Earlier detections of errors in the byte-offset-to-cell-content integer at

offset 5 in the header of a btree page.

FossilOrigin-Name: a0819086a521fb0ca4ffd12f959b168a89ea2e30a2844bbbd39831b2b9ecf29b

1 files changed, 4 insertions, 4 deletions

diff --git a/src/btree.c b/src/btree.c
index d0be54990..42867168e 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -1628,9 +1628,9 @@ static int allocateSpace(MemPage *pPage, int nByte, int *pIdx){
   ** However, that integer is too large to be stored in a 2-byte unsigned
   ** integer, so a value of 0 is used in its place. */
   top = get2byte(&data[hdr+5]);
-  assert( top<=(int)pPage->pBt->usableSize ); /* Prevent by getAndInitPage() */
+  assert( top<=(int)pPage->pBt->usableSize ); /* by btreeComputeFreeSpace() */
   if( gap>top ){
-    if( top==0 && pPage->pBt->usableSize==65536 ){
+    if( top==0 && ALWAYS(pPage->pBt->usableSize==65536) ){
       top = 65536;
     }else{
       return SQLITE_CORRUPT_PAGE(pPage);
@@ -1925,7 +1925,7 @@ static int btreeComputeFreeSpace(MemPage *pPage){
   ** serves to verify that the offset to the start of the cell-content
   ** area, according to the page header, lies within the page.
   */
-  if( nFree>usableSize ){
+  if( nFree>usableSize || nFree<iCellFirst ){
     return SQLITE_CORRUPT_PAGE(pPage);
   }
   pPage->nFree = (u16)(nFree - iCellFirst);
@@ -8068,7 +8068,7 @@ static int balance_nonroot(
     assert( sz<=pBt->maxLocal+23 );
     assert( iOvflSpace <= (int)pBt->pageSize );
     insertCell(pParent, nxDiv+i, pCell, sz, pTemp, pNew->pgno, &rc);
-    if( rc!=SQLITE_OK ) goto balance_cleanup;
+    if( NEVER(rc!=SQLITE_OK) ) goto balance_cleanup;
     assert( sqlite3PagerIswriteable(pParent->pDbPage) );
   }