Take steps to avoid a potential integer overflow in sessionBufferGrow().

FossilOrigin-Name: f7affa2e708d1b4c7c47157bcb18e9f79611ca45a93ebc88de6dc96f84a677e7
author: dan <dan@noemail.net> 2018-10-18 15:17:18 +0000
committer: dan <dan@noemail.net> 2018-10-18 15:17:18 +0000
commit: 9c18ef09a57a4c0244cd41942e088c73526f03bb (patch)
tree: 7cc7e25061150cd2a8d2b62e64cf71374a4cf678 /ext/session/sqlite3session.c
parent: 44748f27a6c966b7ceef693e1fbc4bd089e73866 (diff)
download: sqlite-9c18ef09a57a4c0244cd41942e088c73526f03bb.tar.gz
sqlite-9c18ef09a57a4c0244cd41942e088c73526f03bb.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
index 20810ee4f..a1ca9a78b 100644
--- a/ext/session/sqlite3session.c
+++ b/ext/session/sqlite3session.c
@@ -1794,12 +1794,12 @@ int sqlite3session_attach(
 static int sessionBufferGrow(SessionBuffer *p, int nByte, int *pRc){
   if( *pRc==SQLITE_OK && p->nAlloc-p->nBuf<nByte ){
     u8 *aNew;
-    int nNew = p->nAlloc ? p->nAlloc : 128;
+    i64 nNew = p->nAlloc ? p->nAlloc : 128;
     do {
       nNew = nNew*2;
-    }while( nNew<(p->nBuf+nByte) );
+    }while( (nNew-p->nBuf)<nByte );
 
-    aNew = (u8 *)sqlite3_realloc(p->aBuf, nNew);
+    aNew = (u8 *)sqlite3_realloc64(p->aBuf, nNew);
     if( 0==aNew ){
       *pRc = SQLITE_NOMEM;
     }else{
author	dan <dan@noemail.net>	2018-10-18 15:17:18 +0000
committer	dan <dan@noemail.net>	2018-10-18 15:17:18 +0000
commit	9c18ef09a57a4c0244cd41942e088c73526f03bb (patch)
tree	7cc7e25061150cd2a8d2b62e64cf71374a4cf678 /ext/session/sqlite3session.c
parent	44748f27a6c966b7ceef693e1fbc4bd089e73866 (diff)
download	sqlite-9c18ef09a57a4c0244cd41942e088c73526f03bb.tar.gz sqlite-9c18ef09a57a4c0244cd41942e088c73526f03bb.zip