Fix a race condition to do with very large index keys in shared-cache mode.

FossilOrigin-Name: fc157dd7f18c94b7ae5f155e1b4a5d7714b7da8c
2025-08-10 01:02:56 +03:00 · 2014-12-11 16:38:18 +00:00
parent 0a3520c0f4
commit 857536623a
7 changed files with 119 additions and 16 deletions
--- a/src/btree.c
+++ b/src/btree.c
@@ -3913,7 +3913,7 @@ int sqlite3BtreeCloseCursor(BtCursor *pCur){
      releasePage(pCur->apPage[i]);
    }
    unlockBtreeIfUnused(pBt);
-    sqlite3DbFree(pBtree->db, pCur->aOverflow);
+    sqlite3_free(pCur->aOverflow);
    /* sqlite3_free(pCur); */
    sqlite3BtreeLeave(pBtree);
  }
@@ -4208,6 +4208,7 @@ static int accessPayload(
    offset -= pCur->info.nLocal;
  }

+
  if( rc==SQLITE_OK && amt>0 ){
    const u32 ovflSize = pBt->usableSize - 4;  /* Bytes content per ovfl page */
    Pgno nextPage;
@@ -4225,8 +4226,8 @@ static int accessPayload(
    if( eOp!=2 && (pCur->curFlags & BTCF_ValidOvfl)==0 ){
      int nOvfl = (pCur->info.nPayload-pCur->info.nLocal+ovflSize-1)/ovflSize;
      if( nOvfl>pCur->nOvflAlloc ){
-        Pgno *aNew = (Pgno*)sqlite3DbRealloc(
-            pCur->pBtree->db, pCur->aOverflow, nOvfl*2*sizeof(Pgno)
+        Pgno *aNew = (Pgno*)sqlite3Realloc(
+            pCur->aOverflow, nOvfl*2*sizeof(Pgno)
        );
        if( aNew==0 ){
          rc = SQLITE_NOMEM;
@@ -4273,6 +4274,7 @@ static int accessPayload(
        */
        assert( eOp!=2 );
        assert( pCur->curFlags & BTCF_ValidOvfl );
+        assert( pCur->pBtree->db==pBt->db );
        if( pCur->aOverflow[iIdx+1] ){
          nextPage = pCur->aOverflow[iIdx+1];
        }else{