Fix a problem causing an infinite loop in the recovery extension when processing a corrupt free-block list.

FossilOrigin-Name: 5a516c6c7a25cec4d0a0cca530017a3299f7a332319f3e1f7cf12f53c32b88ca
2025-07-29 08:01:23 +03:00 · 2023-05-31 11:03:17 +00:00
parent 8eb9c06e65
commit d8091fe979
4 changed files with 192 additions and 11 deletions
--- a/ext/recover/sqlite3recover.c
+++ b/ext/recover/sqlite3recover.c
@ -2103,7 +2103,7 @@ static int recoverIsValidPage(u8 *aTmp, const u8 *a, int n){
    if( iFree>(n-4) ) return 0;
    iNext = recoverGetU16(&a[iFree]);
    nByte = recoverGetU16(&a[iFree+2]);
-    if( iFree+nByte>n ) return 0;
+    if( iFree+nByte>n || nByte<4 ) return 0;
    if( iNext && iNext<iFree+nByte ) return 0;
    memset(&aUsed[iFree], 0xFF, nByte);
    iFree = iNext;