Index: src/btree.c
==================================================================
--- src/btree.c
+++ src/btree.c
@@ -1333,11 +1333,15 @@
   ** and the reserved space is zero (the usual value for reserved space)
   ** then the cell content offset of an empty page wants to be 65536.
   ** However, that integer is too large to be stored in a 2-byte unsigned
   ** integer, so a value of 0 is used in its place. */
   top = get2byteNotZero(&data[hdr+5]);
-  if( gap>top || (u32)top>pPage->pBt->usableSize ) return SQLITE_CORRUPT_BKPT;
+  if( gap>top || NEVER((u32)top>pPage->pBt->usableSize) ){
+    /* The NEVER() is because a oversize "top" value will be blocked from
+    ** reaching this point by btreeInitPage() or btreeGetUnusedPage() */
+    return SQLITE_CORRUPT_BKPT;
+  }
 
   /* If there is enough space between gap and top for one more cell pointer
   ** array entry offset, and if the freelist is not empty, then search the
   ** freelist looking for a free slot big enough to satisfy the request.
   */

Index: src/tokenize.c
==================================================================
--- src/tokenize.c
+++ src/tokenize.c
@@ -448,11 +448,12 @@
       }
     }
   }
 abort_parse:
   assert( nErr==0 );
-  if( pParse->rc==SQLITE_OK && db->mallocFailed==0 && zSql[i]==0 ){
+  if( pParse->rc==SQLITE_OK && db->mallocFailed==0 ){
+    assert( zSql[i]==0 );
     if( lastTokenParsed!=TK_SEMI ){
       sqlite3Parser(pEngine, TK_SEMI, pParse->sLastToken, pParse);
       pParse->zTail = &zSql[i];
     }
     if( pParse->rc==SQLITE_OK && db->mallocFailed==0 ){
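Review bot: Wrapping the usableSize bound in NEVER() turns a corruption check into a debug-build assertion, so the added comment should state the invariant it depends on rather than just name the functions that are believed to enforce it; as written, a page reaching this point through any path that skips those checks would abort under SQLITE_DEBUG instead of returning SQLITE_CORRUPT_BKPT (release builds still take the return, since NEVER(X) evaluates X there). I would rewrite the comment as `/* NEVER(): btreeInitPage() and btreeGetUnusedPage() reject pages whose cell-content offset exceeds usableSize, so top<=usableSize is already established; gap>top is still a live check because gap depends on the cell count */`, which also fixes "a oversize". Leaving `gap>top` outside NEVER() is correct and worth keeping. The enclosing function starts and ends outside this hunk, so I cannot confirm from here that every caller goes through one of the two named functions.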
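Review bot: Moving `zSql[i]==0` from the condition into an assert() removes the guard entirely in NDEBUG builds, so the trailing TK_SEMI feed and `pParse->zTail = &zSql[i]` now rely on every jump to abort_parse having set pParse->rc or db->mallocFailed when input remains; the loop that makes those jumps is outside this hunk, so that invariant cannot be checked here. The assert documents the expectation but not the reason, so I would put the reason next to it: `/* Every early exit to abort_parse sets pParse->rc or db->mallocFailed, so rc==SQLITE_OK here implies the whole of zSql was consumed */`. If any exit path can leave rc at SQLITE_OK with zSql[i]!=0, zTail would point into the middle of the statement in release builds, so that path would need to set rc before jumping. The enclosing function starts and ends outside the hunk.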