Fix a case of a corrupt database causing SQLite to read from up to 4 bytes before...

FossilOrigin-Name: 7d2c4f7b6695806ab8ce0c6f49d8bc1d77a4320b

diff --git a/manifest b/manifest
index bf3cc78749e776c6055a83bb71b00529e02a7fbf..bf53b3065fa5fe3f7ff14718f466466c171a7672 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Have\sthe\sb-tree\slayer\sreturn\sSQLITE_CORRUPT\sto\sany\sattempt\sto\sopen\sa\scursor\swith\sa\sroot\spage\snumber\sless\sthan\s1.
-D 2015-05-25T19:24:36.961
+C Fix\sa\scase\sof\sa\scorrupt\sdatabase\scausing\sSQLite\sto\sread\sfrom\sup\sto\s4\sbytes\sbefore\sthe\sstart\sof\sa\smemory\sallocation.
+D 2015-05-25T20:04:15.531
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 0a6ae26396ec696221021780dffbb894ff3cead7
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -192,7 +192,7 @@ F src/auth.c b56c78ebe40a2110fd361379f7e8162d23f92240
 F src/backup.c ff743689c4d6c5cb55ad42ed9d174b2b3e71f1e3
 F src/bitvec.c 5eb7958c3bf65210211cbcfc44eff86d0ded7c9d
 F src/btmutex.c 45a968cc85afed9b5e6cf55bf1f42f8d18107f79
-F src/btree.c a5beb7f19f9bacbad2bd5ebf8e34e327de7a6656
+F src/btree.c a7d627f89e8382cea8645cc2eec6927b203fdb31
 F src/btree.h 969adc948e89e449220ff0ff724c94bb2a52e9f1
 F src/btreeInt.h 973a22a6fd61350b454ad614832b1f0a5e25a1e4
 F src/build.c d5d9090788118178190c5724c19f93953b8c7a4e
@@ -1278,7 +1278,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 8fa0937a2f3476dd280259e252d6f422c33d38ee
-R 1745897e1e5c334cb77f7423f9fe4000
+P aa18c8e9d1676b1caa53bc5f5c1dc5f201089b88
+R 2543e1ce5d351c3852d827d2b79794af
 U dan
-Z 702c8f83eb7e3fb57102175733730dbd
+Z bdd86a9186a2d4ac711797171541a410

diff --git a/manifest.uuid b/manifest.uuid
index 988034ee1fcbbb420096831865ebf3cfd9399893..878c55a588f80b79b9b5f5030a5d3aa19589334d 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-aa18c8e9d1676b1caa53bc5f5c1dc5f201089b88
\ No newline at end of file
+7d2c4f7b6695806ab8ce0c6f49d8bc1d77a4320b
\ No newline at end of file

diff --git a/src/btree.c b/src/btree.c
index 1e27a9cde41bdb15e62baf4e49747517d4774e67..d6c86be5471640ad3982c3b99a72e1835fc45cb5 100644 (file)
--- a/src/btree.c
+++ b/src/btree.c
@@ -7777,6 +7777,7 @@ int sqlite3BtreeDelete(BtCursor *pCur){
     unsigned char *pTmp;
 
     pCell = findCell(pLeaf, pLeaf->nCell-1);
+    if( pCell<&pLeaf->aData[4] ) return SQLITE_CORRUPT_BKPT;
     nCell = cellSizePtr(pLeaf, pCell);
     assert( MX_CELL_SIZE(pBt) >= nCell );
     pTmp = pBt->pTmpSpace;