From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darwin Huang <huangdarwin@chromium.org>
Date: Wed, 15 May 2019 18:32:47 -0700
Subject: [PATCH 5/8] Detect errors in byte offset
Backports https://www.sqlite.org/src/vdiff?from=3c75605b4652ae88&to=ad8fc5d8b440c49d
Bug: 956481
---
third_party/sqlite/patched/src/btree.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/third_party/sqlite/patched/src/btree.c b/third_party/sqlite/patched/src/btree.c
index 1b2cc2f91e62..70c26373baa2 100644
--- a/third_party/sqlite/patched/src/btree.c
+++ b/third_party/sqlite/patched/src/btree.c
@@ -1628,7 +1628,7 @@ static int allocateSpace(MemPage *pPage, int nByte, int *pIdx){
** However, that integer is too large to be stored in a 2-byte unsigned
** integer, so a value of 0 is used in its place. */
top = get2byte(&data[hdr+5]);
- assert( top<=(int)pPage->pBt->usableSize ); /* Prevent by getAndInitPage() */
+ assert( top<=(int)pPage->pBt->usableSize ); /* by btreeComputeFreeSpace() */
if( gap>top ){
if( top==0 && pPage->pBt->usableSize==65536 ){
top = 65536;
@@ -1925,7 +1925,7 @@ static int btreeComputeFreeSpace(MemPage *pPage){
** serves to verify that the offset to the start of the cell-content
** area, according to the page header, lies within the page.
*/
- if( nFree>usableSize ){
+ if( nFree>usableSize || nFree<iCellFirst ){
return SQLITE_CORRUPT_PAGE(pPage);
}
pPage->nFree = (u16)(nFree - iCellFirst);
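Review bot: The block comment directly above the changed condition still describes only the upper bound ("lies within the page"), while the new `nFree<iCellFirst` branch exists so that the `(u16)(nFree - iCellFirst)` store on the last line cannot be fed a negative value and wrap silently; a reader of the comment alone would not know why the second clause is there. I would extend the comment with `** Also require nFree>=iCellFirst so that the (u16)(nFree - iCellFirst) below cannot underflow on a corrupt page.` The derivation of nFree and iCellFirst, and the rest of btreeComputeFreeSpace, begin outside the hunk, so I cannot confirm from here whether the two values are already bounded to non-negative ints before this comparison; if they are not, the signed comparison is still the right place for the check, but that assumption is worth stating in the comment too.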
--
2.21.0