From: drh <drh@noemail.net>
Date: Mon, 19 May 2014 15:16:11 +0000 (+0000)
Subject: Changes to help ensure that a multiplication does not overflow when computing
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fb79d7ce632a809a827c9a90c4794254dc37eb7e;p=thirdparty%2Fsqlite.git

Changes to help ensure that a multiplication does not overflow when computing
the number of bytes needed for a memory allocation, and cause a malfunction.
No problems existing problems were discovered.  However, these changes should
help to ensure that no problems arise in the future.

FossilOrigin-Name: 17349a49d2db61c70e04e19f024b47e34737e78e
---

diff --git a/manifest b/manifest
index 6c0b7335d0..31982675cc 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Internally,\suse\sa\s64-bit\sintegers\sfor\ssegment\slevel\snumbers.
-D 2014-05-17T16:56:52.166
+C Changes\sto\shelp\sensure\sthat\sa\smultiplication\sdoes\snot\soverflow\swhen\scomputing\nthe\snumber\sof\sbytes\sneeded\sfor\sa\smemory\sallocation,\sand\scause\sa\smalfunction.\nNo\sproblems\sexisting\sproblems\swere\sdiscovered.\s\sHowever,\sthese\schanges\sshould\nhelp\sto\sensure\sthat\sno\sproblems\sarise\sin\sthe\sfuture.
+D 2014-05-19T15:16:11.494
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in dd2b1aba364ff9b05de41086f74407f285c57670
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -158,37 +158,37 @@ F spec.template 86a4a43b99ebb3e75e6b9a735d5fd293a24e90ca
 F sqlite.pc.in 42b7bf0d02e08b9e77734a47798d1a55a9e0716b
 F sqlite3.1 3d8b83c91651f53472ca17599dae3457b8b89494
 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a
-F src/alter.c b00900877f766f116f9e16116f1ccacdc21d82f1
-F src/analyze.c 3596f863bb80126fe56ba217df5932749271efc8
-F src/attach.c 3801129015ef59d76bf23c95ef9b0069d18a0c52
+F src/alter.c 05664d98338f9afeb33640c94353edaac2121132
+F src/analyze.c 0cca10e0f7a1eedbaf83a52832b6b8a62240253d
+F src/attach.c 3f5a380a8ffd07dd75108f2a455e0799f312cc3c
 F src/auth.c 523da7fb4979469955d822ff9298352d6b31de34
 F src/backup.c a729e63cf5cd1829507cb7b8e89f99b95141bb53
 F src/bitvec.c 19a4ba637bd85f8f63fc8c9bae5ade9fb05ec1cb
 F src/btmutex.c 976f45a12e37293e32cae0281b15a21d48a8aaa7
-F src/btree.c 6c9b51abd404ce5b78b173b6f2248e8cb824758c
+F src/btree.c 6f94e30c50551c58df1fd61e608454d2463809d5
 F src/btree.h d79306df4ed9181b48916737fe8871a4392c4594
 F src/btreeInt.h cf180d86b2e9e418f638d65baa425c4c69c0e0e3
-F src/build.c 02665ca158431a0926b10cbd7d8178a4c9fc4a22
+F src/build.c 30012cb6c42ed63ee28df6dd189815365354d5d5
 F src/callback.c 174e3c8656bc29f91d710ab61550d16eea34be98
 F src/complete.c dc1d136c0feee03c2f7550bafc0d29075e36deac
 F src/ctime.c 0231df905e2c4abba4483ee18ffc05adc321df2a
-F src/date.c 593c744b2623971e45affd0bde347631bdfa4625
+F src/date.c 7535e8660c4ef3946c0478d99ead55d137dd17d0
 F src/delete.c bcf8f72126cea80fc3d5bc5494cf19b3f8935aaf
-F src/expr.c 4f9e497c66e2f25a4d139357a778c84d5713207c
+F src/expr.c 2a68a4ab60fc1ad706f8a2768fb4e2211aa0ad2a
 F src/fault.c 160a0c015b6c2629d3899ed2daf63d75754a32bb
-F src/fkey.c 5269ef07b100763134f71b889327c333bd0989cf
-F src/func.c 2e16316ec3a6365a0dc3e553c586f91b20f7f6c8
+F src/fkey.c abbf1c2636243ac3619e31e5c341590cfbef9388
+F src/func.c 3e7eca66400a68eb88e7b57d86550e7a2dbf41fa
 F src/global.c 1e4bd956dc2f608f87d2a929abc4a20db65f30e4
-F src/hash.c d139319967164f139c8d1bb8a11b14db9c4ba3cd
+F src/hash.c a3dc015f25ecad25b6de7cd536fe695a6675e7c2
 F src/hash.h 8890a25af81fb85a9ad7790d32eedab4b994da22
 F src/hwtime.h d32741c8f4df852c7d959236615444e2b1063b08
-F src/insert.c ab34bea5af4fee9f956a0805a32463fb7f674d00
+F src/insert.c d7cc294e10be6a7726dbec6c48fcb46af0ad01f6
 F src/journal.c b4124532212b6952f42eb2c12fa3c25701d8ba8d
-F src/legacy.c 0df0b1550b9cc1f58229644735e317ac89131f12
+F src/legacy.c 311f98da3e24164358fa93753e149108326ff8e7
 F src/lempar.c cdf0a000315332fc9b50b62f3b5e22e080a0952b
-F src/loadext.c 867c7b330b740c6c917af9956b13b81d0a048303
-F src/main.c 1c164c7b742f0cd60290b34dc9086df9f939f490
-F src/malloc.c 0203ebce9152c6a0e5de520140b8ba65187350be
+F src/loadext.c 84de402d4d0827761532fe141a3ccb69de874e11
+F src/main.c 5c9f16a84b1bcd4683bee1433390f4f587629465
+F src/malloc.c 6a1fbdadf00298dad6c76885beb47b9c49f5973a
 F src/mem0.c 6a55ebe57c46ca1a7d98da93aaa07f99f1059645
 F src/mem1.c c0c990fcaddff810ea277b4fb5d9138603dd5d4b
 F src/mem2.c dce31758da87ec2cfa52ba4c5df1aed6e07d8e8f
@@ -200,32 +200,32 @@ F src/mutex.h 5bc526e19dccc412b7ff04642f6fdad3fdfdabea
 F src/mutex_noop.c 7682796b7d8d39bf1c138248858efcd10c9e1553
 F src/mutex_unix.c c3a4e00f96ba068a8dbef34084465979aaf369cc
 F src/mutex_w32.c 9bcab6e699fdb20eae784237c36b299830fb3316
-F src/notify.c 976dd0f6171d4588e89e874fcc765e92914b6d30
+F src/notify.c 58d99e12c46e1c006fa2aa10f8951d142e56e7d6
 F src/os.c 1b147e4cf7cc39e618115c14a086aed44bc91ace
 F src/os.h 60d419395e32a8029fa380a80a3da2e9030f635e
 F src/os_common.h 92815ed65f805560b66166e3583470ff94478f04
 F src/os_setup.h c9d4553b5aaa6f73391448b265b89bed0b890faa
 F src/os_unix.c ae4b5240af4619d711301d7992396e182585269f
-F src/os_win.c 485d06a93965f306c7281fca0937829292367234
+F src/os_win.c fe93fe891b77fde1962352eb87ef50846cc85e75
 F src/os_win.h 057344a6720b4c8405d9bd98f58cb37a6ee46c25
-F src/pager.c f6bb1fa6cdf2062f2d8aec3e64db302bca519ab8
+F src/pager.c e48554539fbeafc21036d7b4bd2101dfffca2af9
 F src/pager.h ffd5607f7b3e4590b415b007a4382f693334d428
 F src/parse.y 22d6a074e5f5a7258947a1dc55a9bf946b765dd0
 F src/pcache.c d8eafac28290d4bb80332005435db44991d07fc2
 F src/pcache.h a5e4f5d9f5d592051d91212c5949517971ae6222
-F src/pcache1.c 102e6f5a2fbc646154463eb856d1fd716867b64c
+F src/pcache1.c fed7cd28e36be68ff4b28295132529e7678454f8
 F src/pragma.c 810ef31ccfaa233201dcf100637a9777cc24e897
 F src/prepare.c 677521ab7132615a8a26107a1d1c3132f44ae337
 F src/printf.c e5a0005f8b3de21f85da6a709d2fbee76775bf4b
 F src/random.c d10c1f85b6709ca97278428fd5db5bbb9c74eece
 F src/resolve.c 273d5f47c4e2c05b2d3d2bffeda939551ab59e66
 F src/rowset.c a9c9aae3234b44a6d7c6f5a3cadf90dce1e627be
-F src/select.c 089c4d46f067a5cccae93524c6377f981ba99bd9
+F src/select.c 4cf17c0960e222bf65a95bc186c4c7c2366a7adc
 F src/shell.c 2afe7a7154e97be0c74c5feacf09626bda8493be
 F src/sqlite.h.in 564fc23db33870b5096b20d72df7491ce0b8b74f
 F src/sqlite3.rc 11094cc6a157a028b301a9f06b3d03089ea37c3e
 F src/sqlite3ext.h 886f5a34de171002ad46fae8c36a7d8051c190fc
-F src/sqliteInt.h 1977f44283be0d3b40da315fb4fd9e21c79fadcc
+F src/sqliteInt.h 2b247d6b22693f13e98d756243b62f039fd2037b
 F src/sqliteLimit.h 164b0e6749d31e0daa1a4589a169d31c0dec7b3d
 F src/status.c 7ac05a5c7017d0b9f0b4bcd701228b784f987158
 F src/table.c 2cd62736f845d82200acfa1287e33feb3c15d62e
@@ -237,7 +237,7 @@ F src/test4.c 9b32d22f5f150abe23c1830e2057c4037c45b3df
 F src/test5.c 5a34feec76d9b3a86aab30fd4f6cc9c48cbab4c1
 F src/test6.c 41cacf3b0dd180823919bf9e1fbab287c9266723
 F src/test7.c 72b732baa5642f795655ba1126ea032af46ecfd2
-F src/test8.c 54ccd7b1df5062f0ecbf50a8f7b618f8b1f13b20
+F src/test8.c 610ec4c516aafe175bb612fcbf6600e323cb63c9
 F src/test9.c bea1e8cf52aa93695487badedd6e1886c321ea60
 F src/test_async.c 21e11293a2f72080eda70e1124e9102044531cd8
 F src/test_autoext.c dea8a01a7153b9adc97bd26161e4226329546e12
@@ -277,24 +277,24 @@ F src/test_vfstrace.c bab9594adc976cbe696ff3970728830b4c5ed698
 F src/test_wsd.c 41cadfd9d97fe8e3e4e44f61a4a8ccd6f7ca8fe9
 F src/tokenize.c 6da2de6e12218ccb0aea5184b56727d011f4bee7
 F src/trigger.c 66f3470b03b52b395e839155786966e3e037fddb
-F src/update.c 5b3e74a03b3811e586b4f2b4cbd7c49f01c93115
+F src/update.c f2ded39ef1a23c3719e94739c7138533cd671e63
 F src/utf.c 6dc9ec9f1b3db43ae8ba0365377f11df1ee4c01c
 F src/util.c 049fe1d3c0e2209c1bee107aec2fcff6285f909f
 F src/vacuum.c 3728d74919d4fb1356f9e9a13e27773db60b7179
-F src/vdbe.c 7f359193bf2366cc914a9ece093ebf284e56acdc
+F src/vdbe.c 0510ef1e48bcd5db800fc1a12e10733f01a51cc3
 F src/vdbe.h 394464909ed682334aa3d5831aae0c2fe2abef94
 F src/vdbeInt.h e6d83e5bfd62fc6685ba1ed6153f7099f82de9f7
 F src/vdbeapi.c 0ed6053f947edd0b30f64ce5aeb811872a3450a4
-F src/vdbeaux.c e493f38758c4b8f4ca2007cf6a700bd405d192f3
+F src/vdbeaux.c 808daddbcd3cd52f9aed80a13a78baac8ec29b00
 F src/vdbeblob.c 9205ce9d3b064d9600f8418a897fc88b5687d9ac
-F src/vdbemem.c 6fc77594c60f6155404f3f8d71bf36d1fdeb4447
-F src/vdbesort.c 4abb7c0f8f19b7d7d82f4558d5da1a30fdf9ea38
+F src/vdbemem.c c996131ae65b3631a87fdb8530ddd2b899395e26
+F src/vdbesort.c 2024607750e873c0285102615872446b51f9a714
 F src/vdbetrace.c 6f52bc0c51e144b7efdcfb2a8f771167a8816767
-F src/vtab.c 21b932841e51ebd7d075e2d0ad1415dce8d2d5fd
+F src/vtab.c cf7523838ae3d5778055e7e881a8a46c44ca2c40
 F src/wal.c 76e7fc6de229bea8b30bb2539110f03a494dc3a8
 F src/wal.h df01efe09c5cb8c8e391ff1715cca294f89668a4
 F src/walker.c 11edb74d587bc87b33ca96a5173e3ec1b8389e45
-F src/where.c fd4b525cd5ab652cea2fbc71ac15c975271ca461
+F src/where.c 5733d54dccf7aec324a602ac219d436753fea4b5
 F src/whereInt.h 6804c2e5010378568c2bb1350477537755296a46
 F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
 F test/aggerror.test a867e273ef9e3d7919f03ef4f0e8c0d2767944f2
@@ -1172,7 +1172,10 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh d1a6de74685f360ab718efda6265994b99bbea01
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 9fde5b960af39b187474e5b2909ff0e56d5e0bf9 7e60347e21a7473974061965a8d1f2eadde987e2
-R 760c47be4e4c59e75f81e88f9a3c89bc
-U dan
-Z a762a27782746cb8cee894bb7c1f28d3
+P 8180e320ee4090e41511836678e49a98c0b228e8
+R a8107f0932a0cdb06db254e30ec29b62
+T *branch * safer-malloc
+T *sym-safer-malloc *
+T -sym-trunk *
+U drh
+Z ba80a44d535d65fb144ac87fb1f1c9d7
diff --git a/manifest.uuid b/manifest.uuid
index 6307ea55eb..9a57a393d8 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-8180e320ee4090e41511836678e49a98c0b228e8
\ No newline at end of file
+17349a49d2db61c70e04e19f024b47e34737e78e
\ No newline at end of file
diff --git a/src/alter.c b/src/alter.c
index 64204b7b24..1b5ec0297f 100644
--- a/src/alter.c
+++ b/src/alter.c
@@ -796,7 +796,7 @@ void sqlite3AlterBeginAddColumn(Parse *pParse, SrcList *pSrc){
   assert( pNew->nCol>0 );
   nAlloc = (((pNew->nCol-1)/8)*8)+8;
   assert( nAlloc>=pNew->nCol && nAlloc%8==0 && nAlloc-pNew->nCol<8 );
-  pNew->aCol = (Column*)sqlite3DbMallocZero(db, sizeof(Column)*nAlloc);
+  pNew->aCol = (Column*)sqlite3DbMallocZero(db, sizeof(Column)*(i64)nAlloc);
   pNew->zName = sqlite3MPrintf(db, "sqlite_altertab_%s", pTab->zName);
   if( !pNew->aCol || !pNew->zName ){
     db->mallocFailed = 1;
diff --git a/src/analyze.c b/src/analyze.c
index 2952b364c3..77530d5532 100644
--- a/src/analyze.c
+++ b/src/analyze.c
@@ -819,7 +819,7 @@ static void statGet(
     char *z;
     int i;
 
-    char *zRet = sqlite3MallocZero(p->nCol * 25);
+    char *zRet = sqlite3MallocZero((i64)p->nCol * 25);
     if( zRet==0 ){
       sqlite3_result_error_nomem(context);
       return;
@@ -870,7 +870,7 @@ static void statGet(
     if( IsStat3 ){
       sqlite3_result_int64(context, (i64)aCnt[0]);
     }else{
-      char *zRet = sqlite3MallocZero(p->nCol * 25);
+      char *zRet = sqlite3MallocZero((i64)p->nCol * 25);
       if( zRet==0 ){
         sqlite3_result_error_nomem(context);
       }else{
@@ -998,6 +998,7 @@ static void analyzeOneTable(
     if( pIdx->pPartIdxWhere==0 ) needTableCnt = 0;
     VdbeNoopComment((v, "Begin analysis of %s", pIdx->zName));
     nCol = pIdx->nKeyCol;
+    assert( sizeof(pIdx->nKeyCol)==2 && nCol<=0xffff );
     aGotoChng = sqlite3DbMallocRaw(db, sizeof(int)*(nCol+1));
     if( aGotoChng==0 ) continue;
 
@@ -1588,8 +1589,8 @@ static int loadStatTbl(
 
     char *zIndex;   /* Index name */
     Index *pIdx;    /* Pointer to the index object */
-    int nSample;    /* Number of samples */
-    int nByte;      /* Bytes of space required */
+    i64 nSample;    /* Number of samples */
+    i64 nByte;      /* Bytes of space required */
     int i;          /* Bytes of space required */
     tRowcnt *pSpace;
 
diff --git a/src/attach.c b/src/attach.c
index 89050fd9dc..3bb705bd99 100644
--- a/src/attach.c
+++ b/src/attach.c
@@ -113,7 +113,7 @@ static void attachFunc(
     if( aNew==0 ) return;
     memcpy(aNew, db->aDb, sizeof(db->aDb[0])*2);
   }else{
-    aNew = sqlite3DbRealloc(db, db->aDb, sizeof(db->aDb[0])*(db->nDb+1) );
+    aNew = sqlite3DbRealloc(db, db->aDb, sizeof(db->aDb[0])*(i64)(db->nDb+1) );
     if( aNew==0 ) return;
   }
   db->aDb = aNew;
diff --git a/src/btree.c b/src/btree.c
index 2bf026b840..95f808ab86 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -606,7 +606,7 @@ static int saveCursorPosition(BtCursor *pCur){
   ** data.
   */
   if( 0==pCur->apPage[0]->intKey ){
-    void *pKey = sqlite3Malloc( (int)pCur->nKey );
+    void *pKey = sqlite3Malloc( pCur->nKey );
     if( pKey ){
       rc = sqlite3BtreeKey(pCur, 0, (int)pCur->nKey, pKey);
       if( rc==SQLITE_OK ){
@@ -4022,7 +4022,7 @@ static int accessPayload(
       int nOvfl = (pCur->info.nPayload-pCur->info.nLocal+ovflSize-1)/ovflSize;
       if( nOvfl>pCur->nOvflAlloc ){
         Pgno *aNew = (Pgno*)sqlite3DbRealloc(
-            pCur->pBtree->db, pCur->aOverflow, nOvfl*2*sizeof(Pgno)
+            pCur->pBtree->db, pCur->aOverflow, (i64)nOvfl*2*sizeof(Pgno)
         );
         if( aNew==0 ){
           rc = SQLITE_NOMEM;
diff --git a/src/build.c b/src/build.c
index a79abed3b6..5329a22e68 100644
--- a/src/build.c
+++ b/src/build.c
@@ -1036,7 +1036,7 @@ void sqlite3AddColumn(Parse *pParse, Token *pName){
   }
   if( (p->nCol & 0x7)==0 ){
     Column *aNew;
-    aNew = sqlite3DbRealloc(db,p->aCol,(p->nCol+8)*sizeof(p->aCol[0]));
+    aNew = sqlite3DbRealloc(db,p->aCol,(i64)(p->nCol+8)*sizeof(p->aCol[0]));
     if( aNew==0 ){
       sqlite3DbFree(db, z);
       return;
@@ -1491,6 +1491,7 @@ static char *createTableStmt(sqlite3 *db, Table *p){
     zSep2 = ",\n  ";
     zEnd = "\n)";
   }
+  assert( sizeof(p->nCol)==2 );
   n += 35 + 6*p->nCol;
   zStmt = sqlite3DbMallocRaw(0, n);
   if( zStmt==0 ){
@@ -1542,10 +1543,10 @@ static char *createTableStmt(sqlite3 *db, Table *p){
 */
 static int resizeIndexObject(sqlite3 *db, Index *pIdx, int N){
   char *zExtra;
-  int nByte;
+  i64 nByte;
   if( pIdx->nColumn>=N ) return SQLITE_OK;
   assert( pIdx->isResized==0 );
-  nByte = (sizeof(char*) + sizeof(i16) + 1)*N;
+  nByte = (sizeof(char*) + sizeof(i16) + 1)*(i64)N;
   zExtra = sqlite3DbMallocZero(db, nByte);
   if( zExtra==0 ) return SQLITE_NOMEM;
   memcpy(zExtra, pIdx->azColl, sizeof(char*)*pIdx->nColumn);
@@ -2503,7 +2504,7 @@ void sqlite3CreateForeignKey(
   FKey *pFKey = 0;
   FKey *pNextTo;
   Table *p = pParse->pNewTable;
-  int nByte;
+  i64 nByte;
   int i;
   int nCol;
   char *z;
@@ -2528,7 +2529,7 @@ void sqlite3CreateForeignKey(
   }else{
     nCol = pFromCol->nExpr;
   }
-  nByte = sizeof(*pFKey) + (nCol-1)*sizeof(pFKey->aCol[0]) + pTo->n + 1;
+  nByte = sizeof(*pFKey) + (i64)(nCol-1)*sizeof(pFKey->aCol[0]) + pTo->n + 1;
   if( pToCol ){
     for(i=0; i<pToCol->nExpr; i++){
       nByte += sqlite3Strlen30(pToCol->a[i].zName) + 1;
@@ -3379,7 +3380,7 @@ void *sqlite3ArrayAllocate(
   int n = *pnEntry;
   if( (n & (n-1))==0 ){
     int sz = (n==0) ? 1 : 2*n;
-    void *pNew = sqlite3DbRealloc(db, pArray, sz*szEntry);
+    void *pNew = sqlite3DbRealloc(db, pArray, sz*(i64)szEntry);
     if( pNew==0 ){
       *pIdx = -1;
       return pArray;
@@ -3485,7 +3486,7 @@ SrcList *sqlite3SrcListEnlarge(
     int nAlloc = pSrc->nSrc+nExtra;
     int nGot;
     pNew = sqlite3DbRealloc(db, pSrc,
-               sizeof(*pSrc) + (nAlloc-1)*sizeof(pSrc->a[0]) );
+               sizeof(*pSrc) + (nAlloc-1)*(i64)sizeof(pSrc->a[0]) );
     if( pNew==0 ){
       assert( db->mallocFailed );
       return pSrc;
@@ -4202,7 +4203,7 @@ With *sqlite3WithAdd(
   }
 
   if( pWith ){
-    int nByte = sizeof(*pWith) + (sizeof(pWith->a[1]) * pWith->nCte);
+    i64 nByte = sizeof(*pWith) + (sizeof(pWith->a[1])*(i64)pWith->nCte);
     pNew = sqlite3DbRealloc(db, pWith, nByte);
   }else{
     pNew = sqlite3DbMallocZero(db, sizeof(*pWith));
diff --git a/src/date.c b/src/date.c
index f8f4ee0a6b..9854a79f8f 100644
--- a/src/date.c
+++ b/src/date.c
@@ -942,7 +942,7 @@ static void strftimeFunc(
     sqlite3_result_error_toobig(context);
     return;
   }else{
-    z = sqlite3DbMallocRaw(db, (int)n);
+    z = sqlite3DbMallocRaw(db, n);
     if( z==0 ){
       sqlite3_result_error_nomem(context);
       return;
diff --git a/src/expr.c b/src/expr.c
index 08c121e386..b2cc97101e 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -665,7 +665,7 @@ void sqlite3ExprAssignVarNumber(Parse *pParse, Expr *pExpr){
     if( x>0 ){
       if( x>pParse->nzVar ){
         char **a;
-        a = sqlite3DbRealloc(db, pParse->azVar, x*sizeof(a[0]));
+        a = sqlite3DbRealloc(db, pParse->azVar, (i64)x*sizeof(a[0]));
         if( a==0 ) return;  /* Error reported through db->mallocFailed */
         pParse->azVar = a;
         memset(&a[pParse->nzVar], 0, (x-pParse->nzVar)*sizeof(a[0]));
@@ -910,7 +910,7 @@ static Expr *exprDup(sqlite3 *db, Expr *p, int flags, u8 **pzBuffer){
 static With *withDup(sqlite3 *db, With *p){
   With *pRet = 0;
   if( p ){
-    int nByte = sizeof(*p) + sizeof(p->a[0]) * (p->nCte-1);
+    i64 nByte = sizeof(*p) + sizeof(p->a[0]) * (i64)(p->nCte-1);
     pRet = sqlite3DbMallocZero(db, nByte);
     if( pRet ){
       int i;
@@ -957,7 +957,7 @@ ExprList *sqlite3ExprListDup(sqlite3 *db, ExprList *p, int flags){
   if( pNew==0 ) return 0;
   pNew->nExpr = i = p->nExpr;
   if( (flags & EXPRDUP_REDUCE)==0 ) for(i=1; i<p->nExpr; i+=i){}
-  pNew->a = pItem = sqlite3DbMallocRaw(db,  i*sizeof(p->a[0]) );
+  pNew->a = pItem = sqlite3DbMallocRaw(db,  (i64)i*sizeof(p->a[0]) );
   if( pItem==0 ){
     sqlite3DbFree(db, pNew);
     return 0;
@@ -987,7 +987,7 @@ ExprList *sqlite3ExprListDup(sqlite3 *db, ExprList *p, int flags){
 SrcList *sqlite3SrcListDup(sqlite3 *db, SrcList *p, int flags){
   SrcList *pNew;
   int i;
-  int nByte;
+  i64 nByte;
   if( p==0 ) return 0;
   nByte = sizeof(*p) + (p->nSrc>0 ? sizeof(p->a[0]) * (p->nSrc-1) : 0);
   pNew = sqlite3DbMallocRaw(db, nByte );
@@ -1029,7 +1029,7 @@ IdList *sqlite3IdListDup(sqlite3 *db, IdList *p){
   pNew = sqlite3DbMallocRaw(db, sizeof(*pNew) );
   if( pNew==0 ) return 0;
   pNew->nId = p->nId;
-  pNew->a = sqlite3DbMallocRaw(db, p->nId*sizeof(p->a[0]) );
+  pNew->a = sqlite3DbMallocRaw(db, (i64)p->nId*sizeof(p->a[0]) );
   if( pNew->a==0 ){
     sqlite3DbFree(db, pNew);
     return 0;
@@ -1103,7 +1103,7 @@ ExprList *sqlite3ExprListAppend(
   }else if( (pList->nExpr & (pList->nExpr-1))==0 ){
     struct ExprList_item *a;
     assert( pList->nExpr>0 );
-    a = sqlite3DbRealloc(db, pList->a, pList->nExpr*2*sizeof(pList->a[0]));
+    a = sqlite3DbRealloc(db, pList->a, (i64)pList->nExpr*2*sizeof(pList->a[0]));
     if( a==0 ){
       goto no_mem;
     }
diff --git a/src/fkey.c b/src/fkey.c
index 336256e0f3..22157e9423 100644
--- a/src/fkey.c
+++ b/src/fkey.c
@@ -219,7 +219,7 @@ int sqlite3FkLocateIndex(
     }
   }else if( paiCol ){
     assert( nCol>1 );
-    aiCol = (int *)sqlite3DbMallocRaw(pParse->db, nCol*sizeof(int));
+    aiCol = (int *)sqlite3DbMallocRaw(pParse->db, (i64)nCol*sizeof(int));
     if( !aiCol ) return 1;
     *paiCol = aiCol;
   }
diff --git a/src/func.c b/src/func.c
index bc5c78981e..6f0a4248a1 100644
--- a/src/func.c
+++ b/src/func.c
@@ -393,7 +393,7 @@ static void *contextMalloc(sqlite3_context *context, i64 nByte){
     sqlite3_result_error_toobig(context);
     z = 0;
   }else{
-    z = sqlite3Malloc((int)nByte);
+    z = sqlite3Malloc(nByte);
     if( !z ){
       sqlite3_result_error_nomem(context);
     }
diff --git a/src/hash.c b/src/hash.c
index f9901fee8f..3ab5476348 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -120,7 +120,7 @@ static int rehash(Hash *pH, unsigned int new_size){
   ** may be larger than the requested amount).
   */
   sqlite3BeginBenignMalloc();
-  new_ht = (struct _ht *)sqlite3Malloc( new_size*sizeof(struct _ht) );
+  new_ht = (struct _ht *)sqlite3Malloc( new_size*(i64)sizeof(struct _ht) );
   sqlite3EndBenignMalloc();
 
   if( new_ht==0 ) return 0;
diff --git a/src/insert.c b/src/insert.c
index 909bc27474..fd5b78a3c5 100644
--- a/src/insert.c
+++ b/src/insert.c
@@ -747,7 +747,7 @@ void sqlite3Insert(
     int nIdx;
     nIdx = sqlite3OpenTableAndIndices(pParse, pTab, OP_OpenWrite, -1, 0,
                                       &iDataCur, &iIdxCur);
-    aRegIdx = sqlite3DbMallocRaw(db, sizeof(int)*(nIdx+1));
+    aRegIdx = sqlite3DbMallocRaw(db, sizeof(int)*(i64)(nIdx+1));
     if( aRegIdx==0 ){
       goto insert_cleanup;
     }
diff --git a/src/legacy.c b/src/legacy.c
index 94649ae705..7e9f93e722 100644
--- a/src/legacy.c
+++ b/src/legacy.c
@@ -73,7 +73,7 @@ int sqlite3_exec(
           (SQLITE_DONE==rc && !callbackIsInit
                            && db->flags&SQLITE_NullCallback)) ){
         if( !callbackIsInit ){
-          azCols = sqlite3DbMallocZero(db, 2*nCol*sizeof(const char*) + 1);
+          azCols = sqlite3DbMallocZero(db, 2*(i64)nCol*sizeof(const char*) + 1);
           if( azCols==0 ){
             goto exec_out;
           }
diff --git a/src/loadext.c b/src/loadext.c
index 828e865b61..f646ce39e9 100644
--- a/src/loadext.c
+++ b/src/loadext.c
@@ -531,7 +531,7 @@ static int sqlite3LoadExtension(
   }
 
   /* Append the new shared library handle to the db->aExtension array. */
-  aHandle = sqlite3DbMallocZero(db, sizeof(handle)*(db->nExtension+1));
+  aHandle = sqlite3DbMallocZero(db, sizeof(handle)*(i64)(db->nExtension+1));
   if( aHandle==0 ){
     return SQLITE_NOMEM;
   }
diff --git a/src/main.c b/src/main.c
index d150d19d3c..17c6f2c39f 100644
--- a/src/main.c
+++ b/src/main.c
@@ -558,7 +558,7 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){
     pStart = 0;
   }else if( pBuf==0 ){
     sqlite3BeginBenignMalloc();
-    pStart = sqlite3Malloc( sz*cnt );  /* IMP: R-61949-35727 */
+    pStart = sqlite3Malloc( sz*(i64)cnt );  /* IMP: R-61949-35727 */
     sqlite3EndBenignMalloc();
     if( pStart ) cnt = sqlite3MallocSize(pStart)/sz;
   }else{
diff --git a/src/malloc.c b/src/malloc.c
index 9c11d07767..7aafaf5569 100644
--- a/src/malloc.c
+++ b/src/malloc.c
@@ -294,7 +294,7 @@ static int mallocWithAlarm(int n, void **pp){
 ** Allocate memory.  This routine is like sqlite3_malloc() except that it
 ** assumes the memory subsystem has already been initialized.
 */
-void *sqlite3Malloc(int n){
+void *sqlite3Malloc(i64 n){
   void *p;
   if( n<=0               /* IMP: R-65312-04917 */ 
    || n>=0x7fffff00
@@ -307,10 +307,10 @@ void *sqlite3Malloc(int n){
     p = 0;
   }else if( sqlite3GlobalConfig.bMemstat ){
     sqlite3_mutex_enter(mem0.mutex);
-    mallocWithAlarm(n, &p);
+    mallocWithAlarm((int)n, &p);
     sqlite3_mutex_leave(mem0.mutex);
   }else{
-    p = sqlite3GlobalConfig.m.xMalloc(n);
+    p = sqlite3GlobalConfig.m.xMalloc((int)n);
   }
   assert( EIGHT_BYTE_ALIGNMENT(p) );  /* IMP: R-04675-44850 */
   return p;
@@ -513,7 +513,7 @@ void sqlite3DbFree(sqlite3 *db, void *p){
 /*
 ** Change the size of an existing memory allocation
 */
-void *sqlite3Realloc(void *pOld, int nBytes){
+void *sqlite3Realloc(void *pOld, i64 nBytes){
   int nOld, nNew, nDiff;
   void *pNew;
   if( pOld==0 ){
@@ -531,7 +531,7 @@ void *sqlite3Realloc(void *pOld, int nBytes){
   /* IMPLEMENTATION-OF: R-46199-30249 SQLite guarantees that the second
   ** argument to xRealloc is always a value returned by a prior call to
   ** xRoundup. */
-  nNew = sqlite3GlobalConfig.m.xRoundup(nBytes);
+  nNew = sqlite3GlobalConfig.m.xRoundup((int)nBytes);
   if( nOld==nNew ){
     pNew = pOld;
   }else if( sqlite3GlobalConfig.bMemstat ){
@@ -576,7 +576,7 @@ void *sqlite3_realloc(void *pOld, int n){
 /*
 ** Allocate and zero memory.
 */ 
-void *sqlite3MallocZero(int n){
+void *sqlite3MallocZero(i64 n){
   void *p = sqlite3Malloc(n);
   if( p ){
     memset(p, 0, n);
@@ -588,7 +588,7 @@ void *sqlite3MallocZero(int n){
 ** Allocate and zero memory.  If the allocation fails, make
 ** the mallocFailed flag in the connection pointer.
 */
-void *sqlite3DbMallocZero(sqlite3 *db, int n){
+void *sqlite3DbMallocZero(sqlite3 *db, i64 n){
   void *p = sqlite3DbMallocRaw(db, n);
   if( p ){
     memset(p, 0, n);
@@ -614,7 +614,7 @@ void *sqlite3DbMallocZero(sqlite3 *db, int n){
 ** In other words, if a subsequent malloc (ex: "b") worked, it is assumed
 ** that all prior mallocs (ex: "a") worked too.
 */
-void *sqlite3DbMallocRaw(sqlite3 *db, int n){
+void *sqlite3DbMallocRaw(sqlite3 *db, i64 n){
   void *p;
   assert( db==0 || sqlite3_mutex_held(db->mutex) );
   assert( db==0 || db->pnBytesFreed==0 );
@@ -658,7 +658,7 @@ void *sqlite3DbMallocRaw(sqlite3 *db, int n){
 ** Resize the block of memory pointed to by p to n bytes. If the
 ** resize fails, set the mallocFailed flag in the connection object.
 */
-void *sqlite3DbRealloc(sqlite3 *db, void *p, int n){
+void *sqlite3DbRealloc(sqlite3 *db, void *p, i64 n){
   void *pNew = 0;
   assert( db!=0 );
   assert( sqlite3_mutex_held(db->mutex) );
@@ -695,7 +695,7 @@ void *sqlite3DbRealloc(sqlite3 *db, void *p, int n){
 ** Attempt to reallocate p.  If the reallocation fails, then free p
 ** and set the mallocFailed flag in the database connection.
 */
-void *sqlite3DbReallocOrFree(sqlite3 *db, void *p, int n){
+void *sqlite3DbReallocOrFree(sqlite3 *db, void *p, i64 n){
   void *pNew;
   pNew = sqlite3DbRealloc(db, p, n);
   if( !pNew ){
@@ -713,13 +713,12 @@ void *sqlite3DbReallocOrFree(sqlite3 *db, void *p, int n){
 */
 char *sqlite3DbStrDup(sqlite3 *db, const char *z){
   char *zNew;
-  size_t n;
+  i64 n;
   if( z==0 ){
     return 0;
   }
   n = sqlite3Strlen30(z) + 1;
-  assert( (n&0x7fffffff)==n );
-  zNew = sqlite3DbMallocRaw(db, (int)n);
+  zNew = sqlite3DbMallocRaw(db, n);
   if( zNew ){
     memcpy(zNew, z, n);
   }
@@ -730,8 +729,7 @@ char *sqlite3DbStrNDup(sqlite3 *db, const char *z, int n){
   if( z==0 ){
     return 0;
   }
-  assert( (n&0x7fffffff)==n );
-  zNew = sqlite3DbMallocRaw(db, n+1);
+  zNew = sqlite3DbMallocRaw(db, (i64)n+1);
   if( zNew ){
     memcpy(zNew, z, n);
     zNew[n] = 0;
diff --git a/src/notify.c b/src/notify.c
index fcab5bfaf0..b0263e2123 100644
--- a/src/notify.c
+++ b/src/notify.c
@@ -258,7 +258,7 @@ void sqlite3ConnectionUnlocked(sqlite3 *db){
        || (aDyn && nArg==(int)(sqlite3MallocSize(aDyn)/sizeof(void*)))
       ){
         /* The aArg[] array needs to grow. */
-        void **pNew = (void **)sqlite3Malloc(nArg*sizeof(void *)*2);
+        void **pNew = (void **)sqlite3Malloc((i64)nArg*sizeof(void *)*2);
         if( pNew ){
           memcpy(pNew, aArg, nArg*sizeof(void *));
           sqlite3_free(aDyn);
diff --git a/src/os_win.c b/src/os_win.c
index fcac665dff..bed5edf793 100644
--- a/src/os_win.c
+++ b/src/os_win.c
@@ -1533,7 +1533,7 @@ static LPWSTR winUtf8ToUnicode(const char *zFilename){
   if( nChar==0 ){
     return 0;
   }
-  zWideFilename = sqlite3MallocZero( nChar*sizeof(zWideFilename[0]) );
+  zWideFilename = sqlite3MallocZero( (i64)nChar*sizeof(zWideFilename[0]) );
   if( zWideFilename==0 ){
     return 0;
   }
@@ -1588,7 +1588,7 @@ static LPWSTR winMbcsToUnicode(const char *zFilename){
   if( nByte==0 ){
     return 0;
   }
-  zMbcsFilename = sqlite3MallocZero( nByte*sizeof(zMbcsFilename[0]) );
+  zMbcsFilename = sqlite3MallocZero( (i64)nByte*sizeof(zMbcsFilename[0]) );
   if( zMbcsFilename==0 ){
     return 0;
   }
@@ -4329,7 +4329,7 @@ static int winGetTempname(sqlite3_vfs *pVfs, char **pzBuf){
 #elif !SQLITE_OS_WINRT && !defined(__CYGWIN__)
   else if( osIsNT() ){
     char *zMulti;
-    LPWSTR zWidePath = sqlite3MallocZero( nMax*sizeof(WCHAR) );
+    LPWSTR zWidePath = sqlite3MallocZero( (i64)nMax*sizeof(WCHAR) );
     if( !zWidePath ){
       sqlite3_free(zBuf);
       OSTRACE(("TEMP-FILENAME rc=SQLITE_IOERR_NOMEM\n"));
@@ -5108,7 +5108,7 @@ static int winFullPathname(
                          "winFullPathname1", zRelative);
     }
     nByte += 3;
-    zTemp = sqlite3MallocZero( nByte*sizeof(zTemp[0]) );
+    zTemp = sqlite3MallocZero( (i64)nByte*sizeof(zTemp[0]) );
     if( zTemp==0 ){
       sqlite3_free(zConverted);
       return SQLITE_IOERR_NOMEM;
@@ -5134,7 +5134,7 @@ static int winFullPathname(
                          "winFullPathname3", zRelative);
     }
     nByte += 3;
-    zTemp = sqlite3MallocZero( nByte*sizeof(zTemp[0]) );
+    zTemp = sqlite3MallocZero( (i64)nByte*sizeof(zTemp[0]) );
     if( zTemp==0 ){
       sqlite3_free(zConverted);
       return SQLITE_IOERR_NOMEM;
diff --git a/src/pager.c b/src/pager.c
index a77dcecc4c..7f168bb126 100644
--- a/src/pager.c
+++ b/src/pager.c
@@ -2443,7 +2443,7 @@ static int pager_delmaster(Pager *pPager, const char *zMaster){
   rc = sqlite3OsFileSize(pMaster, &nMasterJournal);
   if( rc!=SQLITE_OK ) goto delmaster_out;
   nMasterPtr = pVfs->mxPathname+1;
-  zMasterJournal = sqlite3Malloc((int)nMasterJournal + nMasterPtr + 1);
+  zMasterJournal = sqlite3Malloc(nMasterJournal + nMasterPtr + 1);
   if( !zMasterJournal ){
     rc = SQLITE_NOMEM;
     goto delmaster_out;
@@ -4574,7 +4574,7 @@ int sqlite3PagerOpen(
   if( zFilename && zFilename[0] ){
     const char *z;
     nPathname = pVfs->mxPathname+1;
-    zPathname = sqlite3DbMallocRaw(0, nPathname*2);
+    zPathname = sqlite3DbMallocRaw(0, (i64)nPathname*2);
     if( zPathname==0 ){
       return SQLITE_NOMEM;
     }
@@ -4619,7 +4619,7 @@ int sqlite3PagerOpen(
     ROUND8(sizeof(*pPager)) +      /* Pager structure */
     ROUND8(pcacheSize) +           /* PCache object */
     ROUND8(pVfs->szOsFile) +       /* The main db file */
-    journalFileSize * 2 +          /* The two journal files */ 
+    (i64)journalFileSize * 2 +     /* The two journal files */ 
     nPathname + 1 + nUri +         /* zFilename */
     nPathname + 8 + 2              /* zJournal */
 #ifndef SQLITE_OMIT_WAL
@@ -6478,7 +6478,7 @@ int sqlite3PagerOpenSavepoint(Pager *pPager, int nSavepoint){
     ** malloc failure occurs while populating it in the for(...) loop below.
     */
     aNew = (PagerSavepoint *)sqlite3Realloc(
-        pPager->aSavepoint, sizeof(PagerSavepoint)*nSavepoint
+        pPager->aSavepoint, sizeof(PagerSavepoint)*(i64)nSavepoint
     );
     if( !aNew ){
       return SQLITE_NOMEM;
diff --git a/src/pcache1.c b/src/pcache1.c
index 1644b0693c..0340c8f2e5 100644
--- a/src/pcache1.c
+++ b/src/pcache1.c
@@ -397,7 +397,7 @@ static int pcache1ResizeHash(PCache1 *p){
 
   pcache1LeaveMutex(p->pGroup);
   if( p->nHash ){ sqlite3BeginBenignMalloc(); }
-  apNew = (PgHdr1 **)sqlite3MallocZero(sizeof(PgHdr1 *)*nNew);
+  apNew = (PgHdr1 **)sqlite3MallocZero(sizeof(PgHdr1 *)*(i64)nNew);
   if( p->nHash ){ sqlite3EndBenignMalloc(); }
   pcache1EnterMutex(p->pGroup);
   if( apNew ){
diff --git a/src/select.c b/src/select.c
index 5fff010f34..5c6522fd05 100644
--- a/src/select.c
+++ b/src/select.c
@@ -932,7 +932,7 @@ static void selectInnerLoop(
 */
 KeyInfo *sqlite3KeyInfoAlloc(sqlite3 *db, int N, int X){
   KeyInfo *p = sqlite3DbMallocZero(0, 
-                   sizeof(KeyInfo) + (N+X)*(sizeof(CollSeq*)+1));
+                   sizeof(KeyInfo) + (i64)(N+X)*(sizeof(CollSeq*)+1));
   if( p ){
     p->aSortOrder = (u8*)&p->aColl[N+X];
     p->nField = (u16)N;
@@ -1542,7 +1542,7 @@ static int selectColumnsFromExprList(
 
   if( pEList ){
     nCol = pEList->nExpr;
-    aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*nCol);
+    aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*(i64)nCol);
     testcase( aCol==0 );
   }else{
     nCol = 0;
@@ -2744,7 +2744,7 @@ static int multiSelectOrderBy(
   ** to the right and the left are evaluated, they use the correct
   ** collation.
   */
-  aPermute = sqlite3DbMallocRaw(db, sizeof(int)*nOrderBy);
+  aPermute = sqlite3DbMallocRaw(db, sizeof(int)*(i64)nOrderBy);
   if( aPermute ){
     struct ExprList_item *pItem;
     for(i=0, pItem=pOrderBy->a; i<nOrderBy; i++, pItem++){
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index bb8763ccbb..564fcd1e10 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -2870,15 +2870,15 @@ int sqlite3Strlen30(const char*);
 
 int sqlite3MallocInit(void);
 void sqlite3MallocEnd(void);
-void *sqlite3Malloc(int);
-void *sqlite3MallocZero(int);
-void *sqlite3DbMallocZero(sqlite3*, int);
-void *sqlite3DbMallocRaw(sqlite3*, int);
+void *sqlite3Malloc(i64);
+void *sqlite3MallocZero(i64);
+void *sqlite3DbMallocZero(sqlite3*, i64);
+void *sqlite3DbMallocRaw(sqlite3*, i64);
 char *sqlite3DbStrDup(sqlite3*,const char*);
 char *sqlite3DbStrNDup(sqlite3*,const char*, int);
-void *sqlite3Realloc(void*, int);
-void *sqlite3DbReallocOrFree(sqlite3 *, void *, int);
-void *sqlite3DbRealloc(sqlite3 *, void *, int);
+void *sqlite3Realloc(void*, i64);
+void *sqlite3DbReallocOrFree(sqlite3 *, void *, i64);
+void *sqlite3DbRealloc(sqlite3 *, void *, i64);
 void sqlite3DbFree(sqlite3*, void*);
 int sqlite3MallocSize(void*);
 int sqlite3DbMallocSize(sqlite3*, void*);
diff --git a/src/test8.c b/src/test8.c
index 8bc835d638..51cd41d403 100644
--- a/src/test8.c
+++ b/src/test8.c
@@ -178,14 +178,14 @@ static int getColumnNames(
 
   if( rc==SQLITE_OK ){
     int ii;
-    int nBytes;
+    i64 nBytes;
     char *zSpace;
     nCol = sqlite3_column_count(pStmt);
 
     /* Figure out how much space to allocate for the array of column names 
     ** (including space for the strings themselves). Then allocate it.
     */
-    nBytes = sizeof(char *) * nCol;
+    nBytes = sizeof(char *) * (i64)nCol;
     for(ii=0; ii<nCol; ii++){
       const char *zName = sqlite3_column_name(pStmt, ii);
       if( !zName ){
@@ -244,7 +244,7 @@ static int getIndexArray(
   char *zSql;
 
   /* Allocate space for the index array */
-  aIndex = (int *)sqlite3MallocZero(sizeof(int) * nCol);
+  aIndex = (int *)sqlite3MallocZero(sizeof(int) * (i64)nCol);
   if( !aIndex ){
     rc = SQLITE_NOMEM;
     goto get_index_array_out;
diff --git a/src/update.c b/src/update.c
index 4138749f80..ee28b35ad3 100644
--- a/src/update.c
+++ b/src/update.c
@@ -197,7 +197,7 @@ void sqlite3Update(
   /* Allocate space for aXRef[], aRegIdx[], and aToOpen[].  
   ** Initialize aXRef[] and aToOpen[] to their default values.
   */
-  aXRef = sqlite3DbMallocRaw(db, sizeof(int) * (pTab->nCol+nIdx) + nIdx+2 );
+  aXRef = sqlite3DbMallocRaw(db, sizeof(int)*(i64)(pTab->nCol+nIdx) + nIdx+2 );
   if( aXRef==0 ) goto update_cleanup;
   aRegIdx = aXRef+pTab->nCol;
   aToOpen = (u8*)(aRegIdx+nIdx);
diff --git a/src/vdbe.c b/src/vdbe.c
index a64e5bf5e1..4db395fa4a 100644
--- a/src/vdbe.c
+++ b/src/vdbe.c
@@ -5107,7 +5107,7 @@ case OP_IntegrityCk: {
   assert( p->bIsReader );
   nRoot = pOp->p2;
   assert( nRoot>0 );
-  aRoot = sqlite3DbMallocRaw(db, sizeof(int)*(nRoot+1) );
+  aRoot = sqlite3DbMallocRaw(db, sizeof(int)*(i64)(nRoot+1) );
   if( aRoot==0 ) goto no_mem;
   assert( pOp->p3>0 && pOp->p3<=(p->nMem-p->nCursor) );
   pnErr = &aMem[pOp->p3];
@@ -5261,7 +5261,7 @@ case OP_RowSetTest: {                     /* jump, in1, in3 */
 */
 case OP_Program: {        /* jump */
   int nMem;               /* Number of memory registers for sub-program */
-  int nByte;              /* Bytes of runtime space required for sub-program */
+  i64 nByte;              /* Bytes of runtime space required for sub-program */
   Mem *pRt;               /* Register to allocate runtime space */
   Mem *pMem;              /* Used to iterate through memory cells */
   Mem *pEnd;              /* Last memory cell in new array */
@@ -5308,9 +5308,9 @@ case OP_Program: {        /* jump */
     */
     nMem = pProgram->nMem + pProgram->nCsr;
     nByte = ROUND8(sizeof(VdbeFrame))
-              + nMem * sizeof(Mem)
-              + pProgram->nCsr * sizeof(VdbeCursor *)
-              + pProgram->nOnce * sizeof(u8);
+              + (i64)nMem * sizeof(Mem)
+              + (i64)pProgram->nCsr * sizeof(VdbeCursor *)
+              + (i64)pProgram->nOnce * sizeof(u8);
     pFrame = sqlite3DbMallocZero(db, nByte);
     if( !pFrame ){
       goto no_mem;
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index 0a6b536720..f233cd7888 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -96,7 +96,7 @@ static int growOpArray(Vdbe *v){
   VdbeOp *pNew;
   Parse *p = v->pParse;
   int nNew = (p->nOpAlloc ? p->nOpAlloc*2 : (int)(1024/sizeof(Op)));
-  pNew = sqlite3DbRealloc(p->db, v->aOp, nNew*sizeof(Op));
+  pNew = sqlite3DbRealloc(p->db, v->aOp, (i64)nNew*sizeof(Op));
   if( pNew ){
     p->nOpAlloc = sqlite3DbMallocSize(p->db, pNew)/sizeof(Op);
     v->aOp = pNew;
@@ -258,7 +258,7 @@ int sqlite3VdbeMakeLabel(Vdbe *v){
   assert( v->magic==VDBE_MAGIC_INIT );
   if( (i & (i-1))==0 ){
     p->aLabel = sqlite3DbReallocOrFree(p->db, p->aLabel, 
-                                       (i*2+1)*sizeof(p->aLabel[0]));
+                                       (i64)(i*2+1)*sizeof(p->aLabel[0]));
   }
   if( p->aLabel ){
     p->aLabel[i] = -1;
@@ -340,7 +340,7 @@ static Op *opIterNext(VdbeOpIter *p){
     }
   
     if( pRet->p4type==P4_SUBPROGRAM ){
-      int nByte = (p->nSub+1)*sizeof(SubProgram*);
+      i64 nByte = (p->nSub+1)*(i64)sizeof(SubProgram*);
       int j;
       for(j=0; j<p->nSub; j++){
         if( p->apSub[j]==pRet->p4.pProgram ) break;
@@ -1531,10 +1531,10 @@ void sqlite3VdbeIOTraceSql(Vdbe *p){
 */
 static void *allocSpace(
   void *pBuf,          /* Where return pointer will be stored */
-  int nByte,           /* Number of bytes to allocate */
+  i64 nByte,           /* Number of bytes to allocate */
   u8 **ppFrom,         /* IN/OUT: Allocate from *ppFrom */
   u8 *pEnd,            /* Pointer to 1 byte past the end of *ppFrom buffer */
-  int *pnByte          /* If allocation cannot be made, increment *pnByte */
+  i64 *pnByte          /* If allocation cannot be made, increment *pnByte */
 ){
   assert( EIGHT_BYTE_ALIGNMENT(*ppFrom) );
   if( pBuf ) return pBuf;
@@ -1619,7 +1619,7 @@ void sqlite3VdbeMakeReady(
   int n;                         /* Loop counter */
   u8 *zCsr;                      /* Memory available for allocation */
   u8 *zEnd;                      /* First byte past allocated memory */
-  int nByte;                     /* How much extra memory is needed */
+  i64 nByte;                     /* How much extra memory is needed */
 
   assert( p!=0 );
   assert( p->nOp>0 );
@@ -1674,11 +1674,11 @@ void sqlite3VdbeMakeReady(
   */
   do {
     nByte = 0;
-    p->aMem = allocSpace(p->aMem, nMem*sizeof(Mem), &zCsr, zEnd, &nByte);
-    p->aVar = allocSpace(p->aVar, nVar*sizeof(Mem), &zCsr, zEnd, &nByte);
-    p->apArg = allocSpace(p->apArg, nArg*sizeof(Mem*), &zCsr, zEnd, &nByte);
-    p->azVar = allocSpace(p->azVar, nVar*sizeof(char*), &zCsr, zEnd, &nByte);
-    p->apCsr = allocSpace(p->apCsr, nCursor*sizeof(VdbeCursor*),
+    p->aMem = allocSpace(p->aMem, (i64)nMem*sizeof(Mem), &zCsr, zEnd, &nByte);
+    p->aVar = allocSpace(p->aVar, (i64)nVar*sizeof(Mem), &zCsr, zEnd, &nByte);
+    p->apArg = allocSpace(p->apArg, (i64)nArg*sizeof(Mem*), &zCsr, zEnd,&nByte);
+    p->azVar = allocSpace(p->azVar, (i64)nVar*sizeof(char*), &zCsr,zEnd,&nByte);
+    p->apCsr = allocSpace(p->apCsr, (i64)nCursor*sizeof(VdbeCursor*),
                           &zCsr, zEnd, &nByte);
     p->aOnceFlag = allocSpace(p->aOnceFlag, nOnce, &zCsr, zEnd, &nByte);
     if( nByte ){
@@ -1838,6 +1838,7 @@ void sqlite3VdbeSetNumCols(Vdbe *p, int nResColumn){
   int n;
   sqlite3 *db = p->db;
 
+  assert( nResColumn <= 0xffff );
   releaseMemArray(p->aColName, p->nResColumn*COLNAME_N);
   sqlite3DbFree(db, p->aColName);
   n = nResColumn*COLNAME_N;
@@ -3073,6 +3074,7 @@ UnpackedRecord *sqlite3VdbeAllocUnpackedRecord(
   ** it by.  If pSpace is already 8-byte aligned, nOff should be zero.
   */
   nOff = (8 - (SQLITE_PTR_TO_INT(pSpace) & 7)) & 7;
+  assert( sizeof(pKeyInfo->nField)==2 );
   nByte = ROUND8(sizeof(UnpackedRecord)) + sizeof(Mem)*(pKeyInfo->nField+1);
   if( nByte>szSpace+nOff ){
     p = (UnpackedRecord *)sqlite3DbMallocRaw(pKeyInfo->db, nByte);
diff --git a/src/vdbemem.c b/src/vdbemem.c
index 2c4aa4ad7f..56c2219b48 100644
--- a/src/vdbemem.c
+++ b/src/vdbemem.c
@@ -934,6 +934,7 @@ static sqlite3_value *valueNew(sqlite3 *db, struct ValueNewStat4Ctx *p){
       int i;                      /* Counter variable */
       int nCol = pIdx->nColumn;   /* Number of index columns including rowid */
   
+      assert( sizeof(pIdx->nColumn)==2 && nCol<=0xffff );
       nByte = sizeof(Mem) * nCol + ROUND8(sizeof(UnpackedRecord));
       pRec = (UnpackedRecord*)sqlite3DbMallocZero(db, nByte);
       if( pRec ){
diff --git a/src/vdbesort.c b/src/vdbesort.c
index d1b726b727..32e614bd54 100644
--- a/src/vdbesort.c
+++ b/src/vdbesort.c
@@ -222,7 +222,7 @@ static int vdbeSorterIterRead(
 
     /* Extend the p->aAlloc[] allocation if required. */
     if( p->nAlloc<nByte ){
-      int nNew = p->nAlloc*2;
+      i64 nNew = p->nAlloc*2;
       while( nByte>nNew ) nNew = nNew*2;
       p->aAlloc = sqlite3DbReallocOrFree(db, p->aAlloc, nNew);
       if( !p->aAlloc ) return SQLITE_NOMEM;
diff --git a/src/vtab.c b/src/vtab.c
index ca0db214cc..5769b594cc 100644
--- a/src/vtab.c
+++ b/src/vtab.c
@@ -278,7 +278,7 @@ void sqlite3VtabClear(sqlite3 *db, Table *p){
 */
 static void addModuleArgument(sqlite3 *db, Table *pTable, char *zArg){
   int i = pTable->nModuleArg++;
-  int nBytes = sizeof(char *)*(1+pTable->nModuleArg);
+  i64 nBytes = sizeof(char *)*(i64)(1+pTable->nModuleArg);
   char **azModuleArg;
   azModuleArg = sqlite3DbRealloc(db, pTable->azModuleArg, nBytes);
   if( azModuleArg==0 ){
@@ -620,7 +620,7 @@ static int growVTrans(sqlite3 *db){
   /* Grow the sqlite3.aVTrans array if required */
   if( (db->nVTrans%ARRAY_INCR)==0 ){
     VTable **aVTrans;
-    int nBytes = sizeof(sqlite3_vtab *) * (db->nVTrans + ARRAY_INCR);
+    i64 nBytes = sizeof(sqlite3_vtab *)*(i64)(db->nVTrans + ARRAY_INCR);
     aVTrans = sqlite3DbRealloc(db, (void *)db->aVTrans, nBytes);
     if( !aVTrans ){
       return SQLITE_NOMEM;
diff --git a/src/where.c b/src/where.c
index 2daa9f1536..104d64d6f0 100644
--- a/src/where.c
+++ b/src/where.c
@@ -209,7 +209,7 @@ static int whereClauseInsert(WhereClause *pWC, Expr *p, u8 wtFlags){
   if( pWC->nTerm>=pWC->nSlot ){
     WhereTerm *pOld = pWC->a;
     sqlite3 *db = pWC->pWInfo->pParse->db;
-    pWC->a = sqlite3DbMallocRaw(db, sizeof(pWC->a[0])*pWC->nSlot*2 );
+    pWC->a = sqlite3DbMallocRaw(db, sizeof(pWC->a[0])*(i64)pWC->nSlot*2 );
     if( pWC->a==0 ){
       if( wtFlags & TERM_DYNAMIC ){
         sqlite3ExprDelete(db, p);
@@ -1777,8 +1777,8 @@ static sqlite3_index_info *allocateIndexInfo(
   /* Allocate the sqlite3_index_info structure
   */
   pIdxInfo = sqlite3DbMallocZero(pParse->db, sizeof(*pIdxInfo)
-                           + (sizeof(*pIdxCons) + sizeof(*pUsage))*nTerm
-                           + sizeof(*pIdxOrderBy)*nOrderBy );
+                           + (sizeof(*pIdxCons) + sizeof(*pUsage))*(i64)nTerm
+                           + sizeof(*pIdxOrderBy)*(i64)nOrderBy );
   if( pIdxInfo==0 ){
     sqlite3ErrorMsg(pParse, "out of memory");
     return 0;
@@ -3686,7 +3686,7 @@ static int whereLoopResize(sqlite3 *db, WhereLoop *p, int n){
   WhereTerm **paNew;
   if( p->nLSlot>=n ) return SQLITE_OK;
   n = (n+7)&~7;
-  paNew = sqlite3DbMallocRaw(db, sizeof(p->aLTerm[0])*n);
+  paNew = sqlite3DbMallocRaw(db, sizeof(p->aLTerm[0])*(i64)n);
   if( paNew==0 ) return SQLITE_NOMEM;
   memcpy(paNew, p->aLTerm, sizeof(p->aLTerm[0])*p->nLSlot);
   if( p->aLTerm!=p->aLTermSpace ) sqlite3DbFree(db, p->aLTerm);
@@ -5231,8 +5231,8 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
   WHERETRACE(0x002, ("---- begin solver\n"));
 
   /* Allocate and initialize space for aTo and aFrom */
-  ii = (sizeof(WherePath)+sizeof(WhereLoop*)*nLoop)*mxChoice*2;
-  pSpace = sqlite3DbMallocRaw(db, ii);
+  pSpace = sqlite3DbMallocRaw(db, 
+               (sizeof(WherePath)+sizeof(WhereLoop*)*(i64)nLoop)*mxChoice*2);
   if( pSpace==0 ) return SQLITE_NOMEM;
   aTo = (WherePath*)pSpace;
   aFrom = aTo+mxChoice;