author | drh <> | 2023-06-10 17:05:05 +0000 |
---|---|---|
committer | drh <> | 2023-06-10 17:05:05 +0000 |
commit | 04b92471f7c60b65baa01960c1e517e2d006e3a0 (patch) | |
tree | 2b3ee8a8bd4b9b6c30a8d4743c077374ea77b4c9 /src | |
parent | 6bbc5b3730be5e9a82552ef407fc049269c56833 (diff) | |
Extra space to prevent a buffer overread on corrupt STAT4 records.
dbsqlfuzz 7128d1b41ce9df2c007f9c24c1e89e2f1b2590ca.
FossilOrigin-Name: b99135288b157044e2319833e8632c89483778f876aa45ee66e46ffb6ae42ab2
Diffstat (limited to 'src')
-rw-r--r-- | src/analyze.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/analyze.c b/src/analyze.c
index 0823bcaef..a7a8b6d66 100644
--- a/src/analyze.c
+++ b/src/analyze.c
@@ -1849,14 +1849,15 @@ static int loadStatTbl(
 decodeIntArray((char*)sqlite3_column_text(pStmt,2),nCol,pSample->anLt,0,0);
 decodeIntArray((char*)sqlite3_column_text(pStmt,3),nCol,pSample->anDLt,0,0);
- /* Take a copy of the sample. Add two 0x00 bytes the end of the buffer.
+ /* Take a copy of the sample. Add 8 extra 0x00 bytes the end of the buffer.
 ** This is in case the sample record is corrupted. In that case, the
 ** sqlite3VdbeRecordCompare() may read up to two varints past the
 ** end of the allocated buffer before it realizes it is dealing with
- ** a corrupt record. Adding the two 0x00 bytes prevents this from causing
+ ** a corrupt record. Or it might try to read a large integer from the
+ ** buffer. In any case, eight 0x00 bytes prevents this from causing
 ** a buffer overread. */
 pSample->n = sqlite3_column_bytes(pStmt, 4);
- pSample->p = sqlite3DbMallocZero(db, pSample->n + 2);
+ pSample->p = sqlite3DbMallocZero(db, pSample->n + 8);
 if( pSample->p==0 ){
 sqlite3_finalize(pStmt);
 return SQLITE_NOMEM_BKPT;
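Review bot: The padding width now lives in three places (the comment says "8" and "eight", the allocation says `+ 8`), so the next widening will drift out of sync the same way the old "two 0x00 bytes" wording just did; a single named constant keeps the comment and the allocation tied together, e.g. `#define STAT4_SAMPLE_PADDING 8` (constructed name) near the top of loadStatTbl or the file's other STAT4 defines, then `pSample->p = sqlite3DbMallocZero(db, pSample->n + STAT4_SAMPLE_PADDING);`. The comment should also state what bounds the number: it reads as chosen to cover the widest fixed-size serial type the record comparator can read past the end of a truncated sample (an 8-byte integer or float), so a one-line note such as `** 8 = the largest fixed-size serial type sqlite3VdbeRecordCompare() may read` would let a future reader verify the slack is still sufficient if the comparator changes — I am inferring that bound from the commit message and the comment, not from code in this hunk. Minor wording in the new comment: "Add 8 extra 0x00 bytes the end of the buffer" is missing "at". loadStatTbl begins before this hunk and its body continues after it, including whatever later reads rely on `pSample->n` remaining the logical length while the zeroed slack stays invisible to callers.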