From 2b256aaaae3c32e69a5a4c24d7bb22bbc7232f88 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp"
Date: Mon, 1 Oct 2018 13:54:30 +0000
Subject: [PATCH 0435/1009] Fix a potential crash that can occur while reading an index from a corrupt database file. The corruption is a record-header-size that is larger than 0x7fffffff. Problem detected by OSSFuzz against GDAL and reported to us (with a suggested fix) by Even Rouault. The test case is in TH3.

https://github.com/mackyle/sqlite/commit/2b256aaaae3c32e69a5a4c24d7bb22bbc7232f88
---
 src/vdbeaux.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index 5ec3d13..99df435 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -4557,7 +4557,9 @@ int sqlite3VdbeIdxRowid(sqlite3 *db, BtCursor *pCur, i64 *rowid){
 (void)getVarint32((u8*)m.z, szHdr);
 testcase( szHdr==3 );
 testcase( szHdr==m.n );
- if( unlikely(szHdr<3 || (int)szHdr>m.n) ){
+ testcase( szHdr>0x7fffffff );
+ assert( m.n>=0 );
+ if( unlikely(szHdr<3 || szHdr>(unsigned)m.n) ){
 goto idx_rowid_corruption;
 }
--
1.8.3.1
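Review bot: The rewritten guard on the third added line is only sound because m.n is non-negative, and that precondition is enforced solely by an `assert()` that is compiled out under NDEBUG — if m.n could ever be negative, `(unsigned)m.n` would become a huge bound and the corruption check would pass silently. That is presumably acceptable because m.n is a length filled in earlier in the function (outside the hunk), but the reason the cast direction matters deserves a comment on the `if`, since the previous `(int)szHdr` cast looked just as plausible to a reader: `/* szHdr is an unsigned value decoded straight from the file; casting it to int let sizes >0x7fffffff go negative and bypass this check. m.n is >=0 (asserted above), so the comparison is done unsigned. */`. The rest of sqlite3VdbeIdxRowid, including the idx_rowid_corruption label and the code that fills m, lies outside the hunk.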