Index: src/shell.c.in
==================================================================
--- src/shell.c.in
+++ src/shell.c.in
@@ -3889,10 +3889,12 @@
   nLine++;
   if( fgets(zLine, sizeof(zLine), in)==0 ) goto readHexDb_error;
   rc = sscanf(zLine, "| size %d pagesize %d", &n, &pgsz);
   if( rc!=2 ) goto readHexDb_error;
   if( n<0 ) goto readHexDb_error;
+  if( pgsz<512 || pgsz>65536 || (pgsz&(pgsz-1))!=0 ) goto readHexDb_error;
+  n = (n+pgsz-1)&~(pgsz-1);  /* Round n up to the next multiple of pgsz */
   a = sqlite3_malloc( n ? n : 1 );
   if( a==0 ){
     utf8_printf(stderr, "Out of memory!\n");
     goto readHexDb_error;
   }

Index: src/test1.c
==================================================================
--- src/test1.c
+++ src/test1.c
@@ -7738,10 +7738,15 @@
     while( zIn[i]==' ' || zIn[i]=='\t' ){ i++; }
     if( a==0 ){
       int pgsz;
       rc = sscanf(zIn+i, "| size %d pagesize %d", &n, &pgsz);
       if( rc!=2 ) continue;
+      if( pgsz<512 || pgsz>65536 || (pgsz&(pgsz-1))!=0 ){
+        Tcl_AppendResult(interp, "bad 'pagesize' field", (void*)0);
+        return TCL_ERROR;
+      }
+      n = (n+pgsz-1)&~(pgsz-1);  /* Round n up to the next multiple of pgsz */
       if( n<512 ){
         Tcl_AppendResult(interp, "bad 'size' field", (void*)0);
         return TCL_ERROR;
       }
       a = malloc( n );