Fix an assertion fault that can occur in RTree given a carefully

corrupted database.
[bugs:/forumpost/2026-05-18T06:46:01Z|Bug report 2026-05-18T06:46:01Z].

FossilOrigin-Name: 7cf841f3613c8302a419638bdec83b1b9799f00cfedbfe40dca0a1a005c196b5

diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c
index faebdce78d2e0fe3ffbcb6dcc5a9df3654f4fd03..78d561a9560269bf753bb91bc8e6940fc92b2207 100644 (file)
--- a/ext/rtree/rtree.c
+++ b/ext/rtree/rtree.c
@@ -1665,6 +1665,10 @@ static int rtreeStepToLeaf(RtreeCursor *pCur){
     if( rc ) return rc;
     nCell = NCELL(pNode);
     assert( nCell<200 );
+    if( nCell>RTREE_MAXCELLS ){
+      RTREE_IS_CORRUPT(pRtree);
+      return SQLITE_CORRUPT_VTAB;
+    }
     pCellData = pNode->zData + (4+pRtree->nBytesPerCell*p->iCell);
     while( p->iCell<nCell ){
       sqlite3_rtree_dbl rScore = (sqlite3_rtree_dbl)-1;

diff --git a/manifest b/manifest
index 9fdfa9548f6b3f0b3438c34c8626addeb77a4e1e..551a2d1a20bac6a3294adacd71c9fe6943130765 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Avoid\sa\spotential\s1\sbyte\soverread\sin\ssqlite3changegroup_add()\swhen\sprocessing\sa\scorrupt\schangeset\sbuffer.
-D 2026-05-19T17:12:39.740
+C Fix\san\sassertion\sfault\sthat\scan\soccur\sin\sRTree\sgiven\sa\scarefully\ncorrupted\sdatabase.\n[bugs:/forumpost/2026-05-18T06:46:01Z|Bug\sreport\s2026-05-18T06:46:01Z].
+D 2026-05-19T18:45:05.537
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -493,7 +493,7 @@ F ext/recover/sqlite3recover.h 011c799f02deb70ab685916f6f538e6bb32c4e0025e79bfd0
 F ext/recover/test_recover.c 3d0fb1df7823f5bc22a0b93955034d16a2dfa2eb1e443e9a0123a77f120599a3
 F ext/rtree/README 734aa36238bcd2dee91db5dba107d5fcbdb02396612811377a8ad50f1272b1c1
 F ext/rtree/geopoly.c bd1971479184d559499ff3087c37f2823977d7b0ec80916141ae66f70345c88d
-F ext/rtree/rtree.c 44abdd5df278ca1901daf29c82cce6785f0ee82ce59e28160ee988c17a9a185b
+F ext/rtree/rtree.c 9e8ed7e43df2b88a04343d37038c4433b8f4c13618f2ab1293e671f5364f264d
 F ext/rtree/rtree.h 4a690463901cb5e6127cf05eb8e642f127012fd5003830dbc974eca5802d9412
 F ext/rtree/rtree1.test e0608db762b2aadca0ecb6f97396cf66244490adc3ba88f2a292b27be3e1da3e
 F ext/rtree/rtree2.test 9d9deddbb16fd0c30c36e6b4fdc3ee3132d765567f0f9432ee71e1303d32603d
@@ -2205,8 +2205,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 0de3d95500b7ecd41a09d81f176c1510896e811b3e468e1cf50f752305fdb06f
-R d1be400a8bdf1d9fe855ecb1d35fe797
-U dan
-Z 4e1bb0fb8aa5576fdb78f68bf011f8fd
+P 4d8c3a2919dc942a0a044ec7582a688e0f93e91f4a465bb94390fbe3ad1b50b4
+R de6885248d73ae4c4f72cf1bd72de051
+U drh
+Z 06d0676a46a703e62cc9d2319d678a43
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 1bef4d2b7dcb10c4d6445c8555b1f0b23c5d5263..936563b42ecb8204cbf0087501cec6ed8d6addc3 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-4d8c3a2919dc942a0a044ec7582a688e0f93e91f4a465bb94390fbe3ad1b50b4
+7cf841f3613c8302a419638bdec83b1b9799f00cfedbfe40dca0a1a005c196b5