Upstream version 5.34.104.0

[platform/framework/web/crosswalk.git] / src / third_party / sqlite / amalgamation / sqlite3.c

diff --git a/src/third_party/sqlite/amalgamation/sqlite3.c b/src/third_party/sqlite/amalgamation/sqlite3.c
index 5dfdd2c..c0315ff 100644 (file)
--- a/src/third_party/sqlite/amalgamation/sqlite3.c
+++ b/src/third_party/sqlite/amalgamation/sqlite3.c
@@ -111521,6 +111521,7 @@ static int ValidateError(){
 /* Setup the cursor for reading the information from cell iCell. */
 static int leafCursorCellDecode(RecoverLeafCursor *pCursor){
   const unsigned char *pPageHeader;  /* Header of current page. */
+  const unsigned char *pPageEnd;     /* Byte after end of current page. */
   const unsigned char *pCellOffsets; /* Pointer to page's cell offsets. */
   unsigned iCellOffset;              /* Offset of current cell (iCell). */
   const unsigned char *pCell;        /* Pointer to data at iCellOffset. */
@@ -111543,6 +111544,10 @@ static int leafCursorCellDecode(RecoverLeafCursor *pCursor){
   /* Find the offset to the row. */
   pPageHeader = PageHeader(pCursor->pPage);
   pCellOffsets = pPageHeader + knPageLeafHeaderBytes;
+  pPageEnd = PageData(pCursor->pPage, pCursor->nPageSize);
+  if( pCellOffsets + pCursor->iCell*2 + 2 > pPageEnd ){
+    return ValidateError();
+  }
   iCellOffset = decodeUnsigned16(pCellOffsets + pCursor->iCell*2);
   if( iCellOffset>=pCursor->nPageSize ){
     return ValidateError();
@@ -111584,7 +111589,7 @@ static int leafCursorCellDecode(RecoverLeafCursor *pCursor){
 
   /* Check that no other cell starts within this cell. */
   iEndOffset = pCursor->iRecordOffset + pCursor->nLocalRecordBytes;
-  for( i=0; i<pCursor->nCells; ++i ){
+  for( i=0; i<pCursor->nCells && pCellOffsets + i*2 + 2 <= pPageEnd; ++i ){
     const unsigned iOtherOffset = decodeUnsigned16(pCellOffsets + i*2);
     if( iOtherOffset>iCellOffset && iOtherOffset<iEndOffset ){
       return ValidateError();