SQLite

Ticket Change Details

Artifact ID: 4b22f9e67c58fb8bccc631cb8ce980ef277a1251
Ticket: 78588b938a11f50207db20e0516e2a0a9a31314a
Virtual Table Sync frees pVtab->zErrMsg without zeroing
User & Date: anonymous 2013-07-17 04:15:54
Changes

  1. foundin changed to: "3.7.17"
  2. icomment:
    <p>
    In <code>src/vtab.c</code>, in the <code>sqlite3VtabSync</code> function, <code>pVtab->zErrMsg</code> is freed without then being zeroed.  This leads to a double-free error condition when <code>pVtab->zErrMsg</code> is later examined, found non-zero and freed (again).
    </p>
    <p>
    The simplest way to reproduce the problem is to create a virtual table implementation that implements <code>xSync</code>.  In <code>xSync</code>, set <code>pVtab->zErrMsg</code> to an allocated string and return an error result.  At the next callback opportunity (mine was in <code>xRollback</code>), <code>pVtab->zErrMsg</code> will still be set, when it should be zero.
    </p>
    
  3. login: "nobody"
  4. mimetype: "text/html"
  5. private_contact changed to: "0b7db2d1f0a1f832560fad9056d32af23def945a"
  6. severity changed to: "Minor"
  7. status changed to: "Open"
  8. title changed to:
    Virtual Table Sync frees pVtab->zErrMsg without zeroing
    
  9. type changed to: "Code_Defect"
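
The free-without-zeroing pattern the ticket describes, next to the free-then-zero form, as an added C example that is not part of the ticket and not SQLite's code. It is a simplified model: `model_vtab`, `msg_alloc`, `msg_free` and the other function names are hypothetical, and a static slot allocator stands in for the heap so the second free is counted rather than executed.

```c
#include <stddef.h>
/* Toy allocator over static slots: a repeated free is counted, never executed. */
#define NSLOT 4
static char pool[NSLOT][32];
static int in_use[NSLOT], double_frees;

static char *msg_alloc(void) {
    for (int i = 0; i < NSLOT; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

static void msg_free(char *p) {
    for (int i = 0; p && i < NSLOT; i++)
        if (p == pool[i]) {
            if (in_use[i]) in_use[i] = 0;
            else double_frees++;              /* slot was already released */
            return;
        }
}

struct model_vtab { char *zErrMsg; };         /* stand-in for the vtab object */

/* Failing xSync as in the ticket's repro: sets an allocated message, returns error. */
static int model_xsync(struct model_vtab *v) { v->zErrMsg = msg_alloc(); return 1; }

/* Sync path as the ticket describes it: message freed, pointer left stale. */
static void sync_free_only(struct model_vtab *v) {
    if (model_xsync(v)) msg_free(v->zErrMsg);
}

/* Hardened form: free, then zero, so later code sees no pending message. */
static void sync_free_and_zero(struct model_vtab *v) {
    if (model_xsync(v)) { msg_free(v->zErrMsg); v->zErrMsg = NULL; }
}

/* Later callback: frees any non-zero message; returns 1 if that was a second free. */
static int later_cleanup(struct model_vtab *v) {
    int before = double_frees;
    if (v->zErrMsg) { msg_free(v->zErrMsg); v->zErrMsg = NULL; }
    return double_frees - before;
}

int main(void) {                              /* exit 0 when both cases behave as described */
    struct model_vtab a = {0}, b = {0};
    sync_free_only(&a);
    sync_free_and_zero(&b);
    return !(later_cleanup(&a) == 1 && later_cleanup(&b) == 0);
}
```

With a real allocator the stale pointer may by then refer to memory handed out to another object, so the second free can release a live allocation rather than fail cleanly.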