addr;
   CollSeq *p4;
 
+  if( pParse->nErr ) return 0;
+
   p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
   p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
   addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index ba2396c..df8bcc2 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -1171,7 +1171,8 @@ void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
 */
 static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
   assert( p->nOp>0 || p->aOp==0 );
-  assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
+  assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
+          || p->pParse->nErr>0 );
   if( p->nOp ){
     assert( p->aOp );
     sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
-- 
2.19.1