Fix potential 32-bit integer overflow problems on the offset and length
parameters to sqlite3_blob_read() and sqlite3_blob_write(). For
sqlite3_blob_open(), make sure the *ppBlob return parameter is zeroed if
the interface fails with SQLITE_MISUSE.
FossilOrigin-Name: 5df02f50f8348dfde4fc15126abc7b7ef7803e69
diff --git a/src/vdbeblob.c b/src/vdbeblob.c
index cf1eb59..ea01f5c 100644
--- a/src/vdbeblob.c
+++ b/src/vdbeblob.c
@@ -154,12 +154,17 @@
Incrblob *pBlob = 0;
#ifdef SQLITE_ENABLE_API_ARMOR
- if( !sqlite3SafetyCheckOk(db) || ppBlob==0 || zTable==0 ){
+ if( ppBlob==0 ){
+ return SQLITE_MISUSE_BKPT;
+ }
+#endif
+ *ppBlob = 0;
+#ifdef SQLITE_ENABLE_API_ARMOR
+ if( !sqlite3SafetyCheckOk(db) || zTable==0 ){
return SQLITE_MISUSE_BKPT;
}
#endif
flags = !!flags; /* flags = (flags ? 1 : 0); */
- *ppBlob = 0;
sqlite3_mutex_enter(db->mutex);
@@ -373,7 +378,7 @@
sqlite3_mutex_enter(db->mutex);
v = (Vdbe*)p->pStmt;
- if( n<0 || iOffset<0 || (iOffset+n)>p->nByte ){
+ if( n<0 || iOffset<0 || ((sqlite3_int64)iOffset+n)>p->nByte ){
/* Request is out of range. Return a transient error. */
rc = SQLITE_ERROR;
}else if( v==0 ){