Diffstat (limited to 'src/select.c')
-rw-r--r--src/select.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/src/select.c b/src/select.c
index 57d0b93fb..eabbcc8c9 100644
--- a/src/select.c
+++ b/src/select.c
@@ -5124,15 +5124,23 @@ int sqlite3Select(
SelectDest dest;
Select *pSub;
- /* Issue SQLITE_READ authorizations with a NULL column name for any tables that
+ /* Issue SQLITE_READ authorizations with a fake column name for any tables that
** are referenced but from which no values are extracted. Examples of where these
** kinds of null SQLITE_READ authorizations would occur:
**
- ** SELECT count(*) FROM t1; -- SQLITE_READ t1 null
- ** SELECT t1.* FROM t1, t2; -- SQLITE_READ t2 null
+ ** SELECT count(*) FROM t1; -- SQLITE_READ t1.""
+ ** SELECT t1.* FROM t1, t2; -- SQLITE_READ t2.""
+ **
+ ** The fake column name is an empty string. It is possible for a table to
+ ** have a column named by the empty string, in which case there is no way to
+ ** distinguish between an unreferenced table and an actual reference to the
+ ** "" column. The original design was for the fake column name to be a NULL,
+ ** which would be unambiguous. But legacy authorization callbacks might
+ ** assume the column name is non-NULL and segfault. The use of an empty string
+ ** for the fake column name seems safer.
*/
if( pItem->colUsed==0 ){
- sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, pItem->zDatabase, 0);
+ sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, "", pItem->zDatabase);
}
#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)
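Review bot: The new call `sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, "", pItem->zDatabase)` can still hand the authorizer a NULL pointer, now in the database-name position. `pItem->zDatabase` looks like the schema qualifier as written in the SQL, so for an unqualified `FROM t1` it is presumably NULL, and a legacy callback that dereferences the database name would face the same crash risk the comment cites as the reason for making the column name an empty string. If that reading is right, either pass the resolved schema name as the column-level SQLITE_READ checks do, or state it in the comment, e.g. `** The database name is the qualifier from the SQL text and may be NULL.` The unchanged comment line that still says "null SQLITE_READ authorizations" no longer matches the empty-string design and should be reworded. The body of sqlite3Select starts and ends outside this hunk, so whether zDatabase is normalised earlier cannot be confirmed from here.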