database/sqlite
1
0
Fork 0
mirror of https://github.com/sqlite/sqlite.git synced 2025-08-07 02:42:48 +03:00
Code Activity

Fix a case where SQLite may write past the end of a buffer as a result of a corrupted database file.

Browse Source 
FossilOrigin-Name: 43321a556031942389ca11b033c1eae46ac6141b
This commit is contained in:
dan
2009-08-14 17:01:22 +00:00
parent 04616bb703
commit 4361e79f14
4 changed files with 41 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/btree.c
View File

@@ -1409,13 +1409,14 @@ static int btreeInitPage(MemPage *pPage){
while( pc>0 ){
u16 next, size;
if( pc<iCellFirst || pc>iCellLast ){
/* Free block is off the page */
/* Start of free block is off the page */
return SQLITE_CORRUPT_BKPT;
}
next = get2byte(&data[pc]);
size = get2byte(&data[pc+2]);
if( next>0 && next<=pc+size+3 ){
/* Free blocks must be in ascending order */
if( (next>0 && next<=pc+size+3) || pc+size>usableSize ){
/* Free blocks must be in ascending order. And the last byte of
** the free-block must lie on the database page. */
return SQLITE_CORRUPT_BKPT;
}
nFree = nFree + size;