Add the exprNodeCopy() routine that will safely memcpy() an Expr node that
might be a size-reduced node.
FossilOrigin-Name: a874c649960ba2e2b2fd380d08c02a45884a1060d3922be8847729008ca6766e
diff --git a/src/expr.c b/src/expr.c
index 91bb7e9..8754bbe 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -1100,6 +1100,16 @@
}
/*
+** Copy the complete content of an Expr node, taking care not to read
+** past the end of the structure for a reduced-size version of the source
+** Expr.
+*/
+static void exprNodeCopy(Expr *pDest, Expr *pSrc){
+ memset(pDest, 0, sizeof(Expr));
+ memcpy(pDest, pSrc, exprStructSize(pSrc));
+}
+
+/*
** The dupedExpr*Size() routines each return the number of bytes required
** to store a copy of an expression or expression tree. They differ in
** how much of the tree is measured.
@@ -4051,7 +4061,7 @@
nExpr = pEList->nExpr;
endLabel = sqlite3VdbeMakeLabel(pParse);
if( (pX = pExpr->pLeft)!=0 ){
- tempX = *pX;
+ exprNodeCopy(&tempX, pX);
testcase( pX->op==TK_COLUMN );
exprToRegister(&tempX, exprCodeVector(pParse, &tempX, ®Free1));
testcase( regFree1==0 );
@@ -4372,13 +4382,12 @@
Expr exprX; /* The x subexpression */
int regFree1 = 0; /* Temporary use register */
-
memset(&compLeft, 0, sizeof(Expr));
memset(&compRight, 0, sizeof(Expr));
memset(&exprAnd, 0, sizeof(Expr));
assert( !ExprHasProperty(pExpr, EP_xIsSelect) );
- exprX = *pExpr->pLeft;
+ exprNodeCopy(&exprX, pExpr->pLeft);
exprAnd.op = TK_AND;
exprAnd.pLeft = &compLeft;
exprAnd.pRight = &compRight;