Improved detection of corruption on the freeblock list of a btree page.

FossilOrigin-Name: 4b00799bdf107fce8a9dd84fd5bf6597e4f3373659b89aae4a1242be5964726f
2025-08-05 15:55:57 +03:00 · 2019-08-05 16:22:20 +00:00
parent 72d1eac673
commit 2b96b6969a
3 changed files with 15 additions and 12 deletions
--- a/src/btree.c
+++ b/src/btree.c
@@ -1647,9 +1647,12 @@ static int allocateSpace(MemPage *pPage, int nByte, int *pIdx){
  if( (data[hdr+2] || data[hdr+1]) && gap+2<=top ){
    u8 *pSpace = pageFindSlot(pPage, nByte, &rc);
    if( pSpace ){
-      assert( pSpace>=data && (pSpace - data)<65536 );
-      *pIdx = (int)(pSpace - data);
-      return SQLITE_OK;
+      assert( pSpace+nByte<=data+pPage->pBt->usableSize );
+      if( (*pIdx = (int)(pSpace-data))<=gap ){
+        return SQLITE_CORRUPT_PAGE(pPage);
+      }else{
+        return SQLITE_OK;
+      }
    }else if( rc ){
      return rc;
    }
@@ -6896,7 +6899,7 @@ static int rebuildPage(

  assert( i<iEnd );
  j = get2byte(&aData[hdr+5]);
-  if( j>(u32)usableSize ){ j = 0; }
+  if( NEVER(j>(u32)usableSize) ){ j = 0; }
  memcpy(&pTmp[j], &aData[j], usableSize - j);

  for(k=0; pCArray->ixNx[k]<=i && ALWAYS(k<NB*2); k++){}