Fix potential integer overflow in btree overflow page cache computation.
authordrh <>
Thu, 28 May 2026 10:18:42 +0000 (10:18 +0000)
committerdrh <>
Thu, 28 May 2026 10:18:42 +0000 (10:18 +0000)
FossilOrigin-Name: 093e23814e35f0cd0a4bded29b79ddecd7835626d9fe627bfbf4eb138403277f

manifest
manifest.uuid
src/btree.c

index 513d067bcd132ec136dacac8803fb648e804e5a1..051804ec52ae2365eebce26d8d35bb409bfd69e5 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\spotential\s1-byte\soverread\sin\ssqlite3changeset_invert()\swhen\s\nprocessing\sa\scorrupt\sbuffer.
-D 2026-05-26T15:09:07.010
+C Fix\spotential\sinteger\soverflow\sin\sbtree\soverflow\spage\scache\scomputation.
+D 2026-05-28T10:18:42.376
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -675,7 +675,7 @@ F src/auth.c ebec42df26b34a62b6750d30d9c2c03554a1c522020182476f7729a439fef04f
 F src/backup.c 5c97e8023aab1ce14a42387eb3ae00ba5a0644569e3476f38661fa6f824c3523
 F src/bitvec.c e242d4496774dfc88fa278177dd23b607dce369ccafb3f61b41638eea2c9b399
 F src/btmutex.c 30dada73a819a1ef5b7583786370dce1842e12e1ad941e4d05ac29695528daea
-F src/btree.c 4b074c6d2ca43e683d64297c915be620e2be84b2f22c1da21045249ed1490f03
+F src/btree.c b699db0283d6a68f9ebafc8559a63c40eb1b3fdeed3e448c8d8ba3a648c914a2
 F src/btree.h e823c46d87f63d904d735a24b76146d19f51f04445ea561f71cc3382fd1307f0
 F src/btreeInt.h 9c0f9ea5c9b5f4dcaea18111d43efe95f2ac276cd86d770dce10fd99ccc93886
 F src/build.c 8581de0af3b6c448f5d64e2d18a91ac1e7057b3bcb8b8827e1240f80d87486a4
@@ -2199,9 +2199,9 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P f2a8ae2251561f2255c2974914293647cf304c6db79de9da957755fccaf8a8b6
-Q +78eaa605cb6c14e5bd49a898b4c737957bd60c8714913cc2341f4ffe3bfe81fe
-R 6bc5782cccdca586113cb0e4025d93e7
+P 69554ec4e8354e8573071bc423e2dbd0059058388481be3e76fcb7c0fc1ff467
+Q +dfa674d6e6bffdb930dbefa767831db7862c322b6d3c7a6322f0fa0f087aaaf9
+R 6720d86b55a7d4bc94312afbba0be7c7
 U drh
-Z 6fdc2347a7f0dec009e4421d82865621
+Z 98c44a23a6dc62cccc38080934b0ae3d
 # Remove this line to create a well-formed Fossil manifest.
index bf6b01e33d69ef8a6e1e8740fd0d1265e596b351..70f2ab599ccde6f58c51130628440d0a29e8e5b0 100644 (file)
@@ -1 +1 @@
-69554ec4e8354e8573071bc423e2dbd0059058388481be3e76fcb7c0fc1ff467
+093e23814e35f0cd0a4bded29b79ddecd7835626d9fe627bfbf4eb138403277f
index 8e6f3f107947e020b71da0b2d48f4a9917c65e23..56a826ef6941d6f629a1b4bbc5b3308328420b9a 100644 (file)
@@ -5185,7 +5185,9 @@ static int accessPayload(
     ** means "not yet known" (the cache is lazily populated).
     */
     if( (pCur->curFlags & BTCF_ValidOvfl)==0 ){
-      int nOvfl = (pCur->info.nPayload-pCur->info.nLocal+ovflSize-1)/ovflSize;
+      i64 nOvfl = pCur->info.nPayload;
+      testcase( nOvfl - pCur->info.nLocal + ovflSize - 1 > 0xffffffffU );
+      nOvfl = (nOvfl - pCur->info.nLocal + ovflSize-1)/ovflSize;
       if( pCur->aOverflow==0
        || nOvfl*(int)sizeof(Pgno) > sqlite3MallocSize(pCur->aOverflow)
       ){
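Review bot: The new 64-bit computation starting at `i64 nOvfl = pCur->info.nPayload;` has no comment saying why the wider type is needed, so a later cleanup could fold it back into a single 32-bit expression. Judging from the `testcase()` line, the sum `nPayload - nLocal + ovflSize - 1` can exceed 0xffffffff for a very large payload size, which presumably wrapped before and gave an undersized overflow page cache; a comment above the declaration such as `/* Compute in 64 bits: the rounded-up sum can exceed 32 bits, and a wrapped value would undersize aOverflow[] */` would record that. The `(int)sizeof(Pgno)` cast in the comparison that follows is a leftover from the old `int` type, and any use of `nOvfl` in the allocation below the hunk should be checked to make sure it stays 64-bit rather than narrowing back to `int`. The body of accessPayload begins and ends outside the hunk, so the field types and the later uses of `nOvfl` are not visible here.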