From 536bdac3ff692d5ebf13d6b7ff129721444f281b Mon Sep 17 00:00:00 2001
From: Dan Kennedy
Date: Thu, 31 Jan 2019 14:37:18 +0000
Subject: [PATCH 0878/1009] Fix another buffer overrun that could occur when quering a corrupt database using an fts5vocab table.
https://github.com/mackyle/sqlite/commit/536bdac3ff692d5ebf13d6b7ff129721444f281b
---
 ext/fts5/fts5_index.c | 2 +-
 ext/fts5/fts5_vocab.c | 1 +
 1 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
index 32732b9..bb87714 100644
--- a/ext/fts5/fts5_index.c
+++ b/ext/fts5/fts5_index.c
@@ -1652,7 +1652,7 @@ static void fts5SegIterLoadTerm(Fts5Index *p, Fts5SegIter *pIter, int nKeep){
   int nNew;                       /* Bytes of new data */
   iOff += fts5GetVarint32(&a[iOff], nNew);
-  if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n ){
+  if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n || nNew==0 ){
     p->rc = FTS5_CORRUPT;
     return;
   }
diff --git a/ext/fts5/fts5_vocab.c b/ext/fts5/fts5_vocab.c
index bfb6821..2550c9d 100644
--- a/ext/fts5/fts5_vocab.c
+++ b/ext/fts5/fts5_vocab.c
@@ -484,6 +484,7 @@ static int fts5VocabNextMethod(sqlite3_vtab_cursor *pCursor){
   int nTerm;
   zTerm = sqlite3Fts5IterTerm(pCsr->pIter, &nTerm);
+  assert( nTerm>=0 );
   if( pCsr->nLeTerm>=0 ){
     int nCmp = MIN(nTerm, pCsr->nLeTerm);
     int bCmp = memcmp(pCsr->zLeTerm, zTerm, nCmp);
--
1.8.3.1
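Review bot: The new `nNew==0` test in the corruption check of fts5SegIterLoadTerm still lets a negative nNew through: nNew is a plain `int` filled from a varint, and if fts5GetVarint32 can yield a value above INT_MAX on corrupt input (I cannot see its declaration from here), the resulting negative length makes `iOff+nNew>pIter->pLeaf->szLeaf` false and `nNew==0` false, so the term append that follows the hunk would receive a negative byte count. Rejecting all non-positive lengths closes that path at no cost, `if( iOff+nNew>pIter->pLeaf->szLeaf || nKeep>pIter->term.n || nNew<=0 ){`. Note also that `iOff+nNew` is signed arithmetic and can overflow for nNew near INT_MAX, so a form such as `nNew>pIter->pLeaf->szLeaf-iOff` (with szLeaf>=iOff already established) avoids that UB. The body of fts5SegIterLoadTerm continues outside the hunk.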
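Review bot: The added `assert( nTerm>=0 )` in fts5VocabNextMethod is compiled out under NDEBUG, so in release builds a negative nTerm would still reach `MIN(nTerm, pCsr->nLeTerm)` and be converted to a huge size_t in the memcmp two lines below; the assert documents the invariant but is not itself a guard against corrupt data. If the intent is that the fts5_index.c change now guarantees nTerm>=0 for every term the iterator returns, a one-line comment above the assert saying so would make that dependency explicit, e.g. `/* fts5SegIterLoadTerm rejects terms with a non-positive length as FTS5_CORRUPT */`. If that guarantee is not considered complete, a runtime check returning the corruption error code this function already uses is the safer choice. fts5VocabNextMethod begins and ends outside the hunk.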