mirror of https://github.com/sqlite/sqlite.git synced 2025-08-07 02:42:48 +03:00

Fix a case of a corrupt database causing SQLite to read from up to 4 bytes before the start of a memory allocation.

FossilOrigin-Name: 7d2c4f7b6695806ab8ce0c6f49d8bc1d77a4320b
dan
2015-05-25 20:04:15 +00:00
parent 08f901b008
commit c3e8ef1d0e
3 changed files with 8 additions and 7 deletions


@@ -7777,6 +7777,7 @@ int sqlite3BtreeDelete(BtCursor *pCur){
unsigned char *pTmp;
pCell = findCell(pLeaf, pLeaf->nCell-1);
if( pCell<&pLeaf->aData[4] ) return SQLITE_CORRUPT_BKPT;
nCell = cellSizePtr(pLeaf, pCell);
assert( MX_CELL_SIZE(pBt) >= nCell );
pTmp = pBt->pTmpSpace;