authordrh <drh@noemail.net>2018-08-04 15:16:20 +0000
committerdrh <drh@noemail.net>2018-08-04 15:16:20 +0000
commitb8b066906589a9d286046923b7f0c614d20df90d (patch)
treefdad92131c2b893fa275ec3b94e6d5ba17719c51 /src/expr.c
parenta4b5fb55f3985d604ea67e604f53b2b6821bafd7 (diff)
Ensure that all expressions that are to be evaluated once at the start of
a prepared statement (the Parse.pConstExpr expressions) pass the sqlite3ExprIsConstantNotJoin() test. It is not sufficient to pass just the sqlite3ExprIsConstant() test as that would allow through column references that are bound to constants by the WHERE clause in the constant propagation optimization. This fixes a problem discovered by OSSFuzz. FossilOrigin-Name: 8bc7f84c39f913b0b0f5e9f5fd9d7dd8bda8422248c069712b6992c32c759a83
Diffstat (limited to 'src/expr.c')
-rw-r--r--src/expr.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/expr.c b/src/expr.c
index e469bda0f..0c6744d92 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -4352,7 +4352,7 @@ void sqlite3ExprCodeCopy(Parse *pParse, Expr *pExpr, int target){
** might choose to code the expression at initialization time.
*/
void sqlite3ExprCodeFactorable(Parse *pParse, Expr *pExpr, int target){
- if( pParse->okConstFactor && sqlite3ExprIsConstant(pExpr) ){
+ if( pParse->okConstFactor && sqlite3ExprIsConstantNotJoin(pExpr) ){
sqlite3ExprCodeAtInit(pParse, pExpr, target);
}else{
sqlite3ExprCode(pParse, pExpr, target);
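Review bot: The header comment that ends at the top of this hunk does not record why the guard on the `pParse->okConstFactor` line has to be sqlite3ExprIsConstantNotJoin() rather than sqlite3ExprIsConstant(), so a later cleanup could quietly revert it. Going by the commit message, a column bound to a constant by WHERE-clause constant propagation passes the weaker test yet must not be hoisted into the once-per-statement initialization code. I would add above the `if`: `/* Use the NotJoin test: a column that constant propagation bound to a constant passes sqlite3ExprIsConstant() but must not be coded at init time. */`. The same comment fits the SQLITE_ECEL_FACTOR branch of sqlite3ExprCodeExprList in the next hunk. The closing lines of sqlite3ExprCodeFactorable are outside this hunk.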
@@ -4434,7 +4434,9 @@ int sqlite3ExprCodeExprList(
}else{
sqlite3VdbeAddOp2(v, copyOp, j+srcReg-1, target+i);
}
- }else if( (flags & SQLITE_ECEL_FACTOR)!=0 && sqlite3ExprIsConstant(pExpr) ){
+ }else if( (flags & SQLITE_ECEL_FACTOR)!=0
+ && sqlite3ExprIsConstantNotJoin(pExpr)
+ ){
sqlite3ExprCodeAtInit(pParse, pExpr, target+i);
}else{
int inReg = sqlite3ExprCodeTarget(pParse, pExpr, target+i);
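Review bot: The stronger test is enforced separately at each call site, here on the SQLITE_ECEL_FACTOR branch and in sqlite3ExprCodeFactorable, and nothing visible stops another caller of sqlite3ExprCodeAtInit() from passing an expression that only satisfies sqlite3ExprIsConstant(). If every caller is meant to satisfy the stronger test, an `assert( sqlite3ExprIsConstantNotJoin(pExpr) );` at the top of sqlite3ExprCodeAtInit() would catch a missed site in debug and fuzzing builds; that function's body is not in this diff, so confirm the assertion holds for all callers first. A regression case reduced from the OSSFuzz input would also pin the fix, if one is not already added in a file outside this view. sqlite3ExprCodeExprList starts and ends outside the hunk.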