author | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-09-17 21:52:17 +0000 |
---|---|---|
committer | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-09-17 21:52:17 +0000 |
commit | 762940c0f3d7f737616c126671e22c3fdead521e (patch) | |
tree | 51f580f80672c09f80d6e10679aac51fec6b9d08 /third_party/sqlite/ext | |
parent | d6e783c039da0483f21668be6e9feb3f66b96ae5 (diff) | |
Tweak Carlos' change to cater for the additional cases:
- More (ordered) segments than we expect - would previously cause stack-based
buffer overflow.
- Less segments than we expect, where the missing segments are a strict
truncation rather than missing in the middle.
BUG=NONE
TEST=NONE
Review URL: http://codereview.chromium.org/209001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26493 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/sqlite/ext')
-rw-r--r-- | third_party/sqlite/ext/fts2/fts2.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/third_party/sqlite/ext/fts2/fts2.c b/third_party/sqlite/ext/fts2/fts2.c
index 8b66a525..0edc1e5 100644
--- a/third_party/sqlite/ext/fts2/fts2.c
+++ b/third_party/sqlite/ext/fts2/fts2.c
@@ -5294,12 +5294,12 @@ static int leavesReadersInit(fulltext_vtab *v, int iLevel,
 if( sqlite3_column_type(s, 0)!=SQLITE_INTEGER ||
 sqlite3_column_type(s, 1)!=SQLITE_INTEGER ||
 sqlite3_column_type(s, 2)!=SQLITE_BLOB ||
- i != iIndex){
+ i!=iIndex ||
+ i>=MERGE_COUNT ){
 rc = SQLITE_CORRUPT_BKPT;
 break;
 }
- assert( i<MERGE_COUNT );
 rc = leavesReaderInit(v, i, iStart, iEnd, pRootData, nRootData, &pReaders[i]);
 if( rc!=SQLITE_OK ) break;
@@ -5394,10 +5394,14 @@ static int segmentMerge(fulltext_vtab *v, int iLevel){
 memset(&lrs, '\0', sizeof(lrs));
 rc = leavesReadersInit(v, iLevel, lrs, &i);
 if( rc!=SQLITE_OK ) return rc;
- assert( i==MERGE_COUNT );
 leafWriterInit(iLevel+1, idx, &writer);
+ if( i!=MERGE_COUNT ){
+ rc = SQLITE_CORRUPT_BKPT;
+ goto err;
+ }
+
 /* Since leavesReaderReorder() pushes readers at eof to the end,
 ** when the first reader is empty, all will be empty.
 */ |
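Review bot: The new `i>=MERGE_COUNT` test in leavesReadersInit is the only thing keeping `&pReaders[i]` inside the caller's array, and nothing at the condition says so. `pReaders` arrives without a length, so the guard depends on every caller passing at least MERGE_COUNT slots; the removed `assert( i<MERGE_COUNT )` would presumably have compiled away in NDEBUG builds, which is why this has to be a runtime check. I would add a comment above the condition along the lines of `/* Rows may come from a corrupt index: reject out-of-order idx values and more rows than the MERGE_COUNT slots in pReaders. */`. The loop and whatever cleanup follows the `break` lie outside the hunk, so it is worth confirming that readers already initialised for 0..i-1 are destroyed on this path, since the caller in the second hunk returns directly on a non-OK result.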
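Review bot: The `i!=MERGE_COUNT` check in segmentMerge sits after `leafWriterInit()` rather than directly after the `leavesReadersInit()` call it validates, and the reason for that ordering is not stated. Presumably the `err` label (outside the hunk) tears down both `writer` and the readers in `lrs`, so the writer has to be initialised before jumping there; a comment such as `/* Fewer readers than MERGE_COUNT means truncated segment data; leave via err so writer and lrs are cleaned up. */` would keep a later edit from moving the check back up. Because `lrs` was zeroed by the `memset` and only `i` entries were filled in, also confirm that the cleanup at `err` is safe on the untouched, zeroed readers. segmentMerge's body starts and ends outside the hunk.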