diff --git a/manifest b/manifest
index ff74ba20b0..1d5ef0689c 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\sfunction\ssqlite3OsFileControlNoFail(),\swhich\sis\sthe\ssame\sas\ssqlite3OsFileControl()\sexcept\sthat\sit\sdoes\snot\ssimulate\sOOM\serrors.\sThis\ssaves\sadding\scalls\sto\sthe\sBenignMalloc()\sfunctions\saround\seach\sof\sthe\sinvocations\sof\ssqliteOsFileControl()\sthat\signore\sthe\sreturn\scode.
-D 2012-01-10T16:56:39.621
+C Avoid\spassing\sstrings\swith\sa\ssingle\snul-terminator\s(two\sare\srequired)\sto\sthe\sVFS\sxOpen()\smethod\sfrom\swithin\sthe\scode\sthat\schecks\sto\ssee\sif\sa\smaster-journal\sfile\smay\sbe\ssafely\sdeleted.
+D 2012-01-10T17:28:10.499
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 5b4a3e12a850b021547e43daf886b25133b44c07
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -168,7 +168,7 @@ F src/os_common.h 92815ed65f805560b66166e3583470ff94478f04
 F src/os_os2.c 4a75888ba3dfc820ad5e8177025972d74d7f2440
 F src/os_unix.c 2ad4366b3c41dc813345d6dbb3cab97d62d60b96
 F src/os_win.c e344ccb73aaeb5caab2c3419fba2857f914198d7
-F src/pager.c e7c940ef4a3bad34c9c44ac429257fcf301b828f
+F src/pager.c f2a3a87da34b6e1ff7f74fb22e6014087ecdf5e4
 F src/pager.h 5cd760857707529b403837d813d86b68938d6183
 F src/parse.y fabb2e7047417d840e6fdb3ef0988a86849a08ba
 F src/pcache.c f8043b433a57aba85384a531e3937a804432a346
@@ -986,7 +986,7 @@ F tool/tostr.awk e75472c2f98dd76e06b8c9c1367f4ab07e122d06
 F tool/vdbe-compress.tcl d70ea6d8a19e3571d7ab8c9b75cba86d1173ff0f
 F tool/warnings-clang.sh 9f406d66e750e8ac031c63a9ef3248aaa347ef2a
 F tool/warnings.sh fbc018d67fd7395f440c28f33ef0f94420226381
-P 7f852ac6435f1c9e25b07f816cca5ba40484579e
-R 0386e0f2452004fbea4274e17c048ecf
+P af59b182d797642e5ec3ddf291cf62662a136bd1
+R 47a7f4ba0fc3538cc9b5e527d944f9de
 U dan
-Z d0553b98b27ed93d2ef4aa9f634cdd90
+Z 553d33d7ac54e78ccf7479f534ea4295
diff --git a/manifest.uuid b/manifest.uuid
index 01a50bf8d3..1e63fd5d2a 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-af59b182d797642e5ec3ddf291cf62662a136bd1
\ No newline at end of file
+2544f233f1041a42bbdbb5413d2bc92b2a2e0397
\ No newline at end of file
diff --git a/src/pager.c b/src/pager.c
index 7768fda166..e1ff80a546 100644
--- a/src/pager.c
+++ b/src/pager.c
@@ -2391,19 +2391,39 @@ static int pager_delmaster(Pager *pPager, const char *zMaster){
   rc = sqlite3OsFileSize(pMaster, &nMasterJournal);
   if( rc!=SQLITE_OK ) goto delmaster_out;
   nMasterPtr = pVfs->mxPathname+1;
-  zMasterJournal = sqlite3Malloc((int)nMasterJournal + nMasterPtr + 1);
+  zMasterJournal = sqlite3Malloc((int)nMasterJournal + nMasterPtr + 2);
   if( !zMasterJournal ){
     rc = SQLITE_NOMEM;
     goto delmaster_out;
   }
-  zMasterPtr = &zMasterJournal[nMasterJournal+1];
+  zMasterPtr = &zMasterJournal[nMasterJournal+2];
   rc = sqlite3OsRead(pMaster, zMasterJournal, (int)nMasterJournal, 0);
   if( rc!=SQLITE_OK ) goto delmaster_out;
+
+  /* Ensure that even if the contents of the master journal file are corrupt,
+  ** they are terminated by a pair of 0x00 bytes. This prevents buffer 
+  ** overreads in any calls made to sqlite3_uri_xxx() via sqlite3OsOpen()
+  ** below.  */
   zMasterJournal[nMasterJournal] = 0;
+  zMasterJournal[nMasterJournal+1] = 0;
 
   zJournal = zMasterJournal;
   while( (zJournal-zMasterJournal)<nMasterJournal ){
+    char c;
     int exists;
+    int nJournal = sqlite3Strlen30(zJournal);
+
+    /* The sqlite3OsAccess() and sqlite3OsOpen() functions require argument
+    ** strings that may be passed to the sqlite3_uri_xxx() API functions.
+    ** In this case that means strings terminated by a pair of 0x00 bytes.
+    ** But the master-journal file contains strings terminated by a single
+    ** 0x00 only. So temporarily replace the first byte of the following
+    ** string with a second 0x00. The original value is restored before the
+    ** next iteration of this loop.  */
+    assert( &zJournal[nJournal+1] < zMasterPtr );
+    c = zJournal[nJournal+1];
+    zJournal[nJournal+1] = '\0';
+
     rc = sqlite3OsAccess(pVfs, zJournal, SQLITE_ACCESS_EXISTS, &exists);
     if( rc!=SQLITE_OK ){
       goto delmaster_out;
@@ -2413,7 +2433,6 @@ static int pager_delmaster(Pager *pPager, const char *zMaster){
       ** Open it and check if it points at the master journal. If
       ** so, return without deleting the master journal file.
       */
-      int c;
       int flags = (SQLITE_OPEN_READONLY|SQLITE_OPEN_MAIN_JOURNAL);
       rc = sqlite3OsOpen(pVfs, zJournal, pJournal, flags, 0);
       if( rc!=SQLITE_OK ){
@@ -2426,13 +2445,13 @@ static int pager_delmaster(Pager *pPager, const char *zMaster){
         goto delmaster_out;
       }
 
-      c = zMasterPtr[0]!=0 && strcmp(zMasterPtr, zMaster)==0;
-      if( c ){
+      if( zMasterPtr[0]!=0 && strcmp(zMasterPtr, zMaster)==0 ){
         /* We have a match. Do not delete the master journal file. */
         goto delmaster_out;
       }
     }
-    zJournal += (sqlite3Strlen30(zJournal)+1);
+    zJournal += nJournal+1;
+    zJournal[0] = c;
   }
  
   sqlite3OsClose(pMaster);