Index: src/btree.c
==================================================================
--- src/btree.c
+++ src/btree.c
@@ -1333,11 +1333,15 @@
   ** and the reserved space is zero (the usual value for reserved space)
   ** then the cell content offset of an empty page wants to be 65536.
   ** However, that integer is too large to be stored in a 2-byte unsigned
   ** integer, so a value of 0 is used in its place. */
   top = get2byteNotZero(&data[hdr+5]);
-  if( gap>top || (u32)top>pPage->pBt->usableSize ) return SQLITE_CORRUPT_BKPT;
+  if( gap>top || NEVER((u32)top>pPage->pBt->usableSize) ){
+    /* The NEVER() is because a oversize "top" value will be blocked from
+    ** reaching this point by btreeInitPage() or btreeGetUnusedPage() */
+    return SQLITE_CORRUPT_BKPT;
+  }
 
   /* If there is enough space between gap and top for one more cell pointer
   ** array entry offset, and if the freelist is not empty, then search the
   ** freelist looking for a free slot big enough to satisfy the request.
   */

Index: src/tokenize.c
==================================================================
--- src/tokenize.c
+++ src/tokenize.c
@@ -448,11 +448,12 @@
       }
     }
   }
 abort_parse:
   assert( nErr==0 );
-  if( pParse->rc==SQLITE_OK && db->mallocFailed==0 && zSql[i]==0 ){
+  if( pParse->rc==SQLITE_OK && db->mallocFailed==0 ){
+    assert( zSql[i]==0 );
     if( lastTokenParsed!=TK_SEMI ){
       sqlite3Parser(pEngine, TK_SEMI, pParse->sLastToken, pParse);
       pParse->zTail = &zSql[i];
     }
     if( pParse->rc==SQLITE_OK && db->mallocFailed==0 ){