[Backport] Security Bug 1070012 5/5

Fix a case when a pointer might be used after being freed
in the ALTER TABLE code. Fix for [4722bdab08cb1].

FossilOrigin-Name: d09f8c3621d5f7f8c6d99d7d82bcaa8421855b3f470bea2b26c858106382b906
(cherry picked from commit fb99e388ec7f30fe43e4878236e3695ff24ae58d)

https://www.sqlite.org/src/info/d09f8c3621d5f7f8

Bug: 1070012
Change-Id: Ic2b68b4c525a34df339a765003b1d32d6adabe36
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

1 files changed, 16 insertions, 0 deletions

diff --git a/chromium/third_party/sqlite/amalgamation/sqlite3.c b/chromium/third_party/sqlite/amalgamation/sqlite3.c
index dfaf9c0090d..911f098be07 100644
--- a/chromium/third_party/sqlite/amalgamation/sqlite3.c
+++ b/chromium/third_party/sqlite/amalgamation/sqlite3.c
@@ -105361,6 +105361,21 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
     }
   }
 }
+ 
+/*
+** Unmap all tokens in the IdList object passed as the second argument.
+*/
+static void unmapColumnIdlistNames(
+  Parse *pParse,
+  IdList *pIdList
+){
+  if( pIdList ){
+    int ii;
+    for(ii=0; ii<pIdList->nId; ii++){
+      sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName);
+    }
+  }
+}
 
 /*
 ** Walker callback used by sqlite3RenameExprUnmap().
@@ -105383,6 +105398,7 @@ static int renameUnmapSelectCb(Walker *pWalker, Select *p){
     for(i=0; i<pSrc->nSrc; i++){
       sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);
       if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;
+      unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);
     }
   }