authordrh <drh@noemail.net>2018-05-03 13:56:23 +0000
committerdrh <drh@noemail.net>2018-05-03 13:56:23 +0000
commit4f84e9c7e24ceddc645e19491b35d64ec47974f8 (patch)
tree1ce137a12d2b0f0e25960446252cef0ab64f5224 /src/btree.c
parent9b03192e15b45ac1d448b958be6d35d1ea9cf9ff (diff)
Add more corruption checking to the cell overwrite logic.
FossilOrigin-Name: 58d14afe1e1288d114ea213458b3121e0a95670887861928858b7f143c76f789
Diffstat (limited to 'src/btree.c')
-rw-r--r--src/btree.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/btree.c b/src/btree.c
index e920d8902..041c88c76 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -8201,6 +8201,9 @@ static int btreeOverwriteCell(BtCursor *pCur, const BtreePayload *pX){
Pgno ovflPgno; /* Next overflow page to write */
u32 ovflPageSize; /* Size to write on overflow page */
+ if( pCur->info.pPayload + pCur->info.nLocal > pPage->aDataEnd ){
+ return SQLITE_CORRUPT_BKPT;
+ }
/* Overwrite the local portion first */
rc = btreeOverwriteContent(pPage, pCur->info.pPayload, pX,
0, pCur->info.nLocal);
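Review bot: The guard added before the local overwrite bounds only the upper end of the cell, so a `pPayload` that points below the page's cell area would still be accepted and passed to btreeOverwriteContent(). Consider adding a lower bound to the same condition, e.g. `|| pCur->info.pPayload < pPage->aData + pPage->cellOffset`. Forming `pPayload + nLocal` when the result lies outside the page buffer is also undefined behaviour in C, so comparing the length against the remaining space (`aDataEnd - pPayload`) after the lower-bound test would be more robust. How `pPayload` and `nLocal` are derived is outside this hunk, so whether a corrupt cell can produce such values should be confirmed against the cell parser.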
@@ -8215,6 +8218,9 @@ static int btreeOverwriteCell(BtCursor *pCur, const BtreePayload *pX){
do{
rc = btreeGetPage(pBt, ovflPgno, &pPage, 0);
if( rc ) return rc;
+ if( sqlite3PagerPageRefcount(pPage->pDbPage)!=1 ){
+ return SQLITE_CORRUPT_BKPT;
+ }
if( iOffset+ovflPageSize<nTotal ){
ovflPgno = get4byte(pPage->aData);
}else{
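Review bot: The early `return SQLITE_CORRUPT_BKPT;` after the refcount test exits while the reference that btreeGetPage() just took on the overflow page is still held, so this corruption path appears to leak a page reference. Release it first, e.g. `sqlite3PagerUnref(pPage->pDbPage);` before the return, or set `rc = SQLITE_CORRUPT_BKPT;` and fall through to the loop's own release. The rest of the do-loop is outside the hunk, so the normal release point is not visible here. A short comment such as `/* Overflow page already referenced elsewhere: the chain points at a page in use */` would also explain why a refcount other than 1 is treated as corruption.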