Take steps to avoid a potential integer overflow in sessionBufferGrow().

FossilOrigin-Name: f7affa2e708d1b4c7c47157bcb18e9f79611ca45a93ebc88de6dc96f84a677e7
2025-07-30 19:03:16 +03:00 · 2018-10-18 15:17:18 +00:00
parent 44748f27a6
commit 9c18ef09a5
3 changed files with 10 additions and 10 deletions
--- a/ext/session/sqlite3session.c
+++ b/ext/session/sqlite3session.c
@ -1794,12 +1794,12 @@ int sqlite3session_attach(
 static int sessionBufferGrow(SessionBuffer *p, int nByte, int *pRc){
  if( *pRc==SQLITE_OK && p->nAlloc-p->nBuf<nByte ){
    u8 *aNew;
-    int nNew = p->nAlloc ? p->nAlloc : 128;
+    i64 nNew = p->nAlloc ? p->nAlloc : 128;
    do {
      nNew = nNew*2;
-    }while( nNew<(p->nBuf+nByte) );
+    }while( (nNew-p->nBuf)<nByte );

-    aNew = (u8 *)sqlite3_realloc(p->aBuf, nNew);
+    aNew = (u8 *)sqlite3_realloc64(p->aBuf, nNew);
    if( 0==aNew ){
      *pRc = SQLITE_NOMEM;
    }else{