When parsing the schema, detect out-of-bounds rootpage values and throw an

error.

FossilOrigin-Name: 6c3a2727dc912ed800146e07db5d15d0f3468d13701165ba763c4b114c3e18e8

src/prepare.c

@@ -116,6 +116,10 @@ int sqlite3InitCallback(void *pInit, int argc, char **argv, char **NotUsed){
     assert( db->init.busy );
     db->init.iDb = iDb;
     sqlite3GetUInt32(argv[3], &db->init.newTnum);
+    if( db->init.newTnum>pData->mxPage && pData->mxPage!=0 ){
+      corruptSchema(pData, argv[1], "invalid rootpage");
+      return 0;
+    }
     db->init.orphanTrigger = 0;
     db->init.azInit = argv;
     pStmt = 0;
@@ -151,6 +155,7 @@ int sqlite3InitCallback(void *pInit, int argc, char **argv, char **NotUsed){
     if( pIndex==0
      || sqlite3GetUInt32(argv[3],&pIndex->tnum)==0
      || pIndex->tnum<2
+     || (pIndex->tnum>pData->mxPage && pData->mxPage!=0)
      || sqlite3IndexHasDuplicateRootPage(pIndex)
     ){
       corruptSchema(pData, argv[1], pIndex?"invalid rootpage":"orphan index");
@@ -207,6 +212,7 @@ int sqlite3InitOne(sqlite3 *db, int iDb, char **pzErrMsg, u32 mFlags){
   initData.pzErrMsg = pzErrMsg;
   initData.mInitFlags = mFlags;
   initData.nInitRow = 0;
+  initData.mxPage = 0;
   sqlite3InitCallback(&initData, 5, (char **)azArg, 0);
   db->mDbFlags &= mask;
   if( initData.rc ){
@@ -329,6 +335,7 @@ int sqlite3InitOne(sqlite3 *db, int iDb, char **pzErrMsg, u32 mFlags){
   /* Read the schema information out of the schema tables
   */
   assert( db->init.busy );
+  initData.mxPage = sqlite3BtreeLastPage(pDb->pBt);
   {
     char *zSql;
     zSql = sqlite3MPrintf(db,