Index: src/btree.c
==================================================================
--- src/btree.c
+++ src/btree.c
@@ -899,14 +899,21 @@
   u8 *pCell,                      /* Pointer to the cell text. */
   CellInfo *pInfo                 /* Fill in this structure */
 ){
   u16 n;                          /* Number bytes in cell content header */
   u32 nPayload;                   /* Number of bytes of cell payload */
+  u8 cellBuf[20];
 
   assert( sqlite3_mutex_held(pPage->pBt->mutex) );
 
   pInfo->pCell = pCell;
+  if( pCell >= pPage->aDataEnd - sizeof(cellBuf) && pCell < pPage->aDataEnd ){
+    int x = pPage->aDataEnd - pCell;
+    memcpy(cellBuf, pCell, x);
+    memset(&cellBuf[x], 0, sizeof(cellBuf)-x);
+    pCell = cellBuf;
+  }
   assert( pPage->leaf==0 || pPage->leaf==1 );
   n = pPage->childPtrSize;
   assert( n==4-4*pPage->leaf );
   if( pPage->intKey ){
     if( pPage->hasData ){
@@ -975,12 +982,13 @@
 ** data area of the btree-page. The return number includes the cell
 ** data header and the local payload, but not any overflow page or
 ** the space used by the cell pointer.
 */
 static u16 cellSizePtr(MemPage *pPage, u8 *pCell){
-  u8 *pIter = &pCell[pPage->childPtrSize];
+  u8 *pX = pCell;
   u32 nSize;
+  u8 cellBuf[25];
 
 #ifdef SQLITE_DEBUG
   /* The value returned by this function should always be the same as
   ** the (CellInfo.nSize) value found by doing a full parse of the
   ** cell. If SQLITE_DEBUG is defined, an assert() at the bottom of
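Review bot: The guard added before the header decode in btreeParseCellPtr protects only a pCell that lies below aDataEnd; a pCell at or past aDataEnd, which a corrupt cell-pointer array can produce, takes the untouched path and the reads below still run beyond the page, so the fix presumes every caller has bounded pCell first — that assumption deserves a comment here, and the same applies to the matching block in cellSizePtr in the next two hunks. The reason the copy is safe is also undocumented: the zero fill presumably ends any varint the decoders walk, and the sizes 20 and 25 are bare numbers; I would put above the `if` something like `/* A cell that begins within sizeof(cellBuf) bytes of the page end may be truncated by corruption; parse it from a zero-padded copy so no read runs past aDataEnd */` and say in one sentence why each size covers the longest possible cell header. `int x = pPage->aDataEnd - pCell;` narrows a ptrdiff_t silently; `int x = (int)(pPage->aDataEnd - pCell);` makes the intent explicit. btreeParseCellPtr's signature begins and its body continues outside this hunk.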
@@ -987,25 +995,32 @@
   ** this function verifies that this invariant is not violated. */
   CellInfo debuginfo;
   btreeParseCellPtr(pPage, pCell, &debuginfo);
 #endif
 
+  if( pX >= pPage->aDataEnd - sizeof(cellBuf) && pX < pPage->aDataEnd ){
+    int x = pPage->aDataEnd - pX;
+    memcpy(cellBuf, pCell, x);
+    memset(&cellBuf[x], 0, sizeof(cellBuf)-x);
+    pX = pCell = cellBuf;
+  }
+  pX += pPage->childPtrSize;
   if( pPage->intKey ){
     u8 *pEnd;
     if( pPage->hasData ){
-      pIter += getVarint32(pIter, nSize);
+      pX += getVarint32(pX, nSize);
     }else{
       nSize = 0;
     }
 
     /* pIter now points at the 64-bit integer key value, a variable length
     ** integer. The following block moves pIter to point at the first byte
     ** past the end of the key value. */
-    pEnd = &pIter[9];
-    while( (*pIter++)&0x80 && pItermaxLocal );
   testcase( nSize==pPage->maxLocal+1 );
   if( nSize>pPage->maxLocal ){
@@ -1016,11 +1031,11 @@
     if( nSize>pPage->maxLocal ){
       nSize = minLocal;
     }
     nSize += 4;
   }
-  nSize += (u32)(pIter - pCell);
+  nSize += (u32)(pX - pCell);
 
   /* The minimum size of any cell is 4 bytes. */
   if( nSize<4 ){
     nSize = 4;
   }
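Review bot: The copy-into-cellBuf block in cellSizePtr repeats the one in btreeParseCellPtr line for line, differing only in the buffer size and in which pointer is tested, so the two page-end checks can drift apart the next time either is touched. A small static helper that takes the buffer and its size and returns either the buffer or the original pointer would keep the bounds arithmetic in one place; the call here would read `pX = pCell = cellPtrGuard(pPage, pCell, cellBuf, (int)sizeof(cellBuf));` followed by the existing `pX += pPage->childPtrSize;`, and btreeParseCellPtr would use the same helper. cellSizePtr begins in the previous hunk and ends in the next one.
```c
/* If pCell begins within nBuf bytes of the end of the page, copy the bytes
** that are there into buf, zero-fill the remainder and return buf, so that
** the caller's header reads cannot run past pPage->aDataEnd.  Otherwise
** return pCell unchanged. */
static u8 *cellPtrGuard(MemPage *pPage, u8 *pCell, u8 *buf, int nBuf){
  if( pCell >= pPage->aDataEnd - nBuf && pCell < pPage->aDataEnd ){
    int x = (int)(pPage->aDataEnd - pCell);
    memcpy(buf, pCell, x);
    memset(&buf[x], 0, nBuf - x);
    return buf;
  }
  return pCell;
}

/* … unchanged: cellSizePtr declarations and SQLITE_DEBUG block … */
  pX = pCell = cellPtrGuard(pPage, pCell, cellBuf, (int)sizeof(cellBuf));
  pX += pPage->childPtrSize;
/* … unchanged: intKey / key-skipping / size computation … */
```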