SQLite
Ticket Change Details
Overview

Artifact ID: 4b22f9e67c58fb8bccc631cb8ce980ef277a1251
Ticket: 78588b938a11f50207db20e0516e2a0a9a31314a
Virtual Table Sync frees pVtab->zErrMsg without zeroing
Date: 2013-07-17 04:15:54
User: anonymous
Changes

  1. Change foundin to "3.7.17"
  2. Change icomment to:
    <p>
    In <code>src/vtab.c</code>, in the <code>sqlite3VtabSync</code> function, <code>pVtab->zErrMsg</code> is freed without then being zeroed.  This leads to a double-free error condition when <code>pVtab->zErrMsg</code> is later examined, found non-zero and freed (again).
    </p>
    <p>
    The simplest way to reproduce the problem is to create a virtual table implementation that implements <code>xSync</code>.  In <code>xSync</code>, set <code>pVtab->zErrMsg</code> to an allocated string and return an error result.  At the next callback opportunity (mine was in <code>xRollback</code>), <code>pVtab->zErrMsg</code> will still be set, when it should be zero.
    </p>
    
  3. Change login to "nobody"
  4. Change mimetype to "text/html"
  5. Change private_contact to "0b7db2d1f0a1f832560fad9056d32af23def945a"
  6. Change severity to "Minor"
  7. Change status to "Open"
  8. Change title to:
    Virtual Table Sync frees pVtab->zErrMsg without zeroing
    
  9. Change type to "Code_Defect"
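
The free-without-zeroing pattern the ticket describes, as an added C model that is neither SQLite's source nor the reporter's code. `ModelVtab`, `model_sync`, `model_rollback` and the tracking allocator are hypothetical names; the allocator counts a repeated release instead of performing it, so the model runs without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the one sqlite3_vtab field the ticket is about. */
typedef struct { char *zErrMsg; } ModelVtab;

static char *block;               /* the single tracked allocation */
static int released, double_frees;

/* Allocate the tracked message (constructed sample text). */
static char *model_alloc(const char *s) {
    block = malloc(strlen(s) + 1);
    if (block) strcpy(block, s);
    released = 0;
    return block;
}

/* Record a release; a second release of the same block is counted, not done. */
static void model_free(char *p) {
    if (p == NULL) return;
    if (p == block && released) { double_frees++; return; }
    released = 1;
}

/* Sync step: the xSync stand-in leaves an allocated message behind, the
 * caller releases it. zero_after selects the hardened form. */
static void model_sync(ModelVtab *v, int zero_after) {
    v->zErrMsg = model_alloc("sync failed");
    model_free(v->zErrMsg);
    if (zero_after) v->zErrMsg = NULL;   /* without this the pointer dangles */
}

/* Later callback site: releases any message that is still non-zero. */
static void model_rollback(ModelVtab *v) {
    if (v->zErrMsg) { model_free(v->zErrMsg); v->zErrMsg = NULL; }
}

/* Number of repeated releases seen across one sync + rollback sequence. */
int run_scenario(int zero_after) {
    ModelVtab v = { NULL };
    double_frees = 0;
    model_sync(&v, zero_after);
    model_rollback(&v);
    free(block);                         /* the one real release */
    block = NULL;
    return double_frees;
}

int main(void) {
    printf("no zeroing: %d, zeroed: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```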