Index: ext/misc/dbdata.c ================================================================== --- ext/misc/dbdata.c +++ ext/misc/dbdata.c @@ -276,10 +276,14 @@ pCsr->pStmt = 0; pCsr->iPgno = 1; pCsr->iCell = 0; pCsr->iField = 0; pCsr->bOnePage = 0; + sqlite3_free(pCsr->aPage); + sqlite3_free(pCsr->pRec); + pCsr->pRec = 0; + pCsr->aPage = 0; } /* ** Close an sqlite_dbdata or sqlite_dbptr cursor. */ @@ -457,10 +461,11 @@ pCsr->iRowid++; while( 1 ){ int rc; int iOff = (pCsr->iPgno==1 ? 100 : 0); + int bNextPage = 0; if( pCsr->aPage==0 ){ while( 1 ){ if( pCsr->bOnePage==0 && pCsr->iPgno>pCsr->szDb ) return SQLITE_OK; rc = dbdataLoadPage(pCsr, pCsr->iPgno, &pCsr->aPage, &pCsr->nPage); @@ -493,11 +498,10 @@ sqlite3_int64 nPayload = 0; sqlite3_int64 nHdr = 0; int iHdr; int U, X; int nLocal; - int bNextPage = 0; switch( pCsr->aPage[iOff] ){ case 0x02: nPointer = 4; break; 
@@ -601,36 +605,41 @@ pCsr->pHdrPtr = &pCsr->pRec[iHdr]; pCsr->pPtr = &pCsr->pRec[pCsr->nHdr]; pCsr->iField = (bHasRowid ? -1 : 0); } } - - if( bNextPage ){ - sqlite3_free(pCsr->aPage); - pCsr->aPage = 0; - if( pCsr->bOnePage ) return SQLITE_OK; - pCsr->iPgno++; - continue; - } }else{ pCsr->iField++; if( pCsr->iField>0 ){ sqlite3_int64 iType; - pCsr->pHdrPtr += dbdataGetVarint(pCsr->pHdrPtr, &iType); - pCsr->pPtr += dbdataValueBytes(iType); + if( pCsr->pHdrPtr>&pCsr->pRec[pCsr->nRec] ){ + bNextPage = 1; + }else{ + pCsr->pHdrPtr += dbdataGetVarint(pCsr->pHdrPtr, &iType); + pCsr->pPtr += dbdataValueBytes(iType); + } } } - if( pCsr->iField<0 || pCsr->pHdrPtr<&pCsr->pRec[pCsr->nHdr] ){ - return SQLITE_OK; - } - - /* Advance to the next cell. The next iteration of the loop will load - ** the record and so on. */ - sqlite3_free(pCsr->pRec); - pCsr->pRec = 0; - pCsr->iCell++; + if( bNextPage ){ + sqlite3_free(pCsr->aPage); + sqlite3_free(pCsr->pRec); + pCsr->aPage = 0; + pCsr->pRec = 0; + if( pCsr->bOnePage ) return SQLITE_OK; + pCsr->iPgno++; + }else{ + if( pCsr->iField<0 || pCsr->pHdrPtr<&pCsr->pRec[pCsr->nHdr] ){ + return SQLITE_OK; + } + + /* Advance to the next cell. The next iteration of the loop will load + ** the record and so on. */ + sqlite3_free(pCsr->pRec); + pCsr->pRec = 0; + pCsr->iCell++; + } } } assert( !"can't get here" ); return SQLITE_OK; @@ -735,13 +744,16 @@ int iOff = pCsr->iPgno==1 ? 100 : 0; if( pCsr->iCell<0 ){ iOff += 8; }else{ iOff += 12 + pCsr->iCell*2; + if( iOff>pCsr->nPage ) return SQLITE_OK; iOff = get_uint16(&pCsr->aPage[iOff]); } - sqlite3_result_int64(ctx, get_uint32(&pCsr->aPage[iOff])); + if( iOff<=pCsr->nPage ){ + sqlite3_result_int64(ctx, get_uint32(&pCsr->aPage[iOff])); + } break; } } }else{ switch( i ){
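Review bot: The new guard in the `iField>0` branch compares with `>`, so a header pointer sitting exactly at `&pCsr->pRec[pCsr->nRec]` still reaches `dbdataGetVarint()`, which then starts decoding at the first byte past the record; `if( pCsr->pHdrPtr>=&pCsr->pRec[pCsr->nRec] ){` would cover that case. A varint is multi-byte, so a start just inside the record can also read past nRec when the header is malformed, unless pRec is allocated with trailing padding, which this hunk does not show. `pCsr->pPtr += dbdataValueBytes(iType);` is likewise not checked against nRec, so pPtr can end up beyond the buffer for whatever later reads the field value; clamping it to `&pCsr->pRec[pCsr->nRec]` when the remaining bytes are fewer than the field size would keep it in range. The enclosing function starts outside the hunk.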
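Review bot: Both bounds checks added in the last hunk (`@@ -735,13 +744,16 @@`) test only the starting offset, not the width of the read that follows. `if( iOff>pCsr->nPage ) return SQLITE_OK;` lets `iOff==nPage` and `iOff==nPage-1` through to a two-byte `get_uint16()`, and `if( iOff<=pCsr->nPage ){` lets the last offsets of the page through to a four-byte `get_uint32()`. Unless aPage is over-allocated with padding (not visible here), the checks would be `if( iOff+2>pCsr->nPage ) return SQLITE_OK;` and `if( iOff+4<=pCsr->nPage ){`. If padding is the intended defence, a comment at these checks naming the padding constant and its size would let a reader confirm the reads stay inside the allocation. The enclosing switch case starts outside the hunk.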