Index: src/shell.c.in ================================================================== --- src/shell.c.in +++ src/shell.c.in @@ -3889,10 +3889,12 @@ nLine++; if( fgets(zLine, sizeof(zLine), in)==0 ) goto readHexDb_error; rc = sscanf(zLine, "| size %d pagesize %d", &n, &pgsz); if( rc!=2 ) goto readHexDb_error; if( n<0 ) goto readHexDb_error; + if( pgsz<512 || pgsz>65536 || (pgsz&(pgsz-1))!=0 ) goto readHexDb_error; + n = (n+pgsz-1)&~(pgsz-1); /* Round n up to the next multiple of pgsz */ a = sqlite3_malloc( n ? n : 1 ); if( a==0 ){ utf8_printf(stderr, "Out of memory!\n"); goto readHexDb_error; } Index: src/test1.c ================================================================== --- src/test1.c +++ src/test1.c @@ -7738,10 +7738,15 @@ while( zIn[i]==' ' || zIn[i]=='\t' ){ i++; } if( a==0 ){ int pgsz; rc = sscanf(zIn+i, "| size %d pagesize %d", &n, &pgsz); if( rc!=2 ) continue; + if( pgsz<512 || pgsz>65536 || (pgsz&(pgsz-1))!=0 ){ + Tcl_AppendResult(interp, "bad 'pagesize' field", (void*)0); + return TCL_ERROR; + } + n = (n+pgsz-1)&~(pgsz-1); /* Round n up to the next multiple of pgsz */ if( n<512 ){ Tcl_AppendResult(interp, "bad 'size' field", (void*)0); return TCL_ERROR; } a = malloc( n );