Index: src/btree.c
==================================================================
--- src/btree.c
+++ src/btree.c
@@ -4949,26 +4949,32 @@
           c = xRecordCompare(nCell, (void*)&pCell[2], pIdxKey);
         }else{
           /* The record flows over onto one or more overflow pages. In
           ** this case the whole cell needs to be parsed, a buffer allocated
           ** and accessPayload() used to retrieve the record into the
-          ** buffer before VdbeRecordCompare() can be called. An extra
-          ** byte of zeroed padding is allocated at the end of the buffer,
-          ** as this stops the record-compare routines from reading past
-          ** the end of the buffer if the record is corrupt.  */
+          ** buffer before VdbeRecordCompare() can be called. 
+          **
+          ** If the record is corrupt, the xRecordCompare routine may read
+          ** up to two varints past the end of the buffer. An extra 18 
+          ** bytes of padding is allocated at the end of the buffer in
+          ** case this happens.  */
           void *pCellKey;
           u8 * const pCellBody = pCell - pPage->childPtrSize;
           btreeParseCellPtr(pPage, pCellBody, &pCur->info);
           nCell = (int)pCur->info.nKey;
-          pCellKey = sqlite3Malloc( nCell+1 );
+          testcase( nCell<0 );
+          if( nCell<2 ){
+            rc = SQLITE_CORRUPT_BKPT;
+            goto moveto_finish;
+          }
+          pCellKey = sqlite3Malloc( nCell+18 );
           if( pCellKey==0 ){
             rc = SQLITE_NOMEM;
             goto moveto_finish;
           }
           pCur->aiIdx[pCur->iPage] = (u16)idx;
           rc = accessPayload(pCur, 0, nCell, (unsigned char*)pCellKey, 2);
-          ((unsigned char *)pCellKey)[nCell] = 0;
           if( rc ){
             sqlite3_free(pCellKey);
             goto moveto_finish;
           }
           c = xRecordCompare(nCell, pCellKey, pIdxKey);