database/sqlite
1
0
Fork 0
mirror of https://github.com/sqlite/sqlite.git synced 2025-08-07 02:42:48 +03:00
Code Activity

Always check for cell overflow before returning a slot from the

Browse Source 
pageFindSlot routine in btree.c.

FossilOrigin-Name: 9f035c45a4b84203e67b6e1b23cf11691dc43f1e
This commit is contained in:
drh
2015-06-02 19:36:29 +00:00
parent 4c393a82df
commit 24dee9d214
4 changed files with 12 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/btree.c
View File

@@ -1272,7 +1272,10 @@ static u8 *pageFindSlot(MemPage *pPg, int nByte, int *pRc, int *pbDefrag){
int x = size - nByte;
testcase( x==4 );
testcase( x==3 );
if( x<4 ){
if( pc < pPg->cellOffset+2*pPg->nCell || size+pc > usableSize ){
*pRc = SQLITE_CORRUPT_BKPT;
return 0;
}else if( x<4 ){
/* EVIDENCE-OF: R-11498-58022 In a well-formed b-tree page, the total
** number of bytes in fragments may not exceed 60. */
if( aData[hdr+7]>=60 ){
@@ -1283,9 +1286,6 @@ static u8 *pageFindSlot(MemPage *pPg, int nByte, int *pRc, int *pbDefrag){
** fragmented bytes within the page. */
memcpy(&aData[iAddr], &aData[pc], 2);
aData[hdr+7] += (u8)x;
}else if( pc < pPg->cellOffset+2*pPg->nCell || size+pc > usableSize ){
*pRc = SQLITE_CORRUPT_BKPT;
return 0;
}else{
/* The slot remains on the free-list. Reduce its size to account
** for the portion used by the new allocation. */