Fix potential integer overflow in btree overflow page cache computation,
authordrh <>
Thu, 28 May 2026 10:14:25 +0000 (10:14 +0000)
committerdrh <>
Thu, 28 May 2026 10:14:25 +0000 (10:14 +0000)
reported by Project Fortify.  Test cases in TH3.

FossilOrigin-Name: dfa674d6e6bffdb930dbefa767831db7862c322b6d3c7a6322f0fa0f087aaaf9

manifest
manifest.uuid
src/btree.c

index 69ce4de20862d078570793e19232a81242aa7ff2..8f82d170742c8bb401b487063e7833ca4d3401fc 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Patch\stest/indexexpr1.test\sto\swork\swhen\sbuilt\swith\sSQLITE_DQS=0.\sAddresses\s[forum:2026-05-26T18:08:20Z|forum\spost\s2026-05-26T18:08:20Z].
-D 2026-05-26T19:25:36.487
+C Fix\spotential\sinteger\soverflow\sin\sbtree\soverflow\spage\scache\scomputation,\nreported\sby\sProject\sFortify.\s\sTest\scases\sin\sTH3.
+D 2026-05-28T10:14:25.247
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -678,7 +678,7 @@ F src/auth.c b5ece4e1edccad082c0332fa0087df225473bae0feea9269f824312201377185
 F src/backup.c 6ebe22ccbedfcb92423833992130e8d65824be4e6599c3a03f540ab38fc7d13c
 F src/bitvec.c e242d4496774dfc88fa278177dd23b607dce369ccafb3f61b41638eea2c9b399
 F src/btmutex.c 30dada73a819a1ef5b7583786370dce1842e12e1ad941e4d05ac29695528daea
-F src/btree.c 8aa7c903ef0181ff92c8365545ae75a1d648f57151b60c03c11b0a51da979edb
+F src/btree.c 2f74489af68281d143f5c4e9ef8ba280cee86fce67a64b3eff9344bbabc5dadf
 F src/btree.h e823c46d87f63d904d735a24b76146d19f51f04445ea561f71cc3382fd1307f0
 F src/btreeInt.h 9c0f9ea5c9b5f4dcaea18111d43efe95f2ac276cd86d770dce10fd99ccc93886
 F src/build.c 866e584cdf40fbc83f530af9fd4d0991582a6fdbd8a9911b7cdbbea5f26a4a9e
@@ -2208,8 +2208,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P e78198e6aec57c28e33a5b1c5ae9943115a35d2fbfa04c8428318567f17eefbe
-R a628ab30284205241205a853323276ec
-U stephan
-Z c98417d5ae241afbaee0903a7ef064d4
+P b470a5d69e70d3440467e7792231f8556111d2c1126cf62879bbfd214ac0a9e0
+R f93211bf011e728b05fb024ce9234ada
+U drh
+Z 01ed8bae8d232f4e5f402b3795da7d4b
 # Remove this line to create a well-formed Fossil manifest.
index 9f810aa70f8704cf7b79333a6b7fd01f59c6235f..9536c9a6aa6c00d1e7adcd4610ba97d277479636 100644 (file)
@@ -1 +1 @@
-b470a5d69e70d3440467e7792231f8556111d2c1126cf62879bbfd214ac0a9e0
+dfa674d6e6bffdb930dbefa767831db7862c322b6d3c7a6322f0fa0f087aaaf9
index fd2c384479f085b39a419fa12eab8c409b7eeda3..88a8ede43a71e675713847a187704bcf7c307962 100644 (file)
@@ -5195,7 +5195,9 @@ static int accessPayload(
     ** means "not yet known" (the cache is lazily populated).
     */
     if( (pCur->curFlags & BTCF_ValidOvfl)==0 ){
-      int nOvfl = (pCur->info.nPayload-pCur->info.nLocal+ovflSize-1)/ovflSize;
+      i64 nOvfl = pCur->info.nPayload;
+      testcase( nOvfl - pCur->info.nLocal + ovflSize - 1 > 0xffffffffU );
+      nOvfl = (nOvfl - pCur->info.nLocal + ovflSize-1)/ovflSize;
       if( pCur->aOverflow==0
        || nOvfl*(int)sizeof(Pgno) > sqlite3MallocSize(pCur->aOverflow)
       ){
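Review bot: The widening to i64 at `i64 nOvfl = pCur->info.nPayload;` carries no comment explaining why a 64-bit type is used for a page count, and a reader who sees nOvfl compared two lines later against the int returned by sqlite3MallocSize may be tempted to narrow it back to int and reintroduce the wrap; suggest `/* i64: nPayload+ovflSize can exceed 32 bits, and nOvfl*sizeof(Pgno) below must not wrap */` above the declaration. The spacing in `nOvfl = (nOvfl - pCur->info.nLocal + ovflSize-1)/ovflSize;` is inconsistent (`ovflSize-1` next to spaced operators); `ovflSize - 1` would match the testcase() line directly above it. The same nOvfl presumably feeds the reallocation size further down in accessPayload, outside this hunk, so it is worth confirming that computation also stays in 64 bits. accessPayload begins before the hunk and continues past it.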