Fix a potential buffer overread in the dbstat virtual table when processing

a corrupt database file. FossilOrigin-Name: a62e6b593b59eae44d299842a4d02b9346a0c72a3e1206882f304ab40f2cd5c5
author: drh <drh@noemail.net> 2018-11-13 20:21:52 +0000
committer: drh <drh@noemail.net> 2018-11-13 20:21:52 +0000
commit: f9dc5f7726b867a7d2bc505a9ed5ad83865f0660 (patch)
tree: dce80e51654340b50a5803638cb4f212147d7458 /src/dbstat.c
parent: 91a21f4d08c09307ecbf394c1e2a03f26697b874 (diff)
download: sqlite-f9dc5f7726b867a7d2bc505a9ed5ad83865f0660.tar.gz
sqlite-f9dc5f7726b867a7d2bc505a9ed5ad83865f0660.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/src/dbstat.c b/src/dbstat.c
index a2c6fe089..e49ace11f 100644
--- a/src/dbstat.c
+++ b/src/dbstat.c
@@ -397,6 +397,7 @@ static int statDecodePage(Btree *pBt, StatPage *p){
         if( nPayload>(u32)nLocal ){
           int j;
           int nOvfl = ((nPayload - nLocal) + nUsable-4 - 1) / (nUsable - 4);
+          if( iOff+nLocal>nUsable ) goto statPageIsCorrupt;
           pCell->nLastOvfl = (nPayload-nLocal) - (nOvfl-1) * (nUsable-4);
           pCell->nOvfl = nOvfl;
           pCell->aOvfl = sqlite3_malloc64(sizeof(u32)*nOvfl);
author	drh <drh@noemail.net>	2018-11-13 20:21:52 +0000
committer	drh <drh@noemail.net>	2018-11-13 20:21:52 +0000
commit	f9dc5f7726b867a7d2bc505a9ed5ad83865f0660 (patch)
tree	dce80e51654340b50a5803638cb4f212147d7458 /src/dbstat.c
parent	91a21f4d08c09307ecbf394c1e2a03f26697b874 (diff)
download	sqlite-f9dc5f7726b867a7d2bc505a9ed5ad83865f0660.tar.gz sqlite-f9dc5f7726b867a7d2bc505a9ed5ad83865f0660.zip