Fix another integer overflow triggered by a corrupt database in recently modified vacuum code.

FossilOrigin-Name: 4e2dd2a53364f1fed48b995fd5d2642472585f6da5e4735e9da193ba7ff45514
2025-08-08 14:02:16 +03:00 · 2020-12-15 19:27:20 +00:00
parent 0bf333467c
commit 7f60706691
4 changed files with 115 additions and 8 deletions
--- a/src/btree.c
+++ b/src/btree.c
@@ -8966,7 +8966,7 @@ int sqlite3BtreeTransferRow(BtCursor *pDest, BtCursor *pSrc, i64 iKey){
  u8 *aOut = pBt->pTmpSpace;    /* Pointer to next output buffer */
  const u8 *aIn;                /* Pointer to next input buffer */
  int nIn;                      /* Size of input buffer aIn[] */
-  int nRem;                     /* Bytes of data still to copy */
+  u32 nRem;                     /* Bytes of data still to copy */

  getCellInfo(pSrc);
  aOut += putVarint32(aOut, pSrc->info.nPayload);