--- /dev/null
+From 3d863b5e4efb2305d64f87a2128289d1c3ce09b6 Mon Sep 17 00:00:00 2001
+From: drh <drh@noemail.net>
+Date: Thu, 14 May 2020 21:16:52 +0000
+Subject: [PATCH] Do not allow a virtual table to be renamed into the name of
+ one of its shadows.
+
+FossilOrigin-Name: eca0ba2cf4c0fdf757bae19c6397a48245adb99e8017ddc28f01804072a30b2c
+
+Upstream-Status: Backport
+CVE: CVE-2020-13631
+
+Reference to upstream patch:
+https://github.com/sqlite/sqlite/commit/3d863b5e4efb2305d64f87a2128289d1c3ce09b6
+
+Patch converted to amalgamation format
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ sqlite3.c | 39 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index e72fabb..282e106 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -19948,8 +19948,10 @@ SQLITE_PRIVATE Module *sqlite3VtabCreateModule(
+ SQLITE_PRIVATE int sqlite3ReadOnlyShadowTables(sqlite3 *db);
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName);
++SQLITE_PRIVATE int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*);
+ #else
+ # define sqlite3ShadowTableName(A,B) 0
++# define sqlite3IsShadowTableOf(A,B,C) 0
+ #endif
+ SQLITE_PRIVATE int sqlite3VtabEponymousTableInit(Parse*,Module*);
+ SQLITE_PRIVATE void sqlite3VtabEponymousTableClear(sqlite3*,Module*);
+@@ -104793,7 +104795,10 @@ SQLITE_PRIVATE void sqlite3AlterRenameTable(
+ /* Check that a table or index named 'zName' does not already exist
+ ** in database iDb. If so, this is an error.
+ */
+- if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){
++ if( sqlite3FindTable(db, zName, zDb)
++ || sqlite3FindIndex(db, zName, zDb)
++ || sqlite3IsShadowTableOf(db, pTab, zName)
++ ){
+ sqlite3ErrorMsg(pParse,
+ "there is already another table or index with this name: %s", zName);
+ goto exit_rename_table;
+@@ -111303,6 +111308,28 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+ recomputeColumnsNotIndexed(pPk);
+ }
+
++
++#ifndef SQLITE_OMIT_VIRTUALTABLE
++/*
++** Return true if pTab is a virtual table and zName is a shadow table name
++** for that virtual table.
++*/
++SQLITE_PRIVATE int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){
++ int nName; /* Length of zName */
++ Module *pMod; /* Module for the virtual table */
++
++ if( !IsVirtual(pTab) ) return 0;
++ nName = sqlite3Strlen30(pTab->zName);
++ if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
++ if( zName[nName]!='_' ) return 0;
++ pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
++ if( pMod==0 ) return 0;
++ if( pMod->pModule->iVersion<3 ) return 0;
++ if( pMod->pModule->xShadowName==0 ) return 0;
++ return pMod->pModule->xShadowName(zName+nName+1);
++}
++#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
++
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ /*
+ ** Return true if zName is a shadow table name in the current database
+@@ -111314,8 +111341,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+ SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName){
+ char *zTail; /* Pointer to the last "_" in zName */
+ Table *pTab; /* Table that zName is a shadow of */
+- Module *pMod; /* Module for the virtual table */
+-
+ zTail = strrchr(zName, '_');
+ if( zTail==0 ) return 0;
+ *zTail = 0;
+@@ -111323,11 +111348,7 @@ SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName){
+ *zTail = '_';
+ if( pTab==0 ) return 0;
+ if( !IsVirtual(pTab) ) return 0;
+- pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
+- if( pMod==0 ) return 0;
+- if( pMod->pModule->iVersion<3 ) return 0;
+- if( pMod->pModule->xShadowName==0 ) return 0;
+- return pMod->pModule->xShadowName(zTail+1);
++ return sqlite3IsShadowTableOf(db, pTab, zName);
+ }
+ #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
+
