Avoid some buffer overreads detected by valgrind while running corruptC.test. (CVS 5898)

FossilOrigin-Name: faa6bd7b615837c920b5b3b027115caa2f56ec15

manifest

@@ -1,5 +1,5 @@
-C Version\s3.6.5\s(CVS\s5897)
+C Avoid\ssome\sbuffer\soverreads\sdetected\sby\svalgrind\swhile\srunning\scorruptC.test.\s(CVS\s5898)
-D 2008-11-12T15:38:53
+D 2008-11-12T18:21:36
 F Makefile.arm-wince-mingw32ce-gcc fcd5e9cd67fe88836360bb4f9ef4cb7f8e2fb5a0
 F Makefile.in 48172b58e444a9725ec482e0c022a564749acab4
 F Makefile.linux-gcc d53183f4aa6a9192d249731c90dbdffbd2c68654
@@ -99,7 +99,7 @@ F src/attach.c 208881c87160d9e2c73a46cf86116c5a6d66f9d7
 F src/auth.c c8b2ab5c8bad4bd90ed7c294694f48269162c627
 F src/bitvec.c 9e922b2577b7e46d8f95349bca6a52f7674d7582
 F src/btmutex.c 3a90096c3080b9057dc570b8e16e46511e1c788a
-F src/btree.c 7505a73bd9b7c36a816543c4a71437d8c2f7539a
+F src/btree.c 7c06d81faa3a44116968987a5189b4a2f6a37962
 F src/btree.h 179c3ea813780df78a289a8f5130db18e6d4616e
 F src/btreeInt.h e38e9b2b285f40f5bc0a6664f630d4a141622f16
 F src/build.c 98a6884d47c3cc12faeb2e9a926018d3a7382133
@@ -265,7 +265,7 @@ F test/corrupt8.test 9992ef7f67cefc576b92373f6bf5ab8775280f51
 F test/corrupt9.test 794d284109c65c8f10a2b275479045e02d163bae
 F test/corruptA.test 99e95620b980161cb3e79f06a884a4bb8ae265ff
 F test/corruptB.test 505331779fe7a96fe38ecbb817f19c63bc27d171
-F test/corruptC.test d73d70aa2919fae2e0032043e85d00949e1d556a
+F test/corruptC.test bcedf37afa205aff7cf1729a32b862c6a037fb5f
 F test/crash.test 1b6ac8410689ff78028887f445062dc897c9ac89
 F test/crash2.test 5b14d4eb58b880e231361d3b609b216acda86651
 F test/crash3.test 776f9363554c029fcce71d9e6600fa0ba6359ce7
@@ -656,7 +656,7 @@ F tool/speedtest16.c c8a9c793df96db7e4933f0852abb7a03d48f2e81
 F tool/speedtest2.tcl ee2149167303ba8e95af97873c575c3e0fab58ff
 F tool/speedtest8.c 2902c46588c40b55661e471d7a86e4dd71a18224
 F tool/speedtest8inst1.c 293327bc76823f473684d589a8160bde1f52c14e
-P f41dd2053c8a297a05b47d0ef631b4d9a7db2fff
+P 369f74983bb1b6a6426260148018cdc084fc2b49
-R 217eb8bceae810089ca0de92c63eed2e
+R 1f4429807d31bf0a13a5939ab83fd57a
-U drh
+U danielk1977
-Z d3949478ddaafe6e3d8afbf1d2a260a7
+Z ced029dc2e076de2b81cab7ea9f2d078

manifest.uuid

@@ -1 +1 @@
-369f74983bb1b6a6426260148018cdc084fc2b49
+faa6bd7b615837c920b5b3b027115caa2f56ec15

src/btree.c

@@ -9,7 +9,7 @@
 **    May you share freely, never taking more than you give.
 **
 *************************************************************************
-** $Id: btree.c,v 1.533 2008/11/12 08:49:52 danielk1977 Exp $
+** $Id: btree.c,v 1.534 2008/11/12 18:21:36 danielk1977 Exp $
 **
 ** This file implements a external (disk-based) database using BTrees.
 ** See the header comment on "btreeInt.h" for additional information.
@@ -734,14 +734,15 @@ static int defragmentPage(MemPage *pPage){
     u8 *pAddr;     /* The i-th cell pointer */
     pAddr = &data[cellOffset + i*2];
     pc = get2byte(pAddr);
-    if (pc >= pPage->pBt->usableSize) {
+    if( pc>=pPage->pBt->usableSize ){
       return SQLITE_CORRUPT_BKPT;
     }
     size = cellSizePtr(pPage, &temp[pc]);
     cbrk -= size;
-    if ((cbrk < cellOffset+2*nCell) || (cbrk+size>pPage->pBt->usableSize)) {
+    if( cbrk<cellOffset+2*nCell || pc+size>usableSize ){
       return SQLITE_CORRUPT_BKPT;
     }
+    assert( cbrk+size<=usableSize && cbrk>=0 );
     memcpy(&data[cbrk], &temp[pc], size);
     put2byte(pAddr, cbrk);
   }
@@ -3181,7 +3182,7 @@ static int accessPayload(
   u32 nKey;
   int iIdx = 0;
   MemPage *pPage = pCur->apPage[pCur->iPage]; /* Btree page of current entry */
-  BtShared *pBt;                              /* Btree this cursor belongs to */
+  BtShared *pBt = pCur->pBt;                  /* Btree this cursor belongs to */
 
   assert( pPage );
   assert( pCur->eState==CURSOR_VALID );
@@ -3196,7 +3197,9 @@ static int accessPayload(
   if( skipKey ){
     offset += nKey;
   }
-  if( offset+amt > nKey+pCur->info.nData ){
+  if( offset+amt > nKey+pCur->info.nData 
+   || &aPayload[pCur->info.nLocal] > &pPage->aData[pBt->usableSize]
+  ){
     /* Trying to read or write past the end of the data is an error */
     return SQLITE_CORRUPT_BKPT;
   }
@@ -3215,7 +3218,6 @@ static int accessPayload(
     offset -= pCur->info.nLocal;
   }
 
-  pBt = pCur->pBt;
   if( rc==SQLITE_OK && amt>0 ){
     const int ovflSize = pBt->usableSize - 4;  /* Bytes content per ovfl page */
     Pgno nextPage;

test/corruptC.test

@@ -15,7 +15,7 @@
 # data base file, then tests that single byte corruptions in 
 # increasingly larger quantities are handled gracefully.
 #
-# $Id: corruptC.test,v 1.7 2008/11/12 14:22:25 danielk1977 Exp $
+# $Id: corruptC.test,v 1.8 2008/11/12 18:21:36 danielk1977 Exp $
 
 catch {file delete -force test.db test.db-journal test.bu}
 
@@ -150,8 +150,8 @@ do_test corruptC-2.5 {
   catchsql {PRAGMA integrity_check}
 } {0 {{*** in database main ***
 Corruption detected in cell 710 on page 4
-Multiple uses for byte 116 of page 4
+Multiple uses for byte 661 of page 4
-Fragmented space is 0 byte reported as 21 on page 4}}}
+Fragmented space is 249 byte reported as 21 on page 4}}}
 
 # test that a corrupt free cell size is handled (seed 169595)
 do_test corruptC-2.6 {