Avoid reading off the front of a page buffer when balancing a corrupt

btree page. FossilOrigin-Name: cb50509020d952fa9efed8df7fa08b07b71ae9bdbdefea216b6e660863291039
2025-08-05 15:55:57 +03:00 · 2019-01-14 05:48:10 +00:00
parent b10a50e7f8
commit d12db3dabb
3 changed files with 15 additions and 8 deletions
--- a/src/btree.c
+++ b/src/btree.c
@@ -6663,9 +6663,16 @@ static void insertCell(
    assert( idx >= pPage->cellOffset+2*pPage->nCell+2 || CORRUPT_DB );
    assert( idx+sz <= (int)pPage->pBt->usableSize );
    pPage->nFree -= (u16)(2 + sz);
-    memcpy(&data[idx], pCell, sz);
    if( iChild ){
+      /* In a corrupt database where an entry in the cell index section of
+      ** a btree page has a value of 3 or less, the pCell value might point
+      ** as many as 4 bytes in front of the start of the aData buffer for
+      ** the source page.  Make sure this does not cause problems by not
+      ** reading the first 4 bytes */
+      memcpy(&data[idx+4], pCell+4, sz-4);
      put4byte(&data[idx], iChild);
+    }else{
+      memcpy(&data[idx], pCell, sz);
    }
    pIns = pPage->aCellIdx + i*2;
    memmove(pIns+2, pIns, 2*(pPage->nCell - i));