Return an SQLITE_CORRUPT error if the content size field of a table record

extends off the end of a page. FossilOrigin-Name: b48c4e402125fb8d2208d358f6e9bbc351f3a49d
2025-08-07 02:42:48 +03:00 · 2013-11-25 20:14:13 +00:00
parent ebf10b1fb4
commit 9b2fc61d25
3 changed files with 11 additions and 9 deletions
--- a/src/btree.c
+++ b/src/btree.c
@@ -4219,7 +4219,7 @@ static const unsigned char *fetchPayload(
  assert( cursorHoldsMutex(pCur) );
  pPage = pCur->apPage[pCur->iPage];
  assert( pCur->aiIdx[pCur->iPage]<pPage->nCell );
-  if( pCur->info.nSize==0 ){
+  if( NEVER(pCur->info.nSize==0) ){
    btreeParseCell(pCur->apPage[pCur->iPage], pCur->aiIdx[pCur->iPage],
                   &pCur->info);
  }
@@ -4670,7 +4670,9 @@ int sqlite3BtreeMovetoUnpacked(
        i64 nCellKey;
        pCell = findCell(pPage, idx) + pPage->childPtrSize;
        if( pPage->hasData ){
-          while( 0x80 <= *(pCell++) && pCell<pPage->aDataEnd ){}
+          while( 0x80 <= *(pCell++) ){
+            if( pCell>=pPage->aDataEnd ) return SQLITE_CORRUPT_BKPT;
+          }
        }
        getVarint(pCell, (u64*)&nCellKey);
        if( nCellKey<intKey ){