/ Check-in [17349a49]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Changes to help ensure that a multiplication does not overflow when computing the number of bytes needed for a memory allocation, and cause a malfunction. No problems existing problems were discovered. However, these changes should help to ensure that no problems arise in the future.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | safer-malloc
Files: files | file ages | folders
SHA1: 17349a49d2db61c70e04e19f024b47e34737e78e
User & Date: drh 2014-05-19 15:16:11
Context
2014-05-19
19:26
Fix harmless compiler warnings in MSVC. Leaf check-in: aa7e2041 user: drh tags: safer-malloc
15:16
Changes to help ensure that a multiplication does not overflow when computing the number of bytes needed for a memory allocation, and cause a malfunction. No problems existing problems were discovered. However, these changes should help to ensure that no problems arise in the future. check-in: 17349a49 user: drh tags: safer-malloc
2014-05-17
16:56
Internally, use a 64-bit integers for segment level numbers. check-in: 8180e320 user: dan tags: trunk
Changes
Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Changes to src/alter.c.

   792    792     if( !pNew ) goto exit_begin_add_column;
   793    793     pParse->pNewTable = pNew;
   794    794     pNew->nRef = 1;
   795    795     pNew->nCol = pTab->nCol;
   796    796     assert( pNew->nCol>0 );
   797    797     nAlloc = (((pNew->nCol-1)/8)*8)+8;
   798    798     assert( nAlloc>=pNew->nCol && nAlloc%8==0 && nAlloc-pNew->nCol<8 );
   799         -  pNew->aCol = (Column*)sqlite3DbMallocZero(db, sizeof(Column)*nAlloc);
          799  +  pNew->aCol = (Column*)sqlite3DbMallocZero(db, sizeof(Column)*(i64)nAlloc);
   800    800     pNew->zName = sqlite3MPrintf(db, "sqlite_altertab_%s", pTab->zName);
   801    801     if( !pNew->aCol || !pNew->zName ){
   802    802       db->mallocFailed = 1;
   803    803       goto exit_begin_add_column;
   804    804     }
   805    805     memcpy(pNew->aCol, pTab->aCol, sizeof(Column)*pNew->nCol);
   806    806     for(i=0; i<pNew->nCol; i++){

Changes to src/analyze.c.

   815    815       ** rows, then each estimate is computed as:
   816    816       **
   817    817       **        I = (K+D-1)/D
   818    818       */
   819    819       char *z;
   820    820       int i;
   821    821   
   822         -    char *zRet = sqlite3MallocZero(p->nCol * 25);
          822  +    char *zRet = sqlite3MallocZero((i64)p->nCol * 25);
   823    823       if( zRet==0 ){
   824    824         sqlite3_result_error_nomem(context);
   825    825         return;
   826    826       }
   827    827   
   828    828       sqlite3_snprintf(24, zRet, "%llu", (u64)p->nRow);
   829    829       z = zRet + sqlite3Strlen30(zRet);
................................................................................
   866    866           break;
   867    867         }
   868    868       }
   869    869   
   870    870       if( IsStat3 ){
   871    871         sqlite3_result_int64(context, (i64)aCnt[0]);
   872    872       }else{
   873         -      char *zRet = sqlite3MallocZero(p->nCol * 25);
          873  +      char *zRet = sqlite3MallocZero((i64)p->nCol * 25);
   874    874         if( zRet==0 ){
   875    875           sqlite3_result_error_nomem(context);
   876    876         }else{
   877    877           int i;
   878    878           char *z = zRet;
   879    879           for(i=0; i<p->nCol; i++){
   880    880             sqlite3_snprintf(24, z, "%llu ", (u64)aCnt[i]);
................................................................................
   994    994       int addrNextRow;              /* Address of "next_row:" */
   995    995       const char *zIdxName;         /* Name of the index */
   996    996   
   997    997       if( pOnlyIdx && pOnlyIdx!=pIdx ) continue;
   998    998       if( pIdx->pPartIdxWhere==0 ) needTableCnt = 0;
   999    999       VdbeNoopComment((v, "Begin analysis of %s", pIdx->zName));
  1000   1000       nCol = pIdx->nKeyCol;
         1001  +    assert( sizeof(pIdx->nKeyCol)==2 && nCol<=0xffff );
  1001   1002       aGotoChng = sqlite3DbMallocRaw(db, sizeof(int)*(nCol+1));
  1002   1003       if( aGotoChng==0 ) continue;
  1003   1004   
  1004   1005       /* Populate the register containing the index name. */
  1005   1006       if( pIdx->autoIndex==2 && !HasRowid(pTab) ){
  1006   1007         zIdxName = pTab->zName;
  1007   1008       }else{
................................................................................
  1584   1585   
  1585   1586     while( sqlite3_step(pStmt)==SQLITE_ROW ){
  1586   1587       int nIdxCol = 1;              /* Number of columns in stat4 records */
  1587   1588       int nAvgCol = 1;              /* Number of entries in Index.aAvgEq */
  1588   1589   
  1589   1590       char *zIndex;   /* Index name */
  1590   1591       Index *pIdx;    /* Pointer to the index object */
  1591         -    int nSample;    /* Number of samples */
  1592         -    int nByte;      /* Bytes of space required */
         1592  +    i64 nSample;    /* Number of samples */
         1593  +    i64 nByte;      /* Bytes of space required */
  1593   1594       int i;          /* Bytes of space required */
  1594   1595       tRowcnt *pSpace;
  1595   1596   
  1596   1597       zIndex = (char *)sqlite3_column_text(pStmt, 0);
  1597   1598       if( zIndex==0 ) continue;
  1598   1599       nSample = sqlite3_column_int(pStmt, 1);
  1599   1600       pIdx = findIndexOrPrimaryKey(db, zIndex, zDb);

Changes to src/attach.c.

   109    109     ** hash tables.
   110    110     */
   111    111     if( db->aDb==db->aDbStatic ){
   112    112       aNew = sqlite3DbMallocRaw(db, sizeof(db->aDb[0])*3 );
   113    113       if( aNew==0 ) return;
   114    114       memcpy(aNew, db->aDb, sizeof(db->aDb[0])*2);
   115    115     }else{
   116         -    aNew = sqlite3DbRealloc(db, db->aDb, sizeof(db->aDb[0])*(db->nDb+1) );
          116  +    aNew = sqlite3DbRealloc(db, db->aDb, sizeof(db->aDb[0])*(i64)(db->nDb+1) );
   117    117       if( aNew==0 ) return;
   118    118     }
   119    119     db->aDb = aNew;
   120    120     aNew = &db->aDb[db->nDb];
   121    121     memset(aNew, 0, sizeof(*aNew));
   122    122   
   123    123     /* Open the database file. If the btree is successfully opened, use

Changes to src/btree.c.

   602    602     /* If this is an intKey table, then the above call to BtreeKeySize()
   603    603     ** stores the integer key in pCur->nKey. In this case this value is
   604    604     ** all that is required. Otherwise, if pCur is not open on an intKey
   605    605     ** table, then malloc space for and store the pCur->nKey bytes of key 
   606    606     ** data.
   607    607     */
   608    608     if( 0==pCur->apPage[0]->intKey ){
   609         -    void *pKey = sqlite3Malloc( (int)pCur->nKey );
          609  +    void *pKey = sqlite3Malloc( pCur->nKey );
   610    610       if( pKey ){
   611    611         rc = sqlite3BtreeKey(pCur, 0, (int)pCur->nKey, pKey);
   612    612         if( rc==SQLITE_OK ){
   613    613           pCur->pKey = pKey;
   614    614         }else{
   615    615           sqlite3_free(pKey);
   616    616         }
................................................................................
  4018   4018       ** stored in aOverflow[0], etc. A value of 0 in the aOverflow[] array
  4019   4019       ** means "not yet known" (the cache is lazily populated).
  4020   4020       */
  4021   4021       if( eOp!=2 && (pCur->curFlags & BTCF_ValidOvfl)==0 ){
  4022   4022         int nOvfl = (pCur->info.nPayload-pCur->info.nLocal+ovflSize-1)/ovflSize;
  4023   4023         if( nOvfl>pCur->nOvflAlloc ){
  4024   4024           Pgno *aNew = (Pgno*)sqlite3DbRealloc(
  4025         -            pCur->pBtree->db, pCur->aOverflow, nOvfl*2*sizeof(Pgno)
         4025  +            pCur->pBtree->db, pCur->aOverflow, (i64)nOvfl*2*sizeof(Pgno)
  4026   4026           );
  4027   4027           if( aNew==0 ){
  4028   4028             rc = SQLITE_NOMEM;
  4029   4029           }else{
  4030   4030             pCur->nOvflAlloc = nOvfl*2;
  4031   4031             pCur->aOverflow = aNew;
  4032   4032           }

Changes to src/build.c.

  1032   1032         sqlite3ErrorMsg(pParse, "duplicate column name: %s", z);
  1033   1033         sqlite3DbFree(db, z);
  1034   1034         return;
  1035   1035       }
  1036   1036     }
  1037   1037     if( (p->nCol & 0x7)==0 ){
  1038   1038       Column *aNew;
  1039         -    aNew = sqlite3DbRealloc(db,p->aCol,(p->nCol+8)*sizeof(p->aCol[0]));
         1039  +    aNew = sqlite3DbRealloc(db,p->aCol,(i64)(p->nCol+8)*sizeof(p->aCol[0]));
  1040   1040       if( aNew==0 ){
  1041   1041         sqlite3DbFree(db, z);
  1042   1042         return;
  1043   1043       }
  1044   1044       p->aCol = aNew;
  1045   1045     }
  1046   1046     pCol = &p->aCol[p->nCol];
................................................................................
  1487   1487       zSep2 = ",";
  1488   1488       zEnd = ")";
  1489   1489     }else{
  1490   1490       zSep = "\n  ";
  1491   1491       zSep2 = ",\n  ";
  1492   1492       zEnd = "\n)";
  1493   1493     }
         1494  +  assert( sizeof(p->nCol)==2 );
  1494   1495     n += 35 + 6*p->nCol;
  1495   1496     zStmt = sqlite3DbMallocRaw(0, n);
  1496   1497     if( zStmt==0 ){
  1497   1498       db->mallocFailed = 1;
  1498   1499       return 0;
  1499   1500     }
  1500   1501     sqlite3_snprintf(n, zStmt, "CREATE TABLE ");
................................................................................
  1538   1539   
  1539   1540   /*
  1540   1541   ** Resize an Index object to hold N columns total.  Return SQLITE_OK
  1541   1542   ** on success and SQLITE_NOMEM on an OOM error.
  1542   1543   */
  1543   1544   static int resizeIndexObject(sqlite3 *db, Index *pIdx, int N){
  1544   1545     char *zExtra;
  1545         -  int nByte;
         1546  +  i64 nByte;
  1546   1547     if( pIdx->nColumn>=N ) return SQLITE_OK;
  1547   1548     assert( pIdx->isResized==0 );
  1548         -  nByte = (sizeof(char*) + sizeof(i16) + 1)*N;
         1549  +  nByte = (sizeof(char*) + sizeof(i16) + 1)*(i64)N;
  1549   1550     zExtra = sqlite3DbMallocZero(db, nByte);
  1550   1551     if( zExtra==0 ) return SQLITE_NOMEM;
  1551   1552     memcpy(zExtra, pIdx->azColl, sizeof(char*)*pIdx->nColumn);
  1552   1553     pIdx->azColl = (char**)zExtra;
  1553   1554     zExtra += sizeof(char*)*N;
  1554   1555     memcpy(zExtra, pIdx->aiColumn, sizeof(i16)*pIdx->nColumn);
  1555   1556     pIdx->aiColumn = (i16*)zExtra;
................................................................................
  2499   2500     int flags            /* Conflict resolution algorithms. */
  2500   2501   ){
  2501   2502     sqlite3 *db = pParse->db;
  2502   2503   #ifndef SQLITE_OMIT_FOREIGN_KEY
  2503   2504     FKey *pFKey = 0;
  2504   2505     FKey *pNextTo;
  2505   2506     Table *p = pParse->pNewTable;
  2506         -  int nByte;
         2507  +  i64 nByte;
  2507   2508     int i;
  2508   2509     int nCol;
  2509   2510     char *z;
  2510   2511   
  2511   2512     assert( pTo!=0 );
  2512   2513     if( p==0 || IN_DECLARE_VTAB ) goto fk_end;
  2513   2514     if( pFromCol==0 ){
................................................................................
  2524   2525       sqlite3ErrorMsg(pParse,
  2525   2526           "number of columns in foreign key does not match the number of "
  2526   2527           "columns in the referenced table");
  2527   2528       goto fk_end;
  2528   2529     }else{
  2529   2530       nCol = pFromCol->nExpr;
  2530   2531     }
  2531         -  nByte = sizeof(*pFKey) + (nCol-1)*sizeof(pFKey->aCol[0]) + pTo->n + 1;
         2532  +  nByte = sizeof(*pFKey) + (i64)(nCol-1)*sizeof(pFKey->aCol[0]) + pTo->n + 1;
  2532   2533     if( pToCol ){
  2533   2534       for(i=0; i<pToCol->nExpr; i++){
  2534   2535         nByte += sqlite3Strlen30(pToCol->a[i].zName) + 1;
  2535   2536       }
  2536   2537     }
  2537   2538     pFKey = sqlite3DbMallocZero(db, nByte );
  2538   2539     if( pFKey==0 ){
................................................................................
  3375   3376     int *pnEntry,     /* Number of objects currently in use */
  3376   3377     int *pIdx         /* Write the index of a new slot here */
  3377   3378   ){
  3378   3379     char *z;
  3379   3380     int n = *pnEntry;
  3380   3381     if( (n & (n-1))==0 ){
  3381   3382       int sz = (n==0) ? 1 : 2*n;
  3382         -    void *pNew = sqlite3DbRealloc(db, pArray, sz*szEntry);
         3383  +    void *pNew = sqlite3DbRealloc(db, pArray, sz*(i64)szEntry);
  3383   3384       if( pNew==0 ){
  3384   3385         *pIdx = -1;
  3385   3386         return pArray;
  3386   3387       }
  3387   3388       pArray = pNew;
  3388   3389     }
  3389   3390     z = (char*)pArray;
................................................................................
  3481   3482   
  3482   3483     /* Allocate additional space if needed */
  3483   3484     if( (u32)pSrc->nSrc+nExtra>pSrc->nAlloc ){
  3484   3485       SrcList *pNew;
  3485   3486       int nAlloc = pSrc->nSrc+nExtra;
  3486   3487       int nGot;
  3487   3488       pNew = sqlite3DbRealloc(db, pSrc,
  3488         -               sizeof(*pSrc) + (nAlloc-1)*sizeof(pSrc->a[0]) );
         3489  +               sizeof(*pSrc) + (nAlloc-1)*(i64)sizeof(pSrc->a[0]) );
  3489   3490       if( pNew==0 ){
  3490   3491         assert( db->mallocFailed );
  3491   3492         return pSrc;
  3492   3493       }
  3493   3494       pSrc = pNew;
  3494   3495       nGot = (sqlite3DbMallocSize(db, pNew) - sizeof(*pSrc))/sizeof(pSrc->a[0])+1;
  3495   3496       pSrc->nAlloc = nGot;
................................................................................
  4198   4199         if( sqlite3StrICmp(zName, pWith->a[i].zName)==0 ){
  4199   4200           sqlite3ErrorMsg(pParse, "duplicate WITH table name: %s", zName);
  4200   4201         }
  4201   4202       }
  4202   4203     }
  4203   4204   
  4204   4205     if( pWith ){
  4205         -    int nByte = sizeof(*pWith) + (sizeof(pWith->a[1]) * pWith->nCte);
         4206  +    i64 nByte = sizeof(*pWith) + (sizeof(pWith->a[1])*(i64)pWith->nCte);
  4206   4207       pNew = sqlite3DbRealloc(db, pWith, nByte);
  4207   4208     }else{
  4208   4209       pNew = sqlite3DbMallocZero(db, sizeof(*pWith));
  4209   4210     }
  4210   4211     assert( zName!=0 || pNew==0 );
  4211   4212     assert( db->mallocFailed==0 || pNew==0 );
  4212   4213   

Changes to src/date.c.

   938    938     testcase( n==(u64)db->aLimit[SQLITE_LIMIT_LENGTH] );
   939    939     if( n<sizeof(zBuf) ){
   940    940       z = zBuf;
   941    941     }else if( n>(u64)db->aLimit[SQLITE_LIMIT_LENGTH] ){
   942    942       sqlite3_result_error_toobig(context);
   943    943       return;
   944    944     }else{
   945         -    z = sqlite3DbMallocRaw(db, (int)n);
          945  +    z = sqlite3DbMallocRaw(db, n);
   946    946       if( z==0 ){
   947    947         sqlite3_result_error_nomem(context);
   948    948         return;
   949    949       }
   950    950     }
   951    951     computeJD(&x);
   952    952     computeYMD_HMS(&x);

Changes to src/expr.c.

   661    661           }
   662    662         }
   663    663         if( x==0 ) x = pExpr->iColumn = (ynVar)(++pParse->nVar);
   664    664       }
   665    665       if( x>0 ){
   666    666         if( x>pParse->nzVar ){
   667    667           char **a;
   668         -        a = sqlite3DbRealloc(db, pParse->azVar, x*sizeof(a[0]));
          668  +        a = sqlite3DbRealloc(db, pParse->azVar, (i64)x*sizeof(a[0]));
   669    669           if( a==0 ) return;  /* Error reported through db->mallocFailed */
   670    670           pParse->azVar = a;
   671    671           memset(&a[pParse->nzVar], 0, (x-pParse->nzVar)*sizeof(a[0]));
   672    672           pParse->nzVar = x;
   673    673         }
   674    674         if( z[0]!='?' || pParse->azVar[x-1]==0 ){
   675    675           sqlite3DbFree(db, pParse->azVar[x-1]);
................................................................................
   906    906   ** argument. If an OOM condition is encountered, NULL is returned
   907    907   ** and the db->mallocFailed flag set.
   908    908   */
   909    909   #ifndef SQLITE_OMIT_CTE
   910    910   static With *withDup(sqlite3 *db, With *p){
   911    911     With *pRet = 0;
   912    912     if( p ){
   913         -    int nByte = sizeof(*p) + sizeof(p->a[0]) * (p->nCte-1);
          913  +    i64 nByte = sizeof(*p) + sizeof(p->a[0]) * (i64)(p->nCte-1);
   914    914       pRet = sqlite3DbMallocZero(db, nByte);
   915    915       if( pRet ){
   916    916         int i;
   917    917         pRet->nCte = p->nCte;
   918    918         for(i=0; i<p->nCte; i++){
   919    919           pRet->a[i].pSelect = sqlite3SelectDup(db, p->a[i].pSelect, 0);
   920    920           pRet->a[i].pCols = sqlite3ExprListDup(db, p->a[i].pCols, 0);
................................................................................
   953    953     struct ExprList_item *pItem, *pOldItem;
   954    954     int i;
   955    955     if( p==0 ) return 0;
   956    956     pNew = sqlite3DbMallocRaw(db, sizeof(*pNew) );
   957    957     if( pNew==0 ) return 0;
   958    958     pNew->nExpr = i = p->nExpr;
   959    959     if( (flags & EXPRDUP_REDUCE)==0 ) for(i=1; i<p->nExpr; i+=i){}
   960         -  pNew->a = pItem = sqlite3DbMallocRaw(db,  i*sizeof(p->a[0]) );
          960  +  pNew->a = pItem = sqlite3DbMallocRaw(db,  (i64)i*sizeof(p->a[0]) );
   961    961     if( pItem==0 ){
   962    962       sqlite3DbFree(db, pNew);
   963    963       return 0;
   964    964     } 
   965    965     pOldItem = p->a;
   966    966     for(i=0; i<p->nExpr; i++, pItem++, pOldItem++){
   967    967       Expr *pOldExpr = pOldItem->pExpr;
................................................................................
   983    983   ** called with a NULL argument.
   984    984   */
   985    985   #if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_TRIGGER) \
   986    986    || !defined(SQLITE_OMIT_SUBQUERY)
   987    987   SrcList *sqlite3SrcListDup(sqlite3 *db, SrcList *p, int flags){
   988    988     SrcList *pNew;
   989    989     int i;
   990         -  int nByte;
          990  +  i64 nByte;
   991    991     if( p==0 ) return 0;
   992    992     nByte = sizeof(*p) + (p->nSrc>0 ? sizeof(p->a[0]) * (p->nSrc-1) : 0);
   993    993     pNew = sqlite3DbMallocRaw(db, nByte );
   994    994     if( pNew==0 ) return 0;
   995    995     pNew->nSrc = pNew->nAlloc = p->nSrc;
   996    996     for(i=0; i<p->nSrc; i++){
   997    997       struct SrcList_item *pNewItem = &pNew->a[i];
................................................................................
  1025   1025   IdList *sqlite3IdListDup(sqlite3 *db, IdList *p){
  1026   1026     IdList *pNew;
  1027   1027     int i;
  1028   1028     if( p==0 ) return 0;
  1029   1029     pNew = sqlite3DbMallocRaw(db, sizeof(*pNew) );
  1030   1030     if( pNew==0 ) return 0;
  1031   1031     pNew->nId = p->nId;
  1032         -  pNew->a = sqlite3DbMallocRaw(db, p->nId*sizeof(p->a[0]) );
         1032  +  pNew->a = sqlite3DbMallocRaw(db, (i64)p->nId*sizeof(p->a[0]) );
  1033   1033     if( pNew->a==0 ){
  1034   1034       sqlite3DbFree(db, pNew);
  1035   1035       return 0;
  1036   1036     }
  1037   1037     /* Note that because the size of the allocation for p->a[] is not
  1038   1038     ** necessarily a power of two, sqlite3IdListAppend() may not be called
  1039   1039     ** on the duplicate created by this function. */
................................................................................
  1099   1099         goto no_mem;
  1100   1100       }
  1101   1101       pList->a = sqlite3DbMallocRaw(db, sizeof(pList->a[0]));
  1102   1102       if( pList->a==0 ) goto no_mem;
  1103   1103     }else if( (pList->nExpr & (pList->nExpr-1))==0 ){
  1104   1104       struct ExprList_item *a;
  1105   1105       assert( pList->nExpr>0 );
  1106         -    a = sqlite3DbRealloc(db, pList->a, pList->nExpr*2*sizeof(pList->a[0]));
         1106  +    a = sqlite3DbRealloc(db, pList->a, (i64)pList->nExpr*2*sizeof(pList->a[0]));
  1107   1107       if( a==0 ){
  1108   1108         goto no_mem;
  1109   1109       }
  1110   1110       pList->a = a;
  1111   1111     }
  1112   1112     assert( pList->a!=0 );
  1113   1113     if( 1 ){

Changes to src/fkey.c.

   215    215       */
   216    216       if( pParent->iPKey>=0 ){
   217    217         if( !zKey ) return 0;
   218    218         if( !sqlite3StrICmp(pParent->aCol[pParent->iPKey].zName, zKey) ) return 0;
   219    219       }
   220    220     }else if( paiCol ){
   221    221       assert( nCol>1 );
   222         -    aiCol = (int *)sqlite3DbMallocRaw(pParse->db, nCol*sizeof(int));
          222  +    aiCol = (int *)sqlite3DbMallocRaw(pParse->db, (i64)nCol*sizeof(int));
   223    223       if( !aiCol ) return 1;
   224    224       *paiCol = aiCol;
   225    225     }
   226    226   
   227    227     for(pIdx=pParent->pIndex; pIdx; pIdx=pIdx->pNext){
   228    228       if( pIdx->nKeyCol==nCol && pIdx->onError!=OE_None ){ 
   229    229         /* pIdx is a UNIQUE index (or a PRIMARY KEY) and has the right number

Changes to src/func.c.

   389    389     assert( nByte>0 );
   390    390     testcase( nByte==db->aLimit[SQLITE_LIMIT_LENGTH] );
   391    391     testcase( nByte==db->aLimit[SQLITE_LIMIT_LENGTH]+1 );
   392    392     if( nByte>db->aLimit[SQLITE_LIMIT_LENGTH] ){
   393    393       sqlite3_result_error_toobig(context);
   394    394       z = 0;
   395    395     }else{
   396         -    z = sqlite3Malloc((int)nByte);
          396  +    z = sqlite3Malloc(nByte);
   397    397       if( !z ){
   398    398         sqlite3_result_error_nomem(context);
   399    399       }
   400    400     }
   401    401     return z;
   402    402   }
   403    403   

Changes to src/hash.c.

   116    116     ** allocation as a benign. Use sqlite3Malloc()/memset(0) instead of 
   117    117     ** sqlite3MallocZero() to make the allocation, as sqlite3MallocZero()
   118    118     ** only zeroes the requested number of bytes whereas this module will
   119    119     ** use the actual amount of space allocated for the hash table (which
   120    120     ** may be larger than the requested amount).
   121    121     */
   122    122     sqlite3BeginBenignMalloc();
   123         -  new_ht = (struct _ht *)sqlite3Malloc( new_size*sizeof(struct _ht) );
          123  +  new_ht = (struct _ht *)sqlite3Malloc( new_size*(i64)sizeof(struct _ht) );
   124    124     sqlite3EndBenignMalloc();
   125    125   
   126    126     if( new_ht==0 ) return 0;
   127    127     sqlite3_free(pH->ht);
   128    128     pH->ht = new_ht;
   129    129     pH->htsize = new_size = sqlite3MallocSize(new_ht)/sizeof(struct _ht);
   130    130     memset(new_ht, 0, new_size*sizeof(struct _ht));

Changes to src/insert.c.

   743    743     }
   744    744   
   745    745     /* If this is not a view, open the table and and all indices */
   746    746     if( !isView ){
   747    747       int nIdx;
   748    748       nIdx = sqlite3OpenTableAndIndices(pParse, pTab, OP_OpenWrite, -1, 0,
   749    749                                         &iDataCur, &iIdxCur);
   750         -    aRegIdx = sqlite3DbMallocRaw(db, sizeof(int)*(nIdx+1));
          750  +    aRegIdx = sqlite3DbMallocRaw(db, sizeof(int)*(i64)(nIdx+1));
   751    751       if( aRegIdx==0 ){
   752    752         goto insert_cleanup;
   753    753       }
   754    754       for(i=0; i<nIdx; i++){
   755    755         aRegIdx[i] = ++pParse->nMem;
   756    756       }
   757    757     }

Changes to src/legacy.c.

    69     69         rc = sqlite3_step(pStmt);
    70     70   
    71     71         /* Invoke the callback function if required */
    72     72         if( xCallback && (SQLITE_ROW==rc || 
    73     73             (SQLITE_DONE==rc && !callbackIsInit
    74     74                              && db->flags&SQLITE_NullCallback)) ){
    75     75           if( !callbackIsInit ){
    76         -          azCols = sqlite3DbMallocZero(db, 2*nCol*sizeof(const char*) + 1);
           76  +          azCols = sqlite3DbMallocZero(db, 2*(i64)nCol*sizeof(const char*) + 1);
    77     77             if( azCols==0 ){
    78     78               goto exec_out;
    79     79             }
    80     80             for(i=0; i<nCol; i++){
    81     81               azCols[i] = (char *)sqlite3_column_name(pStmt, i);
    82     82               /* sqlite3VdbeSetColName() installs column names as UTF8
    83     83               ** strings so there is no way for sqlite3_column_name() to fail. */

Changes to src/loadext.c.

   527    527       }
   528    528       sqlite3_free(zErrmsg);
   529    529       sqlite3OsDlClose(pVfs, handle);
   530    530       return SQLITE_ERROR;
   531    531     }
   532    532   
   533    533     /* Append the new shared library handle to the db->aExtension array. */
   534         -  aHandle = sqlite3DbMallocZero(db, sizeof(handle)*(db->nExtension+1));
          534  +  aHandle = sqlite3DbMallocZero(db, sizeof(handle)*(i64)(db->nExtension+1));
   535    535     if( aHandle==0 ){
   536    536       return SQLITE_NOMEM;
   537    537     }
   538    538     if( db->nExtension>0 ){
   539    539       memcpy(aHandle, db->aExtension, sizeof(handle)*db->nExtension);
   540    540     }
   541    541     sqlite3DbFree(db, db->aExtension);

Changes to src/main.c.

   554    554     if( sz<=(int)sizeof(LookasideSlot*) ) sz = 0;
   555    555     if( cnt<0 ) cnt = 0;
   556    556     if( sz==0 || cnt==0 ){
   557    557       sz = 0;
   558    558       pStart = 0;
   559    559     }else if( pBuf==0 ){
   560    560       sqlite3BeginBenignMalloc();
   561         -    pStart = sqlite3Malloc( sz*cnt );  /* IMP: R-61949-35727 */
          561  +    pStart = sqlite3Malloc( sz*(i64)cnt );  /* IMP: R-61949-35727 */
   562    562       sqlite3EndBenignMalloc();
   563    563       if( pStart ) cnt = sqlite3MallocSize(pStart)/sz;
   564    564     }else{
   565    565       pStart = pBuf;
   566    566     }
   567    567     db->lookaside.pStart = pStart;
   568    568     db->lookaside.pFree = 0;

Changes to src/malloc.c.

   290    290     return nFull;
   291    291   }
   292    292   
   293    293   /*
   294    294   ** Allocate memory.  This routine is like sqlite3_malloc() except that it
   295    295   ** assumes the memory subsystem has already been initialized.
   296    296   */
   297         -void *sqlite3Malloc(int n){
          297  +void *sqlite3Malloc(i64 n){
   298    298     void *p;
   299    299     if( n<=0               /* IMP: R-65312-04917 */ 
   300    300      || n>=0x7fffff00
   301    301     ){
   302    302       /* A memory allocation of a number of bytes which is near the maximum
   303    303       ** signed integer value might cause an integer overflow inside of the
   304    304       ** xMalloc().  Hence we limit the maximum size to 0x7fffff00, giving
   305    305       ** 255 bytes of overhead.  SQLite itself will never use anything near
   306    306       ** this amount.  The only way to reach the limit is with sqlite3_malloc() */
   307    307       p = 0;
   308    308     }else if( sqlite3GlobalConfig.bMemstat ){
   309    309       sqlite3_mutex_enter(mem0.mutex);
   310         -    mallocWithAlarm(n, &p);
          310  +    mallocWithAlarm((int)n, &p);
   311    311       sqlite3_mutex_leave(mem0.mutex);
   312    312     }else{
   313         -    p = sqlite3GlobalConfig.m.xMalloc(n);
          313  +    p = sqlite3GlobalConfig.m.xMalloc((int)n);
   314    314     }
   315    315     assert( EIGHT_BYTE_ALIGNMENT(p) );  /* IMP: R-04675-44850 */
   316    316     return p;
   317    317   }
   318    318   
   319    319   /*
   320    320   ** This version of the memory allocation is for use by the application.
................................................................................
   509    509     sqlite3MemdebugSetType(p, MEMTYPE_HEAP);
   510    510     sqlite3_free(p);
   511    511   }
   512    512   
   513    513   /*
   514    514   ** Change the size of an existing memory allocation
   515    515   */
   516         -void *sqlite3Realloc(void *pOld, int nBytes){
          516  +void *sqlite3Realloc(void *pOld, i64 nBytes){
   517    517     int nOld, nNew, nDiff;
   518    518     void *pNew;
   519    519     if( pOld==0 ){
   520    520       return sqlite3Malloc(nBytes); /* IMP: R-28354-25769 */
   521    521     }
   522    522     if( nBytes<=0 ){
   523    523       sqlite3_free(pOld); /* IMP: R-31593-10574 */
................................................................................
   527    527       /* The 0x7ffff00 limit term is explained in comments on sqlite3Malloc() */
   528    528       return 0;
   529    529     }
   530    530     nOld = sqlite3MallocSize(pOld);
   531    531     /* IMPLEMENTATION-OF: R-46199-30249 SQLite guarantees that the second
   532    532     ** argument to xRealloc is always a value returned by a prior call to
   533    533     ** xRoundup. */
   534         -  nNew = sqlite3GlobalConfig.m.xRoundup(nBytes);
          534  +  nNew = sqlite3GlobalConfig.m.xRoundup((int)nBytes);
   535    535     if( nOld==nNew ){
   536    536       pNew = pOld;
   537    537     }else if( sqlite3GlobalConfig.bMemstat ){
   538    538       sqlite3_mutex_enter(mem0.mutex);
   539    539       sqlite3StatusSet(SQLITE_STATUS_MALLOC_SIZE, nBytes);
   540    540       nDiff = nNew - nOld;
   541    541       if( sqlite3StatusValue(SQLITE_STATUS_MEMORY_USED) >= 
................................................................................
   572    572     return sqlite3Realloc(pOld, n);
   573    573   }
   574    574   
   575    575   
   576    576   /*
   577    577   ** Allocate and zero memory.
   578    578   */ 
   579         -void *sqlite3MallocZero(int n){
          579  +void *sqlite3MallocZero(i64 n){
   580    580     void *p = sqlite3Malloc(n);
   581    581     if( p ){
   582    582       memset(p, 0, n);
   583    583     }
   584    584     return p;
   585    585   }
   586    586   
   587    587   /*
   588    588   ** Allocate and zero memory.  If the allocation fails, make
   589    589   ** the mallocFailed flag in the connection pointer.
   590    590   */
   591         -void *sqlite3DbMallocZero(sqlite3 *db, int n){
          591  +void *sqlite3DbMallocZero(sqlite3 *db, i64 n){
   592    592     void *p = sqlite3DbMallocRaw(db, n);
   593    593     if( p ){
   594    594       memset(p, 0, n);
   595    595     }
   596    596     return p;
   597    597   }
   598    598   
................................................................................
   610    610   **         int *a = (int*)sqlite3DbMallocRaw(db, 100);
   611    611   **         int *b = (int*)sqlite3DbMallocRaw(db, 200);
   612    612   **         if( b ) a[10] = 9;
   613    613   **
   614    614   ** In other words, if a subsequent malloc (ex: "b") worked, it is assumed
   615    615   ** that all prior mallocs (ex: "a") worked too.
   616    616   */
   617         -void *sqlite3DbMallocRaw(sqlite3 *db, int n){
          617  +void *sqlite3DbMallocRaw(sqlite3 *db, i64 n){
   618    618     void *p;
   619    619     assert( db==0 || sqlite3_mutex_held(db->mutex) );
   620    620     assert( db==0 || db->pnBytesFreed==0 );
   621    621   #ifndef SQLITE_OMIT_LOOKASIDE
   622    622     if( db ){
   623    623       LookasideSlot *pBuf;
   624    624       if( db->mallocFailed ){
................................................................................
   654    654     return p;
   655    655   }
   656    656   
   657    657   /*
   658    658   ** Resize the block of memory pointed to by p to n bytes. If the
   659    659   ** resize fails, set the mallocFailed flag in the connection object.
   660    660   */
   661         -void *sqlite3DbRealloc(sqlite3 *db, void *p, int n){
          661  +void *sqlite3DbRealloc(sqlite3 *db, void *p, i64 n){
   662    662     void *pNew = 0;
   663    663     assert( db!=0 );
   664    664     assert( sqlite3_mutex_held(db->mutex) );
   665    665     if( db->mallocFailed==0 ){
   666    666       if( p==0 ){
   667    667         return sqlite3DbMallocRaw(db, n);
   668    668       }
................................................................................
   691    691     return pNew;
   692    692   }
   693    693   
   694    694   /*
   695    695   ** Attempt to reallocate p.  If the reallocation fails, then free p
   696    696   ** and set the mallocFailed flag in the database connection.
   697    697   */
   698         -void *sqlite3DbReallocOrFree(sqlite3 *db, void *p, int n){
          698  +void *sqlite3DbReallocOrFree(sqlite3 *db, void *p, i64 n){
   699    699     void *pNew;
   700    700     pNew = sqlite3DbRealloc(db, p, n);
   701    701     if( !pNew ){
   702    702       sqlite3DbFree(db, p);
   703    703     }
   704    704     return pNew;
   705    705   }
................................................................................
   709    709   ** functions call sqlite3MallocRaw() directly instead of sqliteMalloc(). This
   710    710   ** is because when memory debugging is turned on, these two functions are 
   711    711   ** called via macros that record the current file and line number in the
   712    712   ** ThreadData structure.
   713    713   */
   714    714   char *sqlite3DbStrDup(sqlite3 *db, const char *z){
   715    715     char *zNew;
   716         -  size_t n;
          716  +  i64 n;
   717    717     if( z==0 ){
   718    718       return 0;
   719    719     }
   720    720     n = sqlite3Strlen30(z) + 1;
   721         -  assert( (n&0x7fffffff)==n );
   722         -  zNew = sqlite3DbMallocRaw(db, (int)n);
          721  +  zNew = sqlite3DbMallocRaw(db, n);
   723    722     if( zNew ){
   724    723       memcpy(zNew, z, n);
   725    724     }
   726    725     return zNew;
   727    726   }
   728    727   char *sqlite3DbStrNDup(sqlite3 *db, const char *z, int n){
   729    728     char *zNew;
   730    729     if( z==0 ){
   731    730       return 0;
   732    731     }
   733         -  assert( (n&0x7fffffff)==n );
   734         -  zNew = sqlite3DbMallocRaw(db, n+1);
          732  +  zNew = sqlite3DbMallocRaw(db, (i64)n+1);
   735    733     if( zNew ){
   736    734       memcpy(zNew, z, n);
   737    735       zNew[n] = 0;
   738    736     }
   739    737     return zNew;
   740    738   }
   741    739   

Changes to src/notify.c.

   254    254         sqlite3BeginBenignMalloc();
   255    255         assert( aArg==aDyn || (aDyn==0 && aArg==aStatic) );
   256    256         assert( nArg<=(int)ArraySize(aStatic) || aArg==aDyn );
   257    257         if( (!aDyn && nArg==(int)ArraySize(aStatic))
   258    258          || (aDyn && nArg==(int)(sqlite3MallocSize(aDyn)/sizeof(void*)))
   259    259         ){
   260    260           /* The aArg[] array needs to grow. */
   261         -        void **pNew = (void **)sqlite3Malloc(nArg*sizeof(void *)*2);
          261  +        void **pNew = (void **)sqlite3Malloc((i64)nArg*sizeof(void *)*2);
   262    262           if( pNew ){
   263    263             memcpy(pNew, aArg, nArg*sizeof(void *));
   264    264             sqlite3_free(aDyn);
   265    265             aDyn = aArg = pNew;
   266    266           }else{
   267    267             /* This occurs when the array of context pointers that need to
   268    268             ** be passed to the unlock-notify callback is larger than the

Changes to src/os_win.c.

  1529   1529     int nChar;
  1530   1530     LPWSTR zWideFilename;
  1531   1531   
  1532   1532     nChar = osMultiByteToWideChar(CP_UTF8, 0, zFilename, -1, NULL, 0);
  1533   1533     if( nChar==0 ){
  1534   1534       return 0;
  1535   1535     }
  1536         -  zWideFilename = sqlite3MallocZero( nChar*sizeof(zWideFilename[0]) );
         1536  +  zWideFilename = sqlite3MallocZero( (i64)nChar*sizeof(zWideFilename[0]) );
  1537   1537     if( zWideFilename==0 ){
  1538   1538       return 0;
  1539   1539     }
  1540   1540     nChar = osMultiByteToWideChar(CP_UTF8, 0, zFilename, -1, zWideFilename,
  1541   1541                                   nChar);
  1542   1542     if( nChar==0 ){
  1543   1543       sqlite3_free(zWideFilename);
................................................................................
  1584   1584     int codepage = osAreFileApisANSI() ? CP_ACP : CP_OEMCP;
  1585   1585   
  1586   1586     nByte = osMultiByteToWideChar(codepage, 0, zFilename, -1, NULL,
  1587   1587                                   0)*sizeof(WCHAR);
  1588   1588     if( nByte==0 ){
  1589   1589       return 0;
  1590   1590     }
  1591         -  zMbcsFilename = sqlite3MallocZero( nByte*sizeof(zMbcsFilename[0]) );
         1591  +  zMbcsFilename = sqlite3MallocZero( (i64)nByte*sizeof(zMbcsFilename[0]) );
  1592   1592     if( zMbcsFilename==0 ){
  1593   1593       return 0;
  1594   1594     }
  1595   1595     nByte = osMultiByteToWideChar(codepage, 0, zFilename, -1, zMbcsFilename,
  1596   1596                                   nByte);
  1597   1597     if( nByte==0 ){
  1598   1598       sqlite3_free(zMbcsFilename);
................................................................................
  4325   4325           sqlite3_free(zConverted);
  4326   4326         }
  4327   4327       }
  4328   4328     }
  4329   4329   #elif !SQLITE_OS_WINRT && !defined(__CYGWIN__)
  4330   4330     else if( osIsNT() ){
  4331   4331       char *zMulti;
  4332         -    LPWSTR zWidePath = sqlite3MallocZero( nMax*sizeof(WCHAR) );
         4332  +    LPWSTR zWidePath = sqlite3MallocZero( (i64)nMax*sizeof(WCHAR) );
  4333   4333       if( !zWidePath ){
  4334   4334         sqlite3_free(zBuf);
  4335   4335         OSTRACE(("TEMP-FILENAME rc=SQLITE_IOERR_NOMEM\n"));
  4336   4336         return SQLITE_IOERR_NOMEM;
  4337   4337       }
  4338   4338       if( osGetTempPathW(nMax, zWidePath)==0 ){
  4339   4339         sqlite3_free(zWidePath);
................................................................................
  5104   5104       nByte = osGetFullPathNameW((LPCWSTR)zConverted, 0, 0, 0);
  5105   5105       if( nByte==0 ){
  5106   5106         sqlite3_free(zConverted);
  5107   5107         return winLogError(SQLITE_CANTOPEN_FULLPATH, osGetLastError(),
  5108   5108                            "winFullPathname1", zRelative);
  5109   5109       }
  5110   5110       nByte += 3;
  5111         -    zTemp = sqlite3MallocZero( nByte*sizeof(zTemp[0]) );
         5111  +    zTemp = sqlite3MallocZero( (i64)nByte*sizeof(zTemp[0]) );
  5112   5112       if( zTemp==0 ){
  5113   5113         sqlite3_free(zConverted);
  5114   5114         return SQLITE_IOERR_NOMEM;
  5115   5115       }
  5116   5116       nByte = osGetFullPathNameW((LPCWSTR)zConverted, nByte, zTemp, 0);
  5117   5117       if( nByte==0 ){
  5118   5118         sqlite3_free(zConverted);
................................................................................
  5130   5130       nByte = osGetFullPathNameA((char*)zConverted, 0, 0, 0);
  5131   5131       if( nByte==0 ){
  5132   5132         sqlite3_free(zConverted);
  5133   5133         return winLogError(SQLITE_CANTOPEN_FULLPATH, osGetLastError(),
  5134   5134                            "winFullPathname3", zRelative);
  5135   5135       }
  5136   5136       nByte += 3;
  5137         -    zTemp = sqlite3MallocZero( nByte*sizeof(zTemp[0]) );
         5137  +    zTemp = sqlite3MallocZero( (i64)nByte*sizeof(zTemp[0]) );
  5138   5138       if( zTemp==0 ){
  5139   5139         sqlite3_free(zConverted);
  5140   5140         return SQLITE_IOERR_NOMEM;
  5141   5141       }
  5142   5142       nByte = osGetFullPathNameA((char*)zConverted, nByte, zTemp, 0);
  5143   5143       if( nByte==0 ){
  5144   5144         sqlite3_free(zConverted);

Changes to src/pager.c.

  2439   2439     ** sqlite3_malloc() and pointed to by zMasterJournal.   Also obtain
  2440   2440     ** sufficient space (in zMasterPtr) to hold the names of master
  2441   2441     ** journal files extracted from regular rollback-journals.
  2442   2442     */
  2443   2443     rc = sqlite3OsFileSize(pMaster, &nMasterJournal);
  2444   2444     if( rc!=SQLITE_OK ) goto delmaster_out;
  2445   2445     nMasterPtr = pVfs->mxPathname+1;
  2446         -  zMasterJournal = sqlite3Malloc((int)nMasterJournal + nMasterPtr + 1);
         2446  +  zMasterJournal = sqlite3Malloc(nMasterJournal + nMasterPtr + 1);
  2447   2447     if( !zMasterJournal ){
  2448   2448       rc = SQLITE_NOMEM;
  2449   2449       goto delmaster_out;
  2450   2450     }
  2451   2451     zMasterPtr = &zMasterJournal[nMasterJournal+1];
  2452   2452     rc = sqlite3OsRead(pMaster, zMasterJournal, (int)nMasterJournal, 0);
  2453   2453     if( rc!=SQLITE_OK ) goto delmaster_out;
................................................................................
  4570   4570     /* Compute and store the full pathname in an allocated buffer pointed
  4571   4571     ** to by zPathname, length nPathname. Or, if this is a temporary file,
  4572   4572     ** leave both nPathname and zPathname set to 0.
  4573   4573     */
  4574   4574     if( zFilename && zFilename[0] ){
  4575   4575       const char *z;
  4576   4576       nPathname = pVfs->mxPathname+1;
  4577         -    zPathname = sqlite3DbMallocRaw(0, nPathname*2);
         4577  +    zPathname = sqlite3DbMallocRaw(0, (i64)nPathname*2);
  4578   4578       if( zPathname==0 ){
  4579   4579         return SQLITE_NOMEM;
  4580   4580       }
  4581   4581       zPathname[0] = 0; /* Make sure initialized even if FullPathname() fails */
  4582   4582       rc = sqlite3OsFullPathname(pVfs, zFilename, nPathname, zPathname);
  4583   4583       nPathname = sqlite3Strlen30(zPathname);
  4584   4584       z = zUri = &zFilename[sqlite3Strlen30(zFilename)+1];
................................................................................
  4615   4615     **     Database file name              (nPathname+1 bytes)
  4616   4616     **     Journal file name               (nPathname+8+1 bytes)
  4617   4617     */
  4618   4618     pPtr = (u8 *)sqlite3MallocZero(
  4619   4619       ROUND8(sizeof(*pPager)) +      /* Pager structure */
  4620   4620       ROUND8(pcacheSize) +           /* PCache object */
  4621   4621       ROUND8(pVfs->szOsFile) +       /* The main db file */
  4622         -    journalFileSize * 2 +          /* The two journal files */ 
         4622  +    (i64)journalFileSize * 2 +     /* The two journal files */ 
  4623   4623       nPathname + 1 + nUri +         /* zFilename */
  4624   4624       nPathname + 8 + 2              /* zJournal */
  4625   4625   #ifndef SQLITE_OMIT_WAL
  4626   4626       + nPathname + 4 + 2            /* zWal */
  4627   4627   #endif
  4628   4628     );
  4629   4629     assert( EIGHT_BYTE_ALIGNMENT(SQLITE_INT_TO_PTR(journalFileSize)) );
................................................................................
  6474   6474       PagerSavepoint *aNew;                   /* New Pager.aSavepoint array */
  6475   6475   
  6476   6476       /* Grow the Pager.aSavepoint array using realloc(). Return SQLITE_NOMEM
  6477   6477       ** if the allocation fails. Otherwise, zero the new portion in case a 
  6478   6478       ** malloc failure occurs while populating it in the for(...) loop below.
  6479   6479       */
  6480   6480       aNew = (PagerSavepoint *)sqlite3Realloc(
  6481         -        pPager->aSavepoint, sizeof(PagerSavepoint)*nSavepoint
         6481  +        pPager->aSavepoint, sizeof(PagerSavepoint)*(i64)nSavepoint
  6482   6482       );
  6483   6483       if( !aNew ){
  6484   6484         return SQLITE_NOMEM;
  6485   6485       }
  6486   6486       memset(&aNew[nCurrent], 0, (nSavepoint-nCurrent) * sizeof(PagerSavepoint));
  6487   6487       pPager->aSavepoint = aNew;
  6488   6488   

Changes to src/pcache1.c.

   393    393     nNew = p->nHash*2;
   394    394     if( nNew<256 ){
   395    395       nNew = 256;
   396    396     }
   397    397   
   398    398     pcache1LeaveMutex(p->pGroup);
   399    399     if( p->nHash ){ sqlite3BeginBenignMalloc(); }
   400         -  apNew = (PgHdr1 **)sqlite3MallocZero(sizeof(PgHdr1 *)*nNew);
          400  +  apNew = (PgHdr1 **)sqlite3MallocZero(sizeof(PgHdr1 *)*(i64)nNew);
   401    401     if( p->nHash ){ sqlite3EndBenignMalloc(); }
   402    402     pcache1EnterMutex(p->pGroup);
   403    403     if( apNew ){
   404    404       for(i=0; i<p->nHash; i++){
   405    405         PgHdr1 *pPage;
   406    406         PgHdr1 *pNext = p->apHash[i];
   407    407         while( (pPage = pNext)!=0 ){

Changes to src/select.c.

   928    928   
   929    929   /*
   930    930   ** Allocate a KeyInfo object sufficient for an index of N key columns and
   931    931   ** X extra columns.
   932    932   */
   933    933   KeyInfo *sqlite3KeyInfoAlloc(sqlite3 *db, int N, int X){
   934    934     KeyInfo *p = sqlite3DbMallocZero(0, 
   935         -                   sizeof(KeyInfo) + (N+X)*(sizeof(CollSeq*)+1));
          935  +                   sizeof(KeyInfo) + (i64)(N+X)*(sizeof(CollSeq*)+1));
   936    936     if( p ){
   937    937       p->aSortOrder = (u8*)&p->aColl[N+X];
   938    938       p->nField = (u16)N;
   939    939       p->nXField = (u16)X;
   940    940       p->enc = ENC(db);
   941    941       p->db = db;
   942    942       p->nRef = 1;
................................................................................
  1538   1538     int nCol;                   /* Number of columns in the result set */
  1539   1539     Expr *p;                    /* Expression for a single result column */
  1540   1540     char *zName;                /* Column name */
  1541   1541     int nName;                  /* Size of name in zName[] */
  1542   1542   
  1543   1543     if( pEList ){
  1544   1544       nCol = pEList->nExpr;
  1545         -    aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*nCol);
         1545  +    aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*(i64)nCol);
  1546   1546       testcase( aCol==0 );
  1547   1547     }else{
  1548   1548       nCol = 0;
  1549   1549       aCol = 0;
  1550   1550     }
  1551   1551     *pnCol = nCol;
  1552   1552     *paCol = aCol;
................................................................................
  2740   2740     /* Compute the comparison permutation and keyinfo that is used with
  2741   2741     ** the permutation used to determine if the next
  2742   2742     ** row of results comes from selectA or selectB.  Also add explicit
  2743   2743     ** collations to the ORDER BY clause terms so that when the subqueries
  2744   2744     ** to the right and the left are evaluated, they use the correct
  2745   2745     ** collation.
  2746   2746     */
  2747         -  aPermute = sqlite3DbMallocRaw(db, sizeof(int)*nOrderBy);
         2747  +  aPermute = sqlite3DbMallocRaw(db, sizeof(int)*(i64)nOrderBy);
  2748   2748     if( aPermute ){
  2749   2749       struct ExprList_item *pItem;
  2750   2750       for(i=0, pItem=pOrderBy->a; i<nOrderBy; i++, pItem++){
  2751   2751         assert( pItem->u.x.iOrderByCol>0
  2752   2752             && pItem->u.x.iOrderByCol<=p->pEList->nExpr );
  2753   2753         aPermute[i] = pItem->u.x.iOrderByCol - 1;
  2754   2754       }

Changes to src/sqliteInt.h.

  2866   2866   */
  2867   2867   #define sqlite3StrICmp sqlite3_stricmp
  2868   2868   int sqlite3Strlen30(const char*);
  2869   2869   #define sqlite3StrNICmp sqlite3_strnicmp
  2870   2870   
  2871   2871   int sqlite3MallocInit(void);
  2872   2872   void sqlite3MallocEnd(void);
  2873         -void *sqlite3Malloc(int);
  2874         -void *sqlite3MallocZero(int);
  2875         -void *sqlite3DbMallocZero(sqlite3*, int);
  2876         -void *sqlite3DbMallocRaw(sqlite3*, int);
         2873  +void *sqlite3Malloc(i64);
         2874  +void *sqlite3MallocZero(i64);
         2875  +void *sqlite3DbMallocZero(sqlite3*, i64);
         2876  +void *sqlite3DbMallocRaw(sqlite3*, i64);
  2877   2877   char *sqlite3DbStrDup(sqlite3*,const char*);
  2878   2878   char *sqlite3DbStrNDup(sqlite3*,const char*, int);
  2879         -void *sqlite3Realloc(void*, int);
  2880         -void *sqlite3DbReallocOrFree(sqlite3 *, void *, int);
  2881         -void *sqlite3DbRealloc(sqlite3 *, void *, int);
         2879  +void *sqlite3Realloc(void*, i64);
         2880  +void *sqlite3DbReallocOrFree(sqlite3 *, void *, i64);
         2881  +void *sqlite3DbRealloc(sqlite3 *, void *, i64);
  2882   2882   void sqlite3DbFree(sqlite3*, void*);
  2883   2883   int sqlite3MallocSize(void*);
  2884   2884   int sqlite3DbMallocSize(sqlite3*, void*);
  2885   2885   void *sqlite3ScratchMalloc(int);
  2886   2886   void sqlite3ScratchFree(void*);
  2887   2887   void *sqlite3PageMalloc(int);
  2888   2888   void sqlite3PageFree(void*);

Changes to src/test8.c.

   174    174       goto out;
   175    175     }
   176    176     rc = sqlite3_prepare(db, zSql, -1, &pStmt, 0);
   177    177     sqlite3_free(zSql);
   178    178   
   179    179     if( rc==SQLITE_OK ){
   180    180       int ii;
   181         -    int nBytes;
          181  +    i64 nBytes;
   182    182       char *zSpace;
   183    183       nCol = sqlite3_column_count(pStmt);
   184    184   
   185    185       /* Figure out how much space to allocate for the array of column names 
   186    186       ** (including space for the strings themselves). Then allocate it.
   187    187       */
   188         -    nBytes = sizeof(char *) * nCol;
          188  +    nBytes = sizeof(char *) * (i64)nCol;
   189    189       for(ii=0; ii<nCol; ii++){
   190    190         const char *zName = sqlite3_column_name(pStmt, ii);
   191    191         if( !zName ){
   192    192           rc = SQLITE_NOMEM;
   193    193           goto out;
   194    194         }
   195    195         nBytes += (int)strlen(zName)+1;
................................................................................
   240    240   ){
   241    241     sqlite3_stmt *pStmt = 0;
   242    242     int *aIndex = 0;
   243    243     int rc;
   244    244     char *zSql;
   245    245   
   246    246     /* Allocate space for the index array */
   247         -  aIndex = (int *)sqlite3MallocZero(sizeof(int) * nCol);
          247  +  aIndex = (int *)sqlite3MallocZero(sizeof(int) * (i64)nCol);
   248    248     if( !aIndex ){
   249    249       rc = SQLITE_NOMEM;
   250    250       goto get_index_array_out;
   251    251     }
   252    252   
   253    253     /* Compile an sqlite pragma to loop through all indices on table zTab */
   254    254     zSql = sqlite3_mprintf("PRAGMA index_list(%s)", zTab);

Changes to src/update.c.

   193    193       }
   194    194       pParse->nTab++;
   195    195     }
   196    196   
   197    197     /* Allocate space for aXRef[], aRegIdx[], and aToOpen[].  
   198    198     ** Initialize aXRef[] and aToOpen[] to their default values.
   199    199     */
   200         -  aXRef = sqlite3DbMallocRaw(db, sizeof(int) * (pTab->nCol+nIdx) + nIdx+2 );
          200  +  aXRef = sqlite3DbMallocRaw(db, sizeof(int)*(i64)(pTab->nCol+nIdx) + nIdx+2 );
   201    201     if( aXRef==0 ) goto update_cleanup;
   202    202     aRegIdx = aXRef+pTab->nCol;
   203    203     aToOpen = (u8*)(aRegIdx+nIdx);
   204    204     memset(aToOpen, 1, nIdx+1);
   205    205     aToOpen[nIdx+1] = 0;
   206    206     for(i=0; i<pTab->nCol; i++) aXRef[i] = -1;
   207    207   

Changes to src/vdbe.c.

  5103   5103     int nErr;       /* Number of errors reported */
  5104   5104     char *z;        /* Text of the error report */
  5105   5105     Mem *pnErr;     /* Register keeping track of errors remaining */
  5106   5106   
  5107   5107     assert( p->bIsReader );
  5108   5108     nRoot = pOp->p2;
  5109   5109     assert( nRoot>0 );
  5110         -  aRoot = sqlite3DbMallocRaw(db, sizeof(int)*(nRoot+1) );
         5110  +  aRoot = sqlite3DbMallocRaw(db, sizeof(int)*(i64)(nRoot+1) );
  5111   5111     if( aRoot==0 ) goto no_mem;
  5112   5112     assert( pOp->p3>0 && pOp->p3<=(p->nMem-p->nCursor) );
  5113   5113     pnErr = &aMem[pOp->p3];
  5114   5114     assert( (pnErr->flags & MEM_Int)!=0 );
  5115   5115     assert( (pnErr->flags & (MEM_Str|MEM_Blob))==0 );
  5116   5116     pIn1 = &aMem[pOp->p1];
  5117   5117     for(j=0; j<nRoot; j++){
................................................................................
  5257   5257   **
  5258   5258   ** P4 is a pointer to the VM containing the trigger program.
  5259   5259   **
  5260   5260   ** If P5 is non-zero, then recursive program invocation is enabled.
  5261   5261   */
  5262   5262   case OP_Program: {        /* jump */
  5263   5263     int nMem;               /* Number of memory registers for sub-program */
  5264         -  int nByte;              /* Bytes of runtime space required for sub-program */
         5264  +  i64 nByte;              /* Bytes of runtime space required for sub-program */
  5265   5265     Mem *pRt;               /* Register to allocate runtime space */
  5266   5266     Mem *pMem;              /* Used to iterate through memory cells */
  5267   5267     Mem *pEnd;              /* Last memory cell in new array */
  5268   5268     VdbeFrame *pFrame;      /* New vdbe frame to execute in */
  5269   5269     SubProgram *pProgram;   /* Sub-program to execute */
  5270   5270     void *t;                /* Token identifying trigger */
  5271   5271   
................................................................................
  5304   5304       /* SubProgram.nMem is set to the number of memory cells used by the 
  5305   5305       ** program stored in SubProgram.aOp. As well as these, one memory
  5306   5306       ** cell is required for each cursor used by the program. Set local
  5307   5307       ** variable nMem (and later, VdbeFrame.nChildMem) to this value.
  5308   5308       */
  5309   5309       nMem = pProgram->nMem + pProgram->nCsr;
  5310   5310       nByte = ROUND8(sizeof(VdbeFrame))
  5311         -              + nMem * sizeof(Mem)
  5312         -              + pProgram->nCsr * sizeof(VdbeCursor *)
  5313         -              + pProgram->nOnce * sizeof(u8);
         5311  +              + (i64)nMem * sizeof(Mem)
         5312  +              + (i64)pProgram->nCsr * sizeof(VdbeCursor *)
         5313  +              + (i64)pProgram->nOnce * sizeof(u8);
  5314   5314       pFrame = sqlite3DbMallocZero(db, nByte);
  5315   5315       if( !pFrame ){
  5316   5316         goto no_mem;
  5317   5317       }
  5318   5318       sqlite3VdbeMemRelease(pRt);
  5319   5319       pRt->flags = MEM_Frame;
  5320   5320       pRt->u.pFrame = pFrame;

Changes to src/vdbeaux.c.

    92     92   ** unchanged (this is so that any opcodes already allocated can be 
    93     93   ** correctly deallocated along with the rest of the Vdbe).
    94     94   */
    95     95   static int growOpArray(Vdbe *v){
    96     96     VdbeOp *pNew;
    97     97     Parse *p = v->pParse;
    98     98     int nNew = (p->nOpAlloc ? p->nOpAlloc*2 : (int)(1024/sizeof(Op)));
    99         -  pNew = sqlite3DbRealloc(p->db, v->aOp, nNew*sizeof(Op));
           99  +  pNew = sqlite3DbRealloc(p->db, v->aOp, (i64)nNew*sizeof(Op));
   100    100     if( pNew ){
   101    101       p->nOpAlloc = sqlite3DbMallocSize(p->db, pNew)/sizeof(Op);
   102    102       v->aOp = pNew;
   103    103     }
   104    104     return (pNew ? SQLITE_OK : SQLITE_NOMEM);
   105    105   }
   106    106   
................................................................................
   254    254   */
   255    255   int sqlite3VdbeMakeLabel(Vdbe *v){
   256    256     Parse *p = v->pParse;
   257    257     int i = p->nLabel++;
   258    258     assert( v->magic==VDBE_MAGIC_INIT );
   259    259     if( (i & (i-1))==0 ){
   260    260       p->aLabel = sqlite3DbReallocOrFree(p->db, p->aLabel, 
   261         -                                       (i*2+1)*sizeof(p->aLabel[0]));
          261  +                                       (i64)(i*2+1)*sizeof(p->aLabel[0]));
   262    262     }
   263    263     if( p->aLabel ){
   264    264       p->aLabel[i] = -1;
   265    265     }
   266    266     return -1-i;
   267    267   }
   268    268   
................................................................................
   336    336       p->iAddr++;
   337    337       if( p->iAddr==nOp ){
   338    338         p->iSub++;
   339    339         p->iAddr = 0;
   340    340       }
   341    341     
   342    342       if( pRet->p4type==P4_SUBPROGRAM ){
   343         -      int nByte = (p->nSub+1)*sizeof(SubProgram*);
          343  +      i64 nByte = (p->nSub+1)*(i64)sizeof(SubProgram*);
   344    344         int j;
   345    345         for(j=0; j<p->nSub; j++){
   346    346           if( p->apSub[j]==pRet->p4.pProgram ) break;
   347    347         }
   348    348         if( j==p->nSub ){
   349    349           p->apSub = sqlite3DbReallocOrFree(v->db, p->apSub, nByte);
   350    350           if( !p->apSub ){
................................................................................
  1527   1527   **
  1528   1528   ** *pnByte is a counter of the number of bytes of space that have failed
  1529   1529   ** to allocate.  If there is insufficient space in *ppFrom to satisfy the
  1530   1530   ** request, then increment *pnByte by the amount of the request.
  1531   1531   */
  1532   1532   static void *allocSpace(
  1533   1533     void *pBuf,          /* Where return pointer will be stored */
  1534         -  int nByte,           /* Number of bytes to allocate */
         1534  +  i64 nByte,           /* Number of bytes to allocate */
  1535   1535     u8 **ppFrom,         /* IN/OUT: Allocate from *ppFrom */
  1536   1536     u8 *pEnd,            /* Pointer to 1 byte past the end of *ppFrom buffer */
  1537         -  int *pnByte          /* If allocation cannot be made, increment *pnByte */
         1537  +  i64 *pnByte          /* If allocation cannot be made, increment *pnByte */
  1538   1538   ){
  1539   1539     assert( EIGHT_BYTE_ALIGNMENT(*ppFrom) );
  1540   1540     if( pBuf ) return pBuf;
  1541   1541     nByte = ROUND8(nByte);
  1542   1542     if( &(*ppFrom)[nByte] <= pEnd ){
  1543   1543       pBuf = (void*)*ppFrom;
  1544   1544       *ppFrom += nByte;
................................................................................
  1615   1615     int nMem;                      /* Number of VM memory registers */
  1616   1616     int nCursor;                   /* Number of cursors required */
  1617   1617     int nArg;                      /* Number of arguments in subprograms */
  1618   1618     int nOnce;                     /* Number of OP_Once instructions */
  1619   1619     int n;                         /* Loop counter */
  1620   1620     u8 *zCsr;                      /* Memory available for allocation */
  1621   1621     u8 *zEnd;                      /* First byte past allocated memory */
  1622         -  int nByte;                     /* How much extra memory is needed */
         1622  +  i64 nByte;                     /* How much extra memory is needed */
  1623   1623   
  1624   1624     assert( p!=0 );
  1625   1625     assert( p->nOp>0 );
  1626   1626     assert( pParse!=0 );
  1627   1627     assert( p->magic==VDBE_MAGIC_INIT );
  1628   1628     assert( pParse==p->pParse );
  1629   1629     db = p->db;
................................................................................
  1670   1670     **
  1671   1671     ** This two-pass approach that reuses as much memory as possible from
  1672   1672     ** the leftover space at the end of the opcode array can significantly
  1673   1673     ** reduce the amount of memory held by a prepared statement.
  1674   1674     */
  1675   1675     do {
  1676   1676       nByte = 0;
  1677         -    p->aMem = allocSpace(p->aMem, nMem*sizeof(Mem), &zCsr, zEnd, &nByte);
  1678         -    p->aVar = allocSpace(p->aVar, nVar*sizeof(Mem), &zCsr, zEnd, &nByte);
  1679         -    p->apArg = allocSpace(p->apArg, nArg*sizeof(Mem*), &zCsr, zEnd, &nByte);
  1680         -    p->azVar = allocSpace(p->azVar, nVar*sizeof(char*), &zCsr, zEnd, &nByte);
  1681         -    p->apCsr = allocSpace(p->apCsr, nCursor*sizeof(VdbeCursor*),
         1677  +    p->aMem = allocSpace(p->aMem, (i64)nMem*sizeof(Mem), &zCsr, zEnd, &nByte);
         1678  +    p->aVar = allocSpace(p->aVar, (i64)nVar*sizeof(Mem), &zCsr, zEnd, &nByte);
         1679  +    p->apArg = allocSpace(p->apArg, (i64)nArg*sizeof(Mem*), &zCsr, zEnd,&nByte);
         1680  +    p->azVar = allocSpace(p->azVar, (i64)nVar*sizeof(char*), &zCsr,zEnd,&nByte);
         1681  +    p->apCsr = allocSpace(p->apCsr, (i64)nCursor*sizeof(VdbeCursor*),
  1682   1682                             &zCsr, zEnd, &nByte);
  1683   1683       p->aOnceFlag = allocSpace(p->aOnceFlag, nOnce, &zCsr, zEnd, &nByte);
  1684   1684       if( nByte ){
  1685   1685         p->pFree = sqlite3DbMallocZero(db, nByte);
  1686   1686       }
  1687   1687       zCsr = p->pFree;
  1688   1688       zEnd = &zCsr[nByte];
................................................................................
  1834   1834   ** be called on an SQL statement before sqlite3_step().
  1835   1835   */
  1836   1836   void sqlite3VdbeSetNumCols(Vdbe *p, int nResColumn){
  1837   1837     Mem *pColName;
  1838   1838     int n;
  1839   1839     sqlite3 *db = p->db;
  1840   1840   
         1841  +  assert( nResColumn <= 0xffff );
  1841   1842     releaseMemArray(p->aColName, p->nResColumn*COLNAME_N);
  1842   1843     sqlite3DbFree(db, p->aColName);
  1843   1844     n = nResColumn*COLNAME_N;
  1844   1845     p->nResColumn = (u16)nResColumn;
  1845   1846     p->aColName = pColName = (Mem*)sqlite3DbMallocZero(db, sizeof(Mem)*n );
  1846   1847     if( p->aColName==0 ) return;
  1847   1848     while( n-- > 0 ){
................................................................................
  3069   3070     int nByte;                      /* Number of bytes required for *p */
  3070   3071   
  3071   3072     /* We want to shift the pointer pSpace up such that it is 8-byte aligned.
  3072   3073     ** Thus, we need to calculate a value, nOff, between 0 and 7, to shift 
  3073   3074     ** it by.  If pSpace is already 8-byte aligned, nOff should be zero.
  3074   3075     */
  3075   3076     nOff = (8 - (SQLITE_PTR_TO_INT(pSpace) & 7)) & 7;
         3077  +  assert( sizeof(pKeyInfo->nField)==2 );
  3076   3078     nByte = ROUND8(sizeof(UnpackedRecord)) + sizeof(Mem)*(pKeyInfo->nField+1);
  3077   3079     if( nByte>szSpace+nOff ){
  3078   3080       p = (UnpackedRecord *)sqlite3DbMallocRaw(pKeyInfo->db, nByte);
  3079   3081       *ppFree = (char *)p;
  3080   3082       if( !p ) return 0;
  3081   3083     }else{
  3082   3084       p = (UnpackedRecord*)&pSpace[nOff];

Changes to src/vdbemem.c.

   930    930   
   931    931       if( pRec==0 ){
   932    932         Index *pIdx = p->pIdx;      /* Index being probed */
   933    933         int nByte;                  /* Bytes of space to allocate */
   934    934         int i;                      /* Counter variable */
   935    935         int nCol = pIdx->nColumn;   /* Number of index columns including rowid */
   936    936     
          937  +      assert( sizeof(pIdx->nColumn)==2 && nCol<=0xffff );
   937    938         nByte = sizeof(Mem) * nCol + ROUND8(sizeof(UnpackedRecord));
   938    939         pRec = (UnpackedRecord*)sqlite3DbMallocZero(db, nByte);
   939    940         if( pRec ){
   940    941           pRec->pKeyInfo = sqlite3KeyInfoOfIndex(p->pParse, pIdx);
   941    942           if( pRec->pKeyInfo ){
   942    943             assert( pRec->pKeyInfo->nField+pRec->pKeyInfo->nXField==nCol );
   943    944             assert( pRec->pKeyInfo->enc==ENC(db) );

Changes to src/vdbesort.c.

   218    218       /* The requested data is not all available in the in-memory buffer.
   219    219       ** In this case, allocate space at p->aAlloc[] to copy the requested
   220    220       ** range into. Then return a copy of pointer p->aAlloc to the caller.  */
   221    221       int nRem;                     /* Bytes remaining to copy */
   222    222   
   223    223       /* Extend the p->aAlloc[] allocation if required. */
   224    224       if( p->nAlloc<nByte ){
   225         -      int nNew = p->nAlloc*2;
          225  +      i64 nNew = p->nAlloc*2;
   226    226         while( nByte>nNew ) nNew = nNew*2;
   227    227         p->aAlloc = sqlite3DbReallocOrFree(db, p->aAlloc, nNew);
   228    228         if( !p->aAlloc ) return SQLITE_NOMEM;
   229    229         p->nAlloc = nNew;
   230    230       }
   231    231   
   232    232       /* Copy as much data as is available in the buffer into the start of

Changes to src/vtab.c.

   274    274   ** Add a new module argument to pTable->azModuleArg[].
   275    275   ** The string is not copied - the pointer is stored.  The
   276    276   ** string will be freed automatically when the table is
   277    277   ** deleted.
   278    278   */
   279    279   static void addModuleArgument(sqlite3 *db, Table *pTable, char *zArg){
   280    280     int i = pTable->nModuleArg++;
   281         -  int nBytes = sizeof(char *)*(1+pTable->nModuleArg);
          281  +  i64 nBytes = sizeof(char *)*(i64)(1+pTable->nModuleArg);
   282    282     char **azModuleArg;
   283    283     azModuleArg = sqlite3DbRealloc(db, pTable->azModuleArg, nBytes);
   284    284     if( azModuleArg==0 ){
   285    285       int j;
   286    286       for(j=0; j<i; j++){
   287    287         sqlite3DbFree(db, pTable->azModuleArg[j]);
   288    288       }
................................................................................
   616    616   */
   617    617   static int growVTrans(sqlite3 *db){
   618    618     const int ARRAY_INCR = 5;
   619    619   
   620    620     /* Grow the sqlite3.aVTrans array if required */
   621    621     if( (db->nVTrans%ARRAY_INCR)==0 ){
   622    622       VTable **aVTrans;
   623         -    int nBytes = sizeof(sqlite3_vtab *) * (db->nVTrans + ARRAY_INCR);
          623  +    i64 nBytes = sizeof(sqlite3_vtab *)*(i64)(db->nVTrans + ARRAY_INCR);
   624    624       aVTrans = sqlite3DbRealloc(db, (void *)db->aVTrans, nBytes);
   625    625       if( !aVTrans ){
   626    626         return SQLITE_NOMEM;
   627    627       }
   628    628       memset(&aVTrans[db->nVTrans], 0, sizeof(sqlite3_vtab *)*ARRAY_INCR);
   629    629       db->aVTrans = aVTrans;
   630    630     }

Changes to src/where.c.

   205    205   static int whereClauseInsert(WhereClause *pWC, Expr *p, u8 wtFlags){
   206    206     WhereTerm *pTerm;
   207    207     int idx;
   208    208     testcase( wtFlags & TERM_VIRTUAL );
   209    209     if( pWC->nTerm>=pWC->nSlot ){
   210    210       WhereTerm *pOld = pWC->a;
   211    211       sqlite3 *db = pWC->pWInfo->pParse->db;
   212         -    pWC->a = sqlite3DbMallocRaw(db, sizeof(pWC->a[0])*pWC->nSlot*2 );
          212  +    pWC->a = sqlite3DbMallocRaw(db, sizeof(pWC->a[0])*(i64)pWC->nSlot*2 );
   213    213       if( pWC->a==0 ){
   214    214         if( wtFlags & TERM_DYNAMIC ){
   215    215           sqlite3ExprDelete(db, p);
   216    216         }
   217    217         pWC->a = pOld;
   218    218         return 0;
   219    219       }
................................................................................
  1773   1773         nOrderBy = n;
  1774   1774       }
  1775   1775     }
  1776   1776   
  1777   1777     /* Allocate the sqlite3_index_info structure
  1778   1778     */
  1779   1779     pIdxInfo = sqlite3DbMallocZero(pParse->db, sizeof(*pIdxInfo)
  1780         -                           + (sizeof(*pIdxCons) + sizeof(*pUsage))*nTerm
  1781         -                           + sizeof(*pIdxOrderBy)*nOrderBy );
         1780  +                           + (sizeof(*pIdxCons) + sizeof(*pUsage))*(i64)nTerm
         1781  +                           + sizeof(*pIdxOrderBy)*(i64)nOrderBy );
  1782   1782     if( pIdxInfo==0 ){
  1783   1783       sqlite3ErrorMsg(pParse, "out of memory");
  1784   1784       return 0;
  1785   1785     }
  1786   1786   
  1787   1787     /* Initialize the structure.  The sqlite3_index_info structure contains
  1788   1788     ** many fields that are declared "const" to prevent xBestIndex from
................................................................................
  3682   3682   /*
  3683   3683   ** Increase the memory allocation for pLoop->aLTerm[] to be at least n.
  3684   3684   */
  3685   3685   static int whereLoopResize(sqlite3 *db, WhereLoop *p, int n){
  3686   3686     WhereTerm **paNew;
  3687   3687     if( p->nLSlot>=n ) return SQLITE_OK;
  3688   3688     n = (n+7)&~7;
  3689         -  paNew = sqlite3DbMallocRaw(db, sizeof(p->aLTerm[0])*n);
         3689  +  paNew = sqlite3DbMallocRaw(db, sizeof(p->aLTerm[0])*(i64)n);
  3690   3690     if( paNew==0 ) return SQLITE_NOMEM;
  3691   3691     memcpy(paNew, p->aLTerm, sizeof(p->aLTerm[0])*p->nLSlot);
  3692   3692     if( p->aLTerm!=p->aLTermSpace ) sqlite3DbFree(db, p->aLTerm);
  3693   3693     p->aLTerm = paNew;
  3694   3694     p->nLSlot = n;
  3695   3695     return SQLITE_OK;
  3696   3696   }
................................................................................
  5227   5227     ** For 2-way joins, the 5 best paths are followed.
  5228   5228     ** For joins of 3 or more tables, track the 10 best paths */
  5229   5229     mxChoice = (nLoop==1) ? 1 : (nLoop==2 ? 5 : 10);
  5230   5230     assert( nLoop<=pWInfo->pTabList->nSrc );
  5231   5231     WHERETRACE(0x002, ("---- begin solver\n"));
  5232   5232   
  5233   5233     /* Allocate and initialize space for aTo and aFrom */
  5234         -  ii = (sizeof(WherePath)+sizeof(WhereLoop*)*nLoop)*mxChoice*2;
  5235         -  pSpace = sqlite3DbMallocRaw(db, ii);
         5234  +  pSpace = sqlite3DbMallocRaw(db, 
         5235  +               (sizeof(WherePath)+sizeof(WhereLoop*)*(i64)nLoop)*mxChoice*2);
  5236   5236     if( pSpace==0 ) return SQLITE_NOMEM;
  5237   5237     aTo = (WherePath*)pSpace;
  5238   5238     aFrom = aTo+mxChoice;
  5239   5239     memset(aFrom, 0, sizeof(aFrom[0]));
  5240   5240     pX = (WhereLoop**)(aFrom+mxChoice);
  5241   5241     for(ii=mxChoice*2, pFrom=aTo; ii>0; ii--, pFrom++, pX += nLoop){
  5242   5242       pFrom->aLoop = pX;