Improved detection of database corruption in freeSpace().
authordrh <drh@noemail.net>
Mon, 15 Jun 2015 12:58:15 +0000 (12:58 +0000)
committerdrh <drh@noemail.net>
Mon, 15 Jun 2015 12:58:15 +0000 (12:58 +0000)
FossilOrigin-Name: 29bcb56887f862a1f06677a7b4bfae6475d29732

manifest
manifest.uuid
src/btree.c
test/fuzzdata3.db

index ad2205da37b99a80e871e6db0d52bc515d4f9974..6366e547e08992eb22fc6283a5fea9ac1f47779a 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Comment\stypo\sfix.\s\sNo\scode\schanges.
-D 2015-06-15T10:49:01.943
+C Improved\sdetection\sof\sdatabase\scorruption\sin\sfreeSpace().
+D 2015-06-15T12:58:15.259
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 1063c58075b7400d93326b0eb332b48a54f53025
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -192,7 +192,7 @@ F src/auth.c b56c78ebe40a2110fd361379f7e8162d23f92240
 F src/backup.c ff743689c4d6c5cb55ad42ed9d174b2b3e71f1e3
 F src/bitvec.c 5eb7958c3bf65210211cbcfc44eff86d0ded7c9d
 F src/btmutex.c 45a968cc85afed9b5e6cf55bf1f42f8d18107f79
-F src/btree.c 5166c27883c24768c2f7f53479714f03ef34c612
+F src/btree.c e269b13c9ad70177cc24e9506c91705c53f1425b
 F src/btree.h 969adc948e89e449220ff0ff724c94bb2a52e9f1
 F src/btreeInt.h 973a22a6fd61350b454ad614832b1f0a5e25a1e4
 F src/build.c 6770b74ccb51cb485e81057c625f77455d5ddc06
@@ -660,7 +660,7 @@ F test/fuzz_malloc.test 328f70aaca63adf29b4c6f06505ed0cf57ca7c26
 F test/fuzzcheck.c a60f926e3fa86c8d33908406d75eec868c22b9ca
 F test/fuzzdata1.db b60254eeb6bc11474071b883059662a73c48da7f
 F test/fuzzdata2.db f03a420d3b822cc82e4f894ca957618fbe9c4973
-F test/fuzzdata3.db a6e9bf75b8bfad0b7e60e57038908f4237b9c5d2
+F test/fuzzdata3.db f4ca6fa92973501cec63ac5d1992ef88f6a78e7f
 F test/fuzzer1.test d4c52aaf3ef923da293a2653cfab33d02f718a36
 F test/fuzzerfault.test 8792cd77fd5bce765b05d0c8e01b9edcf8af8536
 F test/genesis.tcl 1e2e2e8e5cc4058549a154ff1892fe5c9de19f98
@@ -1286,7 +1286,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P caf8f574e5c64da461c6dfba8a06cf3fb18aaa42
-R aba3870768022563ba244dff8ac08eff
+P 17f185adb960b1fa4faa13cdf685b92a20a52072
+R 9841ab7ddff94ef28e5c7f312f08cf08
 U drh
-Z abfc9d17f4897829cc21d3b706c43334
+Z 8fda4c4c0358babdd19a81217bb5c4c6
index 6e6cb8c58bdffe8a03d8d3203e212415a7fbac33..1f5f5b3ab93024b9a6fdde33880f45e56f76f5e2 100644 (file)
@@ -1 +1 @@
-17f185adb960b1fa4faa13cdf685b92a20a52072
\ No newline at end of file
+29bcb56887f862a1f06677a7b4bfae6475d29732
\ No newline at end of file
index 53e0ebbfc1750ddd3c95638fa795e4d888166d58..4a32c07884c72029689c0bc3e9bc28f247cdc8ce 100644 (file)
@@ -1449,6 +1449,7 @@ static int freeSpace(MemPage *pPage, u16 iStart, u16 iSize){
       nFrag = iFreeBlk - iEnd;
       if( iEnd>iFreeBlk ) return SQLITE_CORRUPT_BKPT;
       iEnd = iFreeBlk + get2byte(&data[iFreeBlk+2]);
+      if( iEnd > pPage->pBt->usableSize ) return SQLITE_CORRUPT_BKPT;
       iSize = iEnd - iStart;
       iFreeBlk = get2byte(&data[iFreeBlk]);
     }
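Review bot: The next-freeblock pointer loaded by `iFreeBlk = get2byte(&data[iFreeBlk]);`, two lines after the added check, comes from the same possibly corrupt page bytes as the size field, yet nothing in the visible lines compares it with the merged block. A nonzero value below the new `iEnd` would make the chain point back into or before the block just coalesced, so a guard such as `if( iFreeBlk && iFreeBlk<iEnd ) return SQLITE_CORRUPT_BKPT;` after that load would reject it here; an upper bound against `pPage->pBt->usableSize` may be needed as well unless later code already covers it. The added size check would also read better with a short comment, e.g. `/* size field comes from the page; a corrupt value must not extend the block past the usable area */`. freeSpace() begins before and continues after this hunk, so validation outside the visible lines cannot be ruled out.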
index 29be55e7a6df4ee35ae2d5e27cc0e1a4ed75ea77..335879c148a18c3f37992eeeda74ed8ed2e018cc 100644 (file)
Binary files a/test/fuzzdata3.db and b/test/fuzzdata3.db differ