Index: ext/fts5/fts5_index.c
==================================================================
--- ext/fts5/fts5_index.c
+++ ext/fts5/fts5_index.c
@@ -695,10 +695,11 @@
 }
 assert( (pRet==0)==(p->rc!=SQLITE_OK) );
 return pRet;
 }
+
 /*
 ** Release a reference to data record returned by an earlier call to
 ** fts5DataRead().
 */
@@ -2152,10 +2153,14 @@
 assert( p->rc==SQLITE_OK );
 iPgidx = szLeaf;
 iPgidx += fts5GetVarint32(&a[iPgidx], iTermOff);
 iOff = iTermOff;
+ if( iOff>n ){
+ p->rc = FTS5_CORRUPT;
+ return;
+ }
 while( 1 ){
 /* Figure out how many new bytes are in this term */
 fts5FastGetVarint32(a, iOff, nNew);
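Review bot: The new corruption check in the second hunk uses `iOff>n`, so a page whose first-term offset equals `n` still reaches `fts5FastGetVarint32(a, iOff, nNew)` and reads from `a[iOff]`. If `n` is the byte length of `a` (its declaration is outside the hunk), that read starts one byte past the record and is safe only if the buffer is padded. Consider `if( iOff>=n ){`, or bounding against `szLeaf` if the term data must end before the page index. If `iOff` is a signed int, a very large varint could come out negative and pass the comparison, so the types are worth confirming. A short comment such as `/* Corrupt page: first term offset lies outside the leaf */` would record why the early return exists; the enclosing function starts and ends outside the hunk.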