Handle a special case of corruption that can present if "PRAGMA writable_schema=1" is set. Fix for dbsqlfuzz test case 6229ad63de49e3ba0630aaf0058868f36008bcca.

FossilOrigin-Name: 58f36af2271517abafa9f4a46f2a5f97e66c001675c17868282197d599603d1b

1 files changed, 14 insertions, 3 deletions

diff --git a/src/btree.c b/src/btree.c
index 82caeff0f..88b4d61b1 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -8698,9 +8698,20 @@ int sqlite3BtreeInsert(
   assert( (flags & (BTREE_SAVEPOSITION|BTREE_APPEND|BTREE_PREFORMAT))==flags );
   assert( (flags & BTREE_PREFORMAT)==0 || seekResult || pCur->pKeyInfo==0 );
 
-  if( pCur->eState==CURSOR_FAULT ){
-    assert( pCur->skipNext!=SQLITE_OK );
-    return pCur->skipNext;
+  if( pCur->eState>=CURSOR_REQUIRESEEK ){
+    /* The cursor can be in REQUIRESEEK state when seekResult is non-zero
+    ** only if the schema is corrupt such that there is more than one table or
+    ** index with the same root page as used by the cursor. Which can only
+    ** happen if the SQLITE_NoSchemaError flag was set when the schema was
+    ** loaded. This cannot be asserted though, as a user might set the flag,
+    ** load the schema, and then unset the flag.  */
+    assert( pCur->eState==CURSOR_REQUIRESEEK || pCur->eState==CURSOR_FAULT );
+    assert( pCur->eState==CURSOR_REQUIRESEEK || pCur->skipNext!=SQLITE_OK );
+    if( pCur->eState==CURSOR_REQUIRESEEK ){
+      if( seekResult ) return SQLITE_CORRUPT_BKPT;
+    }else{
+      return pCur->skipNext;
+    }
   }
 
   assert( cursorOwnsBtShared(pCur) );