Fix an integer overflow problem with the dbstat virtual table that comes up

when trying to analyze a corrupt database. FossilOrigin-Name: 1d64f4a8af81fe1235fffa54884d8f842a48ff6a33d6172f0cd65bf42fe8b2a1
2025-11-19 21:43:15 +03:00 · 2020-03-19 17:27:52 +00:00
parent 91a23dc299
commit f0a2172d1d
4 changed files with 14 additions and 14 deletions
--- a/src/dbstat.c
+++ b/src/dbstat.c
@@ -452,7 +452,9 @@ static int statDecodePage(Btree *pBt, StatPage *p){
        if( nPayload>(u32)nLocal ){
          int j;
          int nOvfl = ((nPayload - nLocal) + nUsable-4 - 1) / (nUsable - 4);
-          if( iOff+nLocal>nUsable ) goto statPageIsCorrupt;
+          if( iOff+nLocal>nUsable || nPayload>0x7fffffff ){
+            goto statPageIsCorrupt;
+          }
          pCell->nLastOvfl = (nPayload-nLocal) - (nOvfl-1) * (nUsable-4);
          pCell->nOvfl = nOvfl;
          pCell->aOvfl = sqlite3_malloc64(sizeof(u32)*nOvfl);