[sql] Prevent nChildren overrun decoding interior pages in recover.c.

third_party/sqlite/amalgamation/sqlite3.c

Index: third_party/sqlite/amalgamation/sqlite3.c
diff --git a/third_party/sqlite/amalgamation/sqlite3.c b/third_party/sqlite/amalgamation/sqlite3.c
index c0315fffb7d828b45e93e136db72b5e4c4a4d34a..81506c1fc4301590f23c2a1edb4da4911f71d6b9 100644
--- a/third_party/sqlite/amalgamation/sqlite3.c
+++ b/third_party/sqlite/amalgamation/sqlite3.c
@@ -110899,12 +110899,22 @@ static void interiorCursorSetPage(RecoverInteriorCursor *pCursor,
   pCursor->iChild = 0;
 
   /* A child for each cell, plus one in the header. */
-  /* TODO(shess): Sanity-check the count?  Page header plus per-cell
-   * cost of 16-bit offset, 32-bit page number, and one varint
-   * (minimum 1 byte).
-   */
   pCursor->nChildren = decodeUnsigned16(PageHeader(pPage) +
                                         kiPageCellCountOffset) + 1;
+
+  /* The maximum possible value for nChildren is:
+   *   (nPageSize - kiPageInteriorHeaderBytes) /
+   *      (sizeof(uint16) + sizeof(uint32) + 1) + 1
+   * Each child requires a 16-bit offset from an array after the header, and
+   * each child contains a 32-bit page number and at least a varint (min size of
+   * one byte).  The final child page is in the header.
+   */
+  const unsigned knMinCellLength = 2 + 4 + 1;
+  unsigned nMaxChildren =
+      (pCursor->nPageSize - kiPageInteriorHeaderBytes) / knMinCellLength + 1;
+  if (pCursor->nChildren > nMaxChildren) {
+    pCursor->nChildren = nMaxChildren;
+  }
 }
 
 static int interiorCursorCreate(RecoverInteriorCursor *pParent,