Do not allow pointer arithmetic to move a pointer across a memory allocation

boundary. FossilOrigin-Name: 85b979319bcb8ec301ae39b36ad60348e4515be7
2025-08-07 02:42:48 +03:00 · 2016-04-05 13:19:19 +00:00
parent 73a6bb5851
commit cca6698408
3 changed files with 8 additions and 8 deletions
--- a/src/btree.c
+++ b/src/btree.c
@@ -6545,8 +6545,8 @@ static int pageInsertArray(
    u8 *pSlot;
    sz = cachedCellSize(pCArray, i);
    if( (aData[1]==0 && aData[2]==0) || (pSlot = pageFindSlot(pPg,sz,&rc))==0 ){
+      if( (pData - pBegin)<sz ) return 1;
      pData -= sz;
-      if( pData<pBegin ) return 1;
      pSlot = pData;
    }
    /* pSlot and pCArray->apCell[i] will never overlap on a well-formed