Ticket Change Details

Artifact ID: 4b22f9e67c58fb8bccc631cb8ce980ef277a1251
Ticket: 78588b938a11f50207db20e0516e2a0a9a31314a
Virtual Table Sync frees pVtab->zErrMsg without zeroing
User & Date: anonymous 2013-07-17 04:15:54

  1. Change foundin to "3.7.17"
  2. Change icomment to:
    In the <code>src/vtab.c</code> and the <code>sqlite3VtabSync</code> function, <code>pVtab->zErrMsg</code> is freed without then being zeroed.  This leads to a double-free error condition when <code>pVtab->zErrMsg</code> is later examined, found non-zero and freed (again).
    The simplest way to reproduce the problem is to create a virtual table implementation that implements <code>xSync</code>.  In <code>xSync</code>, set <code>pVtab->zErrMsg</code> to an allocated string and return an error result.  At the next callback opportunity (mine was in <code>xRollback</code>), <code>pVtab->zErrMsg</code> will still be set, when it should be zero.
  3. Change login to "nobody"
  4. Change mimetype to "text/html"
  5. Change private_contact to "0b7db2d1f0a1f832560fad9056d32af23def945a"
  6. Change severity to "Minor"
  7. Change status to "Open"
  8. Change title to:
    Virtual Table Sync frees pVtab->zErrMsg without zeroing
  9. Change type to "Code_Defect"
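
The free-without-zeroing pattern the ticket describes, modelled as an added example (not SQLite's source and not the reporter's code). `Vtab`, `msg_alloc`, `msg_free`, `x_sync`, `sync_unsafe`, `sync_safe` and `later_cleanup` are hypothetical names, and a one-slot toy allocator counts a repeated free instead of performing it, so the program stays well defined.

```c
#include <string.h>

typedef struct Vtab { char *zErrMsg; } Vtab;  /* hypothetical stand-in object */

/* One-slot toy allocator: a second release of the same buffer is counted,
   not executed, so the defect can be observed without undefined behaviour. */
static char slot[64];
static int slot_live, double_frees;

static char *msg_alloc(const char *z){
  strncpy(slot, z, sizeof slot - 1);
  slot[sizeof slot - 1] = 0;
  slot_live = 1;
  return slot;
}
static void msg_free(char *p){
  if( p==0 ) return;
  if( !slot_live ){ double_frees++; return; }
  slot_live = 0;
}

/* Module callback that fails and leaves an allocated message behind. */
static int x_sync(Vtab *p){ p->zErrMsg = msg_alloc("sync failed"); return 1; }

/* Pattern from the ticket: the message is freed, the pointer stays stale. */
static int sync_unsafe(Vtab *p){
  int rc = x_sync(p);
  msg_free(p->zErrMsg);
  return rc;
}
/* Hardened pattern: zero the field right after freeing it. */
static int sync_safe(Vtab *p){
  int rc = x_sync(p);
  msg_free(p->zErrMsg);
  p->zErrMsg = 0;
  return rc;
}
/* Later callback opportunity: a non-zero message is assumed owned and freed. */
static void later_cleanup(Vtab *p){
  if( p->zErrMsg ){ msg_free(p->zErrMsg); p->zErrMsg = 0; }
}
/* Run one scenario; return how many repeated frees it triggered. */
static int run(int (*sync)(Vtab*)){
  Vtab v = {0};
  double_frees = 0;
  sync(&v);
  later_cleanup(&v);
  return double_frees;
}

int main(void){ return (run(sync_unsafe)==1 && run(sync_safe)==0) ? 0 : 1; }
```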