From 525fdb146b15ef6c42886fccf1b892388c2011d6 Mon Sep 17 00:00:00 2001
From: Dan Kennedy
Date: Wed, 9 Jan 2019 21:12:23 +0000
Subject: [PATCH 0730/1009] Fix an out-of-bounds read in SQL function fts5_decode() that could occur if it was passed a corrupt record.
https://github.com/mackyle/sqlite/commit/525fdb146b15ef6c42886fccf1b892388c2011d6
---
 ext/fts5/fts5_index.c | 6 +-
 1 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 268af5e..90dc0a5 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -6409,7 +6409,7 @@ static void fts5DecodeFunction(
 nDoclist = (iTermOff ? iTermOff : szLeaf) - iOff;
 fts5DecodeDoclist(&rc, &s, &a[iOff], nDoclist);
- while( iPgidxOffterm.n ){
+ rc = FTS5_CORRUPT;
+ goto decode_out;
+ }
 term.n = nByte;
 }
 iOff += fts5GetVarint32(&a[iOff], nByte);
--
1.8.3.1
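Review bot: The added guard that ends in `term.n ){` and jumps to `decode_out` with `rc = FTS5_CORRUPT` bounds the prefix length against the previous term, but the very next new-side line `iOff += fts5GetVarint32(&a[iOff], nByte);` still decodes a varint at `a[iOff]` with no visible check that iOff is below szLeaf, so a corrupt page that advances iOff to the end of the buffer can still read past it unless the enclosing loop bounds iOff somewhere outside this hunk. A check such as `if( iOff>=szLeaf ){ rc = FTS5_CORRUPT; goto decode_out; }` immediately before that varint read would close this path in the same style as the new guard. Note that this rendering has lost the text between `<` and `>` (the loop condition on the `-` line and the left-hand side of the new comparison are fused into `iPgidxOffterm.n`), so the while-condition change and the exact comparison cannot be verified here and should be checked against the actual patch. A regression test that feeds fts5_decode() a hand-built leaf record with a prefix length larger than the preceding term would pin the new rejection. The loop and fts5DecodeFunction() itself both begin before and continue past this hunk.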