Prevent the fetchPayload() routine from reporting a cell size that extends
authordrh <drh@noemail.net>
Wed, 15 Apr 2015 17:26:55 +0000 (17:26 +0000)
committerdrh <drh@noemail.net>
Wed, 15 Apr 2015 17:26:55 +0000 (17:26 +0000)
off the end of the page on a pathologically corrupted database file.

FossilOrigin-Name: f71053cf658b3260a32ac06f8ba5c2cde0ea54dd

manifest
manifest.uuid
src/btree.c

index 35f1031e635e99bfa6b50da51726cdb7f44121fa..2bcb4fd1f24bf9bcbf440fe2ef07abc7408607cd 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Enhance\sthe\sshowdb\sutility\sprogram\sso\sthat\sit\scan\sread\sthe\slast\spartial\spage\nof\sa\struncated\sdatabase\sfile.
-D 2015-04-15T15:29:05.938
+C Prevent\sthe\sfetchPayload()\sroutine\sfrom\sreporting\sa\scell\ssize\sthat\sextends\noff\sthe\send\sof\sthe\spage\son\sa\spathologically\scorrupted\sdatabase\sfile.
+D 2015-04-15T17:26:55.979
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 5f78b1ab81b64e7c57a75d170832443e66c0880a
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -173,7 +173,7 @@ F src/auth.c b56c78ebe40a2110fd361379f7e8162d23f92240
 F src/backup.c ff743689c4d6c5cb55ad42ed9d174b2b3e71f1e3
 F src/bitvec.c 19a4ba637bd85f8f63fc8c9bae5ade9fb05ec1cb
 F src/btmutex.c 45a968cc85afed9b5e6cf55bf1f42f8d18107f79
-F src/btree.c 67648f6532c2da79d3b3fb6853aa1a0c3ba0e1ad
+F src/btree.c c6e32d84442f79d5b96965265d65b3baa231dffc
 F src/btree.h 969adc948e89e449220ff0ff724c94bb2a52e9f1
 F src/btreeInt.h 973a22a6fd61350b454ad614832b1f0a5e25a1e4
 F src/build.c 01b969b20a44a3d9620e597d9af8242348123540
@@ -1250,7 +1250,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P b8768f124ef7d79e500b60a3ede288d46a0f529d
-R ba09996f8bd767f4c42736f26f8bc5d1
+P 61d72e17916bc043ce53c64e5ba7050a9bae554e
+R a75e3890d67000037a79bd4d7c9f248e
 U drh
-Z aee37f07b2a30818108be904ab58fa7c
+Z c0a93418012c7dd834fb5d24bb6e0682
index be87706afb076cb3291aa5cca1fbb3d2a8d5abc1..ec95ab78c0f59e5269f8cd5490fae461f0adc762 100644 (file)
@@ -1 +1 @@
-61d72e17916bc043ce53c64e5ba7050a9bae554e
\ No newline at end of file
+f71053cf658b3260a32ac06f8ba5c2cde0ea54dd
\ No newline at end of file
index 9faf624235601e12cdefae5ff4296334cf2fe7a3..51fca4b4bef0667b9ccb99561737cc516b6d280a 100644 (file)
@@ -4451,13 +4451,18 @@ static const void *fetchPayload(
   BtCursor *pCur,      /* Cursor pointing to entry to read from */
   u32 *pAmt            /* Write the number of available bytes here */
 ){
+  u32 amt;
   assert( pCur!=0 && pCur->iPage>=0 && pCur->apPage[pCur->iPage]);
   assert( pCur->eState==CURSOR_VALID );
   assert( sqlite3_mutex_held(pCur->pBtree->db->mutex) );
   assert( cursorHoldsMutex(pCur) );
   assert( pCur->aiIdx[pCur->iPage]<pCur->apPage[pCur->iPage]->nCell );
   assert( pCur->info.nSize>0 );
-  *pAmt = pCur->info.nLocal;
+  assert( pCur->info.pPayload>pCur->apPage[pCur->iPage]->aData || CORRUPT_DB );
+  assert( pCur->info.pPayload<pCur->apPage[pCur->iPage]->aDataEnd ||CORRUPT_DB);
+  amt = (int)(pCur->apPage[pCur->iPage]->aDataEnd - pCur->info.pPayload);
+  if( pCur->info.nLocal<amt ) amt = pCur->info.nLocal;
+  *pAmt = amt;
   return (void*)pCur->info.pPayload;
 }
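Review bot: The new clamp on `amt` in fetchPayload() has no effect when `pCur->info.pPayload` sits at or beyond `aDataEnd`, a state the two added asserts explicitly tolerate under `CORRUPT_DB`. In that case the pointer difference is negative, the `(int)` result converts to a very large `u32`, and `if( pCur->info.nLocal<amt )` selects `nLocal` unchanged, so the reported size can still run past the end of the page. Computing the remaining room as a signed value and flooring it at zero would cover that case: `int room = (int)(pCur->apPage[pCur->iPage]->aDataEnd - pCur->info.pPayload);`, `if( room<0 ) room = 0;`, `amt = (u32)room<pCur->info.nLocal ? (u32)room : pCur->info.nLocal;`. Whether the code that fills `pCur->info` can actually leave pPayload that far out is not visible in this hunk, so this needs confirming against the cell parser. A one-line comment above the computation, such as `/* Never report more bytes than remain on the page, even if the cell header is corrupt */`, would also record why the clamp exists.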