authordrh <drh@noemail.net>2020-03-19 17:27:52 +0000
committerdrh <drh@noemail.net>2020-03-19 17:27:52 +0000
commitf0a2172d1d2004ac1ac358c63cf4b464fea10bf6 (patch)
tree683420f2a2a26317f2abe35727190feb36aa53a0 /src
parent91a23dc2999ebbdd8041f41a11dc81c63484f39a (diff)
Fix an integer overflow problem with the dbstat virtual table that comes up
when trying to analyze a corrupt database. FossilOrigin-Name: 1d64f4a8af81fe1235fffa54884d8f842a48ff6a33d6172f0cd65bf42fe8b2a1
Diffstat (limited to 'src')
-rw-r--r--src/dbstat.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/dbstat.c b/src/dbstat.c
index 2fea48ce8..2931024e1 100644
--- a/src/dbstat.c
+++ b/src/dbstat.c
@@ -452,7 +452,9 @@ static int statDecodePage(Btree *pBt, StatPage *p){
if( nPayload>(u32)nLocal ){
int j;
int nOvfl = ((nPayload - nLocal) + nUsable-4 - 1) / (nUsable - 4);
- if( iOff+nLocal>nUsable ) goto statPageIsCorrupt;
+ if( iOff+nLocal>nUsable || nPayload>0x7fffffff ){
+ goto statPageIsCorrupt;
+ }
pCell->nLastOvfl = (nPayload-nLocal) - (nOvfl-1) * (nUsable-4);
pCell->nOvfl = nOvfl;
pCell->aOvfl = sqlite3_malloc64(sizeof(u32)*nOvfl);
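Review bot: The added `nPayload>0x7fffffff` test only keeps the payload size within the positive `int` range; the `nOvfl` computed from it still sizes `sqlite3_malloc64(sizeof(u32)*nOvfl)` on the last line of the hunk, so one cell on a corrupt page can still request a very large array when `nUsable` is small. If the database page count is reachable here (not visible in this hunk), a cell needing more overflow pages than the file has could be rejected too, e.g. `if( nOvfl>nDbPage ) goto statPageIsCorrupt;`, where `nDbPage` is a placeholder for that count. The constant also deserves a comment such as `/* nPayload comes from the page image; larger values overflow the int math below */`, assuming that is the overflow the commit message refers to. The body of statDecodePage starts and ends outside the hunk, so whether the allocation result is checked cannot be confirmed from here.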