Ticket Change Details

Artifact ID: 4b22f9e67c58fb8bccc631cb8ce980ef277a1251
Ticket: 78588b938a11f50207db20e0516e2a0a9a31314a
Virtual Table Sync frees pVtab->zErrMsg without zeroing
User & Date: anonymous 2013-07-17 04:15:54

  1. Change foundin to "3.7.17"
  2. Change icomment to:

    In src/vtab.c, in the sqlite3VtabSync function, pVtab->zErrMsg is freed without then being zeroed. This leads to a double-free error condition when pVtab->zErrMsg is later examined, found non-zero and freed (again).

    The simplest way to reproduce the problem is to create a virtual table implementation that implements xSync. In xSync, set pVtab->zErrMsg to an allocated string and return an error result. At the next callback opportunity (mine was in xRollback), pVtab->zErrMsg will still be set, when it should be zero.

  3. Change login to "nobody"
  4. Change mimetype to "text/html"
  5. Change private_contact to "0b7db2d1f0a1f832560fad9056d32af23def945a"
  6. Change severity to "Minor"
  7. Change status to "Open"
  8. Change title to:

    Virtual Table Sync frees pVtab->zErrMsg without zeroing

  9. Change type to "Code_Defect"
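
The free-without-zeroing pattern this ticket reports, as an added example that is not SQLite's code or the reporter's: a small C model in which a one-slot tracking allocator counts a second free instead of corrupting a real heap. ModelVtab, model_sync, model_later_cleanup and the other model_* names are hypothetical stand-ins; only the zErrMsg field name and the xSync behaviour come from the ticket.

```c
#include <stdio.h>

/* Hypothetical stand-in for a virtual table object: only the field from the report. */
typedef struct { char *zErrMsg; } ModelVtab;

/* One-slot allocator that counts a second free instead of corrupting a real heap. */
static char g_buf[64];
static int g_live, g_double_frees;
static char *model_strdup(const char *s) {
    if (g_live) return NULL;
    g_live = 1;
    snprintf(g_buf, sizeof g_buf, "%s", s);
    return g_buf;
}

static void model_free(char *p) {
    if (p == NULL) return;
    if (g_live) g_live = 0; else g_double_frees++;
}

/* xSync as in the reproduction: set zErrMsg to an allocated string, return an error. */
static int model_xSync(ModelVtab *v) {
    v->zErrMsg = model_strdup("sync failed");
    return 1;
}

/* Caller frees the message; zero_after = 1 also zeroes the field, 0 leaves it dangling. */
static int model_sync(ModelVtab *v, int zero_after) {
    int rc = model_xSync(v);
    model_free(v->zErrMsg);
    if (zero_after) v->zErrMsg = NULL;
    return rc;
}

/* Later code that examines the field, finds it non-zero and frees it. */
static void model_later_cleanup(ModelVtab *v) {
    if (v->zErrMsg) { model_free(v->zErrMsg); v->zErrMsg = NULL; }
}

/* Runs sync followed by the later cleanup; returns the number of double frees seen. */
int run_model(int zero_after) {
    ModelVtab v = { NULL };
    g_live = g_double_frees = 0;
    model_sync(&v, zero_after);
    model_later_cleanup(&v);
    return g_double_frees;
}

int main(void) { printf("%d %d\n", run_model(0), run_model(1)); return 0; }
```

Zeroing the field immediately after the free is what makes the later non-zero check safe; the model counts one double free without it and none with it.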