Overview
Artifact ID: | 4b22f9e67c58fb8bccc631cb8ce980ef277a1251 |
---|---|
Ticket: | 78588b938a11f50207db20e0516e2a0a9a31314a
Virtual Table Sync frees pVtab->zErrMsg without zeroing |
User & Date: | anonymous 2013-07-17 04:15:54 |
Changes
- foundin changed to: "3.7.17"
- icomment:
<p> In the <code>src/vtab.c</code> and the <code>sqlite3VtabSync</code> function, <code>pVtab->zErrMsg</code> is freed without then being zeroed. This leads to a double-free error condition when <code>pVtab->zErrMsg</code> is later examined, found non-zero and freed (again). </p> <p> The simplest way to reproduce the problem is to create a virtual table implementation that implements <code>xSync</code>. In <code>xSync</code>, set <code>pVtab->zErrMsg</code> to an allocated string and return an error result. At the next callback opportunity (mine was in <code>xRollback</code>), <code>pVtab->zErrMsg</code> will still be set, when it should be zero. </p>
- login: "nobody"
- mimetype: "text/html"
- private_contact changed to: "0b7db2d1f0a1f832560fad9056d32af23def945a"
- severity changed to: "Minor"
- status changed to: "Open"
- title changed to:
Virtual Table Sync frees pVtab->zErrMsg without zeroing
- type changed to: "Code_Defect"