X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;ds=sidebyside;f=src%2Fthird_party%2Fsqlite%2Famalgamation%2Fsqlite3.c;h=c0315fffb7d828b45e93e136db72b5e4c4a4d34a;hb=ff3e2503a20db9193d323c1d19c38c68004dec4a;hp=5dfdd2c0b106d37fbe793533373720ecdafa70d4;hpb=7338fba38ba696536d1cc9d389afd716a6ab2fe6;p=platform%2Fframework%2Fweb%2Fcrosswalk.git
diff --git a/src/third_party/sqlite/amalgamation/sqlite3.c b/src/third_party/sqlite/amalgamation/sqlite3.c
index 5dfdd2c..c0315ff 100644
--- a/src/third_party/sqlite/amalgamation/sqlite3.c
+++ b/src/third_party/sqlite/amalgamation/sqlite3.c
@@ -111521,6 +111521,7 @@ static int ValidateError(){
 /* Setup the cursor for reading the information from cell iCell. */
 static int leafCursorCellDecode(RecoverLeafCursor *pCursor){
 const unsigned char *pPageHeader; /* Header of current page. */
+ const unsigned char *pPageEnd; /* Byte after end of current page. */
 const unsigned char *pCellOffsets; /* Pointer to page's cell offsets. */
 unsigned iCellOffset; /* Offset of current cell (iCell). */
 const unsigned char *pCell; /* Pointer to data at iCellOffset. */
@@ -111543,6 +111544,10 @@ static int leafCursorCellDecode(RecoverLeafCursor *pCursor){
 /* Find the offset to the row. */
 pPageHeader = PageHeader(pCursor->pPage);
 pCellOffsets = pPageHeader + knPageLeafHeaderBytes;
+ pPageEnd = PageData(pCursor->pPage, pCursor->nPageSize);
+ if( pCellOffsets + pCursor->iCell*2 + 2 > pPageEnd ){
+ return ValidateError();
+ }
 iCellOffset = decodeUnsigned16(pCellOffsets + pCursor->iCell*2);
 if( iCellOffset>=pCursor->nPageSize ){
 return ValidateError();
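Review bot: The added guard `pCellOffsets + pCursor->iCell*2 + 2 > pPageEnd` performs its bounds test in pointer space, so for a large iCell the left-hand side is already a pointer beyond one-past-the-end of the page buffer before the comparison runs; that is undefined behaviour in C, and the check can wrap or be folded away by the compiler. Comparing counts instead keeps the test well-defined and also sidesteps any wrap in `iCell*2 + 2`: `if( pCursor->iCell >= (size_t)(pPageEnd - pCellOffsets)/2 ){`. The declared type of iCell and the guarantee that pPageEnd is not below pCellOffsets are not visible here, so both should be confirmed against the struct and PageData(). The loop condition added in the third hunk (`pCellOffsets + i*2 + 2 <= pPageEnd`) uses the same pointer-form comparison and would benefit from the same rewrite. leafCursorCellDecode begins and ends outside this hunk.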
@@ -111584,7 +111589,7 @@ static int leafCursorCellDecode(RecoverLeafCursor *pCursor){ /* Check that no other cell starts within this cell. */ iEndOffset = pCursor->iRecordOffset + pCursor->nLocalRecordBytes; - for( i=0; inCells; ++i ){ + for( i=0; inCells && pCellOffsets + i*2 + 2 <= pPageEnd; ++i ){ const unsigned iOtherOffset = decodeUnsigned16(pCellOffsets + i*2); if( iOtherOffset>iCellOffset && iOtherOffset