
Fix a case where database corruption may cause SQLite to write past the end of a buffer.

FossilOrigin-Name: 97806a78142b15f89878e25ee70dc5b0524d6793
This commit is contained in:
dan
2015-05-25 17:07:29 +00:00
parent cf3d17c604
commit 2fc3a6cd98
4 changed files with 62 additions and 9 deletions


@@ -1343,7 +1343,7 @@ static int allocateSpace(MemPage *pPage, int nByte, int *pIdx){
** However, that integer is too large to be stored in a 2-byte unsigned
** integer, so a value of 0 is used in its place. */
top = get2byteNotZero(&data[hdr+5]);
if( gap>top ) return SQLITE_CORRUPT_BKPT;
if( gap>top || top>pPage->pBt->usableSize ) return SQLITE_CORRUPT_BKPT;
/* If there is enough space between gap and top for one more cell pointer
** array entry offset, and if the freelist is not empty, then search the