Index: src/expr.c
==================================================================
--- src/expr.c
+++ src/expr.c
@@ -130,13 +130,13 @@
 }
 if( op==TK_COLLATE || (op==TK_REGISTER && p->op2==TK_COLLATE) ){
 pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken);
 break;
 }
- if( p->pTab!=0
- && (op==TK_AGG_COLUMN || op==TK_COLUMN
+ if( (op==TK_AGG_COLUMN || op==TK_COLUMN
 || op==TK_REGISTER || op==TK_TRIGGER)
+ && p->pTab!=0
 ){
 /* op==TK_REGISTER && p->pTab!=0 happens when pExpr was originally
 ** a TK_COLUMN but was previously evaluated and cached in a register */
 int j = p->iColumn;
 if( j>=0 ){
Index: test/misc1.test
==================================================================
--- test/misc1.test
+++ test/misc1.test
@@ -618,7 +618,17 @@
 } {0}
 do_test misc1-19.2 {
 sqlite3_test_control_fault_install set fault_callbacks
 } {0}
+
+# 2015-01-26: Valgrind-detected over-read.
+# Reported on sqlite-users@sqlite.org by Michal Zalewski. Found by afl-fuzz
+# presumably.
+#
+do_execsql_test misc1-20.1 {
+ CREATE TABLE t0(x INTEGER DEFAULT(0==0) NOT NULL);
+ REPLACE INTO t0(x) VALUES('');
+ SELECT rowid, quote(x) FROM t0;
+} {1 ''}
 finish_test
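Review bot: The operand order in the rewritten `if(` is load-bearing — `p->pTab` is now read only after `op` has been narrowed to the four column-like node kinds by short-circuit evaluation — yet nothing in the code records that, so a later tidy-up could swap the operands back and reintroduce the over-read that the new misc1-20.1 test was written to catch. Presumably the over-read comes from Expr nodes of other kinds not carrying a readable `pTab` field, though that is not visible in the hunk. I would extend the existing comment above `int j = p->iColumn;` with a line such as `** Keep the op test first: p->pTab must not be read for other node kinds (see test misc1-20.1).` The enclosing function starts and ends outside the hunk.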