Index: Makefile.in
==================================================================
--- Makefile.in
+++ Makefile.in
@@ -1000,11 +1000,11 @@
 
 # Run a test using valgrind.  This can take a really long time
 # because valgrind is so much slower than a native machine.
 #
 valgrindtest:	$(TESTPROGS) fuzzcheck$(TEXE)
-	valgrind -v ./fuzzcheck$(TEXE) $(FUZZDATA)
+	valgrind -v ./fuzzcheck$(TEXE) --cell-size-check $(FUZZDATA)
 	OMIT_MISUSE=1 valgrind -v ./testfixture$(TEXE) $(TOP)/test/permutations.test valgrind
 
 # A very fast test that checks basic sanity.  The name comes from
 # the 60s-era electronics testing:  "Turn it on and see if smoke
 # comes out."

Index: main.mk
==================================================================
--- main.mk
+++ main.mk
@@ -681,11 +681,11 @@
 
 # Run a test using valgrind.  This can take a really long time
 # because valgrind is so much slower than a native machine.
 #
 valgrindtest:	$(TESTPROGS) fuzzcheck$(EXE) $(FUZZDATA)
-	valgrind -v ./fuzzcheck$(EXE) $(FUZZDATA)
+	valgrind -v ./fuzzcheck$(EXE) --cell-size-check $(FUZZDATA)
 	OMIT_MISUSE=1 valgrind -v ./testfixture$(EXE) $(TOP)/test/permutations.test valgrind
 
 # A very fast test that checks basic sanity.  The name comes from
 # the 60s-era electronics testing:  "Turn it on and see if smoke
 # comes out."

Index: src/btree.c
==================================================================
--- src/btree.c
+++ src/btree.c
@@ -1194,30 +1194,22 @@
     u8 *pAddr;     /* The i-th cell pointer */
     pAddr = &data[cellOffset + i*2];
     pc = get2byte(pAddr);
     testcase( pc==iCellFirst );
     testcase( pc==iCellLast );
-#if !defined(SQLITE_ENABLE_OVERSIZE_CELL_CHECK)
     /* These conditions have already been verified in btreeInitPage()
-    ** if SQLITE_ENABLE_OVERSIZE_CELL_CHECK is defined 
+    ** if PRAGMA cell_size_check=ON.
     */
     if( pc<iCellFirst || pc>iCellLast ){
       return SQLITE_CORRUPT_BKPT;
     }
-#endif
     assert( pc>=iCellFirst && pc<=iCellLast );
     size = cellSizePtr(pPage, &src[pc]);
     cbrk -= size;
-#if defined(SQLITE_ENABLE_OVERSIZE_CELL_CHECK)
-    if( cbrk<iCellFirst ){
-      return SQLITE_CORRUPT_BKPT;
-    }
-#else
     if( cbrk<iCellFirst || pc+size>usableSize ){
       return SQLITE_CORRUPT_BKPT;
     }
-#endif
     assert( cbrk+size<=usableSize && cbrk>=iCellFirst );
     testcase( cbrk+size==usableSize );
     testcase( pc+size==usableSize );
     put2byte(pAddr, cbrk);
     if( temp==0 ){
@@ -1554,10 +1546,11 @@
 ** we failed to detect any corruption.
 */
 static int btreeInitPage(MemPage *pPage){
 
   assert( pPage->pBt!=0 );
+  assert( pPage->pBt->db!=0 );
   assert( sqlite3_mutex_held(pPage->pBt->mutex) );
   assert( pPage->pgno==sqlite3PagerPagenumber(pPage->pDbPage) );
   assert( pPage == sqlite3PagerGetExtra(pPage->pDbPage) );
   assert( pPage->aData == sqlite3PagerGetData(pPage->pDbPage) );
 
@@ -1612,12 +1605,11 @@
     ** past the end of a page boundary and causes SQLITE_CORRUPT to be 
     ** returned if it does.
     */
     iCellFirst = cellOffset + 2*pPage->nCell;
     iCellLast = usableSize - 4;
-#if defined(SQLITE_ENABLE_OVERSIZE_CELL_CHECK)
-    {
+    if( pBt->db->flags & SQLITE_CellSizeCk ){
       int i;            /* Index into the cell pointer array */
       int sz;           /* Size of a cell */
 
       if( !pPage->leaf ) iCellLast--;
       for(i=0; i<pPage->nCell; i++){
@@ -1633,11 +1625,10 @@
           return SQLITE_CORRUPT_BKPT;
         }
       }
       if( !pPage->leaf ) iCellLast++;
     }  
-#endif
 
     /* Compute the total free space on the page
     ** EVIDENCE-OF: R-23588-34450 The two-byte integer at offset 1 gives the
     ** start of the first freeblock on the page, or is zero if there are no
     ** freeblocks. */
@@ -4949,26 +4940,22 @@
           c = xRecordCompare(nCell, (void*)&pCell[2], pIdxKey);
         }else{
           /* The record flows over onto one or more overflow pages. In
           ** this case the whole cell needs to be parsed, a buffer allocated
           ** and accessPayload() used to retrieve the record into the
-          ** buffer before VdbeRecordCompare() can be called. An extra
-          ** byte of zeroed padding is allocated at the end of the buffer,
-          ** as this stops the record-compare routines from reading past
-          ** the end of the buffer if the record is corrupt.  */
+          ** buffer before VdbeRecordCompare() can be called. */
           void *pCellKey;
           u8 * const pCellBody = pCell - pPage->childPtrSize;
           btreeParseCellPtr(pPage, pCellBody, &pCur->info);
           nCell = (int)pCur->info.nKey;
-          pCellKey = sqlite3Malloc( nCell+1 );
+          pCellKey = sqlite3Malloc( nCell );
           if( pCellKey==0 ){
             rc = SQLITE_NOMEM;
             goto moveto_finish;
           }
           pCur->aiIdx[pCur->iPage] = (u16)idx;
           rc = accessPayload(pCur, 0, nCell, (unsigned char*)pCellKey, 2);
-          ((unsigned char *)pCellKey)[nCell] = 0;
           if( rc ){
             sqlite3_free(pCellKey);
             goto moveto_finish;
           }
           c = xRecordCompare(nCell, pCellKey, pIdxKey);

Index: src/main.c
==================================================================
--- src/main.c
+++ src/main.c
@@ -2756,10 +2756,13 @@
 #if defined(SQLITE_DEFAULT_FOREIGN_KEYS) && SQLITE_DEFAULT_FOREIGN_KEYS
                  | SQLITE_ForeignKeys
 #endif
 #if defined(SQLITE_REVERSE_UNORDERED_SELECTS)
                  | SQLITE_ReverseOrder
+#endif
+#if defined(SQLITE_ENABLE_OVERSIZE_CELL_CHECK)
+                 | SQLITE_CellSizeCk
 #endif
       ;
   sqlite3HashInit(&db->aCollSeq);
 #ifndef SQLITE_OMIT_VIRTUALTABLE
   sqlite3HashInit(&db->aModule);

Index: src/pragma.h
==================================================================
--- src/pragma.h
+++ src/pragma.h
@@ -97,10 +97,14 @@
 #endif
   { /* zName:     */ "case_sensitive_like",
     /* ePragTyp:  */ PragTyp_CASE_SENSITIVE_LIKE,
     /* ePragFlag: */ 0,
     /* iArg:      */ 0 },
+  { /* zName:     */ "cell_size_check",
+    /* ePragTyp:  */ PragTyp_FLAG,
+    /* ePragFlag: */ 0,
+    /* iArg:      */ SQLITE_CellSizeCk },
 #if !defined(SQLITE_OMIT_FLAG_PRAGMAS)
   { /* zName:     */ "checkpoint_fullfsync",
     /* ePragTyp:  */ PragTyp_FLAG,
     /* ePragFlag: */ 0,
     /* iArg:      */ SQLITE_CkptFullFSync },
@@ -454,6 +458,6 @@
     /* ePragTyp:  */ PragTyp_FLAG,
     /* ePragFlag: */ 0,
     /* iArg:      */ SQLITE_WriteSchema|SQLITE_RecoveryMode },
 #endif
 };
-/* Number of pragmas: 59 on by default, 72 total. */
+/* Number of pragmas: 60 on by default, 73 total. */

Index: src/sqliteInt.h
==================================================================
--- src/sqliteInt.h
+++ src/sqliteInt.h
@@ -1251,10 +1251,11 @@
 #define SQLITE_EnableTrigger  0x00800000  /* True to enable triggers */
 #define SQLITE_DeferFKs       0x01000000  /* Defer all FK constraints */
 #define SQLITE_QueryOnly      0x02000000  /* Disable database changes */
 #define SQLITE_VdbeEQP        0x04000000  /* Debug EXPLAIN QUERY PLAN */
 #define SQLITE_Vacuum         0x08000000  /* Currently in a VACUUM */
+#define SQLITE_CellSizeCk     0x10000000  /* Check btree cell sizes on load */
 
 
 /*
 ** Bits of the sqlite3.dbOptFlags field that are used by the
 ** sqlite3_test_control(SQLITE_TESTCTRL_OPTIMIZATIONS,...) interface to

Index: test/fuzzcheck.c
==================================================================
--- test/fuzzcheck.c
+++ test/fuzzcheck.c
@@ -594,10 +594,11 @@
   printf("Usage: %s [options] SOURCE-DB ?ARGS...?\n", g.zArgv0);
   printf(
 "Read databases and SQL scripts from SOURCE-DB and execute each script against\n"
 "each database, checking for crashes and memory leaks.\n"
 "Options:\n"
+"  --cell-size-check     Set the PRAGMA cell_size_check=ON\n"
 "  --dbid N              Use only the database where dbid=N\n"
 "  --help                Show this help text\n"    
 "  -q                    Reduced output\n"
 "  --quiet               Reduced output\n"
 "  --load-sql ARGS...    Load SQL scripts fro files into SOURCE-DB\n"
@@ -632,19 +633,23 @@
   char **azSrcDb = 0;          /* Array of source database names */
   int iSrcDb;                  /* Loop over all source databases */
   int nTest = 0;               /* Total number of tests performed */
   char *zDbName = "";          /* Appreviated name of a source database */
   const char *zFailCode = 0;   /* Value of the TEST_FAILURE environment variable */
+  int cellSzCkFlag = 0;        /* --cell-size-check */
 
   iBegin = timeOfDay();
   g.zArgv0 = argv[0];
   zFailCode = getenv("TEST_FAILURE");
   for(i=1; i<argc; i++){
     const char *z = argv[i];
     if( z[0]=='-' ){
       z++;
       if( z[0]=='-' ) z++;
+      if( strcmp(z,"cell-size-check")==0 ){
+        cellSzCkFlag = 1;
+      }else
       if( strcmp(z,"dbid")==0 ){
         if( i>=argc-1 ) fatalError("missing arguments on %s", argv[i]);
         onlyDbid = atoi(argv[++i]);
       }else
       if( strcmp(z,"help")==0 ){
@@ -823,10 +828,11 @@
           openFlags |= SQLITE_OPEN_MEMORY;
           zVfs = 0;
         }
         rc = sqlite3_open_v2("main.db", &db, openFlags, zVfs);
         if( rc ) fatalError("cannot open inmem database");
+        if( cellSzCkFlag ) runSql(db, "PRAGMA cell_size_check=ON", runFlags);
         runSql(db, (char*)pSql->a, runFlags);
         sqlite3_close(db);
         if( sqlite3_memory_used()>0 ) fatalError("memory leak");
         reformatVfs();
         nTest++;

Index: tool/mkpragmatab.tcl
==================================================================
--- tool/mkpragmatab.tcl
+++ tool/mkpragmatab.tcl
@@ -134,10 +134,14 @@
   TYPE: FLAG
   ARG:  SQLITE_DeferFKs
   IF:   !defined(SQLITE_OMIT_FLAG_PRAGMAS)
   IF:   !defined(SQLITE_OMIT_FOREIGN_KEY) && !defined(SQLITE_OMIT_TRIGGER)
 
+  NAME: cell_size_check
+  TYPE: FLAG
+  ARG:  SQLITE_CellSizeCk
+
   NAME: default_cache_size
   FLAG: NeedSchema
   IF:   !defined(SQLITE_OMIT_PAGER_PRAGMAS) && !defined(SQLITE_OMIT_DEPRECATED)
 
   NAME: page_size