mirror of https://github.com/sqlite/sqlite.git synced 2025-08-08 14:02:16 +03:00

The MemPage.aDataEnd field should point to the end of the data buffer for
the page, not just the end of the usable portion of that buffer.  The purpose
of aDataEnd is to detect cells that overflow the page, and that won't work on a
page with reserved bytes and a cell that starts in the reserved region, unless
the boundary is at the very end of the page. Chromium issue 1276294.

FossilOrigin-Name: f839c0bc8388a31f6db5081906b66b9e129855ba27a13cf13bd995b083f7386e
drh
2022-03-01 20:15:04 +00:00
parent 3b4cb719c0
commit a055abb8c4
4 changed files with 13 additions and 11 deletions


@@ -293,7 +293,9 @@ struct MemPage {
u8 *apOvfl[4]; /* Pointers to the body of overflow cells */
BtShared *pBt; /* Pointer to BtShared that this page is part of */
u8 *aData; /* Pointer to disk image of the page data */
u8 *aDataEnd; /* One byte past the end of usable data */
u8 *aDataEnd; /* One byte past the end of the entire page - not just
** the usable space, the entire page. Used to prevent
** corruption-induced of buffer overflow. */
u8 *aCellIdx; /* The cell index area */
u8 *aDataOfst; /* Same as aData for leaves. aData+4 for interior */
DbPage *pDbPage; /* Pager page handle */
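
Review bot: The new comment on aDataEnd in struct MemPage has a stray word, "corruption-induced of buffer overflow"; it should read "corruption-induced buffer overflow". Since the field now marks the end of the entire page rather than the usable space, the comment could also say that this is a memory-safety bound only: a cell pointer that lands in the reserved bytes still passes a comparison against aDataEnd, so any check that needs the usable-space limit has to compute it separately. Stating that next to the field would keep later callers from treating aDataEnd as the end of usable data, which is what the old comment said.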