aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/btree.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/src/btree.c b/src/btree.c
index 53643fcb8..cfaffb7d7 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -6819,13 +6819,15 @@ static void dropCell(MemPage *pPage, int idx, int sz, int *pRC){
int hdr; /* Beginning of the header. 0 most pages. 100 page 1 */
if( *pRC ) return;
- assert( idx>=0 && idx<pPage->nCell );
+ assert( idx>=0 );
+ assert( idx<pPage->nCell );
assert( CORRUPT_DB || sz==cellSize(pPage, idx) );
assert( sqlite3PagerIswriteable(pPage->pDbPage) );
assert( sqlite3_mutex_held(pPage->pBt->mutex) );
assert( pPage->nFree>=0 );
data = pPage->aData;
ptr = &pPage->aCellIdx[2*idx];
+ assert( pPage->pBt->usableSize > (int)(ptr-data) );
pc = get2byte(ptr);
hdr = pPage->hdrOffset;
testcase( pc==(u32)get2byte(&data[hdr+5]) );
@@ -9254,7 +9256,12 @@ int sqlite3BtreeDelete(BtCursor *pCur, u8 flags){
iCellIdx = pCur->ix;
pPage = pCur->pPage;
pCell = findCell(pPage, iCellIdx);
- if( pPage->nFree<0 && btreeComputeFreeSpace(pPage) ) return SQLITE_CORRUPT;
+ if( pPage->nFree<0 && btreeComputeFreeSpace(pPage) ){
+ return SQLITE_CORRUPT_BKPT;
+ }
+ if( pPage->nCell<=iCellIdx ){
+ return SQLITE_CORRUPT_BKPT;
+ }
/* If the bPreserve flag is set to true, then the cursor position must
** be preserved following this delete operation. If the current delete
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-18 10:28:32 +0000