author | drh <drh@noemail.net> | 2019-08-05 16:22:20 +0000 |
---|---|---|
committer | drh <drh@noemail.net> | 2019-08-05 16:22:20 +0000 |
commit | 2b96b6969ae7f2f8dfa6a07b97fea1057dbcdab5 (patch) | |
tree | d4199c61808f5ac69764f212a6e6030bef4a0c45 /src/btree.c | |
parent | 72d1eac673f66ddc68b6716fe21e6147d07afff7 (diff) | |
Improved detection of corruption on the freeblock list of a btree page.
FossilOrigin-Name: 4b00799bdf107fce8a9dd84fd5bf6597e4f3373659b89aae4a1242be5964726f
Diffstat (limited to 'src/btree.c')
-rw-r--r-- | src/btree.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/src/btree.c b/src/btree.c
index a6b4a551b..8ebe0ccb3 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -1647,9 +1647,12 @@ static int allocateSpace(MemPage *pPage, int nByte, int *pIdx){
 if( (data[hdr+2] || data[hdr+1]) && gap+2<=top ){
 u8 *pSpace = pageFindSlot(pPage, nByte, &rc);
 if( pSpace ){
- assert( pSpace>=data && (pSpace - data)<65536 );
- *pIdx = (int)(pSpace - data);
- return SQLITE_OK;
+ assert( pSpace+nByte<=data+pPage->pBt->usableSize );
+ if( (*pIdx = (int)(pSpace-data))<=gap ){
+ return SQLITE_CORRUPT_PAGE(pPage);
+ }else{
+ return SQLITE_OK;
+ }
 }else if( rc ){
 return rc;
 }
@@ -6896,7 +6899,7 @@ static int rebuildPage(
 assert( i<iEnd );
 j = get2byte(&aData[hdr+5]);
- if( j>(u32)usableSize ){ j = 0; }
+ if( NEVER(j>(u32)usableSize) ){ j = 0; }
 memcpy(&pTmp[j], &aData[j], usableSize - j);
 for(k=0; pCArray->ixNx[k]<=i && ALWAYS(k<NB*2); k++){} |
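Review bot: In the allocateSpace hunk, `*pIdx` is assigned inside the `if` condition, so the caller's out-parameter is overwritten with the rejected offset even on the `SQLITE_CORRUPT_PAGE` path, and nothing says why `<=gap` means corruption. The offset is derived from the page's freeblock list, which a malformed database file controls, so I would compute it into a local declared at the top of the `if( pSpace )` block and store it only on success: `int iSlot = (int)(pSpace-data);`, `if( iSlot<=gap ) return SQLITE_CORRUPT_PAGE(pPage);`, `*pIdx = iSlot; return SQLITE_OK;`. A comment such as `/* a slot at or below gap would overlap the cell-pointer area */` would help, assuming that is what `gap` (set outside the hunk) represents. The new upper-bound `assert` disappears in release builds, so it is worth noting in a comment that the bound is presumably enforced inside pageFindSlot, which is not visible here.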
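Review bot: In the rebuildPage hunk, wrapping the bound in `NEVER()` turns a live corruption guard into a claim that `j>(u32)usableSize` cannot happen, but the hunk neither shows nor names the check that guarantees it. `j` is read from the page header with `get2byte(&aData[hdr+5])` and then sizes the `memcpy` as `usableSize - j`, so if the claim is ever wrong in a build where `NEVER()` collapses to a constant (as I understand SQLite's coverage-test configuration does), the copy length could go out of range. I would add a comment naming the earlier validation, e.g. `/* j<=usableSize was already enforced by <earlier check, name it here> */`, and a corrupt-database regression case that reaches rebuildPage with an out-of-range content offset. rebuildPage's body begins and ends outside the hunk.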